RE: Checkpoint client

  • From: "Sam Chapman" <adminone@xxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 23 Jan 2004 17:33:29 -0800

Thanks a lot Fares, I will go over the settings again.

Sam

-----Original Message-----
From: Fares Rihani (Personal) [mailto:Fares@xxxxxxxxxx] 
Sent: Wednesday, January 21, 2004 7:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Checkpoint client

http://www.ISAserver.org

Hi Sam,

Please note that the following does not apply IP packet filters, those are
only used for publishing on the ISA Server itself.  Instead, create protocol
rules as illustrated below.

I recall your message from a while ago, and remember posting this as a
reply.

Using the below configuration I have successfully run the Checkpoint VPN-1
SecuRemote on a client computer behind the ISA firewall.

An excellent article about this issue can be found here (by Stefaan
Pouseele): http://www.isaserver.org/articles/IPSec_Passthrough.html

This info was taken from section "5.1. Checkpoint"

If you have CheckPoint 4.1 SP6 or NG1 FP1 or higher, then it would work with
the following protocol definitions:

    UDP 500 (send-receive) - for authentication 

    UDP 2746 (send-receive) - for encrypted traffic 

    TCP 264 (Outbound) *optional* - for topology update. 

For more information, check out the topic "CP SecuRemote Client can't get
out": http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001107

Even if your client version is OK, the CheckPoint VPN server side must be of
at least the correct version. Some other things that you may need to look
into:

    Under (ComputerName) > Access policy > IP Packet Filters (right click
    and select Properties), make sure "Enable IP routing" is enabled.

    On the client side where you installed the SecuRemote, uninstall the
    firewall client, and point the Network Gateway to the ISA server's
    internal IP address (located in the Network Card Settings, TCP/IP,
    Gateway). That will configure the client as a "SecureNAT" client.

-Fares Rihani


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, January 21, 2004 1:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Checkpoint client



(changing the subject for you)

Many IPSec clients fail behind ANY NAT device, not just ISA.
Supposedly, there is a specific version of the Cisco VPN client that
supports NAT traversal.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 20 Jan 2004 18:06:22 -0800
 "Sam Chapman" <adminone@xxxxxxxxxxx> wrote:

Hi all,

Not to change subjects or anything but it is amazing that I have yet to
speak or hear from anyone that has successfully run a secure remote
checkpoint client behind ISA. Rumors are ISA changes the packet header and
drops all incoming communication regardless if it is destined to a firewall
or a secure NAT client, and regardless of the IP packet filters or protocol
rules that one might have set up. The question here is does ISA really allow
communication between a secure remote client and corporate office? I have tried
it myself, opening all possible ports, creating filters and protocol rules
did not work.

Thank you all,

Sam
