Thanks a lot Fares, I will go over the settings again.

Sam

-----Original Message-----
From: Fares Rihani (Personal) [mailto:Fares@xxxxxxxxxx]
Sent: Wednesday, January 21, 2004 7:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Checkpoint client

http://www.ISAserver.org

Hi Sam,

Please note that the following does not apply IP packet filters, those are only used for publishing on the ISA Server itself. Instead, create protocol rules as illustrated below.

I recall your message from a while ago, and remember posting this as a reply. Using the below configuration I have successfully run the Checkpoint VPN-1 SecuRemote on a client computer behind the ISA firewall.

An excellent article about this issue can be found here (by Stefaan Pouseele):
http://www.isaserver.org/articles/IPSec_Passthrough.html

This info was taken from section "5.1. Checkpoint"

If you have CheckPoint 4.1 SP6 or NG1 FP1 or higher, then it would work with the following protocol definitions:

UDP 500 (send-receive) - for authentication
UDP 2746 (send-receive) - for encrypted traffic
TCP 264 (Outbound) *optional* - for topology update.

For more information, check out the topic <http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=001107> CP SecuRemote Client can't get out.

Even if your client version is ok, the CheckPoint VPN server side must be of at least the correct version.

Some other things that you may need to look into:

Under (ComputerName) > Access policy > IP Packet Filters (right click and select Properties) make sure "Enable IP routing" is enabled.

On the client side where you installed the SecuRemote, uninstall the firewall client, and point the Network Gateway to the ISA server's internal IP address. (located in the Network Card Settings, TCP/IP, Gateway) That will configure the client as a "SecureNat" Client.
-Fares Rihani

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, January 21, 2004 1:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Checkpoint client

(changing the subject for you)

Many IPSec clients fail behind ANY NAT device, not just ISA. Supposedly, there is a specific version of the Cisco VPN client that supports NAT traversal.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Tue, 20 Jan 2004 18:06:22 -0800 "Sam Chapman" <adminone@xxxxxxxxxxx> wrote:

Hi all,

Not to change subjects or anything but it is amazing that I have yet to speak or hear from anyone that has successfully run a secure remote checkpoint client behind ISA. Rumors are ISA changes the packet header and drops all incoming communication regardless if it is destined to a firewall or a secure Nat client, and regardless of the IP packet filters or protocol rules that one might have set up.

The question here is does ISA really allow communication between a secure remote client corporate office? I have tried it myself, opening all possible ports, creating filters and protocol rules did not work.
Thank you all,
Sam