On 9/9/05, Ray <[EMAIL PROTECTED]> wrote:

> I'm trying to get Exceed 2006, an X-Windows client to some Unix boxes,
> working over SecureClient. As long as I'm not VPNed in and I'm on the LAN,
> it works fine so I know I have the desktop security policy right.
>
> When I fire up Exceed, it is set to do an XDMCP broadcast to 192.168.2.255
> rather than its default broadcast address of 255.255.255.255. I couldn't get
> the default to work on just the LAN for whatever reason. The Unix boxes are
> in another state.
>
> Watching the SecureClient log viewer, I see the broadcast go out with an
> Encrypt action but nothing comes back from the server on 192.168.2.1. When I
> watch the log viewer on the LAN, I can see the Unix box come back
> immediately with its X-11 traffic and I get the correct login screens.
>
> The 192.168.2.0/24 network is part of the encryption domain and I can ping
> the Unix box or telnet to it when VPNed in. I had explicit rules to allow
> X-11 traffic before any "any service" rules and that didn't help. I even
> made the dbedit change so FW-1 won't reject X-11 traffic. I even put a
> laptop with a static IP on the FW-1 internal interface network just to
> assure myself that all of the routing is correct.
>
> Frankly, I'm totally stumped. It feels like FW-1 is not allowing the
> 192.168.2.255 broadcast out even though it's showing Encrypt.
>
> Any guesses would be greatly appreciated.
Wow! It's been literally more than 5 years since the last time I used Exceed! Good to know they're still in business. I loved that product!

I'd use srfw monitor on the client to see whether the traffic is being encapsulated correctly, and then fw monitor on the other-side firewall to see if the VPN is getting the packet through. Once you have that, make sure that the X-Server is answering correctly and the packet is encrypted back. Once again, fw monitor should carry the gossip on whether this is being done or not.

Take a special look at any NAT going on over there. I'd try and use Office Mode, just to make sure it's not something related to NATted traffic or not, and as well to make the source/destination rules in the firewall more "manageable" with regards to this.

HTH.

- Martín..
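The thread turns on one question: does an XDMCP query reach the display manager through the tunnel and does a reply come back? The script below is an added example (it is not from either poster and not a Check Point or Exceed tool) that builds a unicast XDMCP Query on UDP 177 to the manager's own address rather than the 192.168.2.255 directed broadcast, and decodes the Willing reply, so you can compare what the host actually sent and received against what srfw monitor and fw monitor show. The packet layout (6-byte header of version, opcode, length followed by ARRAY8 fields) follows the XDMCP specification; the hostname and status strings in the embedded sample reply are constructed for offline testing.

```python
import socket
import struct

XDMCP_PORT = 177
XDMCP_VERSION = 1
OPCODES = {1: "BroadcastQuery", 2: "Query", 3: "IndirectQuery",
           5: "Willing", 6: "Unwilling"}


def _array8(data: bytes) -> bytes:
    """Encode an XDMCP ARRAY8: CARD16 length followed by the bytes."""
    return struct.pack("!H", len(data)) + data


def build_query(opcode: int = 2, auth_names=()) -> bytes:
    """Build a Query (2) or BroadcastQuery (1) packet.

    The body is a CARD8 count of authentication names followed by one
    ARRAY8 per name; an empty tuple means 'no authentication'.
    """
    if opcode not in (1, 2, 3):
        raise ValueError("query opcodes are 1 (broadcast), 2 (unicast), 3 (indirect)")
    body = struct.pack("!B", len(auth_names)) + b"".join(_array8(n) for n in auth_names)
    return struct.pack("!HHH", XDMCP_VERSION, opcode, len(body)) + body


def _read_array8(buf: bytes, off: int):
    """Decode one ARRAY8 at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("ARRAY8 runs past end of packet")
    return buf[off:off + n], off + n


def parse_reply(pkt: bytes) -> dict:
    """Decode an XDMCP reply; fully decodes Willing (5), names other opcodes."""
    if len(pkt) < 6:
        raise ValueError("packet shorter than XDMCP header")
    version, opcode, length = struct.unpack_from("!HHH", pkt, 0)
    if version != XDMCP_VERSION:
        raise ValueError(f"unexpected XDMCP version {version}")
    if len(pkt) - 6 != length:
        raise ValueError("header length does not match packet size")
    result = {"opcode": OPCODES.get(opcode, opcode)}
    if opcode != 5:
        return result
    off = 6
    auth, off = _read_array8(pkt, off)
    host, off = _read_array8(pkt, off)
    status, off = _read_array8(pkt, off)
    result.update(authentication=auth.decode("latin-1"),
                  hostname=host.decode("latin-1"),
                  status=status.decode("latin-1"))
    return result


def probe(manager_ip: str, timeout: float = 3.0) -> dict:
    """Send a unicast Query to the display manager and decode its answer.

    A timeout here, while fw monitor on the far side shows the Query
    arriving, points at the return path (NAT, routing, policy) rather
    than at the outbound encryption the SecureClient log already confirms.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(2), (manager_ip, XDMCP_PORT))
        data, peer = sock.recvfrom(4096)
    finally:
        sock.close()
    reply = parse_reply(data)
    reply["from"] = peer[0]
    return reply


# Constructed sample Willing reply (not captured from a real host):
# header: version 1, opcode 5, length 31; empty auth name;
# hostname "unixbox"; status "1 user, load: 0.05".
SAMPLE_WILLING = (b"\x00\x01\x00\x05\x00\x1f"
                  + b"\x00\x00"
                  + b"\x00\x07unixbox"
                  + b"\x00\x121 user, load: 0.05")

if __name__ == "__main__":
    print(parse_reply(SAMPLE_WILLING))
    # Live use (placeholder address for the manager in the encryption domain):
    # print(probe("192.168.2.1"))
```

Run it once on the LAN and once over the VPN; if the unicast Query gets a Willing in both cases but Exceed still fails, the remaining difference is the directed broadcast itself, which is worth checking in fw monitor before touching any more rules.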
