Thanks, Martin. I'll try those. I did find a CP article about NAT issues
with X-Windows, but I forgot to mention we are using Office Mode, so I don't
think that would be the problem. I forgot about srfw though, I'll give it a
try.
I'm seeing absolutely no traffic from the Unix boxes back to SecureClient on
the R55 firewall. Nothing at all. Since I know the routing is correct, it
feels like the XDMCP broadcasts aren't getting through to the Unix boxes. I
do see the broadcasts getting through on SmartView tracker.
Ray
From: Martin Hoz <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Running Hummingbird Exceed through SecureClient?
Date: Sat, 10 Sep 2005 22:02:13 -0500
On 9/9/05, Ray <[EMAIL PROTECTED]> wrote:
> I'm trying to get Exceed 2006, an X-Windows client to some Unix boxes,
> working over SecureClient. As long as I'm not VPNed in and I'm on the LAN,
> it works fine so I know I have the desktop security policy right.
>
> When I fire up Exceed, it is set to do an XDMCP broadcast to 192.168.2.255
> rather than its default broadcast address of 255.255.255.255. I couldn't get
> the default to work on just the LAN for whatever reason. The Unix boxes are
> in another state.
>
> Watching the SecureClient log viewer, I see the broadcast go out with an
> Encrypt action but nothing comes back from the server on 192.168.2.1. When I
> watch the log viewer on the LAN, I can see the Unix box come back
> immediately with its X-11 traffic and I get the correct login screens.
>
> The 192.168.2.0/24 network is part of the encryption domain and I can ping
> the Unix box or telnet to it when VPNed in. I had explicit rules to allow
> X-11 traffic before any "any service" rules and that didn't help. I even
> made the dbedit change so FW-1 won't reject X-11 traffic. I even put a
> laptop with a static IP on the FW-1 internal interface network just to
> assure myself that all of the routing is correct.
>
> Frankly, I'm totally stumped. It feels like FW-1 is not allowing the
> 192.168.2.255 broadcast out even though it's showing Encrypt.
>
> Any guesses would be greatly appreciated.
>
Wow! It's been literally more than 5 years since the last time I used
Exceed! - Good to know they're still in business. I loved that product!
I'd use srfw monitor in the client to see whether the traffic is being
encapsulated correctly and then fw monitor in the other-side firewall
to see if the VPN is getting the packet through. Once you have that,
make sure that the X-Server is answering
correctly and the packet is encrypted back. Once again, fw monitor should
carry the gossip on whether this is being done or not. Take a special
look at any NAT going on over there.
I'd try and use Office Mode, just to make sure it's not something
related to NATted traffic, and as well to make the
source/destination rules in the firewall more "manageable" with
regards to this.
HTH.
- Martín..
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
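An added example to go with the exchange above (it is not Hummingbird's, Check Point's, or any list member's code): the first thing Exceed does is send an XDMCP Query or BroadcastQuery on UDP/177, and the Unix box answers with a Willing datagram. Encoding and decoding those two packets in a small standalone tool makes it easy to tell, alongside an srfw monitor / fw monitor capture, whether the query actually leaves the SecureClient side and whether anything resembling a Willing comes back through the VPN. Opcodes and field layout follow the XDMCP spec; the 192.0.2.10 address at the bottom is a constructed placeholder, not the poster's network.

```python
"""XDMCP Query / Willing codec for checking the exchange discussed in this thread.

Added example, not Hummingbird Exceed, Check Point or any list member's code.
Wire format per the XDMCP spec: CARD16 version (=1), CARD16 opcode,
CARD16 data length, then opcode-specific data; everything big-endian.
ARRAY8 = CARD16 length + bytes; ARRAYofARRAY8 = CARD8 count + ARRAY8s.
"""
import socket
import struct

XDMCP_VERSION = 1
XDMCP_PORT = 177
OP_BROADCAST_QUERY, OP_QUERY, OP_WILLING, OP_UNWILLING = 1, 2, 5, 6


def _array8(b: bytes) -> bytes:
    """ARRAY8: CARD16 length followed by the raw bytes."""
    return struct.pack("!H", len(b)) + b


def _header(opcode: int, data: bytes) -> bytes:
    return struct.pack("!HHH", XDMCP_VERSION, opcode, len(data)) + data


def build_query(broadcast: bool = False, auth_names=()) -> bytes:
    """Query / BroadcastQuery: data is an ARRAYofARRAY8 of authentication
    names. A client such as Exceed normally sends an empty list."""
    data = struct.pack("!B", len(auth_names)) + b"".join(_array8(n) for n in auth_names)
    return _header(OP_BROADCAST_QUERY if broadcast else OP_QUERY, data)


def build_willing(hostname: bytes, status: bytes, auth_name: bytes = b"") -> bytes:
    """Willing reply as a display manager sends it: auth name, hostname,
    status. Useful for a lab responder when the real Unix box is unreachable."""
    return _header(OP_WILLING, _array8(auth_name) + _array8(hostname) + _array8(status))


def _take_array8(buf: bytes, off: int):
    if off + 2 > len(buf):
        raise ValueError("truncated ARRAY8 length")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated ARRAY8 body")
    return buf[off:off + n], off + n


def parse_reply(pkt: bytes) -> dict:
    """Decode a Willing/Unwilling datagram. Version, declared length and each
    field are validated so a malformed packet raises instead of being misread."""
    if len(pkt) < 6:
        raise ValueError("short XDMCP header")
    version, opcode, length = struct.unpack_from("!HHH", pkt, 0)
    if version != XDMCP_VERSION:
        raise ValueError(f"unexpected XDMCP version {version}")
    body = pkt[6:]
    if len(body) != length:
        raise ValueError("length field does not match datagram size")
    fields, off = {}, 0
    if opcode == OP_WILLING:
        fields["auth_name"], off = _take_array8(body, off)
    elif opcode != OP_UNWILLING:
        raise ValueError(f"not a Willing/Unwilling reply (opcode {opcode})")
    fields["hostname"], off = _take_array8(body, off)
    fields["status"], off = _take_array8(body, off)
    if off != len(body):
        raise ValueError("trailing bytes after last field")
    return {"opcode": "Willing" if opcode == OP_WILLING else "Unwilling",
            **{k: v.decode("latin-1") for k, v in fields.items()}}


def probe(target: str, broadcast: bool = False, timeout: float = 3.0):
    """Send one Query and wait for the first reply; None on timeout.
    Run it on the SecureClient side while srfw monitor / fw monitor capture,
    so a missing reply can be placed on one side of the VPN or the other."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if broadcast:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_query(broadcast), (target, XDMCP_PORT))
        try:
            pkt, peer = s.recvfrom(4096)
        except socket.timeout:
            return None
        return peer[0], parse_reply(pkt)


if __name__ == "__main__":
    # Constructed placeholder; substitute the display manager's address or
    # the subnet broadcast address Exceed is configured with.
    print(probe("192.0.2.10") or "no Willing within timeout: check VPN / NAT / UDP 177 path")
```

A Query that shows as Encrypt in the SecureClient log but never produces a Willing on the client side narrows the problem to the gateway, the return path (NAT on the reply), or the display manager not listening on UDP/177; a Willing that decodes cleanly here but still leaves Exceed without a login screen points at the later TCP/6000+ X11 connection instead.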