X11 protocol uses back connections to the clients...make sure that you have a 
firewall policy that allows back connections from the X11 (Unix) server back to 
SecureClients.
Also on some newer versions of AIX you need to make sure the client has an 
entry in DNS or the local hosts file on the Unix side.
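
The two halves of the session discussed in this thread (the XDMCP query going out, and the Unix host connecting back to the client's X display), as an added example that is not part of anyone's post: a small Python check over constructed firewall log lines that reports whether the back connection to TCP 6000+display was ever seen or was dropped. The log format, addresses and port numbers below are assumptions.

```python
# Added example (not from the thread): check a connection log for both halves
# of an XDMCP/X11 session. The log line format is an assumption:
#   "<action> <proto> <src-ip>:<sport> -> <dst-ip>:<dport>"
from dataclasses import dataclass

XDMCP_PORT = 177        # XDMCP query/broadcast: client -> display manager (UDP)
X11_BASE_PORT = 6000    # the X server on the client listens on TCP 6000 + display

@dataclass(frozen=True)
class Flow:
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

def parse_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow."""
    action, proto, rest = line.split(maxsplit=2)
    src, dst = (p.strip() for p in rest.split("->"))
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(action.lower(), proto.upper(), src_ip, int(sport), dst_ip, int(dport))

def session_status(lines, client_ip, display=0):
    """Report which half of the X session the log shows for client_ip."""
    flows = [parse_line(l) for l in lines if l.strip()]
    x11_port = X11_BASE_PORT + display
    out = [f for f in flows
           if f.proto == "UDP" and f.src == client_ip and f.dport == XDMCP_PORT]
    back = [f for f in flows
            if f.proto == "TCP" and f.dst == client_ip and f.dport == x11_port]
    return {
        "xdmcp_out": any(f.action in ("accept", "encrypt") for f in out),
        "x11_back_seen": bool(back),
        "x11_back_blocked": any(f.action in ("drop", "reject") for f in back),
    }

# Constructed logs. VPN case: the broadcast goes out encrypted, nothing returns.
VPN_LOG = [
    "Encrypt UDP 10.0.0.5:1024 -> 192.168.2.255:177",
]
# LAN case: the Unix host at 192.168.2.1 connects back to the client's display.
LAN_LOG = [
    "Accept UDP 192.168.2.50:1024 -> 192.168.2.255:177",
    "Accept TCP 192.168.2.1:40001 -> 192.168.2.50:6000",
]

if __name__ == "__main__":
    print("VPN:", session_status(VPN_LOG, "10.0.0.5"))
    print("LAN:", session_status(LAN_LOG, "192.168.2.50"))
```

If the forward XDMCP flow shows as encrypted but no TCP flow to the client's display port appears at all, the problem is the return path (routing, NAT or a missing rule for the back connection), not the outbound policy.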

Ray <[EMAIL PROTECTED]> wrote:
Thanks, Martin. I'll try those. I did find a CP article about NAT issues 
with X-Windows, but I forgot to mention we are using Office Mode, so I don't 
think that would be the problem. I forgot about srfw though, I'll give it a 
try.

I'm seeing absolutely no traffic from the Unix boxes back to SecureClient on 
the R55 firewall. Nothing at all. Since I know the routing is correct, it 
feels like the XDMCP broadcasts aren't getting through to the Unix boxes. I 
do see the broadcasts getting through on SmartView tracker.

Ray

>From: Martin Hoz 
>Reply-To: Mailing list for discussion of Firewall-1 
>
>To: [email protected]
>Subject: Re: [FW-1] Running Hummingbird Exceed through SecureClient?
>Date: Sat, 10 Sep 2005 22:02:13 -0500
>
>On 9/9/05, Ray wrote:
> > I'm trying to get Exceed 2006, an X-Windows client to some Unix boxes,
> > working over SecureClient. As long as I'm not VPNed in and I'm on the 
>LAN,
> > it works fine so I know I have the desktop security policy right.
> >
> > When I fire up Exceed, it is set to do an XDMCP broadcast to 
>192.168.2.255
> > rather than its default broadcast address of 255.255.255.255. I couldn't 
>get
> > the default to work on just the LAN for whatever reason. The Unix boxes 
>are
> > in another state.
> >
> > Watching the SecureClient log viewer, I see the broadcast go out with an
> > Encrypt action but nothing comes back from the server on 192.168.2.1. 
>When I
> > watch the log viewer on the LAN, I can see the Unix box come back
> > immediately with its X-11 traffic and I get the correct login screens.
> >
> > The 192.168.2.0/24 network is part of the encryption domain and I can 
>ping
> > the Unix box or telnet to it when VPNed in. I had explicit rules to 
>allow
> > X-11 traffic before any "any service" rules and that didn't help. I even
> > made the dbedit change so FW-1 won't reject X-11 traffic. I even put a
> > laptop with a static IP on the FW-1 internal interface network just to
> > assure myself that all of the routing is correct.
> >
> > Frankly, I'm totally stumped. It feels like FW-1 is not allowing the
> > 192.168.2.255 broadcast out even though it's showing Encrypt.
> >
> > Any guesses would be greatly appreciated.
> >
>
>Wow! It's been literally more than 5 years since the last time I used
>Exceed! - Good to know they're still in business. I loved that product!
>
>I'd use srfw monitor in the client to see whether the traffic is being
>encapsulated correctly and then fw monitor in the other-side firewall
>to see if the VPN is getting the packet through. Once you have that,
>make sure that the X-Server is answering
>correctly and the packet is encrypted back. Once again, fw monitor should
>carry the gossip on whether this is being done or not. Take special
>look on any NAT going on over there.
>
>I'd try and use Office Mode, just to make sure it's not something
>related to NATted traffic, and as well to make the
>source/destination rules in the firewall more "manageable" with
>regards to this.
>
>HTH.
>
>- Martín..
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================

