Thanks, Rajeev,
Unfortunately I've already done that. I've got the "[EMAIL PROTECTED]" desktop
security policy working fine with Exceed (the policy in effect when not
VPNed in) so I just duplicated it for the SecureClient user group that is
allowed to use Exceed and access those servers while VPNed in.
There is something weird, though, with SmartView Tracker. I have a network
object named
net-ProcessControl
defined as
192.168.2.0 255.255.255.0 - include broadcast - Hide NAT behind the gateway
(I did try it with and without any NAT and it made no difference)
yet when I try to use it to filter on the Source or Destination column in
SmartView Tracker I see all of the traffic traversing the firewall. It's
like the firewall doesn't know what that network object does.
Take care,
Ray
From: Rajeev Gupta <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Running Hummingbird Exceed through SecureClient?
Date: Sun, 11 Sep 2005 09:53:23 -0400
I had the same issue a couple of months back and found CP had a solution
sk21432, "Exceed Hummingbird does not work through SecuRemote" and had to
add a rule to allow back connections from server to client for tcp high
ports from server to client and it of course worked.
hth,
Rajeev
On 9/9/05, Ray <[EMAIL PROTECTED]> wrote:
>
> I'm trying to get Exceed 2006, an X-Windows client to some Unix boxes,
> working over SecureClient. As long as I'm not VPNed in and I'm on the LAN,
> it works fine so I know I have the desktop security policy right.
>
> When I fire up Exceed, it is set to do an XDMCP broadcast to 192.168.2.255
> rather than its default broadcast address of 255.255.255.255.
> I couldn't get
> the default to work on just the LAN for whatever reason. The Unix boxes
> are
> in another state.
>
> Watching the SecureClient log viewer, I see the broadcast go out with an
> Encrypt action but nothing comes back from the server on 192.168.2.1.
> When I
> watch the log viewer on the LAN, I can see the Unix box come back
> immediately with its X-11 traffic and I get the correct login screens.
>
> The 192.168.2.0/24 network is part of the
> encryption domain and I can ping
> the Unix box or telnet to it when VPNed in. I had explicit rules to allow
> X-11 traffic before any "any service" rules and that didn't help. I even
> made the dbedit change so FW-1 won't reject X-11 traffic. I even put a
> laptop with a static IP on the FW-1 internal interface network just to
> assure myself that all of the routing is correct.
>
> Frankly, I'm totally stumped. It feels like FW-1 is not allowing the
> 192.168.2.255 broadcast out even though it's
> showing Encrypt.
>
> Any guesses would be greatly appreciated.
>
> Thanks,
>
> Ray
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
--
Rajeev Gupta
CISSP, CCMSE+VSX
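As an added example that is not part of this thread or of Check Point's own tooling: a small Python check that applies Rajeev's diagnosis to firewall-style log records, correlating a client's outbound XDMCP request (UDP 177) with the X11 back connections the X server then opens toward the client (TCP 6000 + display number) and reporting the ones the firewall did not pass. The key=value log format, the 10.10.10.5 client address and the 6000-6063 display port range are assumptions.

```python
from dataclasses import dataclass

XDMCP_PORT = 177       # UDP: X client (Exceed) -> display manager, the outbound request
X11_PORT_BASE = 6000   # TCP: X server -> client, port 6000 + display number
X11_MAX_DISPLAYS = 64  # displays 0..63, i.e. ports 6000..6063 (assumed range)
PASS_ACTIONS = {"accept", "encrypt", "decrypt"}  # actions that let traffic through

@dataclass(frozen=True)
class LogRecord:
    src: str
    dst: str
    proto: str
    dport: int
    action: str

def parse_line(line: str) -> LogRecord:
    """Parse one constructed key=value log line."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return LogRecord(kv["src"], kv["dst"], kv["proto"].lower(),
                     int(kv["dport"]), kv["action"].lower())

def is_x11_back_connection(rec: LogRecord) -> bool:
    """True when rec is a TCP connection to an X11 display port."""
    return rec.proto == "tcp" and X11_PORT_BASE <= rec.dport < X11_PORT_BASE + X11_MAX_DISPLAYS

def find_blocked_back_connections(records):
    """(server, client, display, action) for each X11 back connection toward a
    client that sent an XDMCP request (unicast or broadcast) and was not passed."""
    xdmcp_clients = {r.src for r in records if r.proto == "udp" and r.dport == XDMCP_PORT}
    return [(r.src, r.dst, r.dport - X11_PORT_BASE, r.action) for r in records
            if is_x11_back_connection(r) and r.dst in xdmcp_clients
            and r.action not in PASS_ACTIONS]

def ports_to_allow(blocked):
    """Distinct TCP ports a server-to-client allow rule would have to cover."""
    return sorted({X11_PORT_BASE + display for _, _, display, _ in blocked})

# Constructed sample log: 10.10.10.5 stands in for the SecureClient address,
# 192.168.2.x for the Unix boxes inside the encryption domain.
SAMPLE_LOG = [
    "src=10.10.10.5 dst=192.168.2.255 proto=udp dport=177 action=encrypt",
    "src=192.168.2.1 dst=10.10.10.5 proto=tcp dport=6000 action=drop",
    "src=192.168.2.1 dst=10.10.10.5 proto=tcp dport=23 action=accept",
    "src=192.168.2.7 dst=10.10.10.9 proto=tcp dport=6001 action=accept",
]

if __name__ == "__main__":
    blocked = find_blocked_back_connections([parse_line(l) for l in SAMPLE_LOG])
    print(blocked, ports_to_allow(blocked))
```

On the sample log the only flagged record is the dropped connection from 192.168.2.1 back to the client on display :0, which is exactly the symptom the sk21432 rule addresses.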