Not in the desktop policy, but you need this rule in your security policy from the server to client. That is exactly what happened with my dept: engineers kept creating the rule in the desktop policy until I had them do it in the security policy.

hth,
Rajeev

On 9/11/05, Ray <[EMAIL PROTECTED]> wrote:
>
> Thanks, Rajeev,
>
> Unfortunately I've already done that. I've got the "[EMAIL PROTECTED]" desktop
> security policy working fine with Exceed (the policy in effect when not
> VPNed in) so I just duplicated it for the SecureClient user group that is
> allowed to use Exceed and access those servers while VPNed in.
>
> There is something weird, though, with SmartView Tracker. I have a network
> object named
>
> net-ProcessControl
>
> defined as
>
> 192.168.2.0 255.255.255.0 - include broadcast - Hide NAT behind the gateway
> (I did try it with and without any NAT and it made no difference)
>
> yet when I try to use it to filter on the Source or Destination column in
> SmartView Tracker I see all of the traffic traversing the firewall. It's
> like the firewall doesn't know what that network object does.
>
> Take care,
>
> Ray
>
> >From: Rajeev Gupta <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Running Hummingbird Exceed through SecureClient?
> >Date: Sun, 11 Sep 2005 09:53:23 -0400
> >
> >I had the same issue a couple of months back and found CP had a solution
> >sk21432, "Exceed Hummingbird does not work through SecuRemote" and had to
> >add a rule to allow back connections from server to client for tcp high
> >ports from server to client and it of course worked.
> >
> >hth,
> >
> >Rajeev
> >
> >
> >On 9/9/05, Ray <[EMAIL PROTECTED]> wrote:
> > >
> > > I'm trying to get Exceed 2006, an X-Windows client to some Unix boxes,
> > > working over SecureClient. As long as I'm not VPNed in and I'm on the LAN,
> > > it works fine so I know I have the desktop security policy right.
> > >
> > > When I fire up Exceed, it is set to do an XDMCP broadcast to 192.168.2.255
> > > rather than its default broadcast address of 255.255.255.255.
> > > I couldn't get the default to work on just the LAN for whatever reason.
> > > The Unix boxes are in another state.
> > >
> > > Watching the SecureClient log viewer, I see the broadcast go out with an
> > > Encrypt action but nothing comes back from the server on 192.168.2.1.
> > > When I watch the log viewer on the LAN, I can see the Unix box come back
> > > immediately with its X-11 traffic and I get the correct login screens.
> > >
> > > The 192.168.2.0/24 network is part of the encryption domain and I can ping
> > > the Unix box or telnet to it when VPNed in. I had explicit rules to allow
> > > X-11 traffic before any "any service" rules and that didn't help. I even
> > > made the dbedit change so FW-1 won't reject X-11 traffic. I even put a
> > > laptop with a static IP on the FW-1 internal interface network just to
> > > assure myself that all of the routing is correct.
> > >
> > > Frankly, I'm totally stumped. It feels like FW-1 is not allowing the
> > > 192.168.2.255 broadcast out even though it's showing Encrypt.
> > >
> > > Any guesses would be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Ray
> >
> >--
> >Rajeev Gupta
> >CISSP, CCMSE+VSX
>

--
Rajeev Gupta
CISSP, CCMSE+VSX

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
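
The rule direction discussed in this thread, as an added example that is not part of the original messages: a toy first-match rulebase with connection tracking (not Check Point's engine or rule syntax) showing why telnet works over the VPN while the server's X11 connection back to the client is dropped until a server-to-client rule for TCP high ports exists. The client pool 10.99.0.0/24, the sample packets and the names `Rule` and `evaluate` are assumptions; 6000/tcp is where an X server for display :0 listens.

```python
import ipaddress
from dataclasses import dataclass

SERVERS = "192.168.2.0/24"  # net-ProcessControl, from the thread
CLIENTS = "10.99.0.0/24"    # assumed SecureClient address pool (constructed)

@dataclass(frozen=True)
class Rule:
    src: str      # source network, CIDR
    dst: str      # destination network, CIDR
    proto: str    # "tcp" or "udp"
    ports: range  # allowed destination ports

def _in(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def evaluate(rules, packets):
    """Replies on an accepted flow pass via the state table; a NEW connection
    must match a rule written for its own direction, whoever 'the client' is."""
    state, verdicts = set(), []
    for src, dst, proto, sport, dport in packets:
        if (dst, dport, src, sport, proto) in state:  # reverse of a known flow
            verdicts.append("accept (reply)")
            continue
        hit = any(_in(src, r.src) and _in(dst, r.dst)
                  and proto == r.proto and dport in r.ports for r in rules)
        if hit:
            state.add((src, sport, dst, dport, proto))
        verdicts.append("accept" if hit else "drop")
    return verdicts

# Constructed sample traffic: (src, dst, proto, sport, dport)
PACKETS = [
    ("10.99.0.5", "192.168.2.1", "tcp", 40000, 23),    # telnet, client -> server
    ("192.168.2.1", "10.99.0.5", "tcp", 23, 40000),    # telnet reply
    ("192.168.2.1", "10.99.0.5", "tcp", 35000, 6000),  # X11: server opens a new
]                                                      # connection to the client

# Rules only in the client -> server direction (the situation Ray describes).
CLIENT_ONLY = [Rule(CLIENTS, SERVERS, "tcp", range(1, 65536)),
               Rule(CLIENTS, SERVERS, "udp", range(1, 65536))]
# Added back-connection rule, scoped to server net -> client pool, TCP > 1023.
WITH_BACK_RULE = CLIENT_ONLY + [Rule(SERVERS, CLIENTS, "tcp", range(1024, 65536))]

if __name__ == "__main__":
    print("client-only rules:", evaluate(CLIENT_ONLY, PACKETS))
    print("with back rule   :", evaluate(WITH_BACK_RULE, PACKETS))
```

Scoping the back rule to the server network and the VPN client pool, rather than any source, keeps the exposure of the clients' X servers limited to the hosts that need it.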
