I am glad to know it, Ray!

On 9/22/05, Ray <[EMAIL PROTECTED]> wrote:
>
> Bingo! That was it.
>
> Thank you VERY much!
>
> Ray
>
> >From: Rajeev Gupta <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: Re: [FW-1] Running Hummingbird Exceed through SecureClient?
> >Date: Sun, 11 Sep 2005 14:25:33 -0400
> >
> >Not in the desktop policy but you need this rule in your security policy
> >from the server to client. That is exactly what happened with my dept
> >engineers kept creating rule in the desktop policy until I had them do in
> >the security policy.
> >
> >hth,
> >
> >Rajeev
> >
> >On 9/11/05, Ray <[EMAIL PROTECTED]> wrote:
> > >
> > > Thanks, Rajeev,
> > >
> > > Unfortunately I've already done that. I've got the "[EMAIL PROTECTED]"
> > > desktop security policy working fine with Exceed (the policy in effect
> > > when not VPNed in) so I just duplicated it for the SecureClient user
> > > group that is allowed to use Exceed and access those servers while
> > > VPNed in.
> > >
> > > There is something weird, though, with SmartView Tracker. I have a
> > > network object named
> > >
> > > net-ProcessControl
> > >
> > > defined as
> > >
> > > 192.168.2.0 255.255.255.0 - include broadcast - Hide NAT behind the gateway
> > > (I did try it with and without any NAT and it made no difference)
> > >
> > > yet when I try to use it to filter on the Source or Destination column
> > > in SmartView Tracker I see all of the traffic traversing the firewall.
> > > It's like the firewall doesn't know what that network object does.
> > >
> > > Take care,
> > >
> > > Ray
> > >
> > > >From: Rajeev Gupta <[EMAIL PROTECTED]>
> > > >Reply-To: Mailing list for discussion of Firewall-1
> > > ><[email protected]>
> > > >To: [email protected]
> > > >Subject: Re: [FW-1] Running Hummingbird Exceed through SecureClient?
> > > >Date: Sun, 11 Sep 2005 09:53:23 -0400
> > > >
> > > >I had the same issue a couple of months back and found CP had a
> > > >solution sk21432, "Exceed Hummingbird does not work through
> > > >SecuRemote" and had to add a rule to allow back connections from
> > > >server to client for tcp high ports from server to client and it of
> > > >course worked.
> > > >
> > > >hth,
> > > >
> > > >Rajeev
> > > >
> > > >On 9/9/05, Ray <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > I'm trying to get Exceed 2006, an X-Windows client to some Unix
> > > > > boxes, working over SecureClient. As long as I'm not VPNed in and
> > > > > I'm on the LAN, it works fine so I know I have the desktop security
> > > > > policy right.
> > > > >
> > > > > When I fire up Exceed, it is set to do an XDMCP broadcast to
> > > > > 192.168.2.255 rather than its default broadcast address of
> > > > > 255.255.255.255. I couldn't get the default to work on just the LAN
> > > > > for whatever reason. The Unix boxes are in another state.
> > > > >
> > > > > Watching the SecureClient log viewer, I see the broadcast go out
> > > > > with an Encrypt action but nothing comes back from the server on
> > > > > 192.168.2.1. When I watch the log viewer on the LAN, I can see the
> > > > > Unix box come back immediately with its X-11 traffic and I get the
> > > > > correct login screens.
> > > > >
> > > > > The 192.168.2.0/24 network is part of the encryption domain and I
> > > > > can ping the Unix box or telnet to it when VPNed in. I had explicit
> > > > > rules to allow X-11 traffic before any "any service" rules and that
> > > > > didn't help. I even made the dbedit change so FW-1 won't reject
> > > > > X-11 traffic. I even put a laptop with a static IP on the FW-1
> > > > > internal interface network just to assure myself that all of the
> > > > > routing is correct.
> > > > >
> > > > > Frankly, I'm totally stumped. It feels like FW-1 is not allowing
> > > > > the 192.168.2.255 broadcast out even though it's showing Encrypt.
> > > > >
> > > > > Any guesses would be greatly appreciated.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Ray
> > > >
> > > >--
> > > >Rajeev Gupta
> > > >CISSP, CCMSE+VSX
> >
> >--
> >Rajeev Gupta
> >CISSP, CCMSE+VSX

--
Rajeev Gupta
CISSP, CCMSE+VSX

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
