I've been reading this thread and now I'm confused. Not on how this is supposed to work but on how the terminology is being used; it seems like POOL is being used to describe the encryption domain.

When someone says POOL in reference to Check Point I'm thinking one of two things: IP POOL NAT or OFFICE MODE IP POOL. In the case of IP POOL NAT these can be used for Gateway to Gateway or for Remote Access. These are allowed as a global property (NAT) and then assigned on gateways; encrypted connections are translated to these IP addresses to help eliminate asynchronous routing.

The only other mention of POOL has to do with Office Mode IP POOL. Now, with Office Mode it is important that these networks are NOT part of your Remote Access encryption domain. These addresses are assigned to your clients on the client side, so think of them as the remote encryption domain. Also, if you want to use a subset of your existing internal address space for your Office Mode addresses then you need to also make sure that the topology for all of the internal interfaces does NOT include these networks. You can do this by using Groups with Exclusions. The exclusions will be the Office Mode networks.

Finally, you'll have to make sure that if you use any generalized routes like 10/8 pointing to a router inside, and your Office Mode network is 10.10.10.0/24, you specifically add a route on your gateways so that 10.10.10.0/24 does not point to the inside router. It doesn't really matter where you point the route as long as it's being reflected externally; in general I point this to the default gateway. As a general practice I use different Office Mode networks from my local networks/encryption domain networks so that I don't have to do this. With larger networks I had to use the Group with Exclusions frequently.

Also note that if you're using both Office Mode and IP POOL NAT, by default the Office Mode addresses will be NATted to the IP POOL NAT addresses too. You can prevent this by creating a No NAT rule for the Office Mode network, or by setting the om_prevent_ippool_nat_for_users property to true in objects_5_0.C on the management server.
Compuquip TECHNOLOGIES
"Providing Solutions Since 1980"
David Barker
Senior Security Engineer
Internet Security Division
Phone: 305.436.7272 X 1364
Fax: 305.436.9149
email: [EMAIL PROTECTED]

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of cp user
Sent: Saturday, October 08, 2005 5:46 PM
To: [email protected]
Subject: Re: [FW-1] Office Mode & SecureClient

Hi Bill,

This means that the "POOL" network object (internal addresses that will be assigned to remote clients) is located in a group that is defined as VPN domain.

--- Bill Smith <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> what do you mean by network pool BEHIND YOUR VPN DOMAIN.
> Could you please expand a bit?
>
> Thx,
>
> Bill
>
> cp user <[EMAIL PROTECTED]> wrote:
> > Be sure to put your SecureClient NETWORK POOL behind
> > your VPN Domain.
> > As Mike says it's probably "address spoofing".
>
> I set the SecureClient network pool behind my VPN domain but the
> problem is still here!! What may I do please?
>
> > -----Original Message-----
> > From: Sahli, Mike [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 06 October 2005 07:42 a.m.
> > To: [email protected]
> > Subject: Re: [FW-1] Office Mode & SecureClient
> >
> > Your problem is probably "address spoofing". Check your logs for all
> > traffic coming in from a known client that is failing.
> >
> > Michael D Sahli
> > Sr. Network Engineer
> > Lockheed Martin IT @ SMECO
> >
> > -----Original Message-----
> > From: cp user [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, October 06, 2005 7:54 AM
> > To: [email protected]
> > Subject: [FW-1] Office Mode & SecureClient
> >
> > Hi list,
> >
> > I configured Office Mode with IP Pool on the gateway side.
> > Once I check "Support Office Mode" on my SecureClient, it can no
> > longer log on to the policy server and download policy. The "Connect" returns:
> > Connecting to gateway...
> > Negociation succeeded, tunnel test failed
> > Connected to gateway: MyGW
> > Login on to policy server MyServer...
> > Logon to policy server failed.
> > Connection succeeded.
> >
> > I try again to log on to the policy server. But this fails with the
> > following message: "SecureClient failed to communicate with policy
> > server MyServer at site MySite".
> >
> > Logs return:
> > Connecting to site MySite using profile MySite
> > Interface change: VPN-1 SecureClient Adapter - Miniport d'ordonnancement de paquets interface added, current ip: 192.168.34.65
> > Default Desktop Security Policy Loaded
> > SecureClient failed to communicate with Policy Server MyServer at site MySite
> > Successfully connected to site
> >
> > Any idea is welcome!
> >
> > Many thanks
> >
> > ___________________________________________________________________________
> > FREE audio calls anywhere in the world with the new Yahoo! Messenger.
> > Download this version at http://fr.messenger.yahoo.com
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions
> > at http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription
> > options, email [EMAIL PROTECTED]
> > =================================================
>
> === message truncated ===
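As an added illustration of the three checks in David Barker's reply at the top of this thread (the Office Mode pool must lie outside the Remote Access encryption domain, must be carved out of the internal interface topology with a Group with Exclusions, and must not be caught by a generalized route pointing at an inside router), the Python below runs those checks against a constructed topology. This is example code written for this page, not Check Point tooling and not part of the thread; the interface names, networks, next hops and route table are made-up values, and the Group with Exclusions is approximated by subtracting the pool from each interface network.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed example topology: hypothetical values, not from the thread.
# Internal interfaces of the gateway and the networks each one is declared
# to sit behind (the interface "topology").
INTERNAL_INTERFACES: Dict[str, List[str]] = {
    "eth1": ["10.0.0.0/8"],
    "eth2": ["192.168.50.0/24"],
}
# Remote Access encryption (VPN) domain.
ENCRYPTION_DOMAIN: List[str] = ["10.0.0.0/8", "192.168.50.0/24"]
# Office Mode pool handed to SecureClient users; deliberately a subset of 10/8.
OFFICE_MODE_POOL = "10.10.10.0/24"
# Static routes as (destination, next hop). 10.0.0.254 is an inside router,
# 203.0.113.1 the external default gateway (both constructed).
STATIC_ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "10.0.0.254"),
    ("0.0.0.0/0", "203.0.113.1"),
]


def overlapping(pool: str, networks: List[str]) -> List[str]:
    """Networks in the list that share any address with the pool."""
    p = ipaddress.ip_network(pool)
    return [n for n in networks if ipaddress.ip_network(n).overlaps(p)]


def with_exclusions(networks: List[str], pool: str) -> List[str]:
    """Subtract the pool from a list of networks; this is what a Group with
    Exclusions (the group minus the Office Mode networks) expresses."""
    p = ipaddress.ip_network(pool)
    carved = []
    for n in networks:
        net = ipaddress.ip_network(n)
        if net.subnet_of(p):
            continue                                   # entirely inside the pool: drop
        if p.subnet_of(net):
            carved.extend(net.address_exclude(p))      # split the network around the pool
        else:
            carved.append(net)                         # disjoint: keep unchanged
    return [str(n) for n in sorted(carved)]


def route_for(routes: List[Tuple[str, str]], pool: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix-match route that traffic destined to the pool follows."""
    p = ipaddress.ip_network(pool)
    matches = [(ipaddress.ip_network(d), nh) for d, nh in routes
               if p.subnet_of(ipaddress.ip_network(d))]
    if not matches:
        return None
    dest, nh = max(matches, key=lambda r: r[0].prefixlen)
    return str(dest), nh


def next_hop_is_inside(next_hop: str, interfaces: Dict[str, List[str]]) -> bool:
    """True when the next hop lives on one of the internal interface networks."""
    addr = ipaddress.ip_address(next_hop)
    return any(addr in ipaddress.ip_network(n)
               for nets in interfaces.values() for n in nets)


def audit(interfaces: Dict[str, List[str]], encryption_domain: List[str],
          pool: str, routes: List[Tuple[str, str]]) -> List[str]:
    """Apply the three checks from the reply; returns human-readable findings."""
    findings = []
    clash = overlapping(pool, encryption_domain)
    if clash:
        findings.append(f"pool {pool} lies inside the Remote Access encryption "
                        f"domain ({', '.join(clash)})")
    bad = [name for name, nets in interfaces.items() if overlapping(pool, nets)]
    if bad:
        findings.append(f"pool {pool} lies inside the topology of {', '.join(bad)}; "
                        f"carve it out with a Group with Exclusions")
    route = route_for(routes, pool)
    if route and next_hop_is_inside(route[1], interfaces):
        findings.append(f"traffic to pool {pool} follows route {route[0]} via inside "
                        f"router {route[1]}; add a specific route for the pool that "
                        f"points elsewhere (e.g. the default gateway)")
    return findings


if __name__ == "__main__":
    for finding in audit(INTERNAL_INTERFACES, ENCRYPTION_DOMAIN, OFFICE_MODE_POOL, STATIC_ROUTES):
        print("FINDING:", finding)
    # What the eth1 topology looks like once the pool is excluded.
    print("eth1 after exclusion:", with_exclusions(INTERNAL_INTERFACES["eth1"], OFFICE_MODE_POOL))
```

Running it against the constructed topology reports all three problems; applying the exclusion to both the interface topology and the encryption domain and adding a specific route for the pool via the external gateway clears them. Choosing a pool outside the internal address space (for example 172.16.100.0/24 here) needs none of these fixes, which is the "different Office Mode networks" practice the reply recommends.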
