Thanks, Chris. We're trying to stick to just one authentication scheme that doesn't involve user names and passwords.

Ray


From: "Covington, Chris" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
Subject: Re: [FW-1] R55 Clientless VPN questions
Date: Mon, 24 Oct 2005 13:54:54 -0400

How about setting up an Apache or Squid box in your DMZ to reverse proxy the site? Make sure some kind of authentication is required first, of course.

Chris

 -----Original Message-----
From:   Ray [mailto:[EMAIL PROTECTED]
Sent:   Sat Oct 22 12:36:18 2005
To:     [email protected]
Subject:        [FW-1] R55 Clientless VPN questions

We're running SecureClient with SCV activated and enforced. I have a need to
allow a few customers access to an internal web server via SSL but from any
IP address. I know I could use Connectra, but spending several thousand
dollars for just a few people is a bit expensive.

If I understand the R55 "Clientless VPN" capability correctly, it looks like
it could do the trick. I understand it's not really scalable but we're
talking about less than a dozen computers and at different times of the day
and night. I've got plenty of CPU and memory capacity available for the
security server that will be invoked.

Clientless VPN seems to be nothing more than using an ICA-generated client
certificate to authenticate a particular computer to the system, the same as
is done for gaining access to the ICA web interface on port 18265. Is this
correct?

Since there is only one remote access community and because we enforce SCV
compliance before allowing a connection with SecureClient, can I still use
the Clientless VPN? From the meager documentation I've found, it looks like
Clientless VPN is not really considered remote access like SecuRemote and
SecureClient are so SCV doesn't come into play.

Is Clientless VPN still supported in NGX?

Would it be better to set up the firewall to accept Microsoft's L2TP
connections? I would rather the outside companies just be able to open the
browser, go to the SSL URL and see their login page. We also don't want to
get into the hassle of installing any client software at all, like SNX. I
don't need those kinds of headaches.

Thanks for any help,

Ray

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
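
The reverse-proxy suggestion in this thread, combined with the wish for authentication that does not involve user names and passwords, could be met with TLS client certificates on an Apache httpd 2.4 virtual host. This is an added example, not configuration posted by anyone in the thread; the host names, file paths and the X-Client-DN header name are assumptions.

```apache
# Added example: Apache httpd 2.4 reverse proxy in the DMZ that admits only
# clients presenting a certificate issued by a private CA.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Every host name and path below is a hypothetical placeholder.
<VirtualHost *:443>
    ServerName portal.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/portal.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/portal.example.com.key

    # Trust only the private CA that issues the customers' certificates,
    # not the public CA bundle.
    SSLCACertificateFile  /etc/httpd/tls/customer-ca.crt

    # Refuse the TLS handshake unless a valid client certificate is presented.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Check the CA's CRL so a lost or retired certificate can be cut off.
    SSLCARevocationFile  /etc/httpd/tls/customer-ca.crl
    SSLCARevocationCheck chain

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    <Location "/">
        # Drop any client-supplied copy of the header, then pass the
        # verified certificate subject to the internal server.
        RequestHeader unset X-Client-DN
        RequestHeader set   X-Client-DN "%{SSL_CLIENT_S_DN}s"

        # Traffic to the internal server is plain HTTP in this sketch;
        # use https:// with SSLProxyEngine on if that segment is untrusted.
        ProxyPass        "http://intranet-web.internal.example/"
        ProxyPassReverse "http://intranet-web.internal.example/"
    </Location>
</VirtualHost>
```

Running `apachectl configtest` after editing catches syntax errors before a reload.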
