Hello there!

We have successfully managed to combine the stuff and achieved the functionality of the Cooperative Enforcement. Also we have used the same hardware as well as software as you have. Deployment process went just fine. During the testing phase we encountered similar malfunction of the Cooperative Enforcement. (SIC was successfully established, and clients were communicating with the IAS). After restarting the Interspect appliance everything went just fine. It is also noticeable that after pulling the cert the Interspect gateway's certificate appeared among the other certificates on the IAS in the certificate section.

best regards,

Aleks

fwguru wrote:

Fellow Gurus,
Have any of you implemented Integrity Server with InterSpect using
Cooperative Enforcement? We need some help trying to figure out the problem
we are having. Environment is InterSpect Appliance 210 running InterSpect
2.0 HF1 and Integrity 6.0 server is running on Windows 2003 SP1.
We are having an issue where any traffic from the protected zone traversing
the InterSpect box gets quarantined or blocked (depending on policy). Reason
is "Client does not have Integrity Client installed" and that is not true.
The client does have Integrity installed and the client is communicating
just fine with the Integrity Server.
The Integrity box and the InterSpect box can ping each other. I think the
fundamental problem is the SIC between the Integrity and the InterSpect
boxes. It should be a very simple process that we are following correctly;
however, the Integrity box never pulls the SIC cert from the InterSpect box.
In fact, we run fw monitor on the InterSpect box listening for traffic
between Integrity and ISpect. When we create the Gateway Entity object on
the Integrity box and click save, we see traffic from Integrity to ISpect on
dst port 5054. We are expecting it to communicate on port 18210
(fw1_ica_pull) to pull the cert, but this is not the case. The ISpect box
responds with a RST/ACK when it receives the 5054 comm (3-way handshake not
established).
Any clues as to why Integrity wants to pull a cert over port 5054 instead
of 18210? Is there another way to initialize SIC between these two boxes? By
the way, there is no way (that I know of) to test SIC from an InterSpect box
(there is no "test SIC" button). And you can't run any SIC commands on the
ISpect box, either.
Also, if we turn off Cooperative Enforcement everything is fine -- clients
can communicate from protected zone to backbone and beyond.
Any help would be appreciated.
Warm regards,
Neil Delacruz

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
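The symptom Neil describes (SYNs to port 5054 answered with RST/ACK, no attempt on 18210 / fw1_ica_pull) can be checked mechanically from a packet capture instead of by eye. The following is an added example, not code from either poster or from Check Point: it parses constructed tcpdump-style lines (the line format and the addresses are assumptions; real fw monitor output looks different) and reports the handshake outcome per destination port on the InterSpect side.

```python
import re

# Port named in the thread for the SIC certificate pull (fw1_ica_pull).
FW1_ICA_PULL = 18210

# Constructed tcpdump-style lines (not a real capture) mimicking the thread:
# Integrity (192.0.2.10) sends SYNs to InterSpect (192.0.2.20) on 5054 and
# gets RST/ACK back; nothing is ever attempted on 18210.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 192.0.2.10.49152 > 192.0.2.20.5054: Flags [S], seq 1
10:00:01.001 IP 192.0.2.20.5054 > 192.0.2.10.49152: Flags [R.], seq 0, ack 2
10:00:04.000 IP 192.0.2.10.49153 > 192.0.2.20.5054: Flags [S], seq 1
10:00:04.001 IP 192.0.2.20.5054 > 192.0.2.10.49153: Flags [R.], seq 0, ack 2
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def diagnose(capture, server_ip):
    """Track the TCP handshake outcome for every destination port on server_ip.

    Returns {"ports": {port: "no_answer" | "reset" | "established"},
             "ica_pull_attempted": bool}  (True if any SYN went to 18210).
    """
    state = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if dst == server_ip and "S" in flags and "." not in flags:
            state.setdefault(dport, "no_answer")      # client SYN, no reply yet
        elif src == server_ip and sport in state:
            if "R" in flags:
                state[sport] = "reset"                # server answered RST/ACK
            elif "S" in flags and "." in flags:
                state[sport] = "established"          # server answered SYN/ACK
    return {"ports": state, "ica_pull_attempted": FW1_ICA_PULL in state}


if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "192.0.2.20"))
```

On the sample above it reports port 5054 as "reset" and no attempt on 18210, which is exactly the condition that should prompt checking the SIC setup before looking at the Cooperative Enforcement policy.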