Hey!
|+-+-+-+-+-+-+-+-+-+-+|
| Integrity Clients |
|iAgent (XP/2K boxes) | --------------> Cisco C2950 -----------> FW-1/VPN-1
| 10.0.0.0/24 |
|+-+-+-+-+-+-+-+-+-+-+| | |
| | |
| | |
| | |
|+-+-+-+-+-+-+-+-+| | |
|IS Appliance 410 | ------------------------- |
| 10.0.0.65/24 | |
|in bridging mode | |+-+-+-+-+-+-+-+|
|+-+-+-+-+-+-+-+-+| | IAS 6.0 |
| | Server 2003 |
| | 10.0.0.124/24 |
| |+-+-+-+-+-+-+-+|
|
MGM
Integrity Antispyware add-on is now available!
btw, did you manage to test integrity agent for Linux?
Aleks
Hi Aleks,
We have also implemented said solution with other clients with much
success. This particular install, however, is not so lucky.
At first, we did have SIC established, but all clients would get
quarantined even if the Integrity client is installed. Reason for the
block/quarantine is "Client does not have Integrity installed." So we tried
to re-init SIC, and now we cannot. We did uninstall IAS 6 and went to IAS
5.1, and it worked fine -- SIC established right away.
The SK30075 describes this issue we are having and the solution says,
"Solution available, currently under investigation."
Can you give me a quick description of the network configuration you used?
The Integrity portion of this project works great. Awesome product!
Thank you very much,
Neil Delacruz
On 11/8/05, Aleks Feltin <[EMAIL PROTECTED]> wrote:
Hello there!
We have successfully managed to combine the stuff and achieved the
functionality of the Cooperative Enforcement. Also we have used the same
hardware as well as software as you have.
Deployment process went just fine. During the testing phase we
encountered a similar malfunction of the Cooperative Enforcement. (SIC was
successfully established, and clients were communicating with the IAS).
After restarting the Interspect appliance everything went just fine. It
is also noticeable that after pulling the cert the Interspect gateway's
certificate appeared among the other certificates on the IAS in the
certificate section.
best regards,
Aleks
fwguru wrote:
Fellow Gurus,
Have any of you implemented Integrity Server with InterSpect using
Cooperative Enforcement? We need some help trying to figure out the
problem we are having. Environment is InterSpect Appliance 210 running
InterSpect 2.0 HF1 and Integrity 6.0 server is running on Windows 2003
SP1.
We are having an issue where any traffic from the protected zone
traversing the InterSpect box gets quarantined or blocked (depending on
policy). Reason is "Client does not have Integrity Client installed" and
that is not true. The client does have Integrity installed and the client
is communicating just fine with the Integrity Server.
The Integrity box and the InterSpect box can ping each other. I think the
fundamental problem is the SIC between the Integrity and the InterSpect
boxes. It should be a very simple process that we are following
correctly; however, the Integrity box never pulls the SIC cert from the
InterSpect box.
In fact, we run fw monitor on the InterSpect box listening for traffic
between Integrity and ISpect. When we create the Gateway Entity object on
the Integrity box and click save, we see traffic from Integrity to ISpect
on dst port 5054. We are expecting it to communicate on port 18210
(fw1_ica_pull) to pull the cert, but this is not the case. The ISpect box
responds with a RST/ACK when it receives the 5054 comm (3-way handshake
not established).
Any clues as to why Integrity wants to pull a cert over port 5054 instead
of 18210? Is there another way to initialize SIC between these two boxes?
By the way, there is no way (that I know of) to test SIC from an
InterSpect box (there is no "test SIC" button). And you can't run any SIC
commands on the ISpect box, either.
Also, if we turn off Cooperative Enforcement everything is fine --
clients can communicate from protected zone to backbone and beyond.
Any help would be appreciated.
Warm regards,
Neil Delacruz
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
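Added example (not part of the original thread, and not Check Point code): since the thread notes there is no "test SIC" button on the InterSpect box, this Python script, run from the Integrity server side, probes the two TCP ports named above and separates a completed handshake from the RST/ACK seen in fw monitor and from silent drops. The function names are illustrative and the port labels are taken only from the thread.

```python
import socket
import sys

# Ports named in the thread: 18210 (fw1_ica_pull) is where the certificate
# pull was expected; 5054 is where the Integrity server actually connected.
SIC_PORTS = {18210: "fw1_ica_pull, expected", 5054: "seen in fw monitor"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port by how the connection attempt ends."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"           # peer answered with RST/ACK
    except socket.timeout:
        return "filtered"          # no answer at all: dropped on the path
    except OSError:
        return "unreachable"       # routing or name-resolution failure


def check_gateway(host, ports=SIC_PORTS, timeout=2.0):
    """Probe each port once and return {port: state}."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}


def report(states, labels=SIC_PORTS):
    """Render one line per port for pasting into a ticket."""
    return [f"{port}/tcp {state:<11} {labels.get(port, '')}".rstrip()
            for port, state in states.items()]


if __name__ == "__main__":
    # Assumption: the gateway address is passed as the first argument;
    # loopback is the default only so the script runs anywhere.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(report(check_gateway(host))))
```

A "refused" result on a port reproduces the RST/ACK described in the thread, while "filtered" points at something on the path dropping the SYN rather than the gateway rejecting it.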