Ray,

Is it required to use TCP port 444 with Connectra? Unfortunately that won't work for us as most of our employees are restricted to outbound 80/443 only.

Chris

-----Original Message-----
From: Ray [mailto:[EMAIL PROTECTED]]
Sent: Tue Dec 27 20:18:55 2005
To: [email protected]
Subject: Re: [FW-1] Please help: Connectra Security Gateway on Secureplatform

Having just gone through this, sure!

"On the SPLAT firewall, I allow http/https and tcp port 4433 from anywhere to the Connectra."

Port 4433 is only for administration. You need to close it from the outside. You should allow only 80, 443 and a new service, TCP 444, through FW-1 to Connectra. I called TCP 444 "SNX" (Secure Network Extender). You will want to allow 80 to Connectra unless you want to force everyone to type httpS to get to it. Connectra handles the redirect to 443 automatically.

SSL Network Extender (SNX) is how Check Point tunnels non-HTTP protocols, like FTP, telnet, terminal services, etc. It runs on TCP 444. Without some type of SNX add-in, the setup of an SSL VPN system is much more convoluted.

There are two modes for SNX: Network and Application. If the SNX application is NOT installed (because the end user does not have admin rights or declined the install), then the SNX function runs using Java. If you have XP, you probably need to install the Java Runtime Engine. This is called the "application" mode of SNX. If the SNX software is installed, it runs all the time as a service on the computer. I think it's named "slim_svc". This is called the "network" mode of SNX and is the most compatible. The SNX Client should be the computer accessing Connectra.

For terminal services (remote desktop), you will have to define a new service on Connectra for TCP 3389. Its pre-defined RDP service is Check Point's remote access gateway probing, not Microsoft's Remote Desktop Protocol.

Connectra cannot really be managed by an NGX SmartCenter, but you can establish SIC with one and ship the Connectra logs to it. The built-in log viewer in Connectra is a bit cumbersome to use. All configuration of Connectra is still done by its web interface. I'm running Connectra NGX without the SmartCenter interface because I'm still on R55.

Make sure Connectra has direct access to the Internet for SmartDefense updates. That's how it updates its various components. Note that user names in Connectra are case-sensitive.

I can't help you with the comparison, but its Integrity Clientless Security pre-connect scan is very nice. We switched our consultants to Connectra from PPTP and caught a few with out-of-date anti-virus. Note that the licensing is concurrent, not per-user like SecureClient. That usually means you need far fewer licenses.

HTH,
Ray

>From: cisco4ng <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: [FW-1] Please help: Connectra Security Gateway on Secureplatform
>Date: Mon, 26 Dec 2005 17:22:50 -0800
>
>Hi Everyone,
>
>I am new to Connectra so I would like to learn this product. So I installed
>Connectra gateway NGX on my dual processor Pentium III with 1GB of RAM with a
>15-day eval license.
>
>Background:
>My internal network is 192.168.1.0/24. Gateway is 192.168.1.1
>My DMZ network is 192.168.15.0/24. Gateway is 192.168.15.1
>
>Both the internal and DMZ networks are separated by a Checkpoint NG AI R55w
>with HFA_04 firewall running on SPLAT.
>
>I would like remote access users to be able to connect to my Internal network
>using Connectra. Therefore, I placed a Connectra NGX on my DMZ network with IP
>of 192.168.15.104.
>
>The Connectra is static NATed by the Checkpoint Secureplatform firewall to a
>public IP of 129.174.1.8. On the SPLAT firewall, I allow http/https and tcp
>port 4433 from anywhere to the Connectra. Furthermore, I also allow any
>services from the Connectra to the internal network (for testing purposes).
>
>This is my objective and questions:
>
>1) I would like to allow remote access users the ability to do terminal
>services, telnet and ftp once they are authenticated to the Connectra NGX
>gateway. Is it a simple thing to do? I know how to do this with a Cisco VPN
>concentrator and Juniper SSL VPN device but not Connectra.
>
>So I went ahead and configured a user group called "corp" and a user
>"cisco4ng" and put this username into group corp. Next, I created a new
>network application called TEST and specified the range of my internal
>network, 192.168.1.0/24, and allowed ALL services to my internal network
>(again for testing purposes).
>
>From the Internet, I can connect to the Connectra, but I cannot get to any
>services behind my internal network. I tried remote desktop, telnet and ftp
>to hosts behind my internal network but no luck. What am I doing wrong here?
>
>2) What is SSL Extender Server? From reading the documentation, it seems like
>this is an "add-on" from Checkpoint but the documentation also states that it
>is FREE for Connectra. Does SSL Extender provide native IP network
>applications?
>
>3) What is SSL Extender client? Is this some Java or ActiveX that the browser
>downloads from Connectra?
>
>4) Can I operate a Connectra without using a SmartCenter Server? Other than
>getting logs to the SmartCenter, what is the SmartCenter good for with
>Connectra?
>
>5) Can Provider-1 NGX R60A manage Connectra?
>
>If someone in this forum has used Connectra before, please contact me
>off-line and give me a few pointers. I need to learn this beast in the next
>two weeks for a job interview. On the surface, it is not that difficult but
>the devil is in the detail. Furthermore, how does this product compare to
>the Juniper/Netscreen SSL VPN device?
>
>TIA
>
>my email is cisco at yahoo dot com
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
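Added example, not from the thread above. It turns Ray's recommended exposure into a check a practitioner can run from the outside against the NATed address: TCP 80, 443 and 444 (SNX) should answer, TCP 4433 (the Connectra web administration port) should not. Run from a client that is limited to outbound 80/443, as in Chris's environment, it reports 444 as "missing", which is exactly the gap his question is about. The target address defaults to the public IP from the original post and is an assumption; ports, roles and the timeout are also assumptions to adjust for your own setup. The probe function is injectable so the classification logic can be exercised without a live gateway.

```python
"""Audit which TCP ports on a Connectra gateway are reachable from this vantage point.

Added example (not from the FW-1 mailing-list thread). It encodes the exposure
Ray recommends: 80, 443 and 444 (SNX) reachable from the Internet, 4433 (web
administration) closed. Host, ports, roles and timeout are assumptions.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Ports that should be reachable from the outside (SNX runs on TCP 444).
EXPECTED_OPEN: Dict[int, str] = {
    80: "http (Connectra redirects to 443)",
    443: "https portal",
    444: "SNX tunnel",
}
# Administration interface; must NOT be reachable from outside the perimeter.
EXPECTED_CLOSED: Dict[int, str] = {4433: "Connectra web administration"}

Finding = Tuple[int, str]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a full TCP handshake to host:port completes.

    A filtered (dropped) or closed port both come back False; the firewall
    rule and a dead service are indistinguishable from the outside.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(
    host: str,
    expected_open: Dict[int, str],
    expected_closed: Dict[int, str],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> Dict[str, List[Finding]]:
    """Compare observed reachability against the intended policy.

    Returns 'ok' (matches policy), 'missing' (should be open, is not) and
    'exposed' (should be closed, but answers). `probe` is injectable so the
    logic can be tested without a gateway.
    """
    findings: Dict[str, List[Finding]] = {"ok": [], "missing": [], "exposed": []}
    for port, role in sorted(expected_open.items()):
        findings["ok" if probe(host, port) else "missing"].append((port, role))
    for port, role in sorted(expected_closed.items()):
        findings["exposed" if probe(host, port) else "ok"].append((port, role))
    return findings


def report(findings: Dict[str, List[Finding]]) -> str:
    """Render findings as one line per port, problems first."""
    lines = []
    for port, role in findings["missing"]:
        lines.append(f"MISSING  tcp/{port} ({role}) not reachable; check the FW-1 rule and NAT")
    for port, role in findings["exposed"]:
        lines.append(f"EXPOSED  tcp/{port} ({role}) reachable from here; close it")
    for port, role in findings["ok"]:
        lines.append(f"ok       tcp/{port} ({role})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Public NATed address from the original post (assumption; pass your own).
    target = sys.argv[1] if len(sys.argv) > 1 else "129.174.1.8"
    result = audit_exposure(target, EXPECTED_OPEN, EXPECTED_CLOSED)
    print(report(result))
    sys.exit(1 if result["missing"] or result["exposed"] else 0)
```

Run it from outside the perimeter (`python connectra_exposure.py 129.174.1.8`, hypothetical filename) and once more from an internal host: the admin port 4433 should be "ok" only because it is unreachable externally, and a non-zero exit means the rulebase does not match what Ray describes.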
