Reinhard, Can Connectra use web browsers' proxy settings (& servers)?

Chris

-----Original Message-----
From: Reinhard Stich [mailto:[EMAIL PROTECTED]
Sent: Wed Dec 28 08:16:19 2005
To: [email protected]
Subject: Re: [FW-1] Please help: Connectra Security Gateway on Secureplatform

hi,

you can also use port 443 for the SNX - but not with the same IP as for the web-portal.

cheers
reinhard

At 14:02 28.12.2005, you wrote:
>Ray,
>
>Is it required to use TCP port 444 with Connectra? Unfortunately
>that won't work for us as most of our employees are restricted to
>outbound 80/443 only.
>
>Chris
>
>
>-----Original Message-----
>From: Ray [mailto:[EMAIL PROTECTED]
>Sent: Tue Dec 27 20:18:55 2005
>To: [email protected]
>Subject: Re: [FW-1] Please help: Connectra Security Gateway
>on Secureplatform
>
>Having just gone through this, sure!
>
>"On the SPLAT firewall, I allow http/https and tcp port 4433 from anywhere
>to the Connectra."
>
>Port 4433 is only for administration. You need to close it from the outside.
>You should allow only 80, 443 and a new service, TCP 444, through FW-1 to
>Connectra. I called TCP 444 "SNX" (Secure Network Extender). You will want
>to allow 80 to Connectra unless you want to force everyone to type httpS to
>get to it. Connectra handles the redirect to 443 automatically.
>
>SSL Network Extender (SNX) is how Check Point tunnels non-HTTP protocols,
>like FTP, telnet, terminal services, etc. It runs on TCP 444. Without some
>type of SNX add-in, the setup of an SSL VPN system is much more convoluted.
>
>There are two modes for SNX: Network and Application. If the SNX application
>is NOT installed (because the end user does not have admin rights or
>declined the install), then the SNX function runs using Java. If you have
>XP, you probably need to install the Java Runtime Engine. This is called the
>"application" mode of SNX. If the SNX software is installed, it runs all the
>time as a service on the computer. I think it's named "slim_svc". This is
>called the "network" mode of SNX and is the most compatible.
>
>The SNX Client should be the computer accessing Connectra.
>
>For terminal services (remote desktop), you will have to define a new
>service on Connectra for TCP 3389. Its pre-defined RDP service is Check
>Point's remote access gateway probing, not Microsoft's Remote Desktop
>Protocol.
>
>Connectra cannot really be managed by a NGX SmartCenter, but you can
>establish SIC with one and ship the Connectra logs to it. The built-in log
>viewer in Connectra is a bit cumbersome to use. All configuration of
>Connectra is still done by its web interface. I'm running Connectra NGX
>without the SmartCenter interface because I'm still on R55.
>
>Make sure Connectra has direct access to the Internet for SmartDefense
>updates. That's how it updates its various components.
>
>Note that user names in Connectra are case-sensitive.
>
>I can't help you with the comparison, but its Integrity Clientless Security
>pre-connect scan is very nice. We switched our consultants to Connectra from
>PPTP and caught a few with out-of-date anti-virus. Note that the licensing
>is concurrent, not per-user like SecureClient. That usually means you need
>far fewer licenses.
>
>HTH,
>
>Ray
>
>
> >From: cisco4ng <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: [FW-1] Please help: Connectra Security Gateway on Secureplatform
> >Date: Mon, 26 Dec 2005 17:22:50 -0800
> >
> >Hi Everyone,
> >
> >I am new to Connectra so I would like to learn this product.
> >So I installed Connectra gateway NGx on my dual processor
> >Pentium III with 1GB of RAM with a 15-day eval license.
> >
> >Background:
> >My internal network is 192.168.1.0/24. Gateway is 192.168.1.1
> >
> >My DMZ network is 192.168.15.0/24. Gateway is 192.168.15.1
> >
> >Both the internal and DMZ networks are separated by a Checkpoint
> >NG AI R55w with HFA_04 firewall running on SPLAT.
> >
> >I would like remote access users to be able to connect
> >to my Internal network using Connectra. Therefore, I place a
> >Connectra NGx on my dmz network with IP of 192.168.15.104.
> >
> >The connectra is static NATed by the Checkpoint Secureplatform
> >firewall to a public IP of 129.174.1.8. On the SPLAT firewall,
> >I allow http/https and tcp port 4433 from anywhere to the Connectra.
> >Furthermore, I also allow any services from the connectra to
> >internal network (for testing purposes).
> >
> >This is my objective and questions:
> >
> >1) I would like to allow remote access users the ability to
> >do terminal services, telnet and ftp once they are authenticated
> >to the Connectra NGx gateway. Is it a simple thing to do? I
> >know how to do this with Cisco vpn concentrator and Juniper
> >ssl vpn device but not connectra.
> >So I went ahead and configured a user group called "corp" and
> >a user "cisco4ng" and put this username into group corp. Next,
> >I created a new network application called TEST and specified
> >the range of my internal network, 192.168.1.0/24, and allowed ALL
> >services to my internal network (again for testing purposes).
> >From the internet, I can connect to the Connectra, but I can not get
> >to any services behind my internal network. I tried remote desktop,
> >telnet and ftp to hosts behind my internal network but no luck.
> >What am I doing wrong here?
> >
> >2) What is SSL Extender Server? From reading the documentation,
> >it seems like this is an "add-on" from checkpoint but the
> >documentation also states that it is FREE for connectra.
> >Does SSL extender provide native IP network applications?
> >
> >3) What is SSL Extender clients? Is this some java or ActiveX that the
> >browser downloads from connectra?
> >
> >4) Can I operate a Connectra without using a SmartCenter Server? Other
> >than getting logs to the SmartCenter, what is the SmartCenter good for with
> >Connectra?
> >
> >5) Can provider-1 NGx R60A manage Connectra?
> >
> >If someone in this forum has used connectra before, please contact
> >me off-line and give me a few pointers. I need to learn this beast
> >in the next two weeks for a job interview. On the surface, it is
> >not that difficult but the devil is in the detail. Furthermore,
> >how does this product compare to Juniper/Netscreen SSL vpn device?
> >
> >TIA
> >
> >my email is cisco at yahoo dot com
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================

--
Reinhard Stich
ASSIST [EMAIL PROTECTED]
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440    RS784-RIPE
Fax: +43 1 3709440-333
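Ray's advice boils down to an exposure rule for the perimeter firewall in front of the Connectra: TCP 80, 443 and the SNX service (TCP 444) may be reachable from anywhere, but the admin port TCP 4433 must only be reachable from the inside. The script below is an added example, not Check Point code and not the FW-1 export format: it audits a constructed, simplified text rulebase (one rule per line, `num src dst proto/port action`) against that guidance, using the DMZ address 192.168.15.104 and the public NAT address 129.174.1.8 from cisco4ng's post. It flags the exact rule from the original post (4433 from Any) and reports which of the required external services is still missing (444, which is why SNX would not work yet).

```python
"""Audit a simplified, constructed rulebase against the Connectra exposure
guidance from the thread. Added example; the rule format is hypothetical."""
from dataclasses import dataclass

CONNECTRA_TARGETS = {"192.168.15.104", "129.174.1.8"}  # DMZ IP and public NAT IP from the post
ALLOWED_EXTERNAL_TCP = {80, 443, 444}  # web portal, HTTPS, SNX (per Ray's reply)
ADMIN_TCP = {4433}                     # administration only; never from outside
EXTERNAL_SOURCES = {"any", "internet"}  # source objects we treat as "outside"


@dataclass(frozen=True)
class Rule:
    num: int
    src: str
    dst: str
    proto: str
    port: int
    action: str


def parse_rulebase(text):
    """Parse lines of 'num src dst proto/port action'; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        num, src, dst, svc, action = line.split()
        proto, port = svc.split("/")
        rules.append(Rule(int(num), src, dst, proto.lower(), int(port), action.lower()))
    return rules


def is_external(src):
    return src.lower() in EXTERNAL_SOURCES


def accepted_from_outside(rules):
    """Accept rules whose source is external and whose destination is the Connectra."""
    return [r for r in rules
            if r.action == "accept" and is_external(r.src) and r.dst in CONNECTRA_TARGETS]


def audit(rules):
    """Return (rule number, finding) for every externally reachable service that
    is either the admin port or not on the allowed list."""
    findings = []
    for r in accepted_from_outside(rules):
        if r.proto == "tcp" and r.port in ADMIN_TCP:
            findings.append((r.num, f"admin port tcp/{r.port} exposed from {r.src}"))
        elif r.proto != "tcp" or r.port not in ALLOWED_EXTERNAL_TCP:
            findings.append((r.num, f"unexpected service {r.proto}/{r.port} exposed from {r.src}"))
    return findings


def missing_external_services(rules):
    """Allowed external TCP ports that no rule actually opens (SNX will fail without 444)."""
    present = {r.port for r in accepted_from_outside(rules) if r.proto == "tcp"}
    return ALLOWED_EXTERNAL_TCP - present


# Constructed sample: the policy described in cisco4ng's original post.
ORIGINAL_RULEBASE = """
# num  src             dst              service   action
1      Any             192.168.15.104   tcp/80    accept
2      Any             192.168.15.104   tcp/443   accept
3      Any             192.168.15.104   tcp/4433  accept   # admin port open to the world
4      192.168.15.104  192.168.1.0/24   any/0     accept   # testing only, not audited here
"""

# Constructed sample: the policy after applying Ray's advice.
FIXED_RULEBASE = """
1      Any             192.168.15.104   tcp/80    accept
2      Any             192.168.15.104   tcp/443   accept
3      Any             192.168.15.104   tcp/444   accept   # SNX
4      192.168.1.0/24  192.168.15.104   tcp/4433  accept   # admin from the inside only
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULEBASE), ("fixed", FIXED_RULEBASE)):
        rules = parse_rulebase(text)
        print(name, "findings:", audit(rules), "missing:", missing_external_services(rules))
```

The audit deliberately keys on the destination object rather than on interface or zone, because in this setup the same Connectra is addressed by two names (the DMZ address and the static NAT address) and a rule written against either one exposes the box.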
