From: "Covington, Chris" <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Please help: Connectra Security Gateway on
Secureplatform
Date: Wed, 28 Dec 2005 15:09:05 -0500
Reinhard,
Can Connectra use web browsers' proxy settings (& servers)?
Chris
-----Original Message-----
From: Reinhard Stich [mailto:[EMAIL PROTECTED]
Sent: Wed Dec 28 08:16:19 2005
To: [email protected]
Subject: Re: [FW-1] Please help: Connectra Security Gateway on
Secureplatform
hi,
you can also use port 443 for the SNX - but not with the same IP as
for the web-portal.
cheers
reinhard
At 14:02 28.12.2005, you wrote:
>Ray,
>
>Is it required to use TCP port 444 with Connectra? Unfortunately
>that won't work for us as most of our employees are restricted to
>outbound 80/443 only.
>
>Chris
>
>
> -----Original Message-----
>From: Ray [mailto:[EMAIL PROTECTED]
>Sent: Tue Dec 27 20:18:55 2005
>To: [email protected]
>Subject: Re: [FW-1] Please help: Connectra Security Gateway
>on Secureplatform
>
>Having just gone through this, sure!
>
>"On the SPLAT firewall, I allow http/https and tcp port 4433 from
>anywhere to the Connectra."
>
>Port 4433 is only for administration. You need to close it from the
>outside. You should allow only 80, 443 and a new service, TCP 444,
>through FW-1 to Connectra. I called TCP 444 "SNX" (Secure Network
>Extender). You will want to allow 80 to Connectra unless you want to
>force everyone to type httpS to get to it. Connectra handles the
>redirect to 443 automatically.
>
>SSL Network Extender (SNX) is how Check Point tunnels non-HTTP protocols,
>like FTP, telnet, terminal services, etc. It runs on TCP 444. Without
>some type of SNX add-in, the setup of an SSL VPN system is much more
>convoluted.
>
>There are two modes for SNX: Network and Application. If the SNX
>application is NOT installed (because the end user does not have admin
>rights or declined the install), then the SNX function runs using Java.
>If you have XP, you probably need to install the Java Runtime Engine.
>This is called the "application" mode of SNX. If the SNX software is
>installed, it runs all the time as a service on the computer. I think
>it's named "slim_svc". This is called the "network" mode of SNX and is
>the most compatible.
>
>The SNX Client should be the computer accessing Connectra.
>
>For terminal services (remote desktop), you will have to define a new
>service on Connectra for TCP 3389. Its pre-defined RDP service is Check
>Point's remote access gateway probing, not Microsoft's Remote Desktop
>Protocol.
>
>Connectra cannot really be managed by a NGX SmartCenter, but you can
>establish SIC with one and ship the Connectra logs to it. The built-in log
>viewer in Connectra is a bit cumbersome to use. All configuration of
>Connectra is still done by its web interface. I'm running Connectra NGX
>without the SmartCenter interface because I'm still on R55.
>
>Make sure Connectra has direct access to the Internet for SmartDefense
>updates. That's how it updates its various components.
>
>Note that user names in Connectra are case-sensitive.
>
>I can't help you with the comparison, but its Integrity Clientless
>Security pre-connect scan is very nice. We switched our consultants to
>Connectra from PPTP and caught a few with out of date anti-virus. Note
>that the licensing is concurrent, not per-user like SecureClient. That
>usually means you need far fewer licenses.
>
>HTH,
>
>Ray
>
> >From: cisco4ng <[EMAIL PROTECTED]>
> >Reply-To: Mailing list for discussion of Firewall-1
> ><[email protected]>
> >To: [email protected]
> >Subject: [FW-1] Please help: Connectra Security Gateway on
Secureplatform
> >Date: Mon, 26 Dec 2005 17:22:50 -0800
> >
> >Hi Everyone,
> >
> > I am new to Connectra so I would like to learn this product.
> >So I installed a Connectra gateway NGx on my dual processor
> >Pentium III with 1GB of RAM with a 15 day eval license.
> >
> > Background:
> > My internal network is 192.168.1.0/24. Gateway is 192.168.1.1
> >
> >My DMZ network is 192.168.15.0/24. Gateway is 192.168.15.1
> >
> >Both the internal and DMZ networks are separated by a Checkpoint
> >NG AI R55w with HFA_04 firewall running on SPLAT.
> >
> > I would like remote access users to be able to connect
> >to my Internal network using Connectra. Therefore, I placed a
> >Connectra NGx on my dmz network with IP of 192.168.15.104.
> >
> >The Connectra is static NATed by the Checkpoint Secureplatform
> >firewall to a public IP of 129.174.1.8. On the SPLAT firewall,
> >I allow http/https and tcp port 4433 from anywhere to the Connectra.
> > Furthermore, I also allow any services from the connectra to
> >internal network (for testing purposes).
> >
> > This is my objective and questions:
> >
> > 1) I would like to allow remote access users the ability to
> >do terminal services, telnet and ftp once they are authenticated
> >to the Connectra NGx gateway. Is it a simple thing to do? I
> >know how to do this with Cisco vpn concentrator and Juniper
> >ssl vpn device but not connectra.
> > So I went ahead and configured a user group called "corp" and
> >a user "cisco4ng" and put this username into group corp. Next,
> >I created a new network application called TEST and specified
> >the range of my internal network, 192.168.1.0/24, and allowed ALL
> >services to my internal network (again for testing purposes).
> > From the internet, I can connect to the Connectra, but I cannot get
> > to any services behind my internal network. I tried remote desktop,
> > telnet and ftp to hosts behind my internal network but no luck.
> > What am I doing wrong here?
> >
> >2) What is SSL Extender Server? From reading the documentation,
> >it seems like this is an "add-on" from checkpoint but the
> >documentation also states that it is FREE for connectra.
> >Does SSL extender provide native IP network applications?
> >
> > 3) What are SSL Extender clients? Is this some java or ActiveX that the
> >browser downloads from connectra?
> >
> > 4) Can I operate a Connectra without using a SmartCenter Server? Other
> >than getting logs to the SmartCenter, what is the SmartCenter good for
> > with Connectra?
> >
> > 5) Can provider-1 NGx R60A manage Connectra?
> >
> > If someone in this forum has used connectra before, please contact
> >me off-line and give me a few pointers. I need to learn this beast
> >in the next two weeks for a job interview. On the surface, it is
> >not that difficult but the devil is in the detail. Furthermore,
> >how does this product compare to the Juniper/Netscreen SSL vpn device?
> >
> > TIA
> >
> > my email is cisco at yahoo dot com
> >
> >
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================
>
--
Reinhard Stich ASSIST [EMAIL PROTECTED]
Internet Security AG, 1150 Wien, Johnstrasse 29
Tel: +43 1 3709440 RS784-RIPE Fax: +43 1 3709440-333
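To make the firewall advice in this thread checkable, here is an added example that is not code from the thread, from Check Point or from any poster. It models a FW-1 style first-match rulebase and audits the Connectra placement Ray describes (administration port 4433 closed from outside, 80/443 plus the custom TCP 444 "SNX" service allowed in), and it checks Reinhard's caveat that SNX may run on 443 only on a different IP than the web portal. The object names ("connectra", "internal_net", "mgmt_net", "internet"), the service names, the second public address 129.174.1.9 and both sample rulebases are assumptions constructed for the example; only the port numbers and the NATed address 129.174.1.8 come from the thread.

```python
# Added example, not Check Point code. Object names, service names and the
# two sample rulebases are constructed; ports 80/443/444/4433 are from the
# thread.
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int


ANY_SERVICE = Service("Any", "any", 0)           # matches every service
HTTP = Service("http", "tcp", 80)
HTTPS = Service("https", "tcp", 443)
SNX = Service("SNX", "tcp", 444)                 # Ray's custom SNX service
ADMIN = Service("Connectra_admin", "tcp", 4433)  # Connectra web administration
RDP = Service("ms-rdp", "tcp", 3389)             # new service for Terminal Services
TELNET = Service("telnet", "tcp", 23)
FTP = Service("ftp", "tcp", 21)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    services: tuple
    action: str  # "accept" or "drop"


def matches(rule, src, dst, svc):
    """A rule matches when each column is Any or equals the packet's value."""
    return (rule.src in (ANY, src)
            and rule.dst in (ANY, dst)
            and any(s == ANY_SERVICE or s == svc for s in rule.services))


def first_match(rulebase, src, dst, svc):
    """FW-1 semantics: first matching rule wins; implicit cleanup rule drops."""
    for rule in rulebase:
        if matches(rule, src, dst, svc):
            return rule.action
    return "drop"


def audit_connectra(rulebase, gw="connectra", external="internet"):
    """Findings for Ray's advice: 4433 must not be reachable from outside,
    while 80, 443 and SNX (444) must be."""
    findings = []
    if first_match(rulebase, external, gw, ADMIN) == "accept":
        findings.append(
            f"tcp/{ADMIN.port} (administration) is reachable from {external}; "
            "allow it only from a management network")
    for svc in (HTTP, HTTPS, SNX):
        if first_match(rulebase, external, gw, svc) != "accept":
            findings.append(
                f"{svc.name} (tcp/{svc.port}) from {external} to {gw} is not allowed")
    return findings


def listener_conflicts(listeners):
    """Reinhard's caveat: SNX may use 443, but not on the same IP as the
    web portal. Flag any ip:port claimed by two different roles."""
    owner = {}
    conflicts = []
    for ip, port, role in listeners:
        key = (ip, port)
        if key in owner and owner[key] != role:
            conflicts.append(f"{ip}:{port} used by both {owner[key]} and {role}")
        owner.setdefault(key, role)
    return conflicts


# The original poster's rules: 4433 open from anywhere, any service inward.
RULEBASE_BEFORE = (
    Rule(ANY, "connectra", (HTTP, HTTPS, ADMIN), "accept"),
    Rule("connectra", "internal_net", (ANY_SERVICE,), "accept"),
)

# Ray's advice applied: admin only from a management net, an explicit drop so
# outside attempts are logged, public ports plus SNX, least privilege inward.
RULEBASE_AFTER = (
    Rule("mgmt_net", "connectra", (ADMIN,), "accept"),
    Rule(ANY, "connectra", (ADMIN,), "drop"),
    Rule(ANY, "connectra", (HTTP, HTTPS, SNX), "accept"),
    Rule("connectra", "internal_net", (RDP, TELNET, FTP), "accept"),
)

# Constructed listener layouts; 129.174.1.8 is the NATed address from the
# thread, 129.174.1.9 is an assumed second address for SNX.
SHARED_IP = [("129.174.1.8", 443, "portal"), ("129.174.1.8", 443, "snx")]
SEPARATE_IPS = [("129.174.1.8", 443, "portal"), ("129.174.1.9", 443, "snx")]

if __name__ == "__main__":
    for name, rb in (("before", RULEBASE_BEFORE), ("after", RULEBASE_AFTER)):
        print(name, audit_connectra(rb) or ["no findings"])
    print(listener_conflicts(SHARED_IP), listener_conflicts(SEPARATE_IPS))
```

Run as-is it reports two findings for the poster's rulebase (4433 exposed, SNX not allowed) and none for the corrected one; the explicit drop rule for 4433 sits above the public accept rule on purpose, so that first-match ordering cannot be undone by a later "Any" rule and outside probes of the administration port show up in the logs.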