After 2 successful installations, I am confident enough to give some
Windows 2000 tips to everyone out there who was as nervous as I was
about Windows 2000 and Check Point.
1) An IKE VPN will NOT work until you stop the IPSec Policy Agent
service built into Windows 2000 - I beat myself up over it for 2 days
before finally figuring it out. Stopping the additional services below
probably assisted as well.
2) Along with that service, here is the bare minimum list of services
required in order for Check Point to run. Due to the lack of support for
Windows 2000 performance tuning, I basically set EVERY service to Manual
and left Event Log, the 2 Check Point services and SNMP as Automatic -
after that, these are the services that were started. I tried to
disable RPC, but it is bad news: it took nearly 2 hours for the machine
to finish booting and unlock the service and event databases.
Service Name                    Setting
Check Point ELA Proxy           Automatic
Check Point VPN-1/FireWall-1    Automatic
Event Log                       Automatic
Plug and Play                   Automatic
Remote Procedure Call (RPC)     Automatic (would love to remove if someone knows how)
RunAs Service                   Automatic (this is by choice)
SNMP Service                    Automatic
WMI                             Automatic (would love to remove if someone knows how)
WMI Driver Extensions           Manual (ditto here)
COM+ System Event               Manual (necessary for Event Log)
Network Connections             Manual
Remote Access Conn. Mgr.        Manual
Telephony                       Manual (Remote Access Conn. Mgr. depends on it)
3) Standard security checks on Ethernet connections - make sure NetBIOS
over TCP/IP is disabled on both adapters, and unbind Client for Microsoft
Networks and File and Printer Sharing for Microsoft Networks.
4) Lastly, but certainly not least, your firewall won't do ANYTHING
until you make the registry change to route packets between adapters.
This is the replacement for the NT 4.0 checkbox concerning IP Routing
under TCP/IP properties.

Key                                                       Value
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters   IPEnableRouter:REG_DWORD:0x1
I am still game for some registry tweaks for performance, but it seems
like with the hardware available now, the differences are tiny (at T1
speeds anyhow).
Cheers,
Jamie (bootip on EFnet)
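As an added example (not part of Jamie's message and not Check Point code), the following PowerShell script audits a Windows host against the four points above and, with -Fix, applies them. PowerShell did not exist for Windows 2000, so this targets a later Windows build; the short name PolicyAgent for the IPSec Policy Agent, the display names in the allow list (the Check Point ones matched by wildcard, since the message gives no short names), and the NetBT\Parameters\Interfaces\Tcpip_{GUID}\NetbiosOptions registry layout are assumptions to verify on your own system before running with -Fix.

```powershell
# Added example (not from the original message): audit a Windows host against
# the checklist in the message above; -Fix applies the changes. Run elevated.
# Service short names and the NetBT registry layout are assumptions taken from
# later Windows versions; verify them with Get-Service on your own build.
[CmdletBinding()]
param([switch]$Fix)

# 1) The IPSec Policy Agent must be stopped for an IKE VPN to work.
#    'PolicyAgent' is the ASSUMED short name of "IPSEC Policy Agent".
$ipsecSvc = 'PolicyAgent'

# 2) Services allowed to stay Automatic (display names as listed in the
#    message; WMI/COM+ names as they appear in the Services console).
$allowedDisplay = @(
    'Check Point ELA Proxy', 'Check Point VPN-1*', 'CheckPoint*',
    'Event Log', 'Plug and Play', 'Remote Procedure Call (RPC)',
    'RunAs Service', 'SNMP Service',
    'Windows Management Instrumentation',
    'Windows Management Instrumentation Driver Extensions',
    'COM+ Event System', 'Network Connections',
    'Remote Access Connection Manager', 'Telephony'
)

function Test-Allowed([string]$DisplayName) {
    foreach ($p in $allowedDisplay) { if ($DisplayName -like $p) { return $true } }
    return $false
}

$findings = @()

# --- 1) IPSec Policy Agent ---
$svc = Get-Service -Name $ipsecSvc -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $findings += "IPSec Policy Agent ($ipsecSvc) is running; the IKE VPN will not come up"
    if ($Fix) {
        Stop-Service -Name $ipsecSvc -Force
        Set-Service  -Name $ipsecSvc -StartupType Manual
    }
}

# --- 2) Anything Automatic that is not on the allow list goes to Manual ---
# Win32_Service exposes StartMode, which older Get-Service does not.
foreach ($s in Get-CimInstance Win32_Service) {     # Get-WmiObject on old hosts
    if ($s.StartMode -eq 'Auto' -and -not (Test-Allowed $s.DisplayName)) {
        $findings += "Service '$($s.DisplayName)' ($($s.Name)) is Automatic but not on the allow list"
        if ($Fix) { Set-Service -Name $s.Name -StartupType Manual }
    }
}

# --- 3) NetBIOS over TCP/IP disabled on every adapter (NetbiosOptions = 2) ---
# ASSUMED layout: one Tcpip_{GUID} subkey per adapter under NetBT\Parameters\Interfaces.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($if in Get-ChildItem $netbt -ErrorAction SilentlyContinue) {
    $opt = (Get-ItemProperty $if.PSPath).NetbiosOptions
    if ($opt -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled on $($if.PSChildName) (NetbiosOptions=$opt)"
        if ($Fix) { Set-ItemProperty $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    }
}

# --- 4) IP forwarding between adapters (the NT 4.0 "Enable IP Routing" box) ---
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty $tcpip -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -ne 1) {
    $findings += "IPEnableRouter is '$router'; the firewall forwards nothing until it is 1 (reboot required)"
    if ($Fix) { Set-ItemProperty $tcpip -Name IPEnableRouter -Value 1 -Type DWord }
}

if ($findings.Count -eq 0) { 'Host matches the checklist.' } else { $findings }
```

Run it once without -Fix to see what would change; on a box that also does anything other than firewalling, trim the Set-Service loop first, since it will demote every Automatic service that is not on the allow list, including ones the message's author never had to consider.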
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================