I've tried it over a T1 on which I was the only user, and there is still a lag. I've sniffed the sessions of a local login vs. a SR login. I see many LDAP lookups (for both sessions) and netlogin calls only on the Securemote login. If you load tcpdump on the inside and outside interfaces, you will see a lot of pausing going on between ADS and the client.
I've also noticed a lot of fragmentation, even with the _fw_dont_fragment option.

At 06:26 PM 10/19/2001, Palmer, Kevin wrote:

>Jim,
>
>I'm having the same problem. I am running NG HF2 on W2K SP2 with all of
>the security hotfixes (as of 10/01). I have yet to see a broadband user
>log into the domain with SDL in under 5 minutes.
>
>As a test, I'm going to connect my notebook to the public Internet side
>of the firewall and time how long it takes to log in from a 10Mbps
>ethernet connection.
>
>Kevin Palmer
>Granite Solutions
>
>-----Original Message-----
>From: Jim Laverty [mailto:[EMAIL PROTECTED]]
>Sent: Friday, October 19, 2001 11:30 AM
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Securemote VPN - SDL Login to a Windows 2000 Domain
>using Active Directory Services
>Importance: High
>
>
>We have been using Securemote on Win2K clients to login to a Windows 2000
>domain (non-mixed mode), running active directory services (ADS). We're
>using Nokia's 3.4.1 IPSO and FW-1 4.1 SP-5 (plus the latest SP-5
>hotfix). Since I have installed SP-5 our login times over broadband
>connections have been about 8-12 minutes; we were seeing 2 minute logins.
>
>I've been on the phone with Nokia and now they say Checkpoint does not
>support Secure Domain Login (SDL) with Windows 2000 and ADS. Has anyone
>else gotten this to work on SP-5 and if so, have you seen the performance
>hit?
>
>I'm running tcpdump (on the firewalls) and Sniffer Pro (on the ADS and
>client boxes). I'm seeing lots of fragmentation on the firewall, even with
>the modzap hack for fragmentation.
>
>Any suggestions are welcome.
>
>===============================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>===============================================
