Ryan,
Someone might tell you otherwise, but this is my untested idea:
Create 3 groups:
1 group containing your class B network
1 group containing your OWA server(s)
1 group with exclusion containing the 1st group but excluding the 2nd group
Then define this last group as your encryption domain, wouldn't this
work??
Met vriendelijke groeten - Bien à vous - Kind regards
Guy ROELANDTS
EMEA GS Internet Expertise Centre - CCSE-NG
Hewlett-Packard Belgium B.V.B.A./S.P.R.L.
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.77.44 (options 3 - 3 - 1)
Fax: +32(02)729.77.65
-----Original Message-----
From: Ryan, Kennedy [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2003 16:38
To: [EMAIL PROTECTED]
Subject: [FW-1] SR - NG - Excluding host(s) from class b encryption domain
Good Day,
Our OWA server address falls within the VPN Gateway's (NG FP2) encryption
domain, a class B network address (e.g. 10.10.0.0/16). We allow non-vpn
https traffic to the server, which is not behind VPN firewalls. Problem is,
any user with Secureclient running cannot connect to OWA server unless they
do one of 2 things:
1) close/kill vpn client
2) login to vpn gateway and use vpn tunnel to access owa.
The idea is to allow OWA access without requiring VPN authentication or
having to kill the SR client.
We'd like to know how to get secureclient to realize that traffic for this
host (10.10.0.1/32) should not be encrypted, essentially creating an
"exception" for this host from the encryption domain.
We'd like to do this without having to create lots(!) of class c network
address objects for an encryption domain group.
Any ideas are appreciated.
thanks!
Ken Ryan
Network Engineer
Viacom, Inc.
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
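
Added example, not part of either message and not Check Point code: a Python sketch of what the suggested "group with exclusion" amounts to, assuming it behaves as a plain set difference. It uses the example addresses from the original question; the function and constant names are hypothetical. It also shows that the explicit equivalent is 16 CIDR blocks rather than hundreds of class C objects.

```python
import ipaddress

CLASS_B = ["10.10.0.0/16"]      # group 1: example network from the question
OWA_HOSTS = ["10.10.0.1/32"]    # group 2: example OWA host from the question


def exclude_from_domain(include, exclude):
    """Return the CIDR blocks covering `include` minus every network in `exclude`."""
    remaining = [ipaddress.ip_network(n) for n in include]
    for ex in map(ipaddress.ip_network, exclude):
        kept = []
        for net in remaining:
            if ex.version != net.version or not ex.overlaps(net):
                kept.append(net)                     # exclusion does not touch this block
            elif ex.supernet_of(net):
                continue                             # block is wholly excluded
            else:
                kept.extend(net.address_exclude(ex)) # split the block around the exclusion
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def should_encrypt(dest, domain):
    """True if `dest` falls inside the computed encryption domain."""
    ip = ipaddress.ip_address(dest)
    return any(ip in net for net in domain)


DOMAIN = exclude_from_domain(CLASS_B, OWA_HOSTS)

if __name__ == "__main__":
    for net in DOMAIN:
        print(net)
    # Constructed test destinations: the OWA host, its neighbour, a far host.
    for dest in ("10.10.0.1", "10.10.0.2", "10.10.200.7"):
        print(dest, "encrypt" if should_encrypt(dest, DOMAIN) else "clear")
```

Comparing this list against the topology the client actually receives is a quick way to confirm the exclusion took effect.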