The management server can be hidden behind the firewall, and it doesn't need
to be publicly routable. For security reasons, our internal network is not
publicly routable, even though it contains valid IP addresses. The
management console lives in the protected network, and SR works fine. When
setting up your site, you need to use the name / address of the management
console, not the firewall. There is one gotcha - you cannot do Topology
downloads over the Internet if you cannot contact the Management console.
One way around that may be to statically map the management console to an
external IP address. On the other hand, I use it as a feature. PCs can do a
download when they are connected to the internal network, or I can do an
out-of-band update.

Craig.

>Jon wrote
>
>When doing a client to site VPN w/ SR in a distributed environment
>(firewall module separate from management station) does the client
>need to have access to the management station i.e. key exchange
>or can the client exchange keys with the firewall module?

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================