Hi,
I have a strange problem with a Gateway Cluster made from two Nokia IP650s
running IPSO 3.2.1 and FW-1 version 4.1 SP1 DES. There are 2 VIPs
configured for the internal network, one ordinarily residing on each box.
Some internal browsers are set to proxy at one VIP for http, others at the
other (to load balance outbound http).
The management server downloads a seemingly identical security policy to the
IP650s which are members of the gateway cluster. (The conf directory has
files that are the same date / length etc.)
I'm using User Authentication for outbound http (no resources etc, just
source-user@internal destination-any protocol-http action-userauth).
Browsers proxying at one VIP get authenticated and everything works fine.
When proxying at the other VIP, FW-1 comes back with fw-1 at machine access
denied without even prompting for authentication.
Network traces indicate that the module that isn't working queries DNS to
resolve the requested hostname, receives a valid reply then sends the denied
message back to the browser.
I don't understand how this can be happening given that the same security
policy is supposedly installed on both of the modules.
Other services work fine through the weirdly behaving machine. It's only
when the http security server gets involved that the weirdness begins.
Any ideas?
Matt