I recently introduced a URI resource, marking the first time the HTTP
Security Server needed to do anything on my firewall. I had two problems as
a result. I found little help at first (and Check Point's tech support was
rather useless), but I finally believe I know what's going on. I offer these
FYI and in case someone can offer further solutions or work-arounds.

First, I found that internal users could no longer reach external Hotmail
accounts using Outlook Express. This is an http connection, not a pop3
connection. Apparently, the HTTP Security Server was inspecting all http
connections, not just the ones that would have matched the rule I
introduced. Hotmail must be doing some non-standard http, because in the
firewall log I see a Rule 0 reject (http) because of a "Malformed request."
That is, the security server is deciding to chuck the connection even though
my rules would have allowed an http connection to that site.

When we disabled the new rule, Hotmail was fine again. When we re-enabled
the rule, Hotmail broke again. I have no good work-around. The security
server was introduced for a real purpose, but we have a few people who have
a defensible need for access to Hotmail. So far, I can't have it both ways.
Check Point's tech support took a while even to understand the question, and
then they said the Hotmail URL must be matching something in the rule (it
doesn't) or in a UFP server (which I'm not using).

I've seen the next issue posted in a few places, but it took a while to find
a good explanation. Intermittently, internal users visiting external web
pages get a response page along these lines: "FW-1 at <firewall>: Unable to
connect to WWW server." I finally found a good explanation here:
http://www.websense.com/support/platform/display.cfm?id=10

The work-around is simply to hit shift-refresh in the browser until the real
page shows up -- or to disable any rules that need the http security server.
Check Point's tech support had assured me this problem had nothing to do
with the firewall.
--
Jim Becker
The Urban Institute (http://www.urban.org/)
DECUS ESILUG (http://eisner.decus.org/lugs/esilug/)