Roy,

4.1 uses port 264 for topology download and 265 for public key transfers. You should need no explicit protocol accepts, as the 'accept firewall-1 control connections' allows for this. Usually when you get a timeout after authentication, it is because the firewall object has been defined based on the internal IP address. So again, I wouldn't look at the rules, I would look at the fw workstation object primary IP address. If you want to disable control connections, you must enable fw1_topo, fw1_key and IKE to get these connections to go through.

HTH,
CryptoTech

Roy Hills wrote:
> On Firewall-1 v4.0 I have been able to use SecuRemote with FWZ key
> scheme by just allowing "FW1" (tcp port 256) from any to the Firewall
> as well as the relevant client encrypt rules and unchecking the
> "accept Firewall-1 control connections" box in the policy properties.
>
> However on Firewall-1 v4.1, I find that I need to select "accept VPN-1 &
> Firewall-1 control connections" in the policy properties. I cannot seem
> to get SecuRemote to work by using specific rules in the rulebase.
>
> I have tried the following two rules without success:
>
> a)
>
> Src: Any
> Dst: Firewall
> Svc: FW1, FW1_key, FW1_topo, RDP
> Act: Accept
> Trk: Long
>
> b)
>
> Src: SecuRemote-Client
> Dst: Firewall
> Svc: Any
> Act: Accept
> Trk: Long
>
> Src: Firewall
> Dst: SecuRemote-Client
> Svc: Any
> Act: Accept
> Trk: Long
>
> In both cases, I also had the appropriate client encrypt rules present.
>
> The symptoms I see are that I can add the Firewall "site" OK, and the
> authentication dialog box appears. However authentication fails with a
> "communication failed" message.
>
> Allowing "accept VPN-1 & Firewall-1 control connections" in the policy
> properties makes SecuRemote work fine.
>
> Does anyone know what has changed from V4.0 to V4.1 regarding SecuRemote
> that causes this?
>
> Is it possible to allow SecuRemote with just rules in the rulebase and not
> with "accept VPN-1 & Firewall-1 control connections" in the policy properties?
>
> I'm using Firewall-1 v4.1 [DES] SP1 on Windows NT 4.0 SP5. SecuRemote is
> v4.1 [DES] on Win-95. I am using DES encryption, MD5 integrity and FWZ key
> exchange.
>
> Roy Hills
> --
> Roy Hills                              Tel: +44 1634 721855
> NTA Monitor Ltd                        FAX: +44 1634 721844
> 14 Ashford House, Beaufort Court,
> Medway City Estate,                    Email: [EMAIL PROTECTED]
> Rochester, Kent ME2 4FA, UK            WWW: http://www.nta-monitor.com/
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
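As an added illustration of CryptoTech's answer (not code from the thread or from Check Point), the following models a Firewall-1 style top-down, first-match rulebase and reports which of the services the reply names (fw1_topo, fw1_key, IKE) an explicit rulebase fails to accept from the SecuRemote client to the gateway. The rule representation and service table are assumptions; the ports 256, 264 and 265 come from the thread, IKE on udp/500 and RDP on udp/259 are the standard assignments.

```python
# Service -> (protocol, port). 256/264/265 as stated in the thread;
# IKE udp/500 and Check Point RDP udp/259 are the standard assignments.
SERVICES = {
    "FW1": ("tcp", 256),       # used by SecuRemote on 4.0
    "FW1_topo": ("tcp", 264),  # 4.1 topology download
    "FW1_key": ("tcp", 265),   # 4.1 public key transfer
    "IKE": ("udp", 500),
    "RDP": ("udp", 259),
}

# Services the reply says must be reachable on 4.1 when
# 'accept VPN-1 & FireWall-1 control connections' is disabled.
REQUIRED_4_1 = ("FW1_topo", "FW1_key", "IKE")


def matches(field, value):
    """A rule field matches if it is 'Any', equals the value, or is a
    group (set/list/tuple) that contains the value."""
    if field == "Any" or field == value:
        return True
    return isinstance(field, (set, frozenset, list, tuple)) and value in field


def first_match(rules, src, dst, svc):
    """Action of the first matching rule; Firewall-1 evaluates the
    rulebase top-down and the implicit final rule drops everything."""
    for rule in rules:
        if (matches(rule["src"], src) and matches(rule["dst"], dst)
                and matches(rule["svc"], svc)):
            return rule["act"]
    return "Drop"


def missing_services(rules, client="SecuRemote-Client", gateway="Firewall"):
    """Required 4.1 services that no explicit rule accepts client -> gateway."""
    return [s for s in REQUIRED_4_1
            if first_match(rules, client, gateway, s) != "Accept"]


# Constructed rulebases modelled on Roy's attempts a) and b).
RULES_A = [{"src": "Any", "dst": "Firewall",
            "svc": {"FW1", "FW1_key", "FW1_topo", "RDP"}, "act": "Accept"}]
RULES_B = [{"src": "SecuRemote-Client", "dst": "Firewall", "svc": "Any", "act": "Accept"},
           {"src": "Firewall", "dst": "SecuRemote-Client", "svc": "Any", "act": "Accept"}]

if __name__ == "__main__":
    # a) lists FW1_key/FW1_topo but not IKE; b) passes the rule check entirely,
    # which is consistent with the reply pointing at the object's primary IP
    # rather than the rulebase as the thing to inspect.
    print("a) missing:", missing_services(RULES_A))  # ['IKE']
    print("b) missing:", missing_services(RULES_B))  # []
```

A rulebase that passes this check only rules out the rulebase as the cause; per the reply, a timeout after authentication is more often the firewall workstation object's primary IP address.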
