-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Baird
Sent: Wednesday, March 07, 2001 8:30 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: RE: [FW1] Secure Client and NAT

Can you give an example of this? I am having trouble understanding why this is necessary if the firewall isn't defined in any of the SecuRemote rules.

"Also, when constructing your Client Encrypt rule, make sure to put the firewall object(s) in the destination field and negate them so that even VPN users can't make a direct connection to the firewall through a SecuRemote session."

thanks!
PDB

-----Original Message-----
From: Jeff Hochberg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 06, 2001 10:38 PM
To: 'Rafiyq Mondesir'; [EMAIL PROTECTED]
Subject: RE: [FW1] Secure Client and NAT

No there is not.

How does this undermine the use of a stealth rule? Disable the "Respond to Unauthenticated Topology Requests" option in Policy->Properties in order to enable SSL authenticated topology downloads to prevent just "anyone" from getting your userc.C file.

Also, when constructing your Client Encrypt rule, make sure to put the firewall object(s) in the destination field and negate them so that even VPN users can't make a direct connection to the firewall through a SecuRemote session.

-Jeff Hochberg

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rafiyq Mondesir
Sent: Tuesday, March 06, 2001 11:21 AM
To: [EMAIL PROTECTED]
Subject: [FW1] Secure Client and NAT

Hello.
Does anyone know if it's possible to use a NAT'ed address of the firewall's external interface as the point of connect in the SecuRemote Client? In other words, say the external interface of my firewall is publicly addressable: 111.111.111.111, and I plan on giving it a NAT'ed address of 222.222.222.222 to be used by my clients for topology updates and VPN connections. Is this possible?
The reason I want to do this is because the file userc.C, which is located on the client, contains (in clear text) several firewall and network details that undermine the use of a Stealth Rule, and thus compromise my security policy.
Any advice would be appreciated.
Regards,
R.
It is not necessary, it's only a suggestion.
By defining the firewall in the SecuRemote rule and negating it, you are
stating that users can connect to anything BUT the firewall. The negate
option is something that a lot of people don't realize is there or what it is,
but can be very helpful.
-Jeff
