Re: [squid-users] Checkpoint FW1 & Securemote client

From: Wei Keong <chooweikeong@dont-contact.us>
Date: Fri, 31 May 2002 16:09:53 +0800

> > The user is able to use telnet, ftp through Securemote. He should have
> > no problem connecting to the Checkpoint firewall. Moreover, the reply is
> > not 'authentication failed' but 'page cannot display'.
>
> Verify that the user hasn't configured his browser to use your proxy. If
> it has the proxy configuration of the browser will most likely bypass the
> secure tunnel set up by Securemote.

The browser has no proxy setting, as the transparent proxy is in place.

> > The problem is the transparent proxy will 'hijack' all port 80 traffic
> > and redirect to the Squid box. Seems that with TP will not work in this
> > case...
>
> If Securemote is doing its job properly in the way described by others
> here, your systems should not see any longer that the traffic is for
> port 80...
>
> If securemote abuses port 80 for the encrypted tunnel traffic in order
> to more easily pass firewalls etc then that is the problem.

I think this is what they are doing... VPN over port 80, very bad
implementation.

> What you can do if securemote abuses port80 is to exclude the address of
> the firewall from your transparent proxying. You do not need to exclude
> the user, only this specific destination.

Another alternative is to ask the destination server to change the http page
to https page, thereby not hijacked by our squid box...

Thanks for helping...
Wei Keong
Received on Fri May 31 2002 - 02:10:13 MDT
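
The destination exclusion suggested in the thread, sketched as an added example (not part of the original message). It assumes the interception is done with iptables on a Linux box in front of Squid, which the thread does not state; the gateway address, interface name and Squid port are constructed placeholders.

```shell
#!/bin/sh
# Added example: NAT rules for a Linux interception box in front of Squid.
# All values are constructed placeholders, not taken from the thread.
FW_ADDR="${FW_ADDR:-192.0.2.10}"    # Check Point gateway the Securemote client talks to
LAN_IF="${LAN_IF:-eth0}"            # interface facing the clients
SQUID_PORT="${SQUID_PORT:-3128}"    # port Squid listens on for intercepted traffic

# Print the rules in the order they must be loaded. iptables walks a chain
# top-down and stops at the first terminating target, so the RETURN exemption
# for the gateway has to come before the catch-all REDIRECT.
tp_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $FW_ADDR --dport 80 -j RETURN" \
      "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Exit status 0 only if an exemption for address $1 precedes the first REDIRECT.
# Useful as a pre-load check so a reordered rule set is caught before it
# silently sends the tunnel traffic to Squid again.
exempt_before_redirect() {
    tp_rules | awk -v fw="$1" '
        / -j RETURN$/ && index($0, " -d " fw " ") { exempt = 1 }
        / -j REDIRECT /                            { ok = exempt; exit }
        END                                        { exit(ok ? 0 : 1) }'
}

# Dry run by default: show the rules. Set APPLY=1 (as root) to load them.
if [ "${APPLY:-0}" = 1 ]; then
    exempt_before_redirect "$FW_ADDR" && tp_rules | sh
else
    tp_rules
fi
```

Only port 80 traffic to the one gateway address skips the proxy; every other destination is still redirected to Squid.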
