Re: [squid-users] Checkpoint FW1 & Securemote client

From: Neil A. Hillard <hillardn@dont-contact.us>
Date: Fri, 31 May 2002 11:49:44 +0100 (BST)

Wei,

> > No... As you have a transparent proxy the browser does not know that it's
> > there and therefore will send packets destined for the destination as per
> > normal. SecuRemote will spot these, hijack them and send them down the
> > encrypted tunnel.
>
> Pardon me guys... I don't know much about this SecuRemote... Actually, based
> on my understanding, transparent proxy will have no effect on tunnelling (if
> it is done properly). But, the strange thing is when the same user connects
> through another ISP (no transparent proxy), he is able to connect to the
> CheckPoint FW.
>
> Emmm, what else could be the cause? Will check with the user on the
> CheckPoint log...
In order to check that nothing is NATing you need to compare the IP
address bound to the network card / dialup adapter (winipcfg or ipconfig)
with that logged in the firewall logs. If they match then no NATing is
taking place. This is one of the first things I tend to check.

                                Neil.

> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "Ward, John (GroupWare)" <john@metropolitan.co.za>
> Cc: "'Wei Keong'" <chooweikeong@pacific.net.sg>; "Squid Users"
> <squid-users@squid-cache.org>
> Sent: Friday, May 31, 2002 5:15 PM
> Subject: Re: [squid-users] Checkpoint FW1 & Securemote client
>
>
> > "Ward, John (GroupWare)" wrote:
> > >
> > > it seems that everyone is missing the point of the secureremote client....
> >
> > I don't think so, but it is true that at least I do not know for sure
> > exactly how it tunnels the traffic and I appreciate your clarifications
> > on this. There are a zillion ways one can tunnel traffic, and all have
> > their problems.
> >
> > Some idiots do tunnel things on TCP port 80 as this port is usually
> > allowed in firewalls etc. I am glad to hear that SecuRemote is not one
> > of them.
> >
> > > It creates a secure tunnel to a firewall.... most/all packets are then routed
> > > through this tunnel to the firewall, which ends up being the tunnel terminator.
> > > On the firewall, there can be the following things in place ... routing, nat,
> > > rules for browsing etc. This is also important as if the user is given an
> > > "internal network" address ( like he gets nat'd to the internal firewall
> > > address once his tunnel is established ... depending on configuration). this
> > > is not going through port 80.
> >
> > Good.
> >
> > > Setup ports are usually udp 500 and then a gre/similar tunnel is established.
> >
> > Good.
> >
> > > Once he is connected to this tunnel ( usually an ipsec or des) he won't be
> > > using local network settings.
> >
> > Good.
> >
> > > It's important to look at the firewall logs and the configuration (yes,
> > > firewall rules) that gets downloaded to the pc once secure remote is setup.
> >
> > And the local firewall (if any) to ensure the needed traffic is allowed
> > to get out on the internet and back...
> >
> > If what you describe above is true then the transparent proxy should
> > have no effect on SecuRemote.
> >
> > If however any phase of the setup is using port 80 then a transparent
> > proxy may disturb things.
> >
> > Regards
> > Henrik
> >
>
>

-- 
Neil Hillard                    hillardn@whl.co.uk
Westland Helicopters Ltd.       http://www.whl.co.uk/
Disclaimer: This message does not necessarily reflect the
            views of Westland Helicopters Ltd.
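Neil's NAT check (compare the address ipconfig reports on the client with the source address the firewall logged) written out as an added Python example; this is not code from the thread, and the ipconfig text, the log layout and the `src:` regex are constructed assumptions rather than real Check Point FW-1 output.

```python
import ipaddress
import re

# Constructed sample of `ipconfig` output from the remote user's PC (not real data).
IPCONFIG_OUTPUT = """\
PPP adapter Dial-up:
        IP Address. . . . . . . . . . . . : 203.0.113.45
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""
# Constructed firewall log lines in a simplified "key: value;" layout; a real
# FW-1 log export looks different, so the src regex below is an assumption.
FW_LOG = """\
31May2002 11:40:02 accept eth0 src: 203.0.113.45; dst: 198.51.100.7; proto: udp; service: 500;
31May2002 11:40:03 accept eth0 src: 192.0.2.9; dst: 198.51.100.7; proto: udp; service: 500;
"""

# RFC 1918 ranges: an adapter in one of these cannot reach the firewall directly,
# so a public source address in the log means a NAT device sits in the path.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def adapter_addresses(ipconfig_text):
    """IPv4 addresses that ipconfig reports as bound to local adapters."""
    ips = set()
    for line in ipconfig_text.splitlines():
        m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", line)
        if "IP Address" in line and m:
            ips.add(ipaddress.ip_address(m.group(1)))
    return ips

def logged_sources(log_text):
    """Source addresses the firewall recorded, in log order."""
    return [ipaddress.ip_address(m.group(1)) for m in re.finditer(r"src: (\S+);", log_text)]

def nat_verdicts(ipconfig_text, log_text):
    """Pair each logged source with a verdict: a match with a local adapter means no NAT;
    anything else means the address was rewritten en route (or it is another host)."""
    local = adapter_addresses(ipconfig_text)
    verdicts = []
    for src in logged_sources(log_text):
        if src in local:
            verdicts.append((str(src), "no NAT: matches a local adapter address"))
        elif any(is_rfc1918(a) for a in local) and not is_rfc1918(src):
            verdicts.append((str(src), "NAT: local adapter is RFC 1918, firewall saw a public address"))
        else:
            verdicts.append((str(src), "NAT or different host: not a local adapter address"))
    return verdicts
```

Run `nat_verdicts(IPCONFIG_OUTPUT, FW_LOG)` with the user's real ipconfig text and the firewall's entries for the UDP 500 setup traffic; a mismatch on the first entry is the NAT case the thread is trying to rule out.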
Received on Fri May 31 2002 - 05:30:23 MDT
