Firewall Wizards mailing list archives
RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook
From: "David Hawley" <chiman () hawaiian net>
Date: Thu, 29 Nov 2001 12:35:14 -1000
Chris,

We had a bear of a time getting SecuRemote to work too, and I don't know from your symptoms if this will help, but it might, and if not it might help someone else downstream.

We were working with one of the most convoluted legacy networks I have ever seen, and so the problem we had was that SecuRemote encrypted packets would leave our site, reach the SecuRemote client, but upon their return they would take a different path and end up back at the Exchange server encrypted, having avoided the Firewall-1 firewall. We tried everything else in the world that we could think of, until we realized that it was really a routing problem, fixed in Cisco IOS land.

Another thing, that is unrelated, that slowed us down was that, at that time, the exact mechanism that SecuRemote uses to hand off the private key to the client used some exotic UDP ports that weren't mentioned until some 140++ pages into the manual. Maybe this is all better documented now; this was a while ago.

After those issues were all worked out it worked very well, and tickled everyone pink.

Cheers,
David

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Adam C. Hudson
Sent: Wednesday, November 28, 2001 9:06 AM
To: Chris Calabrese
Cc: firewall-wizards () nfr com
Subject: RE: [fw-wiz] CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook

After doing some extensive testing, we are still unable to make this work. SecuRemote should not enforce any desktop policy whatsoever. SecureClient definitely should, though. In this particular case, SecuRemote is actually being used. Since I have seen strange occurrences many times before with CheckPoint, we went ahead and tested all the settings for the desktop policy, including the Allow All type option. None of these changes had any effect.

Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778

-----Original Message-----
From: Chris Calabrese [mailto:chris_calabrese () merckmedco com]
Sent: Monday, November 26, 2001 7:47 AM
To: Adam C. Hudson
Subject: Re: [fw-wiz] CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook

The issue is related to the mini-firewall built into SecuRemote. By default, it rejects all inbound traffic streams ("Allow outgoing only"). You should be able to fix this by setting it to accept all inbound encrypted packets ("Allow outgoing and encrypted").

Adam C. Hudson wrote:

> The problem environment:
>
> * Remote users connected via SecuRemote 4.1, build 4199 to firewall module
> * CheckPoint Firewall-1 4.1 with Service Pack 5, Windows NT 4.0 with Service Pack 6a
> * Microsoft Exchange Server 2000, Service Pack 1
>
> The network in question here has remote users connecting via SecuRemote to access Microsoft Exchange Server using Microsoft Outlook client software (97, 2000 and XP). As many of you know, getting the ports nailed down on Exchange server and getting Firewall-1 to filter everything properly is a bit tricky, but having been through it many times, it was configured quickly and works perfectly for all the MAPI communication.
>
> However, we are experiencing one annoying side effect. Microsoft Exchange server uses UDP packets to notify connected Outlook clients of new incoming mail and other relevant events. While connected via SecuRemote, these notifications never make it properly to the client side. Of course, Firewall-1 indicates the outbound packets are accepted and encrypted, but they are never actually decoded and utilized on the client machine. This renders the Outlook clients a little in the dark, as the users must perform other actions inside Outlook before their mail is delivered (as it contacts the server).
>
> As a test, we had select users attach to the network via PPTP protocol to a Microsoft Windows 2000 server through the Firewall-1 module. By doing this, the UDP new mail notifications from the Exchange server work perfectly. Therefore, we have narrowed it down to something within Firewall-1 or SecuRemote.
>
> There is a REALLY ambiguous entry in the CheckPoint Knowledgebase that may be related:
>
> ---------------------------------------------------
> Solution: UDP encapsulated packets do not reach the destination (skI4512)
> Solution is yet not available. Currently under investigation.
>
> Problem Description
> UDP encapsulated packets do not reach the destination
> UDP Encapsulated packets report about incorrect packet size
> UDP encapsulated packets are dropped by Cisco PIX with intrusion detection software installed
> ---------------------------------------------------
>
> Has anyone experienced this problem, or something loosely connected to it? I would love to get this solved, as the users complain constantly about this side effect.
>
> Adam Hudson
> Networking and Security Consultant
> Office 720-348-0564
> Fax 720-294-0778
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

--
Chris Calabrese
Internet Security Analyst
MerckMedco.com
Current thread:
- CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook Adam C. Hudson (Nov 23)
- Re: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook Chris 'Chipper' Chiapusio (Nov 25)
- <Possible follow-ups>
- RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook Adam C. Hudson (Nov 29)
- RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook David Hawley (Nov 30)