Firewall Wizards mailing list archives

Questions on Firewall-1 and Neighborhood Browser


From: "Jim Hebert" <jhebert () graypeak com>
Date: Mon, 25 May 1998 22:42:21 -0400

Hi,


I have a customer that I'm working with using Check Point Firewall-1. I have two (2) problems with it and was wondering 
if you might be able to assist me. They are using Firewall-1 for NT. NT v4.0 has the latest Service Pack (3) installed. 
Also, the latest patch (3064) for Firewall-1 has been applied (Version 3.0b VPN+DES, build 3064).


The first problem is dealing with the network neighborhood browser between the internal network (10.1.1.0 with a subnet 
mask 255.255.255.0) and the DMZ (a legally registered IP network ID with a subnet mask of 255.255.255.240). The 
firewall, internal network, and DMZ are all in the same WindowsNT domain. The firewall is a standalone server. The 
customer would like the internal users to be able to use the network neighborhood browser to see the ftp and 
application servers that are on the DMZ so that they can see the shares that are available. By default, the user will 
not see these because the NetBEUI protocol is not routable (the firewall HAS been enabled to do IP forwarding). I 
defined a WINS server on the ftp server on the DMZ and also on a WindowsNT server on the internal network. I defined a 
peering between the two (2) WINS servers and forced a replication. The DMZ WINS server pushes and the internal WINS 
server pulls. The Master Browser and PDC are located on the internal network. The Master Browser should learn of the 
servers on the DMZ via the internal WINS server and thus allow the internal users to see the shares available. 


I see entries in the firewall log and in the Event Viewers on the WINS servers that a connection is made between the 
two (2) hosts. Through various tries I see messages that the connection has been accepted or that the connection has 
been aborted by the remote WINS server, etc. No matter what the messages are, my network neighborhood browsers don't 
show the DMZ servers in their listing. I have rules that allow sources on the DMZ and the internal network to go 
anywhere with any service so I believe that this should work. I've also installed a rule base with a single rule 
allowing any source to any destination with any service to be accepted but have the same result. The appropriate 
address translation is also present.


Has anyone been able to do this? Are there additional ports that need to be opened?


The second problem is similar. The customer wishes for users that are dialed into their local ISP to have access to the 
shares on the DMZ and to see them from their network neighborhood browser, while using SecuRemote. So far I have been 
able to access the ftp server and application server via SecuRemote because I know that they are there, i.e., I know 
the IP address ahead of time. This is fine for most of the users but apparently there are users who require the ability 
to browse the various shares. I have also been able to get the client to validate on the PDC with the same username as 
SecuRemote with only a single sign-on. Even though the user has been validated in the domain they can't see the various 
machines in the network. NetBEUI over TCP/IP should allow me to see them.


Is this possible?


Any thoughts, suggestions, or comments are greatly appreciated.


Regards,


Jim Hebert
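
The design in the post depends on WINS replication and NetBIOS-over-TCP/IP sessions crossing the firewall, and it asks which ports must be open; as an added example (not from the poster or the Firewall Wizards list), the Python below models a first-match rule base, lists the cross-firewall flows that design relies on, and reports which ones a given rule base blocks, so the single "any to any" rule can be replaced by the minimum set. Only the 10.1.1.0/24 internal network comes from the post; the DMZ block, host addresses, the two sample rule bases and the tcp/23 probe are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.1.0/24")            # internal net given in the post
DMZ = ip_network("192.0.2.16/28")               # constructed stand-in for the registered /28
INT_WINS, PDC, CLIENT = "10.1.1.5", "10.1.1.2", "10.1.1.50"   # constructed internal hosts
DMZ_WINS, DMZ_MB = "192.0.2.20", "192.0.2.21"   # WINS on the DMZ ftp server; DMZ master browser

# Cross-firewall flows the WINS-based browse design relies on (well-known ports):
# tcp/42 WINS replication; udp/138 NetBIOS datagram (browser announcements go as
# directed datagrams to the Domain Master Browser because broadcasts stop at the
# router); tcp/139 NetBIOS session (browse-list exchange and share access).
REQUIRED = [
    ("WINS replication, DMZ push", DMZ_WINS, INT_WINS, "tcp", 42),
    ("WINS replication, internal pull", INT_WINS, DMZ_WINS, "tcp", 42),
    ("DMZ master browser announces to PDC", DMZ_MB, PDC, "udp", 138),
    ("browse-list exchange with PDC", DMZ_MB, PDC, "tcp", 139),
    ("PDC collects DMZ browse list", PDC, DMZ_MB, "tcp", 139),
    ("internal client opens DMZ share", CLIENT, DMZ_WINS, "tcp", 139),
]
ANY = None

def rule(src, dst, proto, port, action):
    """src/dst: ANY, an ip_network, or a single host address string."""
    return {"src": src, "dst": dst, "proto": proto, "port": port, "action": action}

def _covers(obj, host):
    if obj is ANY:
        return True
    return obj == host if isinstance(obj, str) else ip_address(host) in obj

def decide(rules, src, dst, proto, port):
    """First-match evaluation with an implicit final drop, as FW-1 does."""
    for r in rules:
        if (_covers(r["src"], src) and _covers(r["dst"], dst)
                and r["proto"] in (ANY, proto) and r["port"] in (ANY, port)):
            return r["action"]
    return "drop"

def audit(rules):
    """Return the required flows the rule base blocks, and whether an unrelated
    probe (internal client to a DMZ host on tcp/23) also gets through."""
    blocked = [d for d, s, t, p, n in REQUIRED if decide(rules, s, t, p, n) != "accept"]
    return blocked, decide(rules, CLIENT, DMZ_WINS, "tcp", 23) == "accept"

WIDE_OPEN = [rule(ANY, ANY, ANY, ANY, "accept")]   # the single-rule base tried in the post
LEAST_PRIV = [
    rule(DMZ_WINS, INT_WINS, "tcp", 42, "accept"), rule(INT_WINS, DMZ_WINS, "tcp", 42, "accept"),
    rule(DMZ_MB, PDC, "udp", 138, "accept"), rule(DMZ_MB, PDC, "tcp", 139, "accept"),
    rule(PDC, DMZ_MB, "tcp", 139, "accept"), rule(INTERNAL, DMZ, "tcp", 139, "accept"),
]

if __name__ == "__main__":
    for name, rb in (("wide open", WIDE_OPEN), ("least privilege", LEAST_PRIV)):
        print(name, audit(rb))
```

The wide-open base passes every required flow but also the probe; the least-privilege base passes the same flows while the probe is dropped, which is the difference the audit is meant to surface.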