Firewall Wizards mailing list archives
Questions on Firewall-1 and Neighborhood Browser
From: "Jim Hebert" <jhebert () graypeak com>
Date: Mon, 25 May 1998 22:42:21 -0400
Hi, I have a customer that I'm working with using Check Point Firewall-1. I have two (2) problems with it and was wondering if you might be able to assist me. They are using Firewall-1 for NT. NT v4.0 has the latest Service Pack (3) installed. Also, the latest patch (3064) for Firewall-1 has been applied (Version 3.0b VPN+DES, build 3064).

The first problem is dealing with the network neighborhood browser between the internal network (10.1.1.0 with a subnet mask 255.255.255.0) and the DMZ (a legally registered IP network ID with a subnet mask of 255.255.255.240). The firewall, internal network, and DMZ are all in the same WindowsNT domain. The firewall is a standalone server. The customer would like the internal users to be able to use the network neighborhood browser to see the ftp and application servers that are on the DMZ so that they can see the shares that are available. By default, the user will not see these because the NetBEUI protocol is not routable (the firewall HAS been enabled to do IP forwarding). I defined a WINS server on the ftp server on the DMZ and also on a WindowsNT server on the internal network. I define a peering between the two (2) WINS servers and force a replication. The DMZ WINS server pushes and the internal WINS server pulls. The Master Browser and PDC are located on the internal network. The Master Browser should learn of the servers on the DMZ via the internal WINS server and thus allow the internal users to see the shares available. I see entries in the firewall log and in the Event Viewers on the WINS servers that a connection is made between the two (2) hosts. Through various tries I see messages that the connection has been accepted or that the connection has been aborted by the remote WINS server, etc. No matter what the messages are, my network neighborhood browsers don't show the DMZ servers in their listing.

I have rules that allow sources on the DMZ and the internal network to go anywhere with any service so I believe that this should work. I've also installed a rule base with a single rule allowing any source to any destination with any service to be accepted but have the same result. The appropriate address translation is also present. Has anyone been able to do this? Are there additional ports that need to be opened?

The second problem is similar. The customer wishes for users that are dialed into their local ISP to have access to the shares on the DMZ and to see them from their network neighborhood browser, while using SecuRemote. So far I have been able to access the ftp server and application server via SecuRemote because I know that they are there, i.e., I know the IP address ahead of time. This is fine for most of the users but apparently there are users who require the ability to browse the various shares. I have also been able to get the client to validate on the PDC with the same username as SecuRemote with only a single sign-on. Even though the user has been validated in the domain they can't see the various machines in the network. NetBEUI over TCP/IP should allow me to see them. Is this possible?

Any thoughts, suggestions, or comments are greatly appreciated.

Regards,
Jim Hebert
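The post falls back to a single any/any/any rule while testing. As an added example, not part of the thread, the script below models a Firewall-1 style top-down, first-match rule base and checks whether the WINS replication and NetBIOS flows the described setup depends on are permitted, while flagging the blanket rule so a least-privilege base can replace it. The DMZ prefix and host addresses are constructed (the post gives only the masks); the port numbers are the well-known ones for WINS replication and NetBIOS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks from the post. The DMZ is a registered /28 whose prefix is not given,
# so a TEST-NET-1 prefix stands in for it; the host addresses are also constructed.
INTERNAL = ipaddress.ip_network("10.1.1.0/24")
DMZ = ipaddress.ip_network("192.0.2.0/28")
ANY = ipaddress.ip_network("0.0.0.0/0")
INT_WINS, DMZ_WINS, CLIENT = "10.1.1.10", "192.0.2.2", "10.1.1.50"

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "accept" or "drop"

def first_match(rules, src, dst, proto, port):
    """Evaluate top-down, first match wins, implicit drop if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "drop"

# Flows the setup needs: WINS replication between partners is TCP 42 (both directions,
# since pull requests and push notifications each open a connection), NetBIOS name
# service to the WINS server is UDP 137, and share access is NetBIOS session TCP 139.
REQUIRED = [
    ("wins-replication-int-to-dmz", INT_WINS, DMZ_WINS, "tcp", 42),
    ("wins-replication-dmz-to-int", DMZ_WINS, INT_WINS, "tcp", 42),
    ("netbios-ns-client-to-dmz-wins", CLIENT, DMZ_WINS, "udp", 137),
    ("netbios-ssn-client-to-dmz-share", CLIENT, DMZ_WINS, "tcp", 139),
]

def blocked_flows(rules):
    """Names of required flows the rule base would drop; empty means all are allowed."""
    return [n for n, s, d, p, port in REQUIRED if first_match(rules, s, d, p, port) != "accept"]

def overly_broad(rules):
    """Accept rules with any source, any destination and any service (the test rule in the post)."""
    return [r for r in rules if r.action == "accept" and r.src == ANY and r.dst == ANY
            and r.proto == "any" and r.port is None]

# The blanket test rule from the post, and a least-privilege base covering the same flows.
PERMISSIVE = [Rule(ANY, ANY, "any", None, "accept")]
MINIMAL = [
    Rule(INTERNAL, DMZ, "tcp", 42, "accept"),
    Rule(DMZ, INTERNAL, "tcp", 42, "accept"),
    Rule(INTERNAL, DMZ, "udp", 137, "accept"),
    Rule(INTERNAL, DMZ, "tcp", 139, "accept"),
]
```

Both rule bases pass every required flow, which matches the post's observation that widening the rules changed nothing; the difference is that MINIMAL still drops anything the DMZ initiates toward internal file shares.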