Firewall Wizards mailing list archives
RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook
From: "Adam C. Hudson" <adam () inergy net>
Date: Wed, 28 Nov 2001 12:05:52 -0700
After doing some extensive testing, we are still unable to make this work. SecuRemote should not enforce any desktop policy whatsoever. SecureClient definitely should though. In this particular case, SecuRemote is actually being used. Since I have seen strange occurrences many times before with CheckPoint, we went ahead and tested all the settings for the desktop policy, including the Allow All type option. None of these changes had any effect.

Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778

-----Original Message-----
From: Chris Calabrese [mailto:chris_calabrese () merckmedco com]
Sent: Monday, November 26, 2001 7:47 AM
To: Adam C. Hudson
Subject: Re: [fw-wiz] CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook

The issue is related to the mini-firewall built into SecuRemote. By default, it rejects all inbound traffic streams ("Allow outgoing only"). You should be able to fix this by setting it to accept all inbound encrypted packets ("Allow outgoing and encrypted").

Adam C. Hudson wrote:
The problem environment:

* Remote users connected via SecuRemote 4.1, build 4199 to firewall module
* CheckPoint Firewall-1 4.1 with Service Pack 5, Windows NT 4.0 with Service Pack 6a
* Microsoft Exchange Server 2000, Service Pack 1

The network in question here has remote users connecting via SecuRemote to access Microsoft Exchange Server using Microsoft Outlook client software (97, 2000 and XP). As many of you know, getting the ports nailed down on Exchange server and getting Firewall-1 to filter everything properly is a bit tricky, but having been through it many times, it was configured quickly and works perfectly for all the MAPI communication.

However, we are experiencing one annoying side effect. Microsoft Exchange server uses UDP packets to notify connected Outlook clients of new incoming mail and other relevant events. While connected via SecuRemote, these notifications never make it properly to the client side. Of course, Firewall-1 indicates the outbound packets are accepted and encrypted, but they are never actually decoded and utilized on the client machine. This renders the Outlook clients a little in the dark, as the users must perform other actions inside Outlook before their is delivered (as it contacts the server).

As a test, we had select users attach to the network via PPTP protocol to a Microsoft Windows 2000 server through the Firewall-1 module. By doing this, the UDP new mail notifications from the Exchange server work perfectly. Therefore, we have narrowed it down to something within Firewall-1 or SecuRemote.

There is a REALLY ambiguous entry in the CheckPoint Knowledgebase, that may be related:

---------------------------------------------------
Solution: UDP encapsulated packets do not reach the destination (skI4512)

Solution is yet not available. Currently under investigation.

Problem Description
UDP encapsulated packets do not reach the destination
UDP Encapsulated packets report about incorrect packet size
UDP encapsulated packets are dropped by Cisco PIX with intrusion detection software installed
---------------------------------------------------

Has anyone experienced this problem, or something loosely connected to it? I would love to get this solved, as the users complain constantly about this side effect.

Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

--
Chris Calabrese
Internet Security Analyst
MerckMedco.com

Current thread:
- CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook Adam C. Hudson (Nov 23)
- Re: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook Chris 'Chipper' Chiapusio (Nov 25)
- <Possible follow-ups>
- RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook Adam C. Hudson (Nov 29)
- RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook David Hawley (Nov 30)