Because HTTP/HTTPS is used for web servers - almost exclusively. I can't believe 
that I'm supporting the only company on Earth who uses Checkpoint at the edge 
with web servers that need port 80 and 443 opened and NATed to them without the 
FW intercepting that traffic for Remote VPN connectivity.

In R60-65 Remote Access VPN was initiated on ports other than 80/443 and it 
worked great...even for visitor mode...

Okay. I'll disable visitor mode because it's not necessary, but it's still not 
connecting - so what now?

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 26, 2012 9:11 AM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

As said... it uses TCP/443 when you enable the feature called "Visitor Mode". 
You can choose to use UDP or TCP encapsulation and that would make it work on 
other ports.

In any case, I don't see how using a well-used port would be 
"stupid/irresponsible".

On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins <na...@thfcom.com> wrote:

> There has to be a way to set Secure Client to connect at a port (or 
> ports) other than port 80 and 443... That it requires those ports is 
> pretty stupid/irresponsible...
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:
> FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio 
> Alvarez
> Sent: Monday, September 24, 2012 11:23 AM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> AFAIK, you need TCP/443 when you enable "visitor mode", which 
> basically makes the clients establish an SSL connection first and 
> encapsulates an IPSec inside that.
> It is meant to avoid connectivity issues for users located on public 
> sites, where only http/https is allowed to restrict Internet use to 
> browsing only.
> I would say, try other "advanced connectivity" features, such as TCP 
> encapsulation.
>
> On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins <na...@thfcom.com> wrote:
>
> > > "fw ctl zdebug drop" displays ALL drops...I need a way to further 
> > > filter
> > out the drops because there's too many drops to see the one(s) I want.
> > fw ctl zdebug drop  | grep myipaddress
> > > In the global properties there is no specific "IKE" property. All
> > control connections are allowed First.
> > >
> > > Well,  you use "client encrypt" in the action column in order to 
> > > make
> > remote access work...what do you suggest?
> > set the user@at in the source, then restrict rule to apply only on 
> > remoteaccess community.
> > (but it requires the policy to be moved to simplified mode).
> >
> > I think I read somewhere that Secure Client/Remote requires port 443 
> > to be open on the firewall...which I don't understand why that would 
> > be a requirement when HTTPS is necessary for web server 
> > applications...anyway...is there a way to make Secure Client/Remote 
> > connect at a different port (I suspect so - how do you do so)?
> >
> > I don't like simplified mode...so how do you configure the rule 
> > policy for secure remote connections for traditional mode?
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to 
> lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list, please see the instructions at 
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options, 
> email fw-1-ow...@ts.checkpoint.com 
> =================================================
>



--
Sergio Alvarez
CISSP | CCSE+
