Visitor mode is required to be enabled on the gateway for the E75.20 client to 
work; check the admin guide specific to this client, 
CP_E75.20_Remote_Access_Clients_Admin_Guide.pdf. To be clear, are you using the 
FW's external IP for port NAT for http/https? If so, this needs to be 
disabled. Disabling http/https NAT for any other external IPs you have, I don't 
think this would have any bearing on this, and it's not something I would consider 
doing... that would be just crazy. Do you have the proper license in place? I 
would try a 32-bit SC R60 client just to make sure basic IPSEC VPN/office 
mode/etc. were functioning properly; you could also enable SNX, if licensed 
for it, and check if you can https through a browser.  
 
 

________________________________
From: Nathan Hawkins <na...@thfcom.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM 
Sent: Thursday, September 27, 2012 8:23 AM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

Well... the R60 client won't work on the machines I support because they are all 
64-bit and the R60 client is 32-bit only. Whenever someone has something to 
suggest trying, I disable all NATing for HTTP/S to the web servers, because so 
far I have yet to make the VPN client even create the site, let alone work... I 
guess I'll switch to simplified mode when it presents itself as the better way 
to go. So far it has not.

Any suggestions as to what to try next?

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Gary Scott
Sent: Wednesday, September 26, 2012 8:27 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

The E7x clients do operate a bit differently than the older R60 IPSEC client; I 
think the initial https connections from the client are for auth purposes, a 
change from the older hybrid mode auth. Even though it is no longer supported, can you 
connect with the R60 client? Unless using visitor mode it will do native IPSEC 
with no SSL? Make sure your 443 port is not being stepped on by anything else, and 
also have the proper license(s) in place; office mode was a freebie for the R60 
client but that is no longer the case for the E7x client, which is a shame for such a 
needed feature. You still have complete control using simplified mode; it is 
just a mode to simplify the configuration of multiple VPN sites and a few other 
things. Once you get over the sticker shock you will see simplified mode is the 
way to go.


-GS

________________________________
From: Nathan Hawkins <na...@thfcom.com>
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Sent: Wednesday, September 26, 2012 2:23 PM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

All of that was already set (checked) and applied to the GW.

On the client (E75.20 is currently installed), what I see at the FW and in the other 
logs I'm using to troubleshoot this is only HTTP/HTTPS connections, and I can't 
configure anything else because when I go to create a new site it fails and 
won't continue to configure anything. All I get is a back / cancel / help 
button (help brings up the help file).

If I must, I'll change to simplified mode, but I like traditional because I 
don't like anything to be automatic. I like complete control over everything.

I appreciate your help! I hope we can fix this...

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
Sent: Wednesday, September 26, 2012 12:14 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] Setup of Remote VPN on R75+

Global Properties > Remote Access > VPN Auth and Encryp > IKE over TCP
-----> here you enable support for TCP encapsulation on the gateway

Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
------> here you enable support for a proprietary UDP encapsulation on the
gateway.

Now, on the client side you must enable these also, otherwise the client won't 
try to use them when trying to establish the VPN. Now, I unfortunately don't have 
handy an installation of the new versions of the VPN clients, but on the old 
ones, I remember you go to Settings > Properties of the Site > Advanced and you 
configure there the use of TCP and/or UDP Encap (also enable/disable Visitor mode).

If you are still seeing HTTPS from the client IP destined to the firewall 
in your logs, then your client is still trying to use "Visitor Mode".

Finally, you will find more help from people, forums and documentation if you 
turn to simplified VPN mode; traditional mode is pretty old.

On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins <na...@thfcom.com> wrote:

> Actually I see the FW external IP used frequently, but that's not
> relevant here.
>
> Please explain where I would involve TCP encapsulation - I've looked
> around for anything that would re-designate a way for Secure Client to
> make a connection and nothing has worked so far.
>
> I have mentioned (at least once, in my initial post) that in Logviewer
> all I see are accepts for HTTP/HTTPS.
>
> I have also explained in a recent post that I don't see any drops at
> the console (CLI) for the SIP of where the remote client is coming from.
>
> Yes - I have read the Admin Guide for R75.20 - several times actually...
> It's not that helpful...
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:
> FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
> Alvarez
> Sent: Wednesday, September 26, 2012 10:12 AM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> Well, usually the Firewall public IP is not used to statically NAT web
> servers, so regularly this is not an issue... anyway.
>
> I have mentioned already that you could try using something else like
> TCP encapsulation, have you tried that??
>
> So far you have not mentioned anything about the logs... have you
> checked them? What does it say for connection attempts from a test VPN client 
> user?
>
> I see that before someone else explained to you how to use debugging
> with a filter to check for drops on the firewall, have you tried that?
>
> Have you read the "VPN Admin Guide" pdf document?
>
>
>
> On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins <na...@thfcom.com> wrote:
>
> > Because HTTP/HTTPS is used for web servers - almost exclusively. I
> > can't believe that I'm supporting the only company on Earth who uses
> > Checkpoint at the edge with web servers that need port 80 and 443
> > opened and NATed to them without the FW intercepting that traffic
> > for Remote VPN connectivity.
> >
> > In R60-65 Remote Access VPN was initiated on ports other than 80/443
> > and it worked great...even for visitor mode...
> >
> > Okay. I'll disable visitor mode because it's not necessary, but it's
> > still not connecting - so what now?
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 [mailto:
> > FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
> > Alvarez
> > Sent: Wednesday, September 26, 2012 9:11 AM
> > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > Subject: Re: [FW-1] Setup of Remote VPN on R75+
> >
> > As said... it uses TCP/443 when you enable the feature called
> > "Visitor Mode". You can choose to use UDP or TCP encapsulation and
> > that would make it work on other ports.
> >
> > In any case, I don't see how using a well-used port would be
> > "stupid/irresponsible".
> >
> > On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> >
> > > There has to be a way to set Secure Client to connect at a port (or
> > > ports) other than port 80 and 443... That it requires those ports
> > > is pretty stupid/irresponsible...
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1 [mailto:
> > > FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio
> > > Alvarez
> > > Sent: Monday, September 24, 2012 11:23 AM
> > > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > > Subject: Re: [FW-1] Setup of Remote VPN on R75+
> > >
> > > AFAIK, you need TCP/443 when you enable "visitor mode", which
> > > basically makes the clients establish an SSL connection first and
> > > encapsulates IPSec inside that.
> > > It is meant to avoid connectivity issues for users located on
> > > public sites, where only http/https is allowed to restrict
> > > Internet use to browsing only.
> > > I would say, try other "advanced connectivity" features, such as
> > > TCP encapsulation.
> > >
> > > On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> > >
> > > > > "fw ctl zdebug drop" displays ALL drops...I need a way to further filter
> > > > > out the drops because there's too many drops to see the one(s) I want.
> > > > fw ctl zdebug drop | grep myipaddress
> > > > > In the global properties there is no specific "IKE" property. All
> > > > > control connections are allowed First.
> > > > >
> > > > > Well, you use "client encrypt" in the action column in order to make
> > > > > remote access work...what do you suggest?
> > > > set the user@at in the source, then restrict rule to apply only
> > > > on remoteaccess community.
> > > > (but it requires the policy to be moved to simplified mode).
> > > >
> > > > I think I read somewhere that Secure Client/Remote requires port
> > > > 443 to be open on the firewall...which I don't understand why
> > > > that would be a requirement when HTTPS is necessary for web
> > > > server applications...anyway...is there a way to make Secure
> > > > Client/Remote connect at a different port (I suspect so - how do
> > > > you do so)?
> > > >
> > > > I don't like simplified mode...so how do you configure the rule
> > > > policy for secure remote connections for traditional mode?
> > >
> > > Scanned by Check Point Total Security Gateway.
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > lists...@amadeus.us.checkpoint.com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list, please see the instructions
> > > at http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your subscription
> > > options, email fw-1-ow...@ts.checkpoint.com
> > > =================================================
> > >
> >
> >
> >
> > --
> > Sergio Alvarez
> > CISSP | CCSE+
> >
> >
> >
>
>
>
> --
> Sergio Alvarez
> CISSP | CCSE+
>
>
>



--
Sergio Alvarez
CISSP | CCSE+
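Two checks come up repeatedly in this thread: whether the only thing the gateway ever sees from the remote client is HTTPS (Sergio's sign that the client is still negotiating in Visitor Mode) and whether a port NAT for 80/443 on the firewall's own external IP will grab that traffic before the VPN does (the point in the top message). The script below is an added example, not code from the list or from Check Point; it runs over constructed log lines, and the port numbers it uses for the other transports (UDP/500 IKE, UDP/4500 NAT-T, UDP/2746 Check Point UDP encapsulation, TCP/500 IKE over TCP) are my assumptions of the defaults, not values stated in the thread.

```python
# Added example, not code from the thread or from Check Point: classify remote-access
# VPN attempts in (constructed) gateway log lines by the transport the client is using.
import re

# Transport ports are my assumptions of Check Point / IPsec defaults, not from the page.
TRANSPORTS = {
    ("tcp", 443): "visitor-mode (IPsec over SSL)",
    ("udp", 500): "IKE (native)",
    ("udp", 4500): "NAT-T UDP encapsulation",
    ("udp", 2746): "Check Point UDP encapsulation",
    ("tcp", 500): "IKE over TCP",
}
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+proto=(\w+)\s+dport=(\d+)\s+action=(\w+)")

def parse(lines):
    """Yield (src, dst, proto, dport, action) for every log line that matches."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            src, dst, proto, dport, action = m.groups()
            yield src, dst, proto.lower(), int(dport), action.lower()

def triage(lines, gateway_ip, nat_ports_on_gateway_ip=()):
    """Per client IP: transports tried, drops seen, and TCP ports a gateway-IP port NAT steals."""
    report = {}
    for src, dst, proto, dport, action in parse(lines):
        name = TRANSPORTS.get((proto, dport))
        if dst != gateway_ip or name is None:
            continue  # only VPN transports aimed at the gateway itself count
        entry = report.setdefault(src, {"transports": [], "dropped": [], "hijacked": []})
        if name not in entry["transports"]:
            entry["transports"].append(name)
        if action == "drop":
            entry["dropped"].append((proto, dport))
        if proto == "tcp" and dport in nat_ports_on_gateway_ip and dport not in entry["hijacked"]:
            entry["hijacked"].append(dport)  # the port NAT rule will match before the VPN does
    return report

def stuck_in_visitor_mode(entry):
    """True when the client only ever spoke TCP/443: no IKE and no encapsulation attempt."""
    return entry["transports"] == ["visitor-mode (IPsec over SSL)"]

# Constructed sample: 198.51.100.1 is the gateway, 198.51.100.5 a NATed web server behind it.
SAMPLE_LOG = """\
src=203.0.113.10 dst=198.51.100.1 proto=TCP dport=443 action=accept
src=203.0.113.10 dst=198.51.100.1 proto=TCP dport=443 action=accept
src=203.0.113.20 dst=198.51.100.1 proto=UDP dport=500 action=accept
src=203.0.113.20 dst=198.51.100.1 proto=UDP dport=4500 action=drop
src=203.0.113.30 dst=198.51.100.5 proto=TCP dport=443 action=accept
""".splitlines()
```

Run `triage(SAMPLE_LOG, "198.51.100.1", nat_ports_on_gateway_ip=(80, 443))`: the first client shows only Visitor Mode and a hijacked 443, the second is doing native IKE with its NAT-T packets dropped, and the web-server traffic is ignored.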





