Mike,
You can license any interface you wish, if you're not going
to use SecuRemote or SecureClient VPN software.
With that said, you still can license an internal interface
and use SR/SC, but you would need to modify the client's
userc.C file after every topology update on the client. The
reason being, that when you do an update, the fwmgr sends
the licensed address to the client and it needs to be changed
to the real external IP of the enforcement point. I currently
work in this fashion since I find it easy to modify. BTW, you
need to bounce the SR/SC software in order to reread the
userc.C after your changes to the userc.C config file.
The interface considered external is the one listed in the
$FWDIR/conf/external.if file. Generally it's the one facing
your ISP. In your case, you get to choose (but the user count
may help determine that for you).
Another point on licensing is to consider the following. If you think
that you will be switching ISPs more often than switching/upgrading
the fw hardware, then I would license the hostid of the system(s). If
you feel that the hardware you're using will hold up for a while, then
licensing the IP address is the way to go. There are tools out there
to change the hostid of a system. I've not attempted to license
an NT system on its hostid name, which is supposedly the
NetBIOS or machine name.
I found licensing the private internal IP the easiest and it allows
me the ability to switch hardware and/or ISP without the hassles
of relicensing at Checkpoint's site, which they allow you to do a
second time without having to speak with them on the phone. After
the second time, they want to know why you're switching so much.
As for setting up SecuRemote, see www.phoneboy.com/fw1 or
see the old Checkpoint/~joe FAQs/public configuration docs at
(may be wrapped):
http://support.checkpoint.com/service/publisher.asp?id=55.0.4222079.2607206
Robert
- -
Robert P. MacDonald
Global Infrastructure Group, Haworth, Inc.
Voice: +1.616.393.1247
email: [EMAIL PROTECTED]
>>> "Mike M. Quimson" <[EMAIL PROTECTED]> 02/21/01 08:49PM >>>
>Hi there,
> I'm just wondering... should the Checkpoint license always be bound
>to the valid or external IP address (IP address of the untrusted
>domain)? If I use Checkpoint firewall on a network that is not
>connected to the internet and uses private IP addresses, what IP address
>will I give to Checkpoint for licensing? Will the license affect the
>functionality of the firewall with regards to VPN clients considering
>that I get unlimited user license?
>
>Lastly, is there any site that provides info in setting up SecuRemote?
>
>Thanks in advance,
>
>mike