Thanks Ray, but we'd already been there (take a look at the tail end of
the post; we already have it working over TCP, which is what is
referenced in the KB you sent). We're trying to get the firewall to pass
88/UDP through the tunnel, not convert all of our workstations over to
use 88/TCP...

Craig

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Ray P.
Sent: Friday, December 05, 2003 8:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Keberos V5 though client VPN

http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474 and its
related link should do it.

Ray

>From: Craig Baltzer <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1
><[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [FW-1] Keberos V5 though client VPN
>Date: Fri, 5 Dec 2003 19:31:54 -0500
>
>We're having an issue where we're unable to successfully perform
>Kerberos authentication through a VPN connection. Environment is
>CheckPoint NG (Nokia) with the latest Checkpoint VPN client. Clients are
>a mixture of Windows 2000 Pro and Windows XP. Servers are Windows 2003
>(Kerberos V5). The configuration is basically an Internet connected
>client establishing a VPN connection via the NG VPN client back to a
>Nokia NG firewall which protects the corporate network hosting the
>Windows 2003 server.
>
>When attempting a connection, we see a Kerberos request over 88/UDP with
>a destination of a Kerberos KDC. It shows in the client log, however it
>never appears in the firewall log and nothing reaches the KDC server.
>Switching the client to use Kerberos 88/TCP fixes the problem, however
>we're reluctant to modify all of our clients to use TCP (a ton of
>clients to update, overhead concerns with a large number of TCP sessions
>setups/teardowns needed for KDC operators, and a desire to generally
>stay with the standard (RFC 1510) method of doing Kerberos over UDP).
>
>What do we need to change on the firewall to get it to pass Kerberos
>88/UDP inside a VPN connection?
>
>Thoughts/hints appreciated.
>
>Thanks
>
>Craig
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================
