Hi Aleks,
 We have also implemented said solution with other clients with much
success. This particular install, however, is not so lucky.
 At first, we did have SIC established, but all clients would get
quarantined even if the Integrity client is installed. Reason for the
block/quarantine is "Client does not have Integrity installed." So we tried
to re-init SIC, and now we cannot. We did uninstall IAS 6 and went to IAS
5.1, and it worked fine -- SIC established right away.
 The SK30075 describes this issue we are having and the solution says,
"Solution available, currently under investigation."
 Can you give me a quick description of the network configuration you used?
 The Integrity portion of this project works great. Awesome product!
 Thank you very much,
Neil Delacruz

 On 11/8/05, Aleks Feltin <[EMAIL PROTECTED]> wrote:
>
> Hello there!
>
> We have successfully managed to combine the stuff and achieved the
> functionality of the Cooperative Enforcement. Also we have used the same
> hardware as well as software as you have.
> Deployment process went just fine. During the testing phase we
> encountered a similar malfunction of the Cooperative Enforcement. (SIC was
> successfully established, and clients were communicating with the IAS).
> After restarting the Interspect appliance everything went just fine. It
> is also noticeable that after pulling the cert the Interspect gateway's
> certificate appeared among the other certificates on the IAS in the
> certificate section.
>
> best regards,
>
> Aleks
>
> fwguru wrote:
>
> >Fellow Gurus,
> > Have any of you implemented Integrity Server with InterSpect using
> >Cooperative Enforcement? We need some help trying to figure out the problem
> >we are having. Environment is InterSpect Appliance 210 running InterSpect
> >2.0 HF1 and Integrity 6.0 server is running on Windows 2003 SP1.
> > We are having an issue where any traffic from the protected zone traversing
> >the InterSpect box gets quarantined or blocked (depending on policy). Reason
> >is "Client does not have Integrity Client installed" and that is not true.
> >The client does have Integrity installed and the client is communicating
> >just fine with the Integrity Server.
> > The Integrity box and the InterSpect box can ping each other. I think the
> >fundamental problem is the SIC between the Integrity and the InterSpect
> >boxes. It should be a very simple process that we are following correctly;
> >however, the Integrity box never pulls the SIC cert from the InterSpect box.
> >In fact, we run fw monitor on the InterSpect box listening for traffic
> >between Integrity and ISpect. When we create the Gateway Entity object on
> >the Integrity box and click save, we see traffic from Integrity to ISpect on
> >dst port 5054. We are expecting it to communicate on port 18210
> >(fw1_ica_pull) to pull the cert, but this is not the case. The ISpect box
> >responds with a RST/ACK when it receives the 5054 comm (3-way handshake not
> >established).
> > Any clues as to why Integrity wants to pull a cert over port 5054 instead
> >of 18210? Is there another way to initialize SIC between these two boxes? By
> >the way, there is no way (that I know of) to test SIC from an InterSpect box
> >(there is no "test SIC" button). And you can't run any SIC commands on the
> >ISpect box, either.
> > Also, if we turn off Cooperative Enforcement everything is fine -- clients
> >can communicate from protected zone to backbone and beyond.
> > Any help would be appreciated.
> > Warm regards,
> >Neil Delacruz
> >
> >=================================================
> >To set vacation, Out-Of-Office, or away messages,
> >send an email to [EMAIL PROTECTED]
> >in the BODY of the email add:
> >set fw-1-mailinglist nomail
> >=================================================
> >To unsubscribe from this mailing list,
> >please see the instructions at
> >http://www.checkpoint.com/services/mailing.html
> >=================================================
> >If you have any questions on how to change your
> >subscription options, email
> >[EMAIL PROTECTED]
> >=================================================
> >
> >
>
