I thought I'd follow myself up since I've had a couple of responses OOB. The address cut over without a single problem. Everyone stayed connected, nothing crashed. An ancient evil did rise from the watery deep but I gave it some coconut shrimp and it was cool. -- be - MOS
Innovation is hard to schedule. --Dan Fylstra

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of East, Bill
> Sent: Thursday, November 03, 2005 3:46 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Office Mode & SecureClient
>
> A belated follow-up....
>
> I'm wrestling with a similar problem which I believe is due to my firewall object having the internal address. My license is keyed to the external correctly, however.
>
> If I simply change the address in the object, do I expect the whole firewall to come crashing down? Rules to fail? Clients to disconnect? Ancient evils to rise from their watery slumber? Or should everything simply be ducky?
>
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Ray
> > Sent: Tuesday, October 11, 2005 7:12 PM
> > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > Subject: Re: [FW-1] Office Mode & SecureClient
> >
> > Does your firewall object have the external IP or the internal IP? It has to be the external IP.
> >
> > If it works with hub mode, that tells me it's a routing issue. SecureClient doesn't know how to find the policy server until it's already inside the firewall.
> >
> > Ray
> >
> > >From: cp user <[EMAIL PROTECTED]>
> > >Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
> > >To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > >Subject: Re: [FW-1] Office Mode & SecureClient
> > >Date: Tue, 11 Oct 2005 11:45:06 +0200
> > >
> > >May anyone please give me the steps to configure Office Mode-IP POOL on SecureClient R55?
> > >
> > >I tried to follow the steps described in the VPN-1 guide but I still have problems (my SecureClient cannot communicate with the policy server)!
> > >
> > >My architecture consists of the following:
> > >- some hosts on the LAN.
> > >- a SmartCenter server that lies on the LAN
> > >- a VPN-1 Pro gateway that has two interfaces: an external one and a local one (connected to the LAN)
> > >- a remote access client (the SecureClient) whose default gateway is set to the VPN-1 Pro gateway. I actually have no router.
> > >
> > >As David suggested, my VPN domain is actually a Group with exclusions. It is the LAN except the Office Mode IP POOL subnetwork addresses.
> > >
> > >I noticed that the tunnel test succeeds when I activate both Office Mode and Hub mode. But the tunnel test fails when I only activate Office mode. Communication with the policy server always fails.
> > >
> > >Kind regards
> > >
> > >--- "David S. Barker" <[EMAIL PROTECTED]> wrote:
> > >
> > > > I've been reading this thread and now I'm confused.
> > > >
> > > > Not on how this is supposed to work but how the terminology is being used; seems like POOL is being used to describe the encryption domain.
> > > >
> > > > When someone says POOL in reference to Check Point I'm thinking one of two things, IP POOL NAT or OFFICE MODE IP POOL. In the case of IP POOL NAT these can be used for Gateway to Gateway or for Remote Access. These are allowed as a global property (NAT) and then assigned on gateways; encrypted connections are translated to these ip addresses to help eliminate asynchronous routing.
> > > >
> > > > The only other mention of POOL has to do with Office mode IP POOL.
> > > >
> > > > Now, with Office Mode it is important that these networks are NOT part of your Remote access encryption domain. These addresses are assigned to your clients on the client side, so think of them as the Remote encryption domain. Also, if you want to use a subset of your existing internal address space for your Office Mode addresses then you need to also make sure that the topology for all of the internal interfaces does NOT include these networks. You can do this by using Groups with Exclusions. The exclusions will be the Office Mode networks.
> > > >
> > > > Finally, you'll have to make sure that if you use any generalized routes like 10/8 pointing to a router inside, and your office mode is 10.10.10.0/24, you'll have to specifically add a route on your gateways to not point 10.10.10.0/24 to the inside router. It doesn't really matter where you point the route as long as it's being reflected externally; in general I point this to the default gateway.
> > > >
> > > > As a general practice I use different Office Mode networks from my local networks/encryption domain networks so that I don't have to do this. With larger networks I had to use the Group with exclusions frequently.
> > > >
> > > > Also note if you're using both Office Mode and IP POOL NAT, by default the Office Mode addresses will be NATted to the IP POOL NAT addresses too. You can prevent this by creating a No NAT rule for the Office Mode Network, or by setting the om_prevent_ippool_nat_for_users property to true in the objects_5_0.C on the management server.
> > > >
> > > > Compuquip TECHNOLOGIES
> > > > "Providing Solutions Since 1980"
> > > >
> > > > David Barker
> > > > Senior Security Engineer
> > > > Internet Security Division
> > > >
> > > > Phone: 305.436.7272 X 1364
> > > > Fax: 305.436.9149
> > > > email:[EMAIL PROTECTED]
> > > >
> > > > -----Original Message-----
> > > > From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of cp user
> > > > Sent: Saturday, October 08, 2005 5:46 PM
> > > > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > > > Subject: Re: [FW-1] Office Mode & SecureClient
> > > >
> > > > Hi Bill,
> > > >
> > > > This means that the "POOL" network object (internal addresses that will be assigned to remote clients) is located in a group that is defined as VPN domain.
> > > >
> > > > --- Bill Smith <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > Hi there,
> > > > >
> > > > > what do you mean by network pool BEHIND YOUR VPN DOMAIN.
> > > > > Could you please expand a bit?
> > > > >
> > > > > Thx,
> > > > >
> > > > > Bill
> > > > >
> > > > > cp user <[EMAIL PROTECTED]> wrote:
> > > > > > Be sure to put your SecureClient NETWORK POOL behind your VPN Domain.
> > > > > > As Mike says it's probably "address spoofing".
> > > > >
> > > > > I set the SecureClient network pool behind my VPN domain but the problem is still here!! What may I do please?
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Sahli, Mike [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Thursday, October 06, 2005 07:42 a.m.
> > > > > > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > > > > > Subject: Re: [FW-1] Office Mode & SecureClient
> > > > > >
> > > > > > Your problem is probably "address spoofing"; check your logs for all traffic coming in from a known client that is failing.
> > > > > >
> > > > > > Michael D Sahli
> > > > > > Sr. Network Engineer
> > > > > > Lockheed Martin IT @ SMECO
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: cp user [mailto:[EMAIL PROTECTED]
> > > > > > Sent: Thursday, October 06, 2005 7:54 AM
> > > > > > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > > > > > Subject: [FW-1] Office Mode & SecureClient
> > > > > >
> > > > > > Hi list,
> > > > > >
> > > > > > I configured Office Mode with IP Pool on the gateway side.
> > > > > > Once I check "Support Office Mode" on my SecureClient, it can no longer log on to the policy server and download the policy. The "Connect" returns:
> > > > > > Connecting to gateway...
> > > > > > Negociation succeeded, tunnel test failed
> > > > > > Connected to gateway: MyGW
> > > > > > Login on to policy server MyServer...
> > > > > > Logon to policy server failed.
> > > > > > Connection succeeded.
> > > > > >
> > > > > > I try again to log on to the policy server. But this fails with the following message: "SecureClient failed to communicate with policy server MyServer at site MySite".
> > > > > >
> > > > > > Logs return:
> > > > > > Connecting to site MySite using profile MySite
> > > > > > Interface change: VPN-1 SecureClient Adapter - Miniport d'ordonnancement de paquets interface added, current ip: 192.168.34.65
> > > > > > Default Desktop Security Policy Loaded
> > > > > > SecureClient failed to communicate with Policy Server MyServer at site MySite
> > > > > > Successfully connected to site
> > > > > >
> > > > > > Any idea is welcome!
> > > > > >
> > > > > > Many thanks
> > > > > >
> > > > > > _____________________________________________________________
> > > > > > FREE audio calls anywhere in the world with the new Yahoo! Messenger. Download this version at http://fr.messenger.yahoo.com
> > > > > >
> > > > > > =================================================
> > > > > > To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED]
> > > > > > in the BODY of the email add:
> > > > > > set fw-1-mailinglist nomail
> > > > > > =================================================
> > > > > > To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
> > > > > > =================================================
> > > > > > If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
> > > > > > =================================================
> > > >
> > > >=== message truncated ===
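The rules David Barker gives in the quoted thread (keep the Office Mode pool out of the remote-access encryption domain and out of the internal interface topology, give the gateway a specific route for the pool that does not point at the inside router, and stop IP Pool NAT from translating Office Mode addresses) can be checked offline before a policy is pushed. The script below is an added illustration, not code from the list, from any poster, or from Check Point: the configuration dictionary, its keys, and the addresses (10.0.0.0/8 LAN behind an inside router at 10.0.0.1, pool 10.10.10.0/24 carved out of it, default gateway 203.0.113.1) are constructed for the example; only om_prevent_ippool_nat_for_users is a name taken from the thread. It expands a "group with exclusions" into concrete prefixes, does a longest-prefix route lookup for the pool, and reports every rule the design breaks.

```python
"""Offline sanity checks for an Office Mode design, following the advice quoted
in the thread. Constructed example data; nothing here reads a real policy."""
from ipaddress import ip_network


def effective_domain(members, exclusions):
    """Expand a 'group with exclusions' into the concrete prefixes it covers.
    Two IPv4 prefixes that overlap always nest, so address_exclude() can carve
    each exclusion out of the member that contains it."""
    covered = []
    for member in members:
        pieces = [member]
        for excl in exclusions:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(excl):
                    continue                                  # fully excluded
                if excl.subnet_of(piece):
                    remaining.extend(piece.address_exclude(excl))
                else:
                    remaining.append(piece)                   # no overlap
            pieces = remaining
        covered.extend(pieces)
    return sorted(covered)


def overlapping(pool, prefixes):
    """Prefixes that share at least one address with the Office Mode pool."""
    return [p for p in prefixes if pool.overlaps(p)]


def route_for(routes, pool):
    """Longest-prefix match for the pool on a list of (prefix, next_hop)."""
    best = None
    for prefix, next_hop in routes:
        if pool.network_address in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def check_office_mode(cfg):
    """Return the list of rules the design breaks; empty means it follows the thread's advice."""
    pool = cfg["office_mode_pool"]
    findings = []

    hit = overlapping(pool, effective_domain(cfg["vpn_domain_members"], cfg["vpn_domain_exclusions"]))
    if hit:
        findings.append(f"pool {pool} is inside the remote-access encryption domain via {hit}")

    hit = overlapping(pool, cfg["internal_topology"])
    if hit:
        findings.append(f"pool {pool} is covered by internal interface topology {hit} (the thread's address-spoofing symptom)")

    route = route_for(cfg["routes"], pool)
    if route is None:
        findings.append(f"gateway has no route for {pool}")
    elif route[1] == cfg["inside_router"]:
        findings.append(f"route {route[0]} via {route[1]} sends pool traffic to the inside router")

    if cfg["ip_pool_nat"] and not (cfg["om_prevent_ippool_nat_for_users"] or cfg["no_nat_rule_for_pool"]):
        findings.append("Office Mode addresses will also be translated by IP Pool NAT")
    return findings


# Constructed scenario matching the 10/8 example in the thread, as first built:
# the LAN is 10.0.0.0/8 behind an inside router, and the pool is a subset of it.
BROKEN = {
    "office_mode_pool": ip_network("10.10.10.0/24"),
    "vpn_domain_members": [ip_network("10.0.0.0/8")],
    "vpn_domain_exclusions": [],
    "internal_topology": [ip_network("10.0.0.0/8")],
    "routes": [(ip_network("10.0.0.0/8"), "10.0.0.1"), (ip_network("0.0.0.0/0"), "203.0.113.1")],
    "inside_router": "10.0.0.1",
    "ip_pool_nat": True,
    "om_prevent_ippool_nat_for_users": False,
    "no_nat_rule_for_pool": False,
}

# The same design after applying the thread's advice: exclude the pool from the
# domain and the interface topology, add a specific route to the default gateway,
# and set the property that keeps IP Pool NAT off Office Mode users.
FIXED = dict(
    BROKEN,
    vpn_domain_exclusions=[ip_network("10.10.10.0/24")],
    internal_topology=effective_domain([ip_network("10.0.0.0/8")], [ip_network("10.10.10.0/24")]),
    routes=BROKEN["routes"] + [(ip_network("10.10.10.0/24"), "203.0.113.1")],
    om_prevent_ippool_nat_for_users=True,
)

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"{name}: {check_office_mode(cfg) or 'no findings'}")
```

Run stand-alone it prints four findings for the first design and none for the second. The interface-topology check is the one to run first when the symptom is the "address spoofing" drop mentioned in the thread; the route check catches the case where everything is defined correctly in SmartCenter but the gateway's own routing table still hands 10.10.10.0/24 to the inside router.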