AFAIK, you need TCP/443 when you enable "visitor mode", which basically
makes the clients establish an SSL connection first and encapsulates
IPSec inside that.
It is meant to avoid connectivity issues for users located on public sites,
where only http/https is allowed to restrict Internet use to browsing only.
I would say, try other "advanced" connectivity features, such as TCP
encapsulation.

On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins <na...@thfcom.com> wrote:

> > "fw ctl zdebug drop" displays ALL drops...I need a way to further filter
> out the drops because there's too many drops to see the one(s) I want.
> fw ctl zdebug drop  | grep myipaddress
> > In the global properties there is no specific "IKE" property. All
> control connections are allowed First.
> >
> > Well,  you use "client encrypt" in the action column in order to make
> remote access work...what do you suggest?
> set the user@at in the source, then restrict rule to apply only on
> remoteaccess community.
> (but it requires the policy to be moved to simplified mode).
>
> I think I read somewhere that Secure Client/Remote requires port 443 to be
> open on the firewall...which I don't understand why that would be a
> requirement when HTTPS is necessary for web server
> applications...anyway...is there a way to make Secure Client/Remote connect
> at a different port (I suspect so - how do you do so)?
>
> I don't like simplified mode...so how do you configure the rule policy for
> secure remote connections for traditional mode?
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to lists...@amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-ow...@ts.checkpoint.com
> =================================================
>



-- 
Sergio Alvarez
CISSP | CCSE+
