SNX stands for "SSL Network Extender". It is a feature that allows you to establish SSL VPNs through a portal hosted on the gateway, but it does encapsulate an IPSec tunnel within SSL, which lets you have the features of SSL VPN (without having to previously install a VPN Client on each user's laptop) and the flexibility of a regular IPSec VPN, which allows access to any client/server application and not just "web-able" applications, as happens with regular SSL solutions.
SNX does require extra licensing; it used to be a feature by itself, but it is now considered part of the Mobile Access Blade.

On Fri, Sep 28, 2012 at 9:03 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> No, Visitor mode is NOT required as per that guide and a few others I've read (please refer to the note about SecuRemote). Anyway, everything is set according to the documentation (including that guide). Yes, I'm using the FW's external IP for everything (including HTTP/S). I've disabled the NAT for every test... No special license is required for SecuRemote... I have recently tried the R60 version of SecuRemote/Client and it does not connect. I'm not sure what SNX is?
>
> Any other ideas?
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Gary Scott
> Sent: Thursday, September 27, 2012 10:25 AM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> Visitor mode is required to be enabled on the gateway for the E75.20 client to work; check the admin guide specific for this client, CP_E75.20_Remote_Access_Clients_Admin_Guide.pdf. To be clear, are you using the FW's external IP for port NAT for http/https? If so, then this needs to be disabled. Disabling http/https NAT for any other external IPs you have, I don't think this would have any bearing on this; not something I would consider doing... that would be just crazy. Do you have the proper license in place? I would try a 32-bit SC R60 client just to make sure basic IPSEC VPN/office mode/etc. were functioning properly; you could also enable SNX, if licensed for it, and check if you can https through a browser.
>
> ________________________________
> From: Nathan Hawkins <na...@thfcom.com>
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Sent: Thursday, September 27, 2012 8:23 AM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> Well... the R60 client won't work on the machines I support because they are all 64-bit and the R60 client is 32-bit only. Whenever someone has something to suggest trying, I disable all NATing for HTTP/S to the web servers, because so far I have yet to make the VPN client even create the site, let alone work... I guess I'll switch to simplified mode when it presents itself as the better way to go. So far it has not.
>
> Any suggestions as to what to try next?
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Gary Scott
> Sent: Wednesday, September 26, 2012 8:27 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> The E7x clients do operate a bit differently than the older R60 IPSEC client; I think the initial https connections from the client are for auth purposes, a change from the older hybrid mode auth. Even though no longer supported, can you connect with the R60 client? Unless using visitor mode it will do native IPSEC with no SSL. Make sure your 443 port is not being stepped on by anything else; also have the proper license(s) in place. Office mode was a freebie for the R60 client but no longer the case for the E7x client, which is a shame for such a needed feature. You still have complete control using simplified mode; it is just a mode to simplify the configuration of multiple VPN sites and a few other things. Once you get over the sticker shock you will see simplified mode is the way to go.
>
> -GS
>
> ________________________________
> From: Nathan Hawkins <na...@thfcom.com>
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Sent: Wednesday, September 26, 2012 2:23 PM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> All of that was already set (checked) and applied to the GW.
>
> On the client (E75.20 is currently installed), what I see at the FW and other logs I'm using to troubleshoot this is only HTTP/HTTPS connections, and I can't configure anything else because when I go to create a new site it fails and won't continue to configure anything. All I get is a back / cancel / help (which brings up the help file) button.
>
> If I must, I'll change to simplified mode, but I like traditional because I don't like anything to be automatic. I like complete control over everything.
>
> I appreciate your help! I hope we can fix this...
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
> Sent: Wednesday, September 26, 2012 12:14 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] Setup of Remote VPN on R75+
>
> Global Properties > Remote Access > VPN Auth and Encryp > IKE over TCP
> -----> here you enable support for TCP encapsulation on the gateway
>
> Gateway Properties > IPSec VPN > Remote Access > Support NAT Traversal
> -----> here you enable support for a proprietary UDP encapsulation on the gateway.
>
> Now, on the client side you must enable these also, otherwise the client won't try to use them when trying to establish the VPN. Now, I unfortunately don't have an installation of the new versions of the VPN clients handy, but on the old ones, I remember you go to Settings > Properties of the Site > Advanced and you configure there the use of TCP and/or UDP encapsulation (also enable/disable Visitor mode).
>
> If you are still seeing HTTPS from the client IP and destined to the firewall in your logs, then your client is still trying to use "Visitor Mode".
>
> Finally, you will find more help from people, forums and documentation if you turn to simplified VPN mode; traditional mode is pretty old.
>
> On Wed, Sep 26, 2012 at 10:12 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> > Actually I see the FW external IP used frequently, but that's not relevant here.
> >
> > Please explain where I would involve TCP encapsulation - I've looked around for anything that would re-designate a way for Secure Client to make a connection and nothing has worked so far.
> >
> > I have mentioned (at least once, in my initial post) that in Logviewer all I see are accepts for HTTP/HTTPS.
> >
> > I have also explained in a recent post that I don't see any drops at the console (CLI) for the SIP of where the remote client is coming from.
> >
> > Yes - I have read the Admin Guide for R75.20 - several times actually... It's not that helpful...
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
> > Sent: Wednesday, September 26, 2012 10:12 AM
> > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > Subject: Re: [FW-1] Setup of Remote VPN on R75+
> >
> > Well, usually the firewall public IP is not used to statically NAT web servers, so regularly this is not an issue... anyway.
> >
> > I have mentioned already that you could try using something else like TCP encapsulation; have you tried that?
> >
> > So far you have not mentioned anything about the logs... have you checked them? What do they say for connection attempts from a test VPN client user?
> >
> > I see that before someone else explained to you how to use debugging with a filter to check for drops on the firewall; have you tried that?
> >
> > Have you read the "VPN Admin Guide" PDF document?
> >
> > On Wed, Sep 26, 2012 at 8:34 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> > > Because HTTP/HTTPS is used for web servers - almost exclusively. I can't believe that I'm supporting the only company on Earth who uses Checkpoint at the edge with web servers that need ports 80 and 443 opened and NATed to them without the FW intercepting that traffic for Remote VPN connectivity.
> > >
> > > In R60-65 Remote Access VPN was initiated on ports other than 80/443 and it worked great... even for visitor mode...
> > >
> > > Okay. I'll disable visitor mode because it's not necessary, but it's still not connecting - so what now?
> > >
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
> > > Sent: Wednesday, September 26, 2012 9:11 AM
> > > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > > Subject: Re: [FW-1] Setup of Remote VPN on R75+
> > >
> > > As said... it uses TCP/443 when you enable the feature called "Visitor Mode". You can choose to use UDP or TCP encapsulation and that would make it work on other ports.
> > >
> > > In any case, I don't see how using a well-used port would be "stupid/irresponsible".
> > >
> > > On Wed, Sep 26, 2012 at 7:50 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> > > > There has to be a way to set Secure Client to connect at a port (or ports) other than port 80 and 443... That it requires those ports is pretty stupid/irresponsible...
> > > >
> > > > -----Original Message-----
> > > > From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Sergio Alvarez
> > > > Sent: Monday, September 24, 2012 11:23 AM
> > > > To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> > > > Subject: Re: [FW-1] Setup of Remote VPN on R75+
> > > >
> > > > AFAIK, you need TCP/443 when you enable "visitor mode", which basically makes the clients establish an SSL connection first and encapsulates IPSec inside that.
> > > > It is meant to avoid connectivity issues for users located on public sites, where only http/https is allowed to restrict Internet use to browsing only.
> > > > I would say, try other "advanced connectivity" features, such as TCP encapsulation.
> > > >
> > > > On Mon, Sep 24, 2012 at 10:08 AM, Nathan Hawkins <na...@thfcom.com> wrote:
> > > > > > "fw ctl zdebug drop" displays ALL drops... I need a way to further filter out the drops because there's too many drops to see the one(s) I want.
> > > > > fw ctl zdebug drop | grep myipaddress
> > > > >
> > > > > > In the global properties there is no specific "IKE" property. All control connections are allowed First.
> > > > >
> > > > > > Well, you use "client encrypt" in the action column in order to make remote access work... what do you suggest?
> > > > > Set the user@at in the source, then restrict the rule to apply only on the remoteaccess community.
> > > > > (but it requires the policy to be moved to simplified mode).
> > > > >
> > > > > I think I read somewhere that Secure Client/Remote requires port 443 to be open on the firewall... which I don't understand why that would be a requirement when HTTPS is necessary for web server applications... anyway... is there a way to make Secure Client/Remote connect at a different port (I suspect so - how do you do so)?
> > > > >
> > > > > I don't like simplified mode... so how do you configure the rule policy for secure remote connections for traditional mode?
> > > >
> > > > Scanned by Check Point Total Security Gateway.
> > > >
> > > > =================================================
> > > > To set vacation, Out-Of-Office, or away messages, send an email to lists...@amadeus.us.checkpoint.com
> > > > in the BODY of the email add:
> > > > set fw-1-mailinglist nomail
> > > > =================================================
> > > > To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
> > > > =================================================
> > > > If you have any questions on how to change your subscription options, email fw-1-ow...@ts.checkpoint.com
> > > > =================================================
> > >
> > > --
> > > Sergio Alvarez
> > > CISSP | CCSE+
--
Sergio Alvarez
CISSP | CCSE+
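An added example (not from the list thread or from Check Point) that applies the advice given above on reading the gateway logs: if the only thing logged from the client to the firewall is TCP/443, the client is still trying Visitor Mode, while a drop on an IKE or encapsulation port is what to chase with a filtered `fw ctl zdebug drop`. The port-to-transport mapping (TCP/500 for IKE over TCP, UDP/2746 for the proprietary UDP encapsulation, UDP/500 and UDP/4500 for native IKE and NAT-T) and the log lines are assumptions constructed for the example, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample log (not real gateway output), loosely modelled on a
# SmartView Tracker export: action;src;dst;proto;dport
SAMPLE_LOG = """\
accept;203.0.113.10;198.51.100.1;tcp;443
accept;203.0.113.10;198.51.100.1;tcp;80
accept;203.0.113.10;198.51.100.1;tcp;443
drop;203.0.113.10;198.51.100.1;udp;500
accept;192.0.2.44;198.51.100.1;udp;2746
accept;192.0.2.44;198.51.100.1;udp;4500
accept;198.18.0.5;198.51.100.1;tcp;443
"""

# Assumed transport signatures (not stated in the thread): the ports a Check
# Point remote-access client is expected to use for each connectivity method.
VISITOR = "visitor mode (SSL)"
TRANSPORTS = {
    ("tcp", 443): VISITOR,
    ("tcp", 500): "IKE over TCP",
    ("udp", 2746): "UDP encapsulation (NAT traversal)",
    ("udp", 500): "native IKE",
    ("udp", 4500): "IKE NAT-T",
}

LINE_RE = re.compile(r"^(accept|drop|reject);([\d.]+);([\d.]+);(tcp|udp);(\d+)$")

def parse_log(text):
    """Return (action, src, dst, proto, dport) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            action, src, dst, proto, dport = m.groups()
            entries.append((action, src, dst, proto, int(dport)))
    return entries

def transports_for(entries, client_ip, gateway_ip):
    """Count (transport label, action) pairs for traffic from client_ip to gateway_ip."""
    seen = Counter()
    for action, src, dst, proto, dport in entries:
        if src == client_ip and dst == gateway_ip:
            label = TRANSPORTS.get((proto, dport), f"other {proto}/{dport}")
            seen[(label, action)] += 1
    return seen

def diagnose(entries, client_ip, gateway_ip):
    """One-line verdict following the thread's advice on reading the gateway logs."""
    seen = transports_for(entries, client_ip, gateway_ip)
    accepted = {label for (label, action) in seen if action == "accept"}
    dropped = {label for (label, action) in seen if action != "accept"}
    tunnel_ok = {t for t in accepted if t in TRANSPORTS.values() and t != VISITOR}
    if tunnel_ok:  # an IKE/encapsulation transport got through: not a port problem
        return "tunnel transport accepted: " + ", ".join(sorted(tunnel_ok))
    if dropped & set(TRANSPORTS.values()):  # next step: fw ctl zdebug drop filtered on the IP
        return "IKE/encapsulation dropped: " + ", ".join(sorted(dropped))
    if VISITOR in accepted:  # only TCP/443 seen: the client never left Visitor Mode
        return "client still trying visitor mode; check client-side TCP/UDP encapsulation settings"
    return "no remote-access traffic from client"
```

Call `diagnose(parse_log(text), client_ip, gateway_ip)` on an export with the same five fields; a real log export will need the regex adjusted to its column layout.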