Jim,

Just add a rule above the one that you have which uses
the HTTP security server. This will bypass the HTTP
security server, and you'll be working fine again.

I did this. I created a group called BypassHS (bypass
Http Security), and put sites like hotmail into it.

Security policy is something like this:

[internal nets] - [BypassHS] - [HTTP]
[internal nets] - [Any] - [http->uri_svc]

Make sense? Hope so. There may be something on this at
www.phoneboy.com

Good Luck! -- cf
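The ordering point cf makes is easy to check by simulating FireWall-1's first-match rule evaluation. This is an added example, not code from either poster: the internal network, the BypassHS group members and the rule tuples are constructed for illustration, and a service written as "svc->resource" stands for a rule that hands the connection to the HTTP Security Server.

```python
"""Added example (not from the original post): first-match rulebase
evaluation showing why the BypassHS rule must sit ABOVE the rule that
uses the http->uri_svc resource. All values below are constructed."""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # constructed
GROUPS = {"BypassHS": {"www.hotmail.com", "hotmail.com"}}    # constructed

# Rules are (source, destination, service). FW-1 walks the rulebase top
# to bottom; the first rule whose columns all match decides the connection.
POLICY_CF = [
    ("internal nets", "BypassHS", "HTTP"),        # plain HTTP, no security server
    ("internal nets", "Any", "http->uri_svc"),    # URI resource -> HTTP Security Server
]
POLICY_JIM = [POLICY_CF[1]]                       # only the resource rule
POLICY_REVERSED = [POLICY_CF[1], POLICY_CF[0]]    # bypass rule placed too low


def _src_matches(column, src_ip):
    if column == "Any":
        return True
    return any(ipaddress.ip_address(src_ip) in net for net in INTERNAL_NETS)


def _dst_matches(column, dst_host):
    return column == "Any" or dst_host in GROUPS.get(column, set())


def first_match(policy, src_ip, dst_host):
    """Return the first matching rule, or None for the implicit drop."""
    for rule in policy:
        src, dst, _service = rule
        if _src_matches(src, src_ip) and _dst_matches(dst, dst_host):
            return rule
    return None


def uses_security_server(policy, src_ip, dst_host):
    """True when the matching rule's service is a resource (svc->resource),
    i.e. the connection is handed to the HTTP Security Server."""
    rule = first_match(policy, src_ip, dst_host)
    return rule is not None and "->" in rule[2]


if __name__ == "__main__":
    for name, policy in [("cf", POLICY_CF), ("jim", POLICY_JIM), ("reversed", POLICY_REVERSED)]:
        print(name, "hotmail via security server:",
              uses_security_server(policy, "10.1.2.3", "www.hotmail.com"))
```

With cf's ordering only the BypassHS hosts skip the resource rule; every other destination still reaches http->uri_svc, and a rule placed below the resource rule is never reached.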


--- "Becker, Jim" <[EMAIL PROTECTED]> wrote:
> 
> I recently introduced a URI resource, marking the
> first time the HTTP
> Security Server needed to do anything on my
> firewall. I had two problems as
> a result. I found little help at first (and Check
> Point's tech support was
> rather useless), but I finally believe I know what's
> going on. I offer these
> FYI and in case someone can offer further solutions
> or work-arounds.
> 
> First, I found that internal users could no longer
> reach external Hotmail
> accounts using Outlook Express. This is an http
> connection, not a pop3
> connection. Apparently, the HTTP Security Server was
> inspecting all http
> connections, not just the ones that would have
> matched the rule I
> introduced. Hotmail must be doing some non-standard
> http, because in the
> firewall log I see a Rule 0 reject (http) because of
> a "Malformed request."
> That is, the security server is deciding to chuck
> the connection even though
> my rules would have allowed an http connection to
> that site.
> 
> When we disabled the new rule, Hotmail was fine
> again. When we re-enabled
> the rule, Hotmail broke again. I have no good
> work-around. The security
> server was introduced for a real purpose, but we
> have a few people who have
> a defensible need for access to Hotmail. So far, I
> can't have it both ways.
> 
> Check Point's tech support took a while even to
> understand the question, and
> then they said the Hotmail URL must be matching
> something in the rule (it
> doesn't) or in a UFP server (which I'm not using).
> 
> I've seen the next issue posted in a few places, but
> it took a while to find
> a good explanation. Intermittently, internal users
> visiting external web
> pages get a response page along these lines: "FW-1
> at <firewall>: Unable to
> connect to WWW server." I finally found a good
> explanation here:
> http://www.websense.com/support/platform/display.cfm?id=10
> 
> The work-around is simply to hit shift-refresh in
> the browser until the real
> page shows up -- or to disable any rules that need
> the http security server.
> 
> Check Point's tech support had assured me this
> problem had nothing to do
> with the firewall.
> 
> --
> Jim Becker
> The Urban Institute (http://www.urban.org/)
> DECUS ESILUG (http://eisner.decus.org/lugs/esilug/) 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
> ================================================================================



