We need to be able to initiate a SecureClient Office Mode connection from
within the VPN Domain for a couple of reasons. The first is initial setup of
a computer. A second is allowing access to the firewall from an unknown IP
address.

I have the ipassignment.conf file in R55 HFA06 set up to always assign the
firewall administrators a particular Office Mode address and these addresses
are allowed access to the firewall and management server. When I'm
travelling at a remote company location, I can fire up SecureClient from
within the VPN Domain and gain access to the firewall and management
station. It works perfectly.

Almost.

When the topology of the internal interface is set and anti-spoofing is
checked, Office Mode IPs originating from the VPN Domain get dropped as
"message_info: Address spoofing". The tunnel test fails and the logon to the
policy server fails. Check Point's sk25656 article titled "Office Mode
functionality when connecting from internal DMZ" says the problem is that
the Policy Server only listens on external interfaces and that the
workaround is to redefine the DMZ interface as an external interface.

While this does work, turning off anti-spoofing on the DMZ interface also
works, apparently showing that the Policy Server does listen on other
interfaces.

Unfortunately, redefining the primary internal interface as an external
interface probably isn't a really good idea.  :-)

Even more unfortunately, I can't push a policy to an Edge box if
anti-spoofing is turned off on any interface, because the policy push whines
about it and fails.

So, I'm now having to quickly enable anti-spoofing on the internal
interface, push the policy to the Edge box and main gateway, turn off
anti-spoofing on the internal interface and re-push the policy to just the
main gateway again. And I can't do this from a remote company location
because enabling anti-spoofing on the internal interface drops me as a
spoof.

If anybody knows how to make R55 not drop Office Mode IP addresses from
other than external interfaces, it would be greatly appreciated if you could
let me in on the secret.

Thanks,

Ray
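As an added illustration (not part of Ray's post and not Check Point code), the following is a deliberately simplified model of per-interface anti-spoofing that reproduces the three situations described above: the Office Mode source dropped on the internal interface as configured, accepted once that interface is redefined as external (the sk25656 workaround), and accepted once anti-spoofing is switched off on it. The interface names, the Office Mode pool, the pinned admin address and the exact accept/drop semantics are assumptions chosen for the example, not values from the post or from Check Point documentation.

```python
"""Simplified model of per-interface anti-spoofing for Office Mode traffic.

Added example, not Check Point's implementation. Assumptions (labelled):
  - an internal interface accepts only sources inside its own topology;
  - an external interface accepts any source not claimed by another interface;
  - an interface with anti-spoofing disabled accepts everything.
"""
import ipaddress

# Constructed sample addressing (assumption: chosen for the example only).
OFFICE_MODE_POOL = ipaddress.ip_network("10.5.5.0/24")  # Office Mode pool
ADMIN_OM_ADDR = ipaddress.ip_address("10.5.5.8")        # pinned admin address
INTERNAL_LAN = ipaddress.ip_network("192.168.10.0/24")  # behind the internal interface


def make_gateway(dmz_kind="internal", dmz_spoofing=True):
    """Return an interface table: name -> {kind, spoofing, topology}.

    eth0 is the Internet-facing interface; eth1 is the interface whose
    topology is 'internal' in the post (assumed names).
    """
    return {
        "eth0": {"kind": "external", "spoofing": True, "topology": []},
        "eth1": {"kind": dmz_kind, "spoofing": dmz_spoofing, "topology": [INTERNAL_LAN]},
    }


def antispoof_verdict(gateway, ifname, src):
    """Decide whether SRC arriving on IFNAME passes the modelled spoof check."""
    iface = gateway[ifname]
    if not iface["spoofing"]:
        return "accept"
    if iface["kind"] == "internal":
        # Internal: the source must belong to this interface's own topology.
        ok = any(src in net for net in iface["topology"])
    else:
        # External: the source must not belong to any *other* interface.
        ok = not any(
            src in net
            for name, other in gateway.items() if name != ifname
            for net in other["topology"]
        )
    return "accept" if ok else "drop: Address spoofing"


def office_mode_from_vpn_domain(gateway):
    """The post's case: tunnel built from inside, Office Mode address as the
    inner source, arriving on the internal-side interface."""
    return antispoof_verdict(gateway, "eth1", ADMIN_OM_ADDR)


def office_mode_from_internet(gateway):
    """Same Office Mode source, but arriving on the Internet-facing interface."""
    return antispoof_verdict(gateway, "eth0", ADMIN_OM_ADDR)


SCENARIOS = {
    "as configured (eth1 internal, spoofing on)": make_gateway(),
    "sk25656 workaround (eth1 redefined as external)": make_gateway(dmz_kind="external"),
    "anti-spoofing off on eth1": make_gateway(dmz_spoofing=False),
}

if __name__ == "__main__":
    for label, gw in SCENARIOS.items():
        print(f"{label:50s} VPN domain: {office_mode_from_vpn_domain(gw):24s} "
              f"Internet: {office_mode_from_internet(gw)}")
```

The model makes the trade-off visible: the only scenario in which the Office Mode source passes on eth1 while eth1 still has anti-spoofing enabled is the one where eth1 is treated as external, which is exactly the change the post objects to for a primary internal interface.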
