
Initialized but trust not established in Win2k config

Status
Not open for further replies.

wayne186

MIS
Apr 25, 2002
10
GB
I have set up a lab environment where I have 3 Windows 2000 servers. Server 1 only has the enforcement module, Server 2 has the primary enterprise module (and the management GUIs for now) and Server 3 will have the management GUIs when I get everything working.

My problem is that I cannot establish the trust state between Server 1 and 2. I think it has something to do with the services started on the servers. I have read the manual back to front and I still cannot get it to work. Does anybody know how to resolve this, or what services should/should not be running on the servers to set up the two servers?

Thanks
 
I'm not sure what you mean by "trust state". In FW1 4.1, this might mean the putkeys, but in NG, this refers to the SIC...

It would also be useful to know the following:
* What version of Checkpoint are you trying to install?
* Are the servers in the same IP subnet?
* What commands are you trying to establish this "trust state" with?
* Are you getting any error messages?

Certainly, if the two PCs are in the same IP subnet and on the same network, there should be no issues getting putkeys/SIC to work fairly easily. In fact the only thing that might stop you is a valid licence on the Management module (your server 2).

But more info would be useful.
 
Apologies Wayne - I just loaded my NG manager, and double clicked on the module object and it showed in big shiny letters: Trust State: Trust established.

So now I know you're using NG! (Doh!)

I had this same problem and it was pass-phrase related. I resolved it as follows:

1. Go to the module, type cpconfig and reset the SIC. Type in your password and then reboot the module (your server 1)
2. Go to the management server, load your GUI, double click your module object and click "Communication". Reset the SIC here too and REBOOT the server! The reboot seems to clear out the synchronicity between the two pass-phrases. After the reboot, you might have to run step 2 again (but without the reboot) in order to get "Trust Established".

This was the only way I could get the pass-phrases to synchronise and get the Trust established.

Also, make sure that every name you're using is resolvable. In the Management Server's LMHOSTS file, I had to ensure that the actual object name of my firewall in the policy file was added as an entry, so that it would resolve correctly. Otherwise, you'll be in for a rough ride. Do the same on the Module's LMHOSTS file too.

Hope this helps.
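The reply above says the fix is to make sure every object name is resolvable and to put the gateway object name into the LMHOSTS file on both the management server and the module. The following script is an added example, not code from this thread or from Check Point: it parses a Windows LMHOSTS file and checks that each firewall object name maps to the address the policy object uses, honours the `#PRE` directive, and flags names that exceed the 15-character NetBIOS limit. The object names, addresses and LMHOSTS contents are constructed for the demonstration.

```python
"""Check that Check Point NG object names resolve through a Windows LMHOSTS file.

Added example (not from the thread or from Check Point). The object names,
IP addresses and LMHOSTS text below are constructed for the demo.
"""
import re

# A host line is:  <ip>  <NetBIOS name>  [#PRE] [#DOM:domain] ...
# '#' starts a comment EXCEPT for the directive keywords (#PRE, #DOM:, ...),
# so the name is captured up to the first space or '#'.
_LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([^\s#]+)(.*)$")

NETBIOS_NAME_LIMIT = 15


def parse_lmhosts(text):
    """Return (entries, preloaded).

    entries:   {NAME: ip} for every host line, first occurrence wins
               (names are NetBIOS names, so compared upper-case).
    preloaded: set of names whose line carries the #PRE directive.
    Lines starting with '#' (comments, #INCLUDE, #BEGIN_ALTERNATE, ...) are
    skipped; an #INCLUDE'd file is therefore not followed by this check.
    """
    entries, preloaded = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        key = name.upper()
        if key in entries:
            continue  # duplicate: Windows uses the first entry, so do we
        entries[key] = ip
        if "#PRE" in rest.upper().split():
            preloaded.add(key)
    return entries, preloaded


def check_objects(lmhosts_text, expected):
    """Compare policy objects against LMHOSTS.

    expected: {object_name: ip_in_policy_object}
    Returns a list of (object_name, problem) tuples; an empty list means
    every object name resolves to the address the policy uses.
    """
    entries, preloaded = parse_lmhosts(lmhosts_text)
    problems = []
    for name, ip in expected.items():
        key = name.upper()
        if len(key) > NETBIOS_NAME_LIMIT:
            problems.append((name, "longer than the 15-character NetBIOS limit"))
            continue
        if key not in entries:
            problems.append((name, "no LMHOSTS entry"))
        elif entries[key] != ip:
            problems.append((name, f"LMHOSTS has {entries[key]}, object uses {ip}"))
        elif key not in preloaded:
            # Without #PRE the file is only parsed after cache, WINS and
            # broadcast lookups fail, which makes the first SIC attempt slow.
            problems.append((name, "entry lacks #PRE, so it is not preloaded"))
    return problems


# Constructed sample: LMHOSTS as it might look on the management server at
# location A. The FW-GW-B address is deliberately stale for the demo.
SAMPLE_LMHOSTS = """\
# LMHOSTS on the management server (constructed sample)
192.168.1.10    FWMGMT-A      #PRE
192.168.0.1     FW-GW-A       #PRE
10.0.0.2        FW-GW-B
"""

# Constructed sample: the addresses the policy objects actually carry.
EXPECTED_OBJECTS = {
    "FWMGMT-A": "192.168.1.10",
    "FW-GW-A": "192.168.0.1",
    "FW-GW-B": "10.0.0.5",             # changed in the policy, LMHOSTS not updated
    "FW-GW-C": "10.0.0.9",             # never added to LMHOSTS
    "FW-GATEWAY-LONDON-B": "10.0.0.7", # 19 chars: can never be a NetBIOS name
}


if __name__ == "__main__":
    for name, problem in check_objects(SAMPLE_LMHOSTS, EXPECTED_OBJECTS):
        print(f"{name}: {problem}")
```

Run it against the real LMHOSTS on each side (the management server's copy must contain the module's object name, the module's copy the management server's), and fix every reported line before resetting SIC again; a name that is fine on one side and wrong on the other still breaks trust establishment.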
 
Scaine - thanks for your quick response. It seems that I was yet again over-complicating a simple problem. After I finished putting up the beginning of this post I took a step back and took a deep breath. It seems that NG gets its knickers in a twist on a new install. For distributed configurations, the first server to be installed MUST be the management server - once this is installed and the key-hit session has been completed I then rebooted and began installing the enforcement module on the firewall server. I then went to the server with the enforcement module and I completed the licence, key hit and began the secure internal communication configuration. I typed in an activation key and this finished the install. I then rebooted the server with the enforcement module; once the enforcement server was back online I went to the management server and created a new gateway for the enforcement module (in simple mode - I don't like wizards) :) I selected the communication button and entered the same activation key as I placed on the enforcement module. This established a trust and all is now working :)

So my next question to you all is: I have 2 geographic locations, A & B. A has 1 enforcement server, 1 management server and 1 GUI client. B has 1 enforcement server. At the moment I have a workstation with IP forwarding and static routes between enforcement A and enforcement B pretending to be the Internet... I know (I'm cheap)!! When I set up the LAN I made the PretendWeb workstation be on the same subnet as each connecting interface from the enforcement modules - am I right in thinking that the IP address I assign to the physical network adapter on each of the enforcement servers' external-facing network card should be a non-routable one, i.e. 192.168.0.1, and that I apply a NAT address to this object which relates to the physical address assigned on the PretendWeb connecting interface (which in the real world would be the IP address of the router that my ISP has provided me with)?

If you can advise me then I would much appreciate it - because after that - I then need to configure a VPN between site A & B - may need some help with this one as well!! :)

cheers
 
Internal, non-routable addresses on an external interface? I've not heard of that configuration before.

I take it this PretendWeb workstation is the remote geographic location? And that you want to manage it from location A?

If so, I've done this with our NG installation (recently). Our location-A has management, enforcement and GUI. Our location-B has enforcement. Much like your own environment then, except that our remote enforcement module is a Nokia IP120 (3 interface appliance).

The location-B enforcement module's external IP is a publicly routable IP address (from my ISP). Its default route is the Internet router it is connected to. Note that I had to create the object with its external IP address in order to get things working. And as mentioned in my previous post, I had to add static LMHOSTS entries to that external address also.

On the inside of this enforcement module, it's connected to our main router for access to all of our non-routable addresses. I've created static routes to each of the networks behind this firewall.

As for VPNs - I've just finished getting that up and running on the boxes I've just spoken about, so if you have any queries, I'll keep a look out on this forum. I had some problems getting that running, to do with the fact that I had some subnets at location-a identical to some subnets at location-b... not a nice situation!

If you're going to add internal addresses to your external interface and NAT them, I'd like to hear how things turn out though - although I'm still not really clear why you'd want to do that!

Let me know how it happens.
 
I'd like to send you a topology diagram so you can see what I am talking about. I have one in Visio format and I can send it as an image if you prefer. At the moment I have set up a lab environment at home as a proof of concept to install into the two remote offices. So I do not have direct Internet access here, and to simulate the environment I have simply built a desktop which pretends to be the Internet and I have placed this between the two sites in the lab environment. I remember that when I configured a previous install at my old company I had a non-routable address assigned to the external-facing physical network card which was directly connected to the ISP's router, and then the firewall was installed, an object created for this external-facing physical interface and a NAT address was placed onto this in the NAT properties which was on the same subnet as the router's IP.

If you are on Yahoo Messenger, or you want to send me an e-mail address so that I can send the topology to you, it would be really useful. Sounds like your environment is identical to the one that I am setting up and it would be a great help for me. Thanks.
 
Send the visio file to neil.broadley@bailliegifford.com and I'll take a look.

Further investigation on the internal address on external interface reveals that our Web Hosting company has used a similar setup in the past, but they used two firewalls to achieve this effect.

Not sure how it would apply to you, but I'll look at the diagram and get back to you.
 