We just received and have begun installing our S-Box (safe@Office version). At the moment, we do NOT yet have an operating tunnel with our NG FP2 system. Here are some early comments:
(I consider myself an extremely experienced installer of CP and CP-compatible solutions. I've successfully implemented several CP-CP solutions and CP-SonicWall solutions. My personal opinion is that setting up a site-to-site tunnel is not SUPPOSED to be difficult...)
1) SHAMEFUL documentation. The Getting Started Guide that ships with the product is woefully inadequate, and about one-third the size of the downloadable copy available online. It is completely silent on several parts of the administrative UI.
2) The printed guide makes no mention of how to enable the safe@office feature set. At first we were concerned that we'd been shipped the wrong product, since only safe@home was mentioned. The downloaded guide made a cryptic reference to needing to "input your license key" to enable the safe@office functions. Again, we received no separate license key so were once again left wondering whether what we had was correct. Receipt of instructions via our reseller to follow a set of instructions re: upgrading the firmware did not increase confidence (and, as expected, didn't have anything to do with getting safe@office functionality).
In reality, you can turn on the safe@office features during setup by clicking on the "Services" option of the admin tool and doing an online registration.
3) Both guides are completely silent on SBox<-->CheckPoint integration. How do you set up the site-to-site VPN? What does the SBox support? DES? 3DES? After some digging on the s-box web site (under the "I'm an Enterprise Customer" section) I did discover a PDF with details for the CheckPoint side of the configuration, but even that document fails to address the full configuration, as it is silent as to the SBox configuration. Sadly, even following the docs and using what I consider to be reasonable assumptions have not resulted in a successful connection yet.
So, the jury is still out on this one from my side.
Thanks for the feedback. I have an sbox on order - (for testing purposes). I have already read the manuals and thought they provided very little useful data.
If you get yours working would you shoot me an e-mail:
saveline@comcast.net
I'm interested to know if anyone else has experienced an AD kerberos failure thru a VPN using Checkpoint firewall 4.1/VPN1 w/ SP4, to a Sonicwall Soho2 home appliance. The failure is that the machine behind the Soho2 is waiting for an ungodly amount of time to authenticate to the corporate network, sometimes never even getting a reply, and just hangs.
The issue is related to the AD kerberos packet size being huge and Checkpoint fragmenting the packet, but the Sonicwall not being able to piece it back together. We have tried several different methods to modify the MTU size: on the firewall, on the PC, on the server, on the Sonicwall, and also tried to force TCP kerberos authentication. No luck.
Calls to Checkpoint, Sonicwall, and Microsoft have not resolved the VPN failure.
The only thing that has worked is to place a Sonicwall Pro200 in parallel w/ the Checkpoint firewall, and offload the VPN tunnels onto the Pro200: Sonicwall to Sonicwall has no problem w/ the kerberos packets.
If you have had the issue and resolved it, or are in the same boat, please share.