
Securemote Internet traffic through firewall


lynx (MIS), Nov 30, 2000, NZ
Our CheckPoint VPN-1 firewall provides VPN network access to Securemote clients. These clients (staff using Win98 and Win 95 notebooks) dial-up an ISP account to start the connection.

The process of authentication to the firewall works fine and they successfully access any shared resource.

The problem is the path that the connection to the Internet in these notebooks follows. When they are connected to the ISP, all web traffic is routed by the ISP; our firewall is unaware of these connections. This also means that, if the authentication to the firewall fails or is overlooked on purpose, users can still surf the net.

We want to route users' Internet traffic through the VPN-1 firewall and, that way, record it in the Log Viewer. Can any of you help me to solve this problem?

The properties of the TCP/IP--FW1 protocol are set up to look for our internal DNS, WINS, and gateway servers. The properties of the dial-up connection to the ISP also have the TCP/IP settings with the IP addresses of the DNS and WINS servers.

The Internet Explorer connection settings are LAN based. We don't use a proxy.

I found advice on a web site that suggested changing the Desktop Security (Properties of Policy Editor) to 'Allow encrypted only', but this didn't give any results.

Do any of you have similar experience? Do you know how to solve it?

Thanks a lot,
 
Hi, I'm not sure just how helpful this is, but here we go...
Firstly, you need to install the SecuRemote client so that it is bound to both the dial-up and the Ethernet adaptor, so that when the SecuRemote client is running it is protecting all your network interfaces. Then you control the traffic via the Policy Server with rules accordingly.

After that you need a client like "iPass", which can be configured so that when you dial into the ISP and connect, it starts your SecuRemote client and cannot be switched off (you control this with the Setup.ini at install time; you can remove start/stop buttons, menu selections etc.). You can switch things on and off this way so the users have no control over it other than to log on to the required site and download the policy. Once the policy is downloaded, users have access to the network. SecuRemote also has a default policy which will protect the notebook when the user is not logged on to the site.

Cheers
Solargeek
 
You could look up Check Point's document on split/encrypted DNS, but just implement the encrypted DNS only by creating the $FWDIR/conf/dnsinfo.C file and populating it with:
(
:encrypt_dns (true)
)
Then all DNS traffic will be encrypted to your internal DNS servers and it will not be possible to resolve DNS using public DNS servers as long as SecuRemote is running.
Paul
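As an added example (not from this thread and not Check Point's own tooling), the following script parses the parenthesised `( :key (value) )` syntax of the dnsinfo.C file quoted above and reports whether `encrypt_dns` is actually set to true, which is a quick sanity check before relying on the setting. It assumes only the simple nested form shown in the post; other constructs of Check Point's .C file syntax are not covered.

```python
import re

# Constructed sample reproducing the dnsinfo.C contents quoted in the thread.
SAMPLE_DNSINFO_C = """(
:encrypt_dns (true)
)"""

# Tokens: parentheses, ":key" names, quoted strings, or bare words.
TOKEN_RE = re.compile(r'\(|\)|:[A-Za-z_][\w-]*|"[^"]*"|[^\s()]+')


def parse_c_file(text):
    """Parse the parenthesised ".C" syntax into nested Python structures.

    A group holding ":key (value)" pairs becomes a dict; a group holding a
    single bare word (e.g. "(true)") becomes that word; other groups become
    lists. Assumes the simple form shown on the page, nothing more."""
    tokens = TOKEN_RE.findall(text)
    pos = 0

    def group():
        nonlocal pos
        pos += 1  # consume "("
        pairs, items = {}, []
        while tokens[pos] != ")":
            tok = tokens[pos]
            pos += 1
            if tok.startswith(":"):
                pairs[tok[1:]] = value()
            else:
                items.append(tok.strip('"'))
        pos += 1  # consume ")"
        if pairs:
            return pairs
        return items[0] if len(items) == 1 else items

    def value():
        nonlocal pos
        if tokens[pos] == "(":
            return group()
        tok = tokens[pos]
        pos += 1
        return tok.strip('"')

    return group()


def encrypted_dns_enabled(text):
    """True only when the file explicitly sets encrypt_dns to true."""
    conf = parse_c_file(text)
    return isinstance(conf, dict) and str(conf.get("encrypt_dns", "")).lower() == "true"
```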
 
Would you not also have trouble routing web traffic back in and out of the external interface of the firewall? Would you need to have 2 Internet pipes in and out of the firewall to do this?
 