Connectra SSL Extender and RDP with Vista?

[porcorosso]

Hi,

I'm new here, and I hope you'll forgive me for asking a question that has been asked (but not really answered, I think) before.

I have found a few threads on this, but they all seem to have died. I work as a domain admin in a separate department from Information Services (which controls the infrastructure) in our company. I use a notebook computer for remote admin chores on my domain. Unfortunately, though I am able to log on to the network via the VPN I am unable to connect to any of the member machines on my domain. I know that there is no problem with my user account being able to use RDP because I successfully pressed my wife's Windows XP Pro system into service one weekend. I was able to connect to all of my DCs via RDP through the VPN with WinXP, but not with Vista -- same account, same software versions (other than OS), etc.

The Information Services group here is very much overworked and has not been particularly responsive on this issue because all of the systems they have to service on this matter are WinXP systems.

Since I have no access to the Connectra logs or the firewall and its logs I'm not asking for technical advice right now. What I'm asking is simply --

So, the question: Does anyone have this SSL Extender and RDP working with Vista yet? If so, can you suggest a location where I can point our Information Systems people to so I can get this working? I've been using this system (Vista Business on a Dell M70) since November of last year -- well before they set up a VPN at the company. I don't want to scrap my OS just so I can use the VPN. I have a hard time believing that Check Point hasn't got a working solution for Vista this long after its release. Is that really the case?

Many thanks for any help you can provide.

[RayPesek]

Have them check the SmartDefense logs. The RDP v6 client update for XP and the one in Vista get dropped by a relatively recent SmartDefense check. Its just not compatible yet. They can uncheck that one protection and push the policy and you should be OK.

Ray

[porcorosso]

Thank you for that information, Ray. I called our sysadmin just now, and he's checking into it.

The thing is that I know that I've updated the RDP client on my wife's Windows XP boxes, but I'm not sure whether that was done before or after my successful testing of WinXP with the SSL Extender. So I'll keep my fingers crossed that this is going to be the answer. It's a PIA to use a dial-up connection for doing admin chores on an AD domain.

;-)

[RayPesek]

Ummm, it may not be that easy, actually. You threw me when you mentioned RDP because I assumed everything else was working, like Outlook, etc. However I'm going to bet that all you use is RDP and you didn't try anything else.

The reason I can say this is that I tried Vista Business and Connectra R62 about two months ago and could not get the SNX part to work. The Office Mode IP got assigned but nothing went down the SNX tunnel. Anything web-based worked, but nothing that required SNX worked for me. I opened a case with Check Point and got confirmation that Vista definitely is NOT supported with Connectra yet.

I forgot about this because I switched jobs since then and the new place does not have Connectra. I read somewhere else that there is supposed to be a beta going on to fix this, but I don't have any details.

Ray

[porcorosso]

Thanks for getting back to me, Ray.

Yes. I should have mentioned that the only thing I use, or need to use, with the VPN is RDP. At present I can't (or won't) try the SSL Extender again with other functions because my trial period for the only two of the anti-virus software packages that I would want to install on my system has expired -- meaning I would have to plunk down the money for the software without knowing whether or not I'm going to get a working solution with the VPN. I would swear, however, that I was able to use Windows Explorer to connect to shares on my domain using admin credentials. But I could be thinking of when I was logged on to the WinXP box.

I have not heard back from the sysadmin, so I'm not sure whether or not he went ahead and changed the setting you suggested. I'll let him know about your update.

And thanks again for posting this information. Regardless of the outcome this is already far more useful information that I've got in a few months of trying to glean a little information from Check Point itself.

;-)

[chillyjim]

SNX is not currently supported with Vista. If it works for you at all, count yourself lucky.

[Legion]

Vista will not be supported until the next HFA release for Connectra.

The reason that there are so many issues with Microsoft products, is that they like to change their DCE/RPC UUID's for their applications. They seem to do this every time they release a new OS. This presents certain problems and the developers have to basically rewrite a great deal of code to not only support the older UUID's, but also the new ones.

[Legion]

Taken from Check Point Forums just a moment ago...


We are happy to announce that we have released the IE7 & Vista support HFAs for versions R61 (IE7 support only), R62 and R62CM.
The HFAs can be downloaded from download center at the URLs below.
Please note that if the Release Notes states you need an ICS update for the installation of the HFA, than you may ignore this step (it will be corrected shortly).

R61 HFA_02
Package:
Link: http://updates.checkpoint.com/filese...a_R61_HFA2.tgz
File Size: 8.44 MB
MD5: 034a0b11fe33838d0df8e42b5fd9644e
SHA1: 4fff78a22f5bb895879f73f31670c5f90c51544e
Release Notes:
Link: http://updates.checkpoint.com/filese...ease_Notes.pdf
File Size: 79.58 KB
MD5: da77c9c99e75b6441e374cc581594a44
SHA1: ebc2b191fdd364e9773b723756ab19f27b1dc017
Note: Does NOT includes previous Security HFs released for Connectra R61


R62 HFA_01
Package:
Link: http://updates.checkpoint.com/filese...R62_HFA_01.tgz
File Size: 53.28 MB
MD5: 488cbdb0de78373d2d62c87a2e0a4ed8
SHA1: c7bc71d2bd78be39efe0a4d7b2db09fa5a16b064
Release Notes:
Link: http://updates.checkpoint.com/filese...ease_Notes.pdf
File Size: 143.02 KB
MD5: 3fcd12cabb167c574892963189760979
SHA1: 2f5c5f51ee8775dbbe465c356624b203324d2ea2
Note: Includes all previous Security HFs (up to 7) released for Connectra R62


R62CM HFA_01
Package:
Link: http://updates.checkpoint.com/filese...2CM_HFA_01.tgz
File Size: 23.88 MB
MD5: ab5d8090cabe003b92cd2b601eade644
SHA1: 8bc457287562bfbe83dd3e6e13d70113ac144c49
Release Notes:
Link: http://updates.checkpoint.com/filese...lease_Notes.pd f
File Size: 134.14 KB
MD5: 26ba3fcf36f6eeaaab9b0958c295e833
SHA1: f197811cd68b6daa496f7034709e06063691a09a
Note: Includes previous Security HFs 1+2 released for Connectra R62CM

Hope this will help you all,

Regards,
Shaked Vax
Connectra Projects Manager

[Tano13]

New to this forum.
I am having a problem applying the new R62_HFA_01 to my Connectra. For some reason it doesn’t recognize the version that’s running on the Connectra, and returns an error code. I’ve had no problem installing the Security HFA’s, including the latest HFA 7 for R62.
With my luck it’s probably just me, but if anyone out there has any insight, it would be greatly appreciated.
Here’s a copy of the output:

[Expert@N8-]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX R62, Hotfix 001 - Build 035
[Expert@N8-]# cvpn_ver
This is Check Point NGX R62, Hotfix 081 - Build 002
[Expert@N8-]# ls
CPcvpn Connectra_R62_HFA_01.tgz SecurePlatform hf7 wrapper.conf
CPvpn PreInstall.sh UnixInstallScript packages.txt
[Expert@N8-]# ./UnixInstallScript
Welcome to HFA R62_01 installation.
Do you wish to continue [Y/n]?y
/opt/CPInstLog/wrapper_HOTFIX_R62_01.elg
***********************************************
This HFA is compatible for installation on Connectra NGX R62 version only.
***********************************************
Pre-install script returned an error. Exiting.
----------------------------
The HFA was NOT installed!
----------------------------
[Expert@N8-]# ver
This is Connectra NGX 62 Build 005

Thanks.