CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 - budgie69 (Junior Member) - 1 Week Ago
Join Date: 2006-03-21 | Posts: 13
ISA Server (HTTPS) & Checkpoint NGX R62

Hi Guys

Hoping somebody can help out here.

We currently have all our client machines point to the ISA Server for web proxy.

We then have a rule in Checkpoint that says:
ISA Server to Anywhere using http and https accept.

HTTP traffic works fine, however https traffic is dropped by the firewall. How does one get round this problem?

Thanks in advance

#2 - MarioL (Senior Member) - 1 Week Ago
Join Date: 2007-01-18 | Location: London | Posts: 306
Re: ISA Server (HTTPS) & Checkpoint NGX R62

Go and check on the log viewer (SmartView Tracker), do a filter by source and check why the traffic is being dropped. Check rule number, etc.

It can be a lot of things, like anti-spoofing (if the ISA has multiple interfaces, but very unlikely), error in policy configuration or NAT (unlikely), rule order, etc.

#3 - budgie69 (Junior Member) - 1 Week Ago
Join Date: 2006-03-21 | Posts: 13
Re: ISA Server (HTTPS) & Checkpoint NGX R62

Thanks for the reply -

I am seeing the traffic get dropped but no reason why. The traffic is being dropped by the cleanup rule.

Number: 25069
Date: 30Apr2008
Time: 10:34:34
Product: VPN-1 Power/UTM
Interface: eth2c0
Origin: nk-firewall
Type: Log
Action: Drop
Protocol: tcp
Service: https (443)
Source: 10.72.x.x
Destination: 212.x.x.x
Rule: 73
Current Rule Number: 73
Rule UID: {29FF8150-E789-41C3-B52D-D25CD6D95182}
Source Port: 1185
SmartDefense Profile: No Protection


Would this be something to do with the way ISA Server forwards the HTTPS packet to the firewall, and then the firewall can't inspect the packet?

#4 - RayPesek (Senior Member) - 1 Week Ago
Join Date: 2006-03-19 | Location: Northern Ohio | Posts: 834
Re: ISA Server (HTTPS) & Checkpoint NGX R62

ISA works perfectly behind FW-1. Check to make sure your HTTPS service definition is set up correctly. Check to make sure you're really using HTTPS in the rule and not SSL_V3. The two are not the same.

Ray

#5 - MarioL (Senior Member) - 1 Week Ago
Join Date: 2007-01-18 | Location: London | Posts: 306
Re: ISA Server (HTTPS) & Checkpoint NGX R62

If the traffic is being dropped on the last rule that means it isn't matching the HTTPS rule you created, so go and double check it.

Check source, service, etc. (if you have multiple firewalls, make sure it's being applied to the right one)

#6 - budgie69 (Junior Member) - 1 Week Ago
Join Date: 2006-03-21 | Posts: 13
Re: ISA Server (HTTPS) & Checkpoint NGX R62

Quote:
Originally Posted by RayPesek
ISA works perfectly behind FW-1. Check to make sure your HTTPS service definition is set up correctly. Check to make sure you're really using HTTPS in the rule and not SSL_V3. The two are not the same.

Ray

This is how I have got the https service configured, am I correct?


#7 - MarioL (Senior Member) - 1 Week Ago
Join Date: 2007-01-18 | Location: London | Posts: 306
Re: ISA Server (HTTPS) & Checkpoint NGX R62

Nope, in the Protocol Type drop-down box it should have ENC-HTTP.

#8 - budgie69 (Junior Member) - 1 Week Ago
Join Date: 2006-03-21 | Posts: 13
Re: ISA Server (HTTPS) & Checkpoint NGX R62

Changed to ENC_HTTP and packets are still being dropped by the cleanup rule.

Do I have to do anything with the https packets that leave the ISA server? I know this is probably the wrong forum.

#9 - RayPesek (Senior Member) - 1 Week Ago
Join Date: 2006-03-19 | Location: Northern Ohio | Posts: 834
Re: ISA Server (HTTPS) & Checkpoint NGX R62

Did you push the policy after making the change?

It has nothing to do with the ISA packets. What you're trying to do is already being done by tons of companies.

Ray
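
The checklist from post #5 (a drop on the cleanup rule means the connection matched no earlier rule, so compare source and service against the intended rule) can be walked mechanically. The following is an added example, not code from any poster or from Check Point: a simplified first-match model in Python, where the rule base, rule number 12 and all IP addresses are constructed assumptions.

```python
import ipaddress

# Constructed log record in the "Key: Value" layout of the SmartView Tracker
# entry quoted in post #3; the addresses are made-up sample values.
SAMPLE_LOG = """\
Action: Drop
Protocol: tcp
Service: https (443)
Source: 10.72.5.20
Destination: 203.0.113.7
Rule: 73
"""

# Hypothetical rule base: (number, name, source nets, {(proto, port)}, action).
# Destination is "Any" in both rules; an empty service set also means "Any".
RULES = [
    (12, "ISA web access", ["10.72.0.10/32"], {("tcp", 80), ("tcp", 443)}, "accept"),
    (73, "Cleanup", ["0.0.0.0/0"], set(), "drop"),
]

def parse_record(text):
    """Turn 'Key: Value' lines into a dict, splitting on the first colon only."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip()] = value.strip()
    # "https (443)" -> 443
    rec["port"] = int(rec["Service"].split("(")[1].rstrip(")"))
    return rec

def mismatches(rule, rec):
    """List the fields of one rule that the logged connection fails to match."""
    _, _, sources, services, _ = rule
    src = ipaddress.ip_address(rec["Source"])
    failed = []
    if not any(src in ipaddress.ip_network(net) for net in sources):
        failed.append("source")
    if services and (rec["Protocol"], rec["port"]) not in services:
        failed.append("service")
    return failed

def explain(rec, rules=RULES):
    """First-match walk: (number of matching rule, {skipped rule: failed fields})."""
    skipped = {}
    for rule in rules:
        failed = mismatches(rule, rec)
        if not failed:
            return rule[0], skipped
        skipped[rule[0]] = failed
    return None, skipped
```

With the constructed record, `explain(parse_record(SAMPLE_LOG))` reports that the connection fell through to rule 73 because the logged source is not the host named in rule 12.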