| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hello all, We are having an issue with SecureClient. The SecureClient can connect from home fine and we can access everything, but after we connect from home and bring it back to our corporate LAN we have issues browsing some Intranet sites and accessing some shares. There are no desktop policies defined and we are obviously not connected through SecureClient when on corporate. Our nslookups are not working either for the sites. It seems to be blocking DNS to our Intranet sites. As soon as I stop the SecureClient services I am able to browse the Intranet again. We are using NGX R60 HFA1. Any help would be appreciated. |
| |||
| It sounds like some sort of policy is installed - somehow. What does the SecureClient diagnostics tool show? There is also an option you can set in the userc.c which should help: allow_clear_in_enc_domain (false) is the default. Change to true and restart sec client. Also defining a default policy that allows communication to the encryption domain will help. AllUsers@xxx as the source or destination (depending on the direction of the rules) will define rules that get applied to a default policy of your choosing. Rules would look like this: Inbound Rules: SRC = EncryptionDomainObject, Destination = AllUsers@EncryptionDomainObject, Service = Any, Action = Accept, Track = Log. Outbound Rules would have the source and destination swapped around. These rules should allow traffic to pass to and from the clients OK and will only apply when the users are within the encryption domain. |
| |||
| Oops, should clarify.... AllUsers@Any defines the default rules that get applied to a policy, not AllUsers@xxx. So to protect your users fully when on or off the network, you'll also need to define the clean up rules, e.g. Any, AllUsers@Any, Any, Drop, Log; AllUsers@Any, Any, Any, Drop, Log. The rules I mentioned in the previous post will allow traffic to pass to and from the clients/encryption domain while the policy is loaded. Sorry for any confusion. |
| |||
| I tried to create the rules you stated but I could only do the outbound. It does not let me put users in the destination. Source: allusers@encryption_domain, Destination: encryption_domain, VPN: remote access, Service: any, Track: log. This one was ok but when I went to reverse it, it won't let me add users to destination.... |
| |||
| Are you adding the rules under the Desktop Security tab? There are two sections - Inbound rules and Outbound rules. Don't forget these are rules that will be pushed to the client machine, so inbound rules means traffic inbound to the client machine and outbound means traffic leaving the client machine. These rules aren't enforced by Firewall-1. Secure client is all about protecting your network and remote client machines via rules enforced by secure client on the remote user machine. |
| |||
| Hi all, I have the same problem. CP cluster of NGX R60 HFA2, SecureClient NGX R60 build 191. In the corporate LAN they are not able to connect at all; they receive the IP address from the DHCP server but they are not able to connect to any server or to log on to the Domain Controller. I've modified to true the parameters allow_clear_in_enc_domain and allow_send_clear_text_when_disconnect but it doesn't work. The only way is to unbind the SC from the LAN NIC. Any idea? Thanks |
| |||
| Hi, thanks for your reply. The answer is no, they are not routed to the gateway. I resolved the issue by disabling any desktop policy on the client; the previous modifications of the userc file or in the Advanced Settings of the Remote Access of the Global Properties didn't resolve the issue. Bye. |