CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

Posted 2005-08-14 by BarryStiefel (Administrator; Join Date: 2005-08-11; Location: San Francisco, CA; Posts: 582)

Outbound Session to a SecuRemote Client



SecuRemote, at least historically, was designed only to handle encrypted connections initiated from the client side. For some applications (like X Windows), it can be made to work in the other direction, but the trick is that the SecuRemote Client has to first initiate a connection to the machine that will be making a back connection.

Assuming that the SecuRemote client has "authenticated" with the firewall, anything normally allowed by the firewall out that is destined for the SecuRemote client will be encrypted before being transmitted to the client. This is because FireWall-1 keeps track of which hosts are currently authenticated via SecuRemote. If the SecuRemote client has recently initiated a connection inside the encryption domain, the machine's IP address will be in the userc_rules table. FireWall-1 will automatically encrypt any data sent to that IP address from within the encryption domain provided it would normally be accepted by the rulebase.

If you want to allow certain services out, but only to those machines that have authenticated with SecuRemote (i.e. you wouldn't want to permit these services outbound in an unencrypted fashion), you can make this work.

In FireWall-1 NG when using "Simplified" Mode (i.e. VPN Communities), you can simply create a rule permitting the necessary services outbound with the If-Via column set to the Remote-Access community.

On FireWall-1 NG with "Traditional" Mode or FireWall-1 4.1 and earlier, you will need to create the service srMyApp of type "Other" with the following stuff in the Match field (assuming for a moment that "myApp" is a TCP service on port 5555):

tcp,dport=5555, in userc_rules

The rule that you would need to put in the rule base is:

Source         Destination   Service   Action
HelpDesk-net   Any           srMyApp   Accept

This match stuff means: the protocol has to be tcp, the "destination" port (which defines the service) has to be port 5555, and the destination IP address must be listed in the userc_rules table, which is the table where FireWall-1 keeps track of what IP addresses are currently authenticated with SecuRemote.

To "initiate" the connection from the laptop side, you should be able to have the client ping or otherwise connect to the helpdesk machine that is about to initiate the connection.

-- PhoneBoy - 05 Apr 2004
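As an added illustration (not part of PhoneBoy's FAQ and not Check Point code), the following Python models how the userc_rules table gates the HelpDesk-net rule above: the back connection is only accepted (and encrypted) once the client has initiated something inward, and never to an unauthenticated host. The 10.1.0.0/24 helpdesk network, the client addresses and the 900-second entry lifetime are constructed assumptions.

```python
# Added model of the userc_rules gating described in the FAQ; not Check Point code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

USERC_TIMEOUT = 900  # assumed lifetime (seconds) of a table entry; not Check Point's real value
HELPDESK_NET = ip_network("10.1.0.0/24")  # constructed stand-in for the HelpDesk-net object


@dataclass
class UsercRulesTable:
    """Models userc_rules: client IP -> time the client last initiated a connection inward."""
    entries: dict = field(default_factory=dict)

    def client_connected(self, client_ip: str, now: int) -> None:
        # The SecuRemote client initiated a connection into the encryption domain.
        self.entries[ip_address(client_ip)] = now

    def is_authenticated(self, ip: str, now: int) -> bool:
        seen = self.entries.get(ip_address(ip))
        return seen is not None and now - seen <= USERC_TIMEOUT


def sr_myapp_matches(proto: str, dport: int, dst: str, table: UsercRulesTable, now: int) -> bool:
    """The srMyApp service: protocol tcp, destination port 5555, destination in userc_rules."""
    return proto == "tcp" and dport == 5555 and table.is_authenticated(dst, now)


def rule_action(src: str, dst: str, proto: str, dport: int, table: UsercRulesTable, now: int) -> str:
    """Rule 'HelpDesk-net -> Any, srMyApp, Accept'; returns 'accept+encrypt' or 'drop'."""
    if ip_address(src) in HELPDESK_NET and sr_myapp_matches(proto, dport, dst, table, now):
        return "accept+encrypt"  # FW-1 encrypts traffic sent to an authenticated client
    return "drop"  # nothing else matches, so the service never leaves unencrypted


def demo() -> tuple:
    """Walk through the sequence the FAQ describes; returns the four outcomes."""
    table = UsercRulesTable()
    # Before the laptop has initiated anything, the helpdesk back connection is dropped.
    before = rule_action("10.1.0.5", "192.0.2.10", "tcp", 5555, table, now=100)
    table.client_connected("192.0.2.10", now=120)  # the laptop pings the helpdesk machine
    after = rule_action("10.1.0.5", "192.0.2.10", "tcp", 5555, table, now=130)
    # A different, unauthenticated host is still refused.
    other_host = rule_action("10.1.0.5", "192.0.2.11", "tcp", 5555, table, now=130)
    # Once the entry ages out, the back connection is refused again.
    expired = rule_action("10.1.0.5", "192.0.2.10", "tcp", 5555, table, now=120 + USERC_TIMEOUT + 1)
    return before, after, other_host, expired


if __name__ == "__main__":
    print(demo())
```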
