CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I've read a few previous posts on how to disable the policy enforcement on the client side. I have only one Mac OS X client and I don't want to start customizing the rules on the gateway for one user. Below I describe my issue, my understanding and my workaround; if you have any comments or alternatives I'd be very interested. Thanks.

Context: one Mac running SecureClient for Mac OS X NG R56.

Issue: the enforced policy on the Mac OS X client prevents him from sharing files locally when he is not connected to the gateway. This is documented in the client Readme as a side effect, and they recommend adding rules for Rendezvous services. Indeed, after the initial login to the gateway, the policy is enforced during the boot process. I would like to stop the policy from being enforced at boot time.

Workarounds: I found these suggested methods reading similar posts:
(1) Allow the user to disable the policy (set manual_slan_control (true) in userc.c).
(2) Add rules for Rendezvous as described in the Readme for the Mac OS X client.
(3) Delete all files in the policy folder and chmod the folder to read/exec before first login.
(4) Give the user a PC.
(5) Unbind the SecureClient firewall (#srfw ctl uninstall).

My outcome:
Option (1) conflicts with my gateway rules; we do not allow this.
Option (2): we do not customize just for one user.
Option (3) didn't work on the Mac OS X client; the local.scv files still get installed.
Option (4): this did not sell very well!
Option (5) works well, but the user has to reboot if he wants to log in to the gateway. The client will not connect if the firewall was not launched at boot time, and re-binding the firewall (#srfw ctl install) does not seem to work.

You may be able to get him to use a third-party VPN client called VPN Tracker. I've found that it works rather well as long as your remote access setup doesn't require Office Mode. It simply won't download the desktop security policy. I've been experimenting with other VPN clients on Mac OS and that's the best substitute for SecureClient I've found so far. Most of the rest require you to set the Mac up as a site-to-site peer. The company that makes VPN Tracker offers a 30-day trial version, so you could test it to see if it'll work for you.

The easiest way to get this to work, though, would be to add rules to let your users communicate with 224.0.0.251 (the Bonjour, formerly Rendezvous, multicast address) and to use TCP 548 (Apple Filesharing Protocol). I know you said that you don't do customizations for single users, but that would be the solution that would take the least effort.

Robert Zimmerman

Thanks for the link, which may be very useful for others. But yes, we do use Office Mode. We will just tell our user how to switch off the SecureClient firewall when needed, or give him a nice easy script.
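The "nice easy script" mentioned above, as an added example that is not part of the original thread or of Check Point's own tooling. It wraps the two commands quoted earlier in the thread (`srfw ctl uninstall` to unbind the SecureClient firewall, `srfw ctl install` to bind it again) behind a single enable/disable switch, refuses to run the real command without root, and prints the reboot caveat the original poster reported after re-binding. It assumes that the control tool is called `srfw` and is on PATH (override with the `SRFW` environment variable, which also lets you dry-run it with `SRFW=echo`); nothing here changes the gateway policy.

```shell
#!/bin/sh
# Toggle the SecureClient desktop firewall on a Mac OS X client.
# Example script, not Check Point's own; assumes the control tool
# is named "srfw" and is on PATH (override with SRFW=/path/to/srfw).
set -eu

SRFW="${SRFW:-srfw}"   # assumed tool name; SRFW=echo gives a dry run

# Map a human-readable mode to the srfw arguments quoted in the thread.
# Prints the argument string; returns 2 for an unknown mode.
srfw_args() {
  case "$1" in
    disable) printf '%s\n' "ctl uninstall" ;;   # unbind the client firewall
    enable)  printf '%s\n' "ctl install" ;;     # bind it again
    *)       printf 'unknown mode: %s (use enable|disable)\n' "$1" >&2
             return 2 ;;
  esac
}

# Run the control tool with the arguments for the requested mode.
# Prints the tool's output so a dry run (SRFW=echo) can be checked.
srfw_toggle() {
  args="$(srfw_args "$1")" || return $?
  # Intentional word splitting: "ctl uninstall" is two arguments.
  # shellcheck disable=SC2086
  "$SRFW" $args
}

# Command-line entry point; with no argument just print usage so the
# functions above can also be sourced or tested without side effects.
case "${1:-}" in
  enable|disable)
    if [ "$(id -u)" -ne 0 ] && [ "$SRFW" != "echo" ]; then
      echo "this must be run as root (sudo $0 $1)" >&2
      exit 1
    fi
    srfw_toggle "$1"
    if [ "$1" = "enable" ]; then
      # Caveat reported in the thread: SecureClient will not connect unless
      # the firewall was loaded at boot, so re-binding alone may not be enough.
      echo "Firewall re-bound. If SecureClient refuses to connect, reboot." >&2
    fi
    ;;
  "")
    echo "usage: $0 enable|disable" >&2
    ;;
  *)
    echo "usage: $0 enable|disable" >&2
    exit 2
    ;;
esac
```

Install it somewhere the user can reach it and have him run `sudo ./scfw.sh disable` before working offline and `sudo ./scfw.sh enable` (and, per the original post, reboot) before the next gateway login. Test the mapping first with `SRFW=echo ./scfw.sh disable`, which prints the command instead of running it.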