CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello! I've got 2 questions.

1) Can Check Point's SecureClient with Office Mode be used without a Policy Server installed on the gateway (NG R55)? In my case SecureClient connects to the firewall and gets a local IP address (Office Mode), but then it cannot go anywhere. I'm not sure whether it's because of a misconfiguration or because no Policy Server is installed. SecureClient Diagnostics indicates that the machine is not securely configured - SCV is not verified.

2) DNS when using SecureClient without Office Mode, or SecuRemote. In that case the SecureClient or SecuRemote client doesn't get a local private address and therefore cannot connect to resources using DNS names; it's possible only when using IP addresses. All resources are within the internal network with private addresses. This is quite obvious, because the client is using the existing network connection with DNS servers that cannot resolve our private addresses, but is it somehow possible for clients to use internal DNS servers without adding them manually to the existing network connection? Is there a workaround for this?

Thanks.

1. SecureClient can be used without a policy server, but it does still (legally, anyway) require a license. The licensing wasn't enforced well before R60. You need to check your "Remote Access" settings on the gateway and make sure it is set to allow non-verified connections. Also make sure that the office mode pool is routable within your network or is being NATed to something that is.

2. There are some ways to get around this, but none are really good. Giving people a host table is one way around it, and probably the safest way. SecureClient's office mode is the "right" way to do this. That being said, you should complain to your local Check Point SE/Sales Rep that this should be part of SecuRemote and not a charged item. If enough people complain, TPTB will listen.

Here is Check Point's answer:

Solution ID: #skI2065
Product: SecuRemote
Version: NG
Last Modified: 15-Jul-2004

Solution

To set up Split DNS for VPN-1/FireWall-1 NG and SecuRemote/SecureClient NG, proceed with the following:

Create a Host Node network object in the Policy Editor

1. Select Manage > Network Objects
2. In the Network Objects dialog box, click on New and select Node > Host from the drop down list
3. In the Host Node dialog box, select General Properties in the left pane
4. In the Host Node - General Properties, enter the network object name of the internal DNS server in the Name field (i.e. internal_dns)
5. Enter the IP address of the internal DNS in the IP Address field (i.e. 192.168.2.100)
6. Click on OK in the Host Node dialog box
7. Click on Close in the Network Objects dialog box

Create a SecuRemote DNS server object in the Policy Editor

1. Select Manage > Servers
2. In the Servers dialog box, click on New and select "SecuRemote DNS..." from the drop down list
3. In the SecuRemote DNS Properties dialog box, select the General tab
4. In the General tab, enter the name for the SecuRemote DNS server in the Name field (i.e. sr_dns_server)
5. Select the network object of the internal DNS server (i.e. internal_dns) from the Host drop down list
6. In the SecuRemote DNS Properties dialog box, select the Domains tab
7. In the Domains tab, click on Add
8. In the Domain dialog box, enter the domain suffix of the internal network in the Domain Suffix field (i.e. detroit.com)
9. In the Domain Match Case section, select the "Match only *.suffix" option
   Note: If internal network workstations have a name such as pcstation.sales.detroit.com (two labels preceding the domain suffix), select the "Match up to ** labels preceding the suffix" option rather than the "Match only *.suffix" option. Adjust the number of labels in this option according to the maximum number of labels that may precede the domain suffix.
10. Click on OK in the Domain dialog box
11. Click on OK in the SecuRemote DNS Properties dialog box
12. Click on Close in the Servers dialog box
13. Install the security policy

Note: After the security policy is installed on the firewall module, the SecuRemote / SecureClient needs to update/recreate the site in order to download the Split DNS information from the firewall module.

Note: If you also wish to have the internal DNS traffic encrypted, you will need to go to Global Properties > Remote Access and check the box to Encrypt DNS traffic. If you make this change you will need to install the Security Policy on the gateway and update the topology information on the client.

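The part of that procedure people get wrong is step 9 and its note: which names the "Domain Match Case" setting actually diverts to the internal DNS server. The following is an added example (not Check Point's code, and not from the forum poster) that models the two options as described in the solution, so you can check a list of internal hostnames against your chosen suffix and label count before installing the policy. It assumes "Match only *.suffix" means exactly one label may precede the suffix and "Match up to N labels preceding the suffix" means one to N labels; the ISP resolver address is a constructed placeholder. Matching is done on whole DNS labels, which is the property a defender cares about: a name like detroit.com.example or notdetroit.com must never be treated as internal.

```python
"""Split DNS domain matching, modelled on the "Domain Match Case" options in the
Check Point solution quoted above. Constructed example, not Check Point code."""


def _labels(name: str) -> list:
    """Normalise a DNS name: lower-case, strip a trailing dot, split into labels."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def split_dns_matches(hostname: str, suffix: str, max_labels: int = 1) -> bool:
    """Return True if `hostname` should be resolved by the internal DNS server.

    max_labels=1 models "Match only *.suffix" (exactly one label before the
    suffix). A larger value models "Match up to N labels preceding the suffix".
    Comparison is label-aligned, so "notdetroit.com" and "detroit.com.example"
    do not match the suffix "detroit.com", and the bare suffix itself is not
    matched either (it has zero preceding labels).
    """
    host = _labels(hostname)
    suf = _labels(suffix)
    if not suf or len(host) <= len(suf):
        return False
    if host[-len(suf):] != suf:
        return False  # suffix must be the trailing labels, on a label boundary
    preceding = len(host) - len(suf)
    return 1 <= preceding <= max_labels


# Value taken from the solution's example Host Node object.
INTERNAL_DNS = "192.168.2.100"

# Constructed placeholder for the resolver of the client's existing connection.
DEFAULT_DNS = "203.0.113.53"


def choose_resolver(hostname: str, rules, default_dns: str = DEFAULT_DNS) -> str:
    """Pick the resolver for `hostname`.

    `rules` is a list of (suffix, max_labels) pairs, one per Domain entry
    configured on the SecuRemote DNS server object. First match wins;
    anything unmatched goes to the client's normal resolver.
    """
    for suffix, max_labels in rules:
        if split_dns_matches(hostname, suffix, max_labels):
            return INTERNAL_DNS
    return default_dns


if __name__ == "__main__":
    # Constructed sample: one Domain entry with "Match only *.suffix".
    rules = [("detroit.com", 1)]
    for name in ["fileserver.detroit.com", "pcstation.sales.detroit.com",
                 "detroit.com", "notdetroit.com", "detroit.com.example"]:
        print(f"{name:32} -> {choose_resolver(name, rules)}")
```

If the output shows pcstation.sales.detroit.com going to the default resolver, that is the situation the solution's note addresses: raise the label count (the second element of the rule) to the deepest level of sub-domain nesting you actually use, and no further.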
Please note that this procedure gives no hint to the client that this is happening in the background. It's all done inside the SecuRemote kernel and forwarded on to the VPN gateway. What I mean is, there's no point in using commands like ipconfig on the client, because it won't show anything. Your best bet is to test it via ping FQDN. It definitely works without Office Mode though.

Last edited by RobertGraham; 2006-10-11 at 10:58. Reason: added comment on ipconfig for clarity

| Quote:
I just upgraded to R61, and noticed R61 doesn't enforce the licensing for Office Mode. I was so happy, until I told my sales rep; he says in the future they could enforce the licensing check again and sadly I'll lose OM. Free OM would be very nice of them. I second chillyjim!