PDA

View Full Version : Checkpoint NG site VPN HTTP prpxy traffic



gold01
2005-11-13, 16:45
Have a hub site with proxy server inside lan and site to site VPN with a branch office, users can ping the proxy server from branch office across the VPN. But when they to browse the internet with proxy settings of the proxy server, the web browser displays no web pages. From the TCPDUMP it shows the proxy server is passing the packets to the firewall to be returned to the branch office. Any ideas what is going on?

jrdld
2005-11-14, 10:10
Can the clients resolve Internet names via DNS? If not, that might be the problem. You might think that the proxy would be the one doing all the resolution of website names, but I've found that you can have problems if the clients cannot also resolve the names.

JR

Claer
2005-11-14, 10:50
@jrdld : I had this problem only with old Netscape 4 browsers. We looked for the problem a long time. Pages were print ok with IE and not with Netscape.
I didn't have the problem with recent browsers.

@mankua: If your proxy is binding on a port with HTTP type traffic (advanced button in port properties), it can be the problem. If it's the case, try to create a new port without this analyse. Otherwise, do you have anything in your logfiles that could help us determining the cause of your problem ?

gold01
2005-11-16, 06:27
The bluecoat proxy server handles all the DNS queries. They are working.

The problem seems to between the checkpoint Firewall and Bluecoat. Local users have no problems browsing the Internet via the Bluecoat proxy, but the branch office connected via VPN through the ChecKpoint Firewall do not work. But you can see packets on the TCPdump of the firewall.

It seems like when connections are made to the proxy from branch office via the VPN ok, cos the logs on the bluecoat confirm this but when requests are made they get lost in the Firewall somewhere and the firewall logs show nothing.

intehnet
2005-12-12, 23:46
maybe set HTTP next proxy in global properties -> firewall-1 -> security server.
I'm dealing with a similar issue at the moment and i am about to try this..