CPUG: The Check Point User Group


Thread: Connection from Office to SSL Network Extender Connected Machine

  1. #1
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Connection from Office to SSL Network Extender Connected Machine

    Looking to make RDP/VNC/Dameware style connectivity to a machine connected via SSL Network Extender/Office Mode IP from the Internal Network/Helpdesk Network.

    Know how to do this with a traditional IPsec VPN Client: simply add a rule allowing the Internal LANs access to the Office Mode IP range in the Firewall Blade Policy.

    Two Questions

    1.) Is it possible with the SSL Network Extender?
    2.) If so, HOW?

    Have created the rules that would do normally in the Firewall Blade.
    At suggestion of Check Point TAC, who "think" this may work, then created a Mobile Access App with Server to Client Connection Direction, with Authorized Location as Internal Networks and the required protocols. Then published the App to everyone. This hasn't worked, so figured would see if anyone else has tried this and made it work with the SSL Network Extender connected clients before going down the "install the Fat Client instead" route.

  2. #2
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Re: Connection from Office to SSL Network Extender Connected Machine

    I have never seen this implemented, though I agree that it would certainly appear possible.

    So you have the rules to allow that traffic back to the Office Mode IPs, and you have an app published to allow that back connection... What does track show for your RDP connection attempts? What about 'fw ctl zdebug drop'? What does that show for your connection? What about the RDP connection itself? I assume that it simply times out, is this correct? Are there any other error messages? We need to know more about what the firewall is doing with the connection to work this out.

  3. #3
    Join Date
    2007-06-04
    Posts
    3,314
    Rep Power
    17

    Re: Connection from Office to SSL Network Extender Connected Machine

    Have the rule that initially created for the FAT VPN Client.

    ie

    Source = Internal_Networks
    Dest = OfficeModeNetwork
    Srv=Dameware/VNC/Remote Desktop

    This rule is showing 0 hits.

    Created a Mobile Application, set the direction as Server to Client

    For the Hosts then is the Internal Networks
    Services are the Dameware/VNC etc

    Not seeing anything in the tracker for this, the fw ctl zdebug etc, other than times out then not really able to get anything from the firewall.

    Personally was sceptical that this would work, and TAC only think, not a definite yes this will work. I know with a FAT VPN Client then will work as done this in the past.

    With this and not really seeing anything helpful when attempting to debug figured would check if anyone else has actually done this with the SSL Network Extender and got it to work. Sounds like nobody else tried this either.

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Re: Connection from Office to SSL Network Extender Connected Machine

    Tracker SHOULD show some logs of some kind for that traffic, even if not necessarily an accept, but even some kind of VPN encryption/decryption... What about a tcpdump or fw monitor on the Gateway? Is the RDP traffic getting to the GW in the first place?
