Connection from Office to SSL Network Extender Connected Machine

[mcnallym]

Looking to make RDP/VNC/Dameware style connectivity to a machine connected via SSL Network Extender/Office Mode IP from the Internal Network/Helpdesk Network.

Know how to do this with a traditional IPsec VPN Client, simply add a rule allowing the Internal Lan's access to the Office Mode IP range in the Firewall Blade Policy.

Two Questions

1.) Is it possible with the SSL Network Extender
2.) If so HOW

Have created the rules that would do normally in the Firewall Blade.
At suggestion of Check Point TAC who "think" this may work then created a Mobile Access App with Server to Client Connection Direction with Authorized Location as Internal Networks and the required protocols. Then published the App to everyone. This hasn't worked so figured would see if anyone else has tried this and made it work with the SSL Network Extender connected clients before going down the "install the Fat Client instead" route.

[jdmoore0883]

I have never seen this implemented, though I agree that it would certainly appear possible.

So you have the rules to allow that traffic back to the Office Mode IPs, and you have an app published to allow that back connection... What does track show for your RDP connection attempts? What about 'fw ctl zadebug drop'? What does that show for your connection? What about the RDP Connection itself, I assume that it simply times out, is this correct? Are there any other error messages? We need to know more about what the firewall is doing with the connection to work this out.

[mcnallym]

Have the rule that initially created for the FAT VPN Client.

ie

Source = Internal_Networks
Dest = OfficeModeNetwork
Srv=Dameware/VNC/Remote Desktop

This rule is showing 0 hits.

Created a Mobile Application, set the direction as Server to Client

For the Hosts then is the Internal Networks
Services are the Dameware/VNC etc

Not seeing anything in the tracker for this, the fw ctl zdebug etc, other then times out then not really able to get anything from the firewall.

Personally was sceptical that this would work, and TAC only think, not a definite yes this will work. I know with a FAT VPN Client then will work as done this in the past.

With this and not really seeing anything helpful when attempting to debug figured would check if anyone else has actually done this with the SSL Network Extender and got it too work. Sounds like nobody else tried this either.

[jdmoore0883]

Tracker SHOULD show some logs of some kind for that traffic, even if not necessarily an accept, but even some kind of VPN encryption/decryption... What a tcpdump or fw monitor on the Gateway? Is the RDP traffic getting to the GW in the first place?