Re: [FW-1] Clientless VPNs and multiple certificates

Subject: Re: [FW-1] Clientless VPNs and multiple certificates
From: Matthias Leu <mleu AT AERASEC DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 28 Sep 2005 15:23:05 +0200
Michael Kelly (HRG) wrote:
Hi all,
Our environment is Checkpoint Express NG AI R55
Reading the documentation, it seems that the only way to do content
inspection on inbound HTTPS traffic is to enable Clientless VPN.
However, I have two web servers in the DMZ. Each has a different FQDN which
resolves to a different public IP address. These addresses are NAT'ed on the
firewall.
Each server has its own X.509 certificate.
Looking at the configuration options for Clientless VPN, it seems that I can
only specify one certificate.
Does this mean that I can't use Clientless VPN to do content inspection on
more than one HTTPS server?
Or have I completely misunderstood the concept of Clientless VPN?
Thanks in advance,
Michael.

Hi,
As far as I understood, Clientless VPN is a protected access to a server behind the Firewall. Usually, this access is for web-based protocols. With the SSL Network Extender you are able to tunnel any protocol over HTTPS (as in SecureClient Visitor Mode).

As an example: A server in the internal network is usually accessed with HTTP, which isn't good from the Internet. So the user initiates a connection from the Internet with HTTPS, which is authenticated and decrypted by the Firewall. The traffic in the internal network from the Firewall to the server is plain HTTP. So the HTTPS traffic from a client to a server running HTTPS isn't inspected. For inspecting HTTPS you will need an 'SSL-Proxy' which, in your case, has to be able to handle more than one server certificate.

Hope it helps,
best regards,
Matthias
http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
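To make the two points of this reply concrete (the firewall decrypts HTTPS and forwards plain HTTP that can be inspected; a proxy in front of several HTTPS sites must pick the right server certificate per site), here is an added example of a small terminating SSL proxy in Go. It is not code from the original thread and is not Check Point's Clientless VPN; it selects the certificate from the TLS Server Name Indication the client sends and forwards the decrypted request to the per-site HTTP backend. The hostnames www1.example / www2.example, the backend addresses 10.0.1.10 and 10.0.1.11 and the self-signed certificates are constructed for the example; a real deployment loads each web server's own certificate and key instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// SelfSignedCert builds a throwaway certificate for one hostname so the example
// runs offline. A real proxy loads each site's CA-issued certificate and key
// with tls.LoadX509KeyPair instead (assumption: one certificate per FQDN).
func SelfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // fine for a throwaway cert
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HostOnly strips an optional :port from a Host header value.
func HostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return hostport
}

// NewSSLProxy returns the TLS configuration and HTTP handler of the terminating
// proxy. GetCertificate answers each handshake with the certificate whose name
// matches the SNI value the client sent; the handler then forwards the already
// decrypted request to that site's plain-HTTP backend, which is the leg where
// content inspection can look at the traffic.
func NewSSLProxy(certs map[string]tls.Certificate, backends map[string]*url.URL) (*tls.Config, http.Handler) {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[hello.ServerName]; ok {
				return &c, nil
			}
			// No matching name (or no SNI at all): fail the handshake rather than
			// present some other site's certificate.
			return nil, fmt.Errorf("no certificate for server name %q", hello.ServerName)
		},
	}
	proxies := make(map[string]*httputil.ReverseProxy, len(backends))
	for host, target := range backends {
		proxies[host] = httputil.NewSingleHostReverseProxy(target)
	}
	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, ok := proxies[HostOnly(r.Host)]
		if !ok {
			http.Error(w, "unknown site", http.StatusBadGateway)
			return
		}
		p.ServeHTTP(w, r)
	})
	return cfg, handler
}

func main() {
	// Constructed hostnames and backend addresses; substitute the real DMZ servers.
	sites := map[string]string{"www1.example": "http://10.0.1.10", "www2.example": "http://10.0.1.11"}
	certs, backends := map[string]tls.Certificate{}, map[string]*url.URL{}
	for host, be := range sites {
		c, err := SelfSignedCert(host)
		u, perr := url.Parse(be)
		if err != nil || perr != nil {
			log.Fatal(err, perr)
		}
		certs[host], backends[host] = c, u
	}
	cfg, h := NewSSLProxy(certs, backends)
	ln, err := tls.Listen("tcp", ":8443", cfg)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(ln, h))
}
```

Two design points worth noting. The certificate choice is keyed on the SNI name, so one public listener can front both FQDNs; with a single address and no SNI (as the 2005 setup in the question assumes) you would need one listener per public IP. And an unknown name fails the handshake instead of falling back to a default certificate, so a misrouted request never gets a certificate that does not belong to it. You can confirm which certificate a given name receives with openssl s_client -connect host:8443 -servername www1.example.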
