Re: [FW-1] VPN via SSL configuration

Subject: Re: [FW-1] VPN via SSL configuration
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Sat, 22 Jul 2006 12:00:35 -0400

Hi Alan,

I think you've got it, even though it's been a few years since I did it. I do use connection profiles, one for visitor mode and one not. Note that you cannot use spaces in the name of the connection profile and the description that was displayed to the end user in SC/SR R55 is not used in SC/SR R56 or SC/SR NGX. If you're not using the Compact View, your end users will see the connection profile name with underscores (if you use them), which is kind of ugly.

Don't forget you will need a rule allowing HTTPS connections from "any" directly to the firewall external IP.

How often are your topology updates? I have mine set to one hour and I think you'll need a topology update to get the connection profiles to the laptops.

> Will creating the connection profiles on this gateway/management server break current VPN tunnels? Will there be any tunnel downtime during configuration?

There shouldn't be.

> Will there be any benefit changing the gateway/management server's VPN to simplified mode? If I do change it, will it break current VPN tunnels (including the one between these two firewalls)?

Not for this purpose. If you're going to manage Edge boxes, you will need simplified mode.

Ray
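One way to check the HTTPS rule Ray mentions above, added here as an example that is neither from this thread nor Check Point's own code: it models FireWall-1's top-down, first-match rulebase evaluation over a small constructed rulebase (documentation-range addresses, and a stealth rule that the thread does not mention but is assumed here as the kind of rule typically placed above it) to show that the "HTTPS from Any to the firewall external IP" rule is silently shadowed unless it sits above any rule that drops traffic to the firewall itself.

```python
from ipaddress import ip_address, ip_network

GATEWAY_EXT_IP = "203.0.113.1"   # constructed sample external IP of the gateway
HTTPS = ("tcp", 443)             # visitor mode listens on the HTTPS port

# Constructed sample rulebase, top to bottom: (name, src, dst, service, action).
# "Any" matches everything; dst may be a single host or a CIDR block.
# The stealth rule is an assumption, not something the thread describes.
RULES = [
    ("stealth_rule", "Any", GATEWAY_EXT_IP, "Any", "drop"),
    ("visitor_mode_https", "Any", GATEWAY_EXT_IP, HTTPS, "accept"),
    ("cleanup_rule", "Any", "Any", "Any", "drop"),
]

def _addr_match(field, addr):
    return field == "Any" or ip_address(addr) in ip_network(field, strict=False)

def _svc_match(field, svc):
    return field == "Any" or field == svc

def first_match(rules, src, dst, svc):
    """Return (rule_name, action) for the first rule matching the packet,
    or (None, "drop") for the implicit drop at the end of the rulebase."""
    for name, r_src, r_dst, r_svc, action in rules:
        if _addr_match(r_src, src) and _addr_match(r_dst, dst) and _svc_match(r_svc, svc):
            return name, action
    return None, "drop"

def visitor_mode_reachable(rules, src="198.51.100.7"):
    """(accepted?, matching rule) for an HTTPS connection from an outside
    client (constructed sample address) to the gateway external IP."""
    name, action = first_match(rules, src, GATEWAY_EXT_IP, HTTPS)
    return action == "accept", name

def unshadow(rules, rule_name="visitor_mode_https"):
    """Copy of the rulebase with rule_name moved directly above whichever
    earlier rule currently catches visitor-mode HTTPS traffic."""
    accepted, caught_by = visitor_mode_reachable(rules)
    if accepted:
        return list(rules)
    rule = next(r for r in rules if r[0] == rule_name)
    fixed = [r for r in rules if r[0] != rule_name]
    idx = next(i for i, r in enumerate(fixed) if r[0] == caught_by)
    fixed.insert(idx, rule)
    return fixed

if __name__ == "__main__":
    print(visitor_mode_reachable(RULES))            # (False, 'stealth_rule')
    print(visitor_mode_reachable(unshadow(RULES)))  # (True, 'visitor_mode_https')
```

Everything else to the gateway (the SSH probe in the test, for instance) still lands on the stealth rule after the reorder, so the fix only opens the one port the thread talks about.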

From: Alan Choyna <achoyna AT PATHF DOT COM>
Reply-To: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] VPN via SSL configuration
Date: Thu, 20 Jul 2006 11:16:58 -0500

We have 2 checkpoint locations, both running SPLAT NG AI R55.

One location has a cluster running HFA09 (with VPN using simplified mode), the other has a stand alone gateway/management server running HFA16 (with VPN using traditional mode). When the servers were built I configured the management web interface to listen on port 8443, to free up the HTTPS port for future VPN use.

At the location with the cluster we have configured VPN access via the normal method, and via HTTPS, and I would like to do the same with the stand alone gateway/management server, but I must admit that I have forgotten how.

I think I need to perform the following, but would like confirmation (or correction) as to whether this will achieve it, and whether it will affect current VPN tunnels:

1) Edit the checkpoint gateway object and under the "Remote Access" tab, check "support visitor mode", with the allocated port as HTTPS.

2) Select connection profiles from the "manage/remote access" tab, and create 2 connections, one allowing visitor mode, and one not allowing it (there are currently no profiles on this firewall).

The "connection profiles" configuration we have on the cluster is different from what I have stated above, but it seems to work. The visitor mode button is not checked on either of the 2 profiles, the only difference being that "support office mode" is checked on the HTTPS profile, even though "Office mode" is disabled under the cluster.

Will creating the connection profiles on this gateway/management server break current VPN tunnels? Will there be any tunnel downtime during configuration?

Will there be any benefit changing the gateway/management server's VPN to simplified mode? If I do change it, will it break current VPN tunnels (including the one between these two firewalls)?

Sorry for so many questions, but I wish to get it right, and try to provide as much information as possible.

Thanks in advance.

Alan

Alan C. Choyna
Director of Infrastructure

Pathfinder Associates, LLC
http://www.pathfinderassoc.com
Internet Strategy Business Consultants
achoyna AT pathfinderassoc DOT com

Business telephone (312) 372-1058 ext 6003. Mobile (773) 255-6662


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================