CP SecuRemote Client can't get out
All Forums >> [ISA Server 2000 Firewall] >> VPN >> CP SecuRemote Client can't get out
CP SecuRemote Client can't get out - 8.Nov.2002 5:05:00 PM   
wdPatterson

 

Posts: 12
Joined: 8.Nov.2002
Status: offline
How do I configure ISA to allow CheckPoint's SecuRemote Client out through ISA?

This is the KB article that CheckPoint publishes. Like everything else, it is maddeningly incomplete.
---------------------------------------------
...you should configure the other firewalls to allow FW-1 services to pass from the SecuRemote Client to the SecuRemote Server. You should allow the following services:
- IKE
- IPSEC and IKE (UDP on port 500)
- IPSEC ESP (IP type 50)
- IPSEC AH (IP type 51)
- TCP/500 (if using IKE over TCP)
- UDP 2746 or another port (if using UDP encapsulation)
- SecureClient connections
- FW1_scv_keep_alive (UDP port 18233) used for SCV keep-alive packets
- FW1_pslogon_NG (TCP port 18231) used for SecureClient's logon to Policy Server protocol
- FW1_sds_logon (TCP port 18232) used for SecureClient's Software Distribution Server download protocol
---------------------------------------
How do you configure IKE? Should there be a packet filter? Bidirectional? Please help!

Bill
Post #: 1
RE: CP SecuRemote Client can't get out - 8.Nov.2002 5:16:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=13;t=000326
Maybe there are some other posts too. Just do a search in the forums.

HTH,
Stefaan

(in reply to wdPatterson)
Post #: 2
RE: CP SecuRemote Client can't get out - 8.Nov.2002 5:35:00 PM   
wdPatterson

 

Posts: 12
Joined: 8.Nov.2002
Status: offline
Third message at the bottom seems like it has the answer that I need...but I am still a bit clueless......

Are these protocol definitions? Packet filters? Can Kirill enlighten me?

(in reply to wdPatterson)
Post #: 3
RE: CP SecuRemote Client can't get out - 8.Nov.2002 5:44:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

these are protocol definitions! So, just create them and allow them in a protocol rule.

BTW --- you can only pass IPSec traffic through ISA when the IPSec implementation supports the IETF NAT-T (NAT Traversal) drafts. In that case all IPSec traffic (ESP/AH) is encapsulated in UDP packets.

HTH,
Stefaan

(in reply to wdPatterson)
Post #: 4
RE: CP SecuRemote Client can't get out - 8.Nov.2002 6:11:00 PM   
wdPatterson

 

Posts: 12
Joined: 8.Nov.2002
Status: offline
Thanks! I'll test tonight, when I get home (That's where the ISA box is)

If it works, I owe you some EKU 24.

(in reply to wdPatterson)
Post #: 5
RE: CP SecuRemote Client can't get out - 9.Nov.2002 5:21:00 AM   
wdPatterson

 

Posts: 12
Joined: 8.Nov.2002
Status: offline
Got it to work, with some caveats.

1. The IP of the client machine CANNOT be in the same subnet as the internal interface of the CheckPoint VPN Server. For example, if your corporate network is 10.x.x.x, your remote machine had better be something other than 10.x.x.x.

2. Set up the ports as was discussed in the thread earlier. Or, you can just cut and paste the script below, save it to a file named "SecuRemote.vbs" and execute it on the ISA machine.

3. Buy a case of EKU24 and send it to "spouseele"

-----------------script follows-----------

Const ERROR_ALREADY_EXISTS = 183

' Report any error other than "already exists" and stop the script.
' No "On Error Resume Next" inside this Sub: in VBScript that statement
' resets the Err object, so the check below would never see the error.
Sub CheckError()
If (Err.Number <> 0) And (Err.Number <> ERROR_ALREADY_EXISTS) Then
MsgBox "An error has occurred:" & vbCrLf & Err.Description & " (" & Err.Number & ")"
WScript.Quit Err.Number
End If
Err.Clear
End Sub

On Error Resume Next
Set ISA = CreateObject("FPC.Root")
ISA.Refresh
Set Elements = ISA.Arrays("REPLACE WITH ISA SERVER MACHINE NAME").PolicyElements
Set APolicy = ISA.Arrays("REPLACE WITH ISA SERVER MACHINE NAME").ArrayPolicy
Set Publishing = ISA.Arrays("REPLACE WITH ISA SERVER MACHINE NAME").Publishing

'-------------------------------------------------------
' Protocol definitions; each Add call takes (name, direction code, port).
Set Protocols = Elements.Protocoldefinitions
Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)
CheckError
NewDefinition.Description = "CheckPoint Key Control port."

Set NewDefinition = Protocols.AddUDP ("003 CheckPoint UDP Encapsulation",3,2746)
CheckError
NewDefinition.Description = "CheckPoint UDP Encapsulation port"

Set NewDefinition = Protocols.AddTCP ("004 SecuRemote Topo",1,264)
CheckError
NewDefinition.Description = "CheckPoint: Topology port"

Set NewDefinition = Protocols.AddUDP ("005 FW1_PSLogon_NG",3,18231)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's logon to Policy Server protocol"

Set NewDefinition = Protocols.AddTCP ("005 FW1_SCV_Keep_Alive",1,18233)
CheckError
NewDefinition.Description = "CheckPoint: used for SCV keep-alive packets"

Set NewDefinition = Protocols.AddTCP ("005 FW1_SDS_Logon",1,18232)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's Software Distribution Server download protocol"

' Commit the new definitions to the ISA configuration.
Protocols.Save
CheckError
MsgBox "SecuRemote Setup finished successfully. It is recommended that you restart ISA services after importing."

(in reply to wdPatterson)
Post #: 6
RE: CP SecuRemote Client can't get out - 9.Nov.2002 11:44:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Bill,

very good to hear you got it working and many thanks for the script to automate the configuration! [Smile]

BTW --- the caveat you mentioned about the possible IP address conflict is a general VPN networking issue because you are joining two networks together.

Thanks,
Stefaan

(in reply to wdPatterson)
Post #: 7
RE: CP SecuRemote Client can't get out - 18.Jun.2003 7:44:00 PM   
rungok

 

Posts: 22
Joined: 19.Feb.2001
From: Oslo, Norway
Status: offline
quote:
Originally posted by wdPatterson:
Got it to work, with some caveats.

1. The IP of the client machine CANNOT be in the same subnet as the internal interface of the CheckPoint VPN Server. For example, if your corporate network is 10.x.x.x, your remote machine had better be something other than 10.x.x.x.

2. Set up the ports as was discussed in the thread earlier. Or, you can just cut and paste the script below, save it to a file named "SecuRemote.vbs" and execute it on the ISA machine.

3. Buy a case of EKU24 and send it to "spouseele"

-----------------script follows-----------
XXXXXXXXXXXXXX

Was Firewall Client installed on the VPN Client?

Did you enable any NAT options on the securemote client (like udp encapsulation etc.)?

(in reply to wdPatterson)
Post #: 8
RE: CP SecuRemote Client can't get out - 18.Jun.2003 9:31:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rungok,

check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html .

HTH,
Stefaan

(in reply to wdPatterson)
Post #: 9
RE: CP SecuRemote Client can't get out - 19.Jun.2003 2:54:00 PM   
rungok

 

Posts: 22
Joined: 19.Feb.2001
From: Oslo, Norway
Status: offline
quote:
Originally posted by spouseele:
Hi rungok,

check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html .

HTH,
Stefaan

I take it from your article that the SecureNAT client represents the best solution.

But I am afraid that section 5.1 regarding Checkpoint was not enough for me. The script above also created application filters that were actually even worse than the ones I made myself based on the Checkpoint port definitions.

A more detailed explanation from wdPatterson would be useful, as he is the only one I have heard of who has actually done this in RL.

We have ip-filtering on the FW-1 gateway. Must this filter allow the internal ip-series from behind the ISA-server, or should the external ip be enough?

(in reply to wdPatterson)
Post #: 10
RE: CP SecuRemote Client can't get out - 19.Jun.2003 4:07:00 PM   
rungok

 

Posts: 22
Joined: 19.Feb.2001
From: Oslo, Norway
Status: offline
My test-lab is set up like this:

[network drawing not reproduced]
osl-rungok5 is trying to establish a Securemote VPN-connection with FIREWALL 1 at 10.10.20.2. The point of this vpn-connection is to access a database that resides on the 10.10.11.34-server.

After applying the application filters for Securemote as discussed earlier in this topic, I'm able to authenticate the client, but the client cannot telnet to 10.10.11.34 or access the database. It seems like the ip-tunnel is falling apart right after the authentication process.

There is also some ip-filtering on the vpn-gateway that only allows connections from the 10.20.4.0-net. Adding the 192.168-net had some effect, but not enough to establish a reliable connection for telnet or database-access.

Maybe I should use another 10.xxx.xxx.xxx-net series behind the ISA instead of the 192.168 or what?

Should the nearest router be configured to route the internal ip-range behind the ISA-server (192.168.xxx.xxx)?

Help me. I'm running out of options..... [Confused]

(in reply to wdPatterson)
Post #: 11
RE: CP SecuRemote Client can't get out - 20.Jun.2003 12:15:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi rungok,

a couple of other guys have implemented it as well, but no detailed setup posted. Keep in mind that the Checkpoint VPN client and gateway *must* be configured for NAT Traversal (or UDP encapsulation). The Checkpoint administrator should be able to do that. Also, check out the version the Checkpoint is running because it seems to be very important too.

It's rather difficult for me to answer the other questions because I have no first hand experience with the Checkpoint VPN solution. Normally, the VPN client should get some IP settings from the VPN gateway so it becomes a virtual member of the remote LAN. Is the VPN connection working when you place the VPN client outside of ISA?

HTH,
Stefaan

(in reply to wdPatterson)
Post #: 12
RE: CP SecuRemote Client can't get out - 20.Jun.2003 1:04:00 PM   
rungok

 

Posts: 22
Joined: 19.Feb.2001
From: Oslo, Norway
Status: offline
The article from spouseele pointed out the importance of UDP port 4500 for NAT traversal. This, and the fact that any IP filtering on the Firewall 1 VPN gateway has to allow the INTERNAL IP RANGE behind the ISA server (192.168 series on the drawing above), finally got my solution to work.

There are also two bugs in the script from wdPatterson. I took the liberty of correcting these bugs and adding UDP 4500 and TCP 500 (for IKE over TCP) to the script, and here it is:
_________________________________________________

Const ERROR_ALREADY_EXISTS = 183

' Report any error other than "already exists" and stop the script.
' No "On Error Resume Next" inside this Sub: in VBScript that statement
' resets the Err object, so the check below would never see the error.
Sub CheckError()
If (Err.Number <> 0) And (Err.Number <> ERROR_ALREADY_EXISTS) Then
MsgBox "An error has occurred:" & vbCrLf & Err.Description & " (" & Err.Number & ")"
WScript.Quit Err.Number
End If
Err.Clear
End Sub

On Error Resume Next
Set ISA = CreateObject("FPC.Root")
ISA.Refresh
Set Elements = ISA.Arrays("<ISA SERVER NETBIOS MACHINE NAME>").PolicyElements
Set APolicy = ISA.Arrays("<ISA SERVER NETBIOS MACHINE NAME>").ArrayPolicy
Set Publishing = ISA.Arrays("<ISA SERVER NETBIOS MACHINE NAME>").Publishing

'-------------------------------------------------------
' Protocol definitions; each Add call takes (name, direction code, port).
Set Protocols = Elements.Protocoldefinitions

Set NewDefinition = Protocols.AddTCP ("001 IKE over TCP",1,500)
CheckError
NewDefinition.Description = "CheckPoint: IKE over TCP."

Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)
CheckError
NewDefinition.Description = "CheckPoint Key Control port."

Set NewDefinition = Protocols.AddUDP ("003 CheckPoint UDP Encapsulation",3,2746)
CheckError
NewDefinition.Description = "CheckPoint UDP Encapsulation port"

Set NewDefinition = Protocols.AddTCP ("004 SecuRemote Topo",1,264)
CheckError
NewDefinition.Description = "CheckPoint: Topology port"

Set NewDefinition = Protocols.AddTCP ("005 FW1_PSLogon_NG",1,18231)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's logon to Policy Server protocol"

Set NewDefinition = Protocols.AddUDP ("006 FW1_SCV_Keep_Alive",3,18233)
CheckError
NewDefinition.Description = "CheckPoint: used for SCV keep-alive packets"

Set NewDefinition = Protocols.AddTCP ("007 FW1_SDS_Logon",1,18232)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's Software Distribution Server download protocol"

Set NewDefinition = Protocols.AddUDP ("008 IPSec_NAT-T",3,4500)
CheckError
NewDefinition.Description = "CheckPoint: used for IPSec NAT-T"

' Commit the new definitions to the ISA configuration.
Protocols.Save
CheckError
MsgBox "SecuRemote Setup finished successfully. It is recommended that you restart ISA services after importing."
________________________________________________

Good luck to the next fellow...... [Cool]

(in reply to wdPatterson)
Post #: 13
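As an added check that is not part of the thread or either poster's script, the following Python compares the AddTCP/AddUDP calls in a protocol-definition script against the KB service list quoted in the first post, so a script can be verified before it is run on the ISA box. The embedded inputs are the Add lines of the two scripts above; it flags the TCP/UDP swaps that rungok's version changes, reports anything not in the KB list as "extra", and does not validate direction codes.

```python
import re

# Services from the Check Point KB excerpt quoted in the first post, keyed by
# (protocol, port); TCP 264 and UDP 4500 are not in it, so they count as "extra".
REQUIRED = {
    ("UDP", 500): "IKE",
    ("TCP", 500): "IKE over TCP",
    ("UDP", 2746): "UDP encapsulation",
    ("UDP", 18233): "FW1_scv_keep_alive",
    ("TCP", 18231): "FW1_pslogon_NG",
    ("TCP", 18232): "FW1_sds_logon",
}

# Matches e.g.: Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)
ADD_CALL = re.compile(
    r'Protocols\.Add(TCP|UDP)\s*\(\s*"([^"]*)"\s*,\s*(\d+)\s*,\s*(\d+)\s*\)')

def parse_definitions(vbs_text):
    """Return (name, protocol, direction, port) for every AddTCP/AddUDP call."""
    return [(m.group(2), m.group(1), int(m.group(3)), int(m.group(4)))
            for m in ADD_CALL.finditer(vbs_text)]

def audit(vbs_text):
    """Classify definitions against REQUIRED: wrong_protocol = required port present
    with TCP/UDP swapped; missing = absent; extra = not in the KB excerpt.
    Direction codes are parsed but not validated."""
    defined = {(proto, port) for _, proto, _, port in parse_definitions(vbs_text)}
    flip = {"TCP": "UDP", "UDP": "TCP"}
    swapped = lambda k: (flip[k[0]], k[1])
    wrong = sorted(k for k in REQUIRED if k not in defined
                   and swapped(k) in defined and swapped(k) not in REQUIRED)
    missing = sorted(k for k in REQUIRED if k not in defined and k not in wrong)
    extra = sorted(k for k in defined if k not in REQUIRED and swapped(k) not in REQUIRED)
    return {"missing": missing, "wrong_protocol": wrong, "extra": extra}

# Constructed inputs: only the Add* lines of the two scripts posted in this thread.
ORIGINAL_SCRIPT = """
Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)
Set NewDefinition = Protocols.AddUDP ("003 CheckPoint UDP Encapsulation",3,2746)
Set NewDefinition = Protocols.AddTCP ("004 SecuRemote Topo",1,264)
Set NewDefinition = Protocols.AddUDP ("005 FW1_PSLogon_NG",3,18231)
Set NewDefinition = Protocols.AddTCP ("005 FW1_SCV_Keep_Alive",1,18233)
Set NewDefinition = Protocols.AddTCP ("005 FW1_SDS_Logon",1,18232)
"""
CORRECTED_SCRIPT = """
Set NewDefinition = Protocols.AddTCP ("001 IKE over TCP",1,500)
Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)
Set NewDefinition = Protocols.AddUDP ("003 CheckPoint UDP Encapsulation",3,2746)
Set NewDefinition = Protocols.AddTCP ("004 SecuRemote Topo",1,264)
Set NewDefinition = Protocols.AddTCP ("005 FW1_PSLogon_NG",1,18231)
Set NewDefinition = Protocols.AddUDP ("006 FW1_SCV_Keep_Alive",3,18233)
Set NewDefinition = Protocols.AddTCP ("007 FW1_SDS_Logon",1,18232)
Set NewDefinition = Protocols.AddUDP ("008 IPSec_NAT-T",3,4500)
"""
```

Running `audit(ORIGINAL_SCRIPT)` reports the PSLogon and SCV keep-alive ports with swapped protocols and TCP 500 missing, while `audit(CORRECTED_SCRIPT)` reports nothing missing and only the topology and NAT-T ports as extras.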
RE: CP SecuRemote Client can't get out - 20.Jun.2003 11:42:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Rune,

good to hear you have it working and thanks for the follow up! [Smile]

Stefaan

(in reply to wdPatterson)
Post #: 14
RE: CP SecuRemote Client can't get out - 23.Jun.2003 10:58:00 PM   
Guest
After running the script, what is the next step? Thx

(in reply to wdPatterson)
  Post #: 15
RE: CP SecuRemote Client can't get out - 24.Jun.2003 2:33:00 PM   
Guest
I have cut and paste the above mentioned script and run it but no new protocol definition is being added to my ISA Server. Is there something else I need to do besides running the script?

Thanks

(in reply to wdPatterson)
  Post #: 16
RE: CP SecuRemote Client can't get out - 2.Jul.2003 7:22:00 PM   
wdPatterson

 

Posts: 12
Joined: 8.Nov.2002
Status: offline
Greetings, Rungok. I had no idea this thread was still active. To all, private message me if you need help with this.

I am NOT running Firewall Client on the client machine (The one with SecuRemote Client on it)

The script I posted was the minimum necessary for CheckPoint VPN to work through ISA. My ISA box is at home (I am at work here); I'll have to check what I have going there when I get home.

SecureRemote will ONLY go from one subnet to another (from 192.x.x.x to 10.x.x.x) Your drawing showed you trying to go from a 10.x.x.x. network to a 10.x.x.x network.

When I first tried to do this, I was trying to get a laptop with a 10 address to go from my internal network (a 10.x.x.x network) through ISA to my work network (10.x.x.x). I experienced the same thing - a successful authentication, then nothing...until I figured out caveat #1.

At this point, I could either change my entire home network to a different private net address scheme, or I could just say "screw it" and add another subnet on the internal ISA NIC. I took the second option.

Now, my laptop sports a 169.254.x.x address, my ISA internal adapter has two (10.x and 169.254.x.x) and everyone is happy.

Now. Onto the two 'bugs' that you list. The UDP encapsulation port (UDP 500) is already in the protocol definitions:

Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)

Adding your rule would open TCP port 500. This is necessary if your client does NOT "Force UDP encapsulation"

SecureRemote Client->Tools->Configure Connection profile->Advanced

Mine is set to force encapsulation, so I don't need the TCP rule. This is entirely CLIENT-driven - nothing is required on the CheckPoint side, just the client.

The NAT Traversal rule: Again, The KB article does not explicitly state that you need port 4500 open. I don't require it open, and my config works fine. Perhaps if you forced UDP encapsulation, it would work without yet another port opening.

Good luck, all!

(in reply to wdPatterson)
Post #: 17
RE: CP SecuRemote Client can't get out - 27.Oct.2003 6:47:00 PM   
frihani

 

Posts: 21
Joined: 19.Sep.2001
Status: offline
Hey guys, I just have to post to confirm that this configuration does work for the Checkpoint VPN solution.

Big thanks to Stefaan as usual for continually contributing valuable information on vpn configs.

For any who missed it here is his article:
http://www.isaserver.org/articles/IPSec_Passthrough.html

Note: It must be a client/server with a version of CheckPoint 4.1 SP6 or NG1 FP1 or greater. I tried SP5 with no luck, and encapsulation has been featured since SP3 but never worked with ISA.

Good luck,
.frihani

(in reply to wdPatterson)
Post #: 18
RE: CP SecuRemote Client can't get out - 27.Oct.2003 10:13:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi frihani,

glad I could help and thanks for the kind words! [Smile]

Stefaan

(in reply to wdPatterson)
Post #: 19
RE: CP SecuRemote Client can't get out - 13.Nov.2003 1:09:00 PM   
Trevc80

 

Posts: 1
Joined: 13.Nov.2003
From: UK
Status: offline
Hi

Thanks to the posts in this thread I have got my SecureRemote client to authenticate to a Checkpoint-1 (NG). However, it is not passing any IP traffic - can't ping or connect to the devices on the Checkpoint side that I should be able to.

I've used the .vbs scripts from here to open up the right ports on the ISA side. (thanks Rune!)

Does NAT-T need to be enabled on the Checkpoint side? Or is it automatically 'enabled' when the client side is set to use it?

I am using the ISA Firewall Client.

Thanks for any further help [Confused]
Trevor

(in reply to wdPatterson)
Post #: 20
