How do I configure ISA to allow CheckPoint's SecuRemote Client out through ISA?
This is the KB article that CheckPoint publishes. Like everything else, it is maddeningly incomplete.
---------------------------------------------
...you should configure the other firewalls to allow FW-1 services to pass from the SecuRemote Client to the SecuRemote Server. You should allow the following services:
- IKE
  - IPSEC and IKE (UDP on port 500)
  - IPSEC ESP (IP type 50)
  - IPSEC AH (IP type 51)
  - TCP/500 (if using IKE over TCP)
  - UDP 2746 or another port (if using UDP encapsulation)
- SecureClient connections
  - FW1_scv_keep_alive (UDP port 18233) - used for SCV keep-alive packets
  - FW1_pslogon_NG (TCP port 18231) - used for SecureClient's logon to Policy Server protocol
  - FW1_sds_logon (TCP port 18232) - used for SecureClient's Software Distribution Server download protocol
---------------------------------------
How do you configure IKE? Should there be a packet filter? Bidirectional? Please help!
These are protocol definitions! So, just create them and allow them in a protocol rule.
BTW --- you can only pass IPSec traffic through ISA when the IPSec implementation supports the IETF NAT-T (NAT Traversal) drafts. In that case all IPSec traffic (ESP/AH) is encapsulated in UDP packets.
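The point above (and the UDP 4500 finding later in the thread) is easier to see on the wire. The following is an added example, not code from the thread or from Check Point: it decodes the UDP datagrams a NAT-T capable client sends on UDP 500 and 4500 according to RFC 3948 (Non-ESP marker, UDP-encapsulated ESP, one-byte keepalive) and flags raw ESP/AH (IP protocols 50/51), which carry no ports for a NAT device such as ISA to rewrite. Check Point's older UDP 2746 encapsulation is proprietary and is not decoded. The sample capture is constructed by hand; the SPIs and addresses in it are made up.

```python
"""Classify IPSec/IKE packets and show which ones can cross a NAT device like ISA.

Added example (not part of the original thread). Raw ESP (IP proto 50) and AH
(IP proto 51) have no UDP/TCP ports, so NAT cannot translate them; RFC 3948
NAT Traversal wraps IKE, ESP and keepalives in ordinary UDP/4500 datagrams.
The sample capture at the bottom is constructed for the demo.
"""
import struct

IKE_HEADER = struct.Struct("!QQBBBBII")   # fixed 28-byte ISAKMP/IKE header
NON_ESP_MARKER = b"\x00\x00\x00\x00"      # RFC 3948 2.2: IKE inside UDP/4500
NAT_KEEPALIVE = b"\xff"                   # RFC 3948 2.3: one-octet keepalive

EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational",
                  32: "Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH"}


def parse_ike_header(data):
    """Decode the IKE header; raises ValueError if the bytes are not IKE."""
    if len(data) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, _nxt, version, exch, flags, msgid, length = IKE_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        raise ValueError("not an IKE header (version %d.%d)" % (major, minor))
    return {"initiator_spi": ispi, "responder_spi": rspi,
            "version": "%d.%d" % (major, minor),
            "exchange": EXCHANGE_TYPES.get(exch, "type %d" % exch),
            "encrypted": bool(flags & 0x01), "message_id": msgid, "length": length}


def classify(ip_proto, dst_port, payload):
    """Return (kind, nat_friendly, detail) for one captured packet."""
    if ip_proto == 50:                       # raw ESP: SPI is the first 4 bytes
        return ("ESP", False, {"spi": struct.unpack("!I", payload[:4])[0]})
    if ip_proto == 51:                       # raw AH: SPI follows a 4-byte preamble
        return ("AH", False, {"spi": struct.unpack("!I", payload[4:8])[0]})
    if ip_proto != 17:
        return ("other", False, {})
    if dst_port == 500:
        return ("IKE", True, parse_ike_header(payload))
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return ("NAT-keepalive", True, {})
        if payload[:4] == NON_ESP_MARKER:
            return ("IKE/NAT-T", True, parse_ike_header(payload[4:]))
        # Anything else on 4500 is UDP-encapsulated ESP. ESP SPI 0 is reserved,
        # which is what keeps the all-zero Non-ESP marker unambiguous.
        spi, seq = struct.unpack("!II", payload[:8])
        return ("ESP/NAT-T", True, {"spi": spi, "seq": seq})
    return ("UDP other", True, {})


def make_ike_header(ispi, rspi, exchange, msgid=0, flags=0, length=IKE_HEADER.size):
    """Build a header-only IKEv1 message (next payload = SA, version 1.0)."""
    return IKE_HEADER.pack(ispi, rspi, 1, 0x10, exchange, flags, msgid, length)


# Constructed sample capture: (ip_proto, dst_port, payload). Values are made up.
SAMPLE_CAPTURE = [
    (17, 500, make_ike_header(0x1122334455667788, 0, 2)),                       # Main Mode msg 1
    (17, 4500, NON_ESP_MARKER + make_ike_header(0x1122334455667788,
                                                0xAABBCCDDEEFF0011, 32, 7, 1)),  # Quick Mode after NAT-T switch
    (17, 4500, struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16),               # UDP-encapsulated ESP
    (17, 4500, NAT_KEEPALIVE),
    (50, 0, struct.pack("!II", 0x0000ABCD, 1) + b"\x00" * 16),                  # raw ESP: NAT cannot pass it
]


def report(capture):
    """One line per packet: kind, whether a NAT can forward it, decoded detail."""
    lines = []
    for proto, port, payload in capture:
        kind, ok, detail = classify(proto, port, payload)
        lines.append("%-14s %-8s %s" % (kind, "passes" if ok else "BLOCKED", detail))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```

Run it against the constructed capture and the only packet marked BLOCKED is the raw ESP datagram; everything the client sends once it has switched to UDP encapsulation is plain UDP that ISA's NAT can translate. Feeding it real payloads (for instance, the UDP data of packets exported from a capture tool) is a quick way to confirm whether a given client is actually using NAT-T or is still trying raw ESP.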
1. The IP of the client machine CANNOT be in the same subnet as the internal interface of the CheckPoint VPN Server. For example, if your corporate network is 10.x.x.x, your remote machine had better be something other than 10.x.x.x.
2. Set up the ports as was discussed in the thread earlier. Or, you can just cut and paste the script below, save it to a file named "SecuRemote.vbs" and execute it on the ISA machine.
3. Buy a case of EKU24 and send it to "spouseele"
-----------------script follows-----------
Const ERROR_ALREADY_EXISTS = 183

' Report any error other than "already exists" (a definition left over from an
' earlier run) and stop. The original Sub began with "On Error Resume Next";
' in VBScript that statement resets the Err object, so the check below could
' never fire. It is left out here and Err is cleared after the check instead.
Sub CheckError()
    If (Err.Number <> 0) And (Err.Number <> ERROR_ALREADY_EXISTS) Then
        MsgBox "An error has occurred:" & vbCrLf & Err.Description & " (" & Err.Number & ")"
        WScript.Quit Err.Number
    End If
    Err.Clear
End Sub

On Error Resume Next

Set ISA = CreateObject("FPC.Root")
CheckError
ISA.Refresh
CheckError
' Replace the placeholder with the name of the ISA Server machine (array)
Set Elements = ISA.Arrays("REPLACE WITH ISA SERVER MACHINE NAME").PolicyElements
Set APolicy = ISA.Arrays("REPLACE WITH ISA SERVER MACHINE NAME").ArrayPolicy
Set Publishing = ISA.Arrays("REPLACE WITH ISA SERVER MACHINE NAME").Publishing
CheckError

'-------------------------------------------------------
' Protocol definitions. The second argument of AddTCP/AddUDP is the ISA
' connection-direction constant, kept exactly as posted.
Set Protocols = Elements.ProtocolDefinitions

Set NewDefinition = Protocols.AddUDP("002 SecuRemote Auth", 3, 500)
CheckError
NewDefinition.Description = "CheckPoint Key Control port."

Set NewDefinition = Protocols.AddUDP("005 FW1_PSLogon_NG", 3, 18231)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's logon to Policy Server protocol"

Set NewDefinition = Protocols.AddTCP("005 FW1_SCV_Keep_Alive", 1, 18233)
CheckError
NewDefinition.Description = "CheckPoint: used for SCV keep-alive packets"

Set NewDefinition = Protocols.AddTCP("005 FW1_SDS_Logon", 1, 18232)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's Software Distribution Server download protocol"

Protocols.Save
CheckError
MsgBox "SecuRemote Setup finished successfully. It is recommended that you restart ISA services after importing."
very good to hear you got it working and many thanks for the script to automate the configuration!
BTW --- the caveat you mentioned about the possible IP address conflict is a general VPN networking issue because you are joining two networks together.
quote: Originally posted by wdPatterson:
Got it to work, with some caveats.
1. The IP of the client machine CANNOT be in the same subnet as the internal interface of the CheckPoint VPN Server. For example, if your corporate network is 10.x.x.x, your remote machine had better be something other than 10.x.x.x.
2. Set up the ports as was discussed in the thread earlier. Or, you can just cut and paste the script below, save it to a file named "SecuRemote.vbs" and execute it on the ISA machine.
I take it from your article that the SecureNAT client represents the best solution.
But I am afraid that section 5.1 regarding Checkpoint was not enough for me. The script above also created application filters that were actually even worse than the ones I made myself based on the Checkpoint port definitions.
A more detailed explanation from wdPatterson would be useful, as he is the only one I have heard of who has actually done this in RL.
We have ip-filtering on the FW-1 gateway. Must this filter allow the internal ip-series from behind the ISA-server, or should the external ip be enough?
osl-rungok5 is trying to establish a Securemote VPN-connection with FIREWALL 1 at 10.10.20.2. The point of this vpn-connection is to access a database that resides on the 10.10.11.34-server.
After applying the application filters for Securemote as discussed earlier in this topic, I'm able to authenticate the client, but the client cannot telnet to 10.10.11.34 or access the database. It seems like the ip-tunnel is falling apart right after the authentication process.
There is also some ip-filtering on the vpn-gateway that only allows connections from the 10.20.4.0-net. Adding the 192.168-net had some effect, but not enough to establish a reliable connection for telnet or database-access.
Maybe I should use another 10.xxx.xxx.xxx-net series behind the ISA instead of the 192.168 or what?
Should the nearest router be configured to route the internal ip-range behind the ISA-server (192.168.xxx.xxx)?
a couple of other guys have implemented it as well, but no detailed setup posted. Keep in mind that the Checkpoint VPN client and gateway *must* be configured for NAT Traversal (or UDP encapsulation). The Checkpoint administrator should be able to do that. Also, check out the version the Checkpoint is running because it seems to be very important too.
It's rather difficult for me to answer the other questions because I have no first hand experience with the Checkpoint VPN solution. Normally, the VPN client should get some IP settings from the VPN gateway so it becomes a virtual member of the remote LAN. Is the VPN connection working when you place the VPN client outside of ISA?
The article from Spousele pointed out the importance of the UDP port 4500 for NAT traversal. This and the fact that any ip-filtering on Firewall 1 VPN-gateway has to allow the INTERNAL IP-RANGE behind the ISA-server (192.168-series on the drawing above), got my solution to work finally.
There are also two bugs in the script from wdPatterson. I took the liberty of correcting these bugs and adding UDP 4500 and TCP 500 (for IKE over TCP) to the script, and here it is:
_________________________________________________
Const ERROR_ALREADY_EXISTS = 183

' Report any error other than "already exists" (a definition left over from an
' earlier run) and stop. The original Sub began with "On Error Resume Next";
' in VBScript that statement resets the Err object, so the check below could
' never fire. It is left out here and Err is cleared after the check instead.
Sub CheckError()
    If (Err.Number <> 0) And (Err.Number <> ERROR_ALREADY_EXISTS) Then
        MsgBox "An error has occurred:" & vbCrLf & Err.Description & " (" & Err.Number & ")"
        WScript.Quit Err.Number
    End If
    Err.Clear
End Sub

On Error Resume Next

Set ISA = CreateObject("FPC.Root")
CheckError
ISA.Refresh
CheckError
' Replace the placeholder with the NetBIOS name of the ISA Server machine (array)
Set Elements = ISA.Arrays("<ISA SERVER NETBIOS MACHINE NAME>").PolicyElements
Set APolicy = ISA.Arrays("<ISA SERVER NETBIOS MACHINE NAME>").ArrayPolicy
Set Publishing = ISA.Arrays("<ISA SERVER NETBIOS MACHINE NAME>").Publishing
CheckError

'-------------------------------------------------------
' Protocol definitions. The second argument of AddTCP/AddUDP is the ISA
' connection-direction constant, kept exactly as posted.
Set Protocols = Elements.ProtocolDefinitions

Set NewDefinition = Protocols.AddTCP("001 IKE over TCP", 1, 500)
CheckError
NewDefinition.Description = "CheckPoint: IKE over TCP."

Set NewDefinition = Protocols.AddUDP("002 SecuRemote Auth", 3, 500)
CheckError
NewDefinition.Description = "CheckPoint Key Control port."

Set NewDefinition = Protocols.AddTCP("005 FW1_PSLogon_NG", 1, 18231)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's logon to Policy Server protocol"

Set NewDefinition = Protocols.AddUDP("006 FW1_SCV_Keep_Alive", 3, 18233)
CheckError
NewDefinition.Description = "CheckPoint: used for SCV keep-alive packets"

Set NewDefinition = Protocols.AddTCP("007 FW1_SDS_Logon", 1, 18232)
CheckError
NewDefinition.Description = "CheckPoint: used for SecureClient's Software Distribution Server download protocol"

Set NewDefinition = Protocols.AddUDP("008 IPSec_NAT-T", 3, 4500)
CheckError
NewDefinition.Description = "CheckPoint: used for IPSec NAT-T"

Protocols.Save
CheckError
MsgBox "SecuRemote Setup finished successfully. It is recommended that you restart ISA services after importing."
________________________________________________
RE: CP SecuRemote Client can't get out - 24.Jun.2003 2:33:00 PM
Guest
I have cut and paste the above mentioned script and run it but no new protocol definition is being added to my ISA Server. Is there something else I need to do besides running the script?
Greetings, Rungok. I had no idea this thread was still active. To all, private message me if you need help with this.
I am NOT running Firewall Client on the client machine (The one with SecuRemote Client on it)
The script I posted was the minimum necessary for CheckPoint VPN to work through ISA. My ISA box is at home (I am at work here); I'll have to check what I have going there when I get home.
SecuRemote will ONLY go from one subnet to another (from 192.x.x.x to 10.x.x.x). Your drawing showed you trying to go from a 10.x.x.x network to a 10.x.x.x network.
When I first tried to do this, I was trying to get a laptop with a 10 address to go from my internal network (a 10.x.x.x network) through ISA to my work network (10.x.x.x). I experienced the same thing - a successful authentication, then nothing... until I figured out caveat #1.
At this point, I could either change my entire home network to a different private net address scheme, or I could just say "screw it" and add another subnet on the internal ISA NIC. I took the second option.
Now, my laptop sports a 169.254.x.x address, my ISA internal adapter has two (10.x and 169.254.x.x) and everyone is happy.
Now, on to the two 'bugs' that you list. The UDP encapsulation port (UDP 500) is already in the protocol definitions:
Set NewDefinition = Protocols.AddUDP ("002 SecuRemote Auth",3,500)
Adding your rule would open TCP port 500. This is necessary if your client does NOT "Force UDP encapsulation"
Mine is set to force encapsulation, so I don't need the TCP rule. This is entirely CLIENT-driven - nothing is required on the CheckPoint side, just the client.
The NAT Traversal rule: Again, The KB article does not explicitly state that you need port 4500 open. I don't require it open, and my config works fine. Perhaps if you forced UDP encapsulation, it would work without yet another port opening.
Note: It must be a client/server with a version of CheckPoint 4.1 SP6 or NG1 FP1 or greater. I tried SP5 with no luck and encapsulation has been featured since sp3 but never worked with ISA.
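Caveat #1 from the post above (the client's LAN must not overlap the network behind the Check Point gateway, and the fix of adding a second, non-overlapping subnet on the ISA internal NIC) is a routing problem that can be checked before anyone sits down to debug a tunnel that authenticates and then goes quiet. The following is an added example, not code from the thread: it reports overlapping prefixes between the client side and the remote encryption domain, tests a client address against the remote networks, and picks a replacement /24 from the RFC 1918 and link-local ranges. The network values used are made up.

```python
"""Check a SecuRemote client's LAN against the remote VPN network (caveat #1).

Added example, not from the original thread. When the client's own subnet and
the network behind the VPN gateway overlap, packets for the remote side are
delivered on the local LAN instead of into the tunnel: authentication works,
traffic does not. suggest_client_subnet() mirrors the remedy used in the thread
(a second, non-overlapping subnet on the ISA internal NIC). Prefixes are made up.
"""
import ipaddress

# Order of preference for a replacement client subnet. 169.254/16 is last only
# because it is link-local; it is what the poster above actually used.
CANDIDATE_RANGES = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "169.254.0.0/16"]


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def find_overlaps(local_cidrs, remote_cidrs):
    """Return (local, remote) pairs of prefixes that share addresses."""
    return [(str(loc), str(rem))
            for loc in _nets(local_cidrs)
            for rem in _nets(remote_cidrs)
            if loc.overlaps(rem)]


def client_address_ok(client_ip, remote_cidrs):
    """Caveat #1: the client's own address must lie outside every remote network."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in net for net in _nets(remote_cidrs))


def suggest_client_subnet(local_cidrs, remote_cidrs, prefix=24):
    """First /prefix from CANDIDATE_RANGES overlapping neither side, or None."""
    taken = _nets(local_cidrs) + _nets(remote_cidrs)
    for rng in _nets(CANDIDATE_RANGES):
        if rng.prefixlen > prefix:
            continue
        for sub in rng.subnets(new_prefix=prefix):
            if not any(sub.overlaps(t) for t in taken):
                return str(sub)
    return None


if __name__ == "__main__":
    # Home LAN and corporate network both in 10/8, as in the thread.
    home, work = ["10.0.1.0/24"], ["10.0.0.0/8"]
    print(find_overlaps(home, work))            # [('10.0.1.0/24', '10.0.0.0/8')]
    print(client_address_ok("10.0.1.50", work))  # False
    print(suggest_client_subnet(home, work))     # 192.168.0.0/24
```

The remote prefixes to feed in are whatever the Check Point administrator has defined as the gateway's encryption domain, not just the address of the gateway itself; a client that is fine against 10.10.20.0/24 can still collide with a second internal range behind the same gateway.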
Hi
Thanks to the posts in this thread I have got my SecureRemote client to authenticate to a Checkpoint-1 (NG). However, it is not passing any IP traffic - can't ping or connect to the devices on the Checkpoint side that I should be able to.
I've used the .vbs scripts from here to open up the right ports on the ISA side. (thanks Rune!)
Does NAT-T need to be enabled on the Checkpoint side? Or is it automatically 'enabled' when the client side is set to use it?