Re: [squid-users] Checkpoint FW1 & Securemote client

From: Wei Keong <chooweikeong@dont-contact.us>
Date: Thu, 30 May 2002 17:35:16 +0800

Hi All,

> No... As you have a transparent proxy the browser does not know that it's
> there and therefore will send packets destined for the destination as per
> normal. SecuRemote will spot these, hijack them and send them down the
> encrypted tunnel.

Pardon me guys... I don't know much about this SecuRemote... Actually, based
on my understanding, transparent proxy will have no effect on tunnelling (if
it is done properly). But, the strange thing is when the same user connects
through another ISP (no transparent proxy), he is able to connect to the
CheckPoint FW.

Emmm, what else could be the cause? Will check with the user on the
CheckPoint log...

Thanks.
Wei Keong

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Ward, John (GroupWare)" <john@metropolitan.co.za>
Cc: "'Wei Keong'" <chooweikeong@pacific.net.sg>; "Squid Users"
<squid-users@squid-cache.org>
Sent: Friday, May 31, 2002 5:15 PM
Subject: Re: [squid-users] Checkpoint FW1 & Securemote client

> "Ward, John (GroupWare)" wrote:
> >
> > it seems that everyone is missing the point of the secureremote client....
>
> I don't think so, but it is true that at least I do not know for sure
> exactly how it tunnels the traffic and I appreciate your clarifications
> on this. There is a zillion ways one can tunnel traffic, and all have
> their problems.
>
> Some idiots do tunnel things on TCP port 80 as this port is usually
> allowed in firewalls etc. I am glad to hear that SecuRemote is not one
> of them.
>
> > It creates a secure tunnel to a firewall.... most/all packets are then routed
> > through this tunnel to the firewall, which ends up being the tunnel terminator.
> > On the firewall, there can be the following things in place ... routing, nat,
> > rules for browsing etc. This is also important as if the user is given an
> > "internal network" address ( like he gets nat'd to the internal firewall
> > address once his tunnel is established ... depending on configuration). this
> > is not going through port 80.
>
> Good.
>
> > Setup ports are usually udp 500 and then a gre/similar tunnel is established.
>
> Good.
>
> > Once he is connected to this tunnel ( usually an ipsec or des) he won't be
> > using local network settings.
>
> Good.
>
> > It's important to look at the firewall logs and the configuration (yes,
> > firewall rules) that gets downloaded to the pc once secure remote is setup.
>
> And the local firewall (if any) to ensure the needed traffic is allowed
> to get out on the internet and back...
>
> If what you describe above is true then the transparent proxy should
> have no effect on SecuRemote.
>
> If however any phase of the setup is using port 80 then a transparent
> proxy may disturb things.
>
> Regards
> Henrik
>
Received on Fri May 31 2002 - 03:35:36 MDT
