Checkpoint gurus...

N11

Senior member
Mar 5, 2002
Checkpoint 3.0b on NT workstation. Interesting situation.


Having a little difficulty regulating traffic between DMZ and LAN in a Windows 2000 environment.

Followed this article:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q280132

With no luck. Only option is to allow all traffic to pass through (unacceptable).

Any recommendations from experience or perusing the article?

n0cmonkey

Elite Member
Jun 10, 2001
I didn't think it worked on workstations. That would be one thing I'd work on fixing immediately.

What traffic do you want to allow?

It's been a while since I looked at Checkpoint (horrid product), but I'll try and help.

pass between LAN network source port greater than 1023 object to DMZ network object service/port 80/http

Something like that should allow http traffic through? Is it not working? Microsoft OSes may not restrict themselves to ports >1023 (which I think that article was talking about, not sure, just glanced over it). You can remove that if you want.

If you give me a little more information I'll try and get a look at a checkpoint management station in the near future (if no one else helps) so I can figure out what it looks like again ;)

N11

Senior member
Mar 5, 2002
Traffic to allow would be enough for authentication, as well as communication between an exchange 2000 frontend and an exchange 2000 server in the local area network. In this particular environment checkpoint does appear to have been running successfully on NT4 workstation for several years.

I'm not checkpoint certified, so anything past what microsoft recommends for success would not be first hand knowledge for me. I would simply like to see consistent authentication and passing through of data between exchange servers without having to allow everything...

thanks for the help in advance.

n0cmonkey

Elite Member
Jun 10, 2001
That article mentions some of the ports and protocols for some of the services. Try opening them up between your DMZ and local lan network objects.
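Added example, not from the thread and not Check Point code: a small first-match rule-base evaluator with an implicit cleanup drop (the ordering semantics FireWall-1 and most stateful firewalls use). It models the rule n0cmonkey describes above ("LAN, source port greater than 1023, to DMZ, service http"), the same rule with the source-port condition removed, and the "allow everything" fallback, and it shows what a rule-base review should report when a flow that "should" be open is still dropped: which rule came closest and on which field it failed. The addresses, rule names and flows are constructed; the source port 1021 is only a hypothetical client that picked a port below 1024, to illustrate what the >1023 condition does to it.

```python
"""Toy first-match firewall rule-base evaluator (added example, not the thread's
or Check Point's code). Networks, rule names and flows below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

LAN = ipaddress.ip_network("10.0.1.0/24")        # constructed LAN network object
DMZ = ipaddress.ip_network("192.168.100.0/24")   # constructed DMZ network object
ANY = ipaddress.ip_network("0.0.0.0/0")
ANY_PORT = (0, 65535)
HIGH_PORTS = (1024, 65535)   # the "source port greater than 1023" condition


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    dst_ports: Tuple[int, int]       # inclusive range
    src_ports: Tuple[int, int] = ANY_PORT
    action: str = "accept"           # "accept" or "drop"


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _field_mismatches(rule: Rule, flow: Flow) -> List[str]:
    """Names of the rule fields the flow fails to satisfy (empty list = full match)."""
    bad = []
    if ipaddress.ip_address(flow.src_ip) not in rule.src:
        bad.append("src")
    if ipaddress.ip_address(flow.dst_ip) not in rule.dst:
        bad.append("dst")
    if rule.proto != "any" and rule.proto != flow.proto:
        bad.append("proto")
    if not rule.dst_ports[0] <= flow.dst_port <= rule.dst_ports[1]:
        bad.append("dst_port")
    if not rule.src_ports[0] <= flow.src_port <= rule.src_ports[1]:
        bad.append("src_port")
    return bad


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; an unmatched flow is dropped by the implicit
    cleanup rule, which is why 'I opened every port and it still fails' is hard
    to debug unless the drop is attributed to a rule."""
    for rule in rules:
        if not _field_mismatches(rule, flow):
            return rule.action, rule.name
    return "drop", "<implicit cleanup>"


def near_misses(rules: List[Rule], flow: Flow) -> List[Tuple[str, str]]:
    """Accept rules that failed on exactly one field, with that field: the
    review step that points at the constraint actually blocking a flow."""
    out = []
    for rule in rules:
        if rule.action != "accept":
            continue
        bad = _field_mismatches(rule, flow)
        if len(bad) == 1:
            out.append((rule.name, bad[0]))
    return out


def overly_broad(rules: List[Rule]) -> List[str]:
    """Accept rules that are any/any on every field: the 'let all traffic pass'
    fallback, which any rule-base review should flag."""
    return [r.name for r in rules
            if r.action == "accept" and r.src == ANY and r.dst == ANY
            and r.proto == "any" and r.dst_ports == ANY_PORT
            and r.src_ports == ANY_PORT]


# Rule base as described in the thread: the http rule with the >1023 source-port
# condition and nothing else, so the implicit cleanup drop closes the base.
RESTRICTED = [Rule("lan-to-dmz-http", LAN, DMZ, "tcp", (80, 80), src_ports=HIGH_PORTS)]
# Same rule with the source-port condition removed, as suggested above.
RELAXED = [Rule("lan-to-dmz-http", LAN, DMZ, "tcp", (80, 80))]
# The "allow everything" fallback the original poster is stuck with.
OPEN = [Rule("allow-all", ANY, ANY, "any", ANY_PORT)]

# Constructed flows: a normal ephemeral-port client, and a hypothetical client
# whose source port is below 1024 (the case the >1023 condition silently drops).
HIGH_CLIENT = Flow("10.0.1.25", 49152, "192.168.100.10", 80)
LOW_CLIENT = Flow("10.0.1.25", 1021, "192.168.100.10", 80)

if __name__ == "__main__":
    for base_name, base in (("restricted", RESTRICTED), ("relaxed", RELAXED)):
        for flow in (HIGH_CLIENT, LOW_CLIENT):
            action, hit = evaluate(base, flow)
            print(f"{base_name:10} src_port={flow.src_port:5} -> {action} by {hit}")
            if hit == "<implicit cleanup>":
                print("   near misses:", near_misses(base, flow))
    print("overly broad rules in OPEN base:", overly_broad(OPEN))
```

Running it shows the restricted base accepting the ephemeral-port client and dropping the low-port one at the cleanup rule, with `near_misses` naming `src_port` as the only failing field of the http rule; the relaxed base accepts both. The `overly_broad` check is the one to keep around whenever an "allow all" rule has been added as a workaround, so it does not quietly become permanent.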

N11

Senior member
Mar 5, 2002
n0cmonkey,

I did try opening up every listed port between the exchange frontend in the dmz and the lan, with no success. The exchange frontend is an outlook web access server requiring these various methods of communication with the exchange server in the lan and the active directory.

I'm not really impressed with microsoft's solution to the problem. As far as I've heard this is supposed to work and in this situation it clearly is not. Really the only solution is to let all traffic pass, which is one of the most frustrating things to have happen.

Security is not my primary expertise but I may make it a significant priority to replace this in the next week.

What are your thoughts on the sonicwall 300?