RE: [squid-users] Checkpoint FW1 & Securemote client

From: Ward, John (GroupWare) <john@dont-contact.us>
Date: Fri, 31 May 2002 10:32:30 +0200

It seems that everyone is missing the point of the Securemote client....

It creates a secure tunnel to a firewall.... most/all packets are then routed through this tunnel to the firewall, which ends up being the tunnel
terminator. On the firewall, there can be the following things in place ... routing, NAT, rules for browsing etc. This is also important, as if the
user is given an "internal network" address (like he gets NAT'd to the internal firewall address once his tunnel is established ... depending on
configuration), this is not going through port 80.
Setup ports are usually UDP 500 and then a GRE/similar tunnel is established.

Once he is connected to this tunnel (usually IPsec or DES) he won't be using local network settings.

It's important to look at the firewall logs and the configuration (yes, firewall rules) that gets downloaded to the PC once Securemote is set up.

I would suggest talking to the firewall engineer, as he will understand your problem.

-----Original Message-----
From: Wei Keong [mailto:chooweikeong@pacific.net.sg]
Sent: 31 May 2002 10:10
To: Henrik Nordstrom
Cc: Squid Users
Subject: Re: [squid-users] Checkpoint FW1 & Securemote client

> > The user is able to use telnet, ftp through Securemote. He should have no
> > problem connecting to the Checkpoint firewall. Moreover, the reply is not
> > 'authentication failed' but 'page cannot display'.
>
> Verify that the user hasn't configured his browser to use your proxy. If
> it has, the proxy configuration of the browser will most likely bypass the
> secure tunnel set up by Securemote.

The browser has no proxy setting, as the transparent proxy is in place.

> > The problem is the transparent proxy will 'hijack' all port 80 traffic and
> > redirect it to the Squid box. Seems that with TP it will not work in this case...
>
> If Securemote is doing its job properly in the way described by others
> here, your systems should no longer see that the traffic is for
> port 80...
>
> If Securemote abuses port 80 for the encrypted tunnel traffic in order
> to more easily pass firewalls etc. then that is the problem.

I think this is what they are doing... VPN over port 80, very bad
implementation.

> What you can do if Securemote abuses port 80 is to exclude the address of
> the firewall from your transparent proxying. You do not need to exclude
> the user, only this specific destination.

Another alternative is to ask the destination server to change the http page
to an https page, so it is not hijacked by our Squid box...

Thanks for helping...
Wei Keong
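One way to carry out Henrik's suggestion of excluding only the firewall's address from the transparent redirect, as an added example that is not part of the thread: it assumes a Linux box doing the port-80 redirect with iptables, and the gateway address, LAN interface and Squid port are placeholders.

```shell
#!/bin/sh
# Added example: exempt the Check Point gateway from the transparent-proxy
# redirect so Securemote traffic on TCP/80 reaches the tunnel endpoint instead
# of Squid. Assumes Linux + iptables; all three values below are placeholders.
VPN_GW="${VPN_GW:-192.0.2.10}"      # constructed placeholder gateway address
LAN_IF="${LAN_IF:-eth0}"            # interface the user traffic arrives on
SQUID_PORT="${SQUID_PORT:-3128}"    # Squid's transparent-proxy port

# Print the nat/PREROUTING rules in the order they must be applied: the
# exemption (ACCEPT) has to come before the catch-all REDIRECT, because
# iptables stops at the first matching rule in the chain.
tp_rules() {
    gw="$1"; ifc="$2"; port="$3"
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $ifc -p tcp --dport 80 -d $gw -j ACCEPT" \
      "iptables -t nat -A PREROUTING -i $ifc -p tcp --dport 80 -j REDIRECT --to-ports $port"
}

# Check an existing chain dump (e.g. the output of `iptables -t nat -S PREROUTING`,
# where -S prints the destination as 192.0.2.10/32): return 0 only if an ACCEPT
# for the gateway appears before any REDIRECT, 1 otherwise.
exemption_precedes_redirect() {
    dump="$1"; gw="$2"
    printf '%s\n' "$dump" | awk -v gw="$gw" '
        { dst = 0
          for (i = 1; i < NF; i++)
              if ($i == "-d" && ($(i+1) == gw || $(i+1) == gw "/32")) dst = 1 }
        / -j REDIRECT/ && !ok { bad = 1 }
        dst && / -j ACCEPT/ { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Show the rules; pipe this script's output to sh to actually apply them.
tp_rules "$VPN_GW" "$LAN_IF" "$SQUID_PORT"
```

After applying, the firewall engineer's logs should show the tunnel setup arriving at the gateway rather than Squid's access log showing the gateway as a destination.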

Received on Fri May 31 2002 - 02:39:49 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:17 MST