Re: [squid-users] Checkpoint FW1 & Securemote client

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 31 May 2002 11:15:05 +0200

"Ward, John (GroupWare)" wrote:
>
> It seems that everyone is missing the point of the SecuRemote client....

I don't think so, but it is true that at least I do not know for sure
exactly how it tunnels the traffic and I appreciate your clarifications
on this. There are a zillion ways one can tunnel traffic, and all have
their problems.

Some idiots do tunnel things on TCP port 80 as this port is usually
allowed in firewalls etc. I am glad to hear that SecuRemote is not one
of them.

> It creates a secure tunnel to a firewall.... most/all packets are then routed
> through this tunnel to the firewall, which ends up being the tunnel terminator.
> On the firewall, there can be the following things in place ... routing, NAT,
> rules for browsing etc. This is also important as if the user is given an
> "internal network" address (like he gets NAT'd to the internal firewall
> address once his tunnel is established ... depending on configuration), this
> is not going through port 80.

Good.

> Setup ports are usually UDP 500 and then a GRE/similar tunnel is established.

Good.

> Once he is connected to this tunnel (usually IPsec or DES) he won't be
> using local network settings.

Good.

> Its important to look at the firewall logs and the configuration (yes,
> firewall rules) that gets downloaded to the pc once secure remote is setup.

And the local firewall (if any) to ensure the needed traffic is allowed
to get out on the internet and back...

If what you describe above is true then the transparent proxy should
have no effect on SecuRemote.

If however any phase of the setup is using port 80 then a transparent
proxy may disturb things.

Regards
Henrik
Received on Fri May 31 2002 - 03:26:26 MDT
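A practical way to settle Henrik's last point (whether any phase of the setup is reaching port 80 through a transparent proxy) is to probe from the SecuRemote client, with the tunnel down, and look for the headers an intercepting Squid leaves on replies. The script below is an added example for this thread; it is not code from Henrik's message, from Check Point or from the Squid project. The header names it looks for are real Squid behaviour (Via and X-Cache on relayed replies, X-Squid-Error and Server: squid/... on Squid-generated error pages); the three sample replies, the proxy host name and the TEST-NET address are constructed for the example, not captured from any real host.

```python
"""Check whether a client's outbound TCP/80 traffic is being transparently
intercepted by an HTTP proxy such as Squid.

Added example for this thread, not code from Henrik's message, from Check
Point or from the Squid project. The sample replies below are constructed.
"""
import re
import socket
import sys

# Response header lines that betray an intercepting proxy in the path.
# Via is standard (RFC 7230 section 5.7.1); the other three are Squid-specific.
PROXY_HEADER_PATTERNS = (
    re.compile(rb"^via:.*\b(squid|proxy)", re.I | re.M),
    re.compile(rb"^x-cache:", re.I | re.M),
    re.compile(rb"^x-squid-error:", re.I | re.M),
    re.compile(rb"^server:\s*squid", re.I | re.M),
)

# Constructed sample replies (not captured from any host): one from an origin
# server reached directly, one relayed by an intercepting Squid, and one Squid
# error page for a host the proxy could not reach on the client's behalf.
SAMPLE_DIRECT = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache/1.3.26\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_VIA_SQUID = (
    b"HTTP/1.0 200 OK\r\n"
    b"Server: Apache/1.3.26\r\n"
    b"Via: 1.0 proxy.example.com:3128 (squid/2.4.STABLE6)\r\n"
    b"X-Cache: MISS from proxy.example.com\r\n\r\n"
)
SAMPLE_SQUID_ERROR = (
    b"HTTP/1.0 503 Service Unavailable\r\n"
    b"Server: squid/2.4.STABLE6\r\n"
    b"X-Squid-Error: ERR_CONNECT_FAIL 110\r\n\r\n"
    b"<html><body>Connection to 192.0.2.1 failed</body></html>"
)


def split_head(raw):
    """Return the header block of a raw HTTP reply (everything before the blank line)."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    return head if sep else raw


def proxy_signatures(raw):
    """Return the header lines in raw that point at an intercepting proxy."""
    head = split_head(raw)
    hits = []
    for pattern in PROXY_HEADER_PATTERNS:
        for match in pattern.finditer(head):
            line_end = head.find(b"\r\n", match.start())
            line = head[match.start():line_end if line_end != -1 else len(head)]
            hits.append(line.decode("latin-1"))
    return hits


def classify(raw):
    """'no-response' (nothing came back), 'intercepted' (proxy headers present)
    or 'direct' (a plain origin-server reply with no proxy trace)."""
    if not raw:
        return "no-response"
    return "intercepted" if proxy_signatures(raw) else "direct"


def probe(host, port=80, timeout=5.0):
    """Send a minimal HTTP/1.0 request straight to host:port and return the raw reply.

    Run this from the SecuRemote client with the tunnel down. Aim it at an
    address the client should not be able to reach at all: any reply then
    means something in the path answered for that host, i.e. port 80 is being
    intercepted, and only a setup that avoids port 80 is unaffected by it.
    """
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        pass  # refused, timed out or unroutable: return whatever arrived, if anything
    return b"".join(chunks)


if __name__ == "__main__":
    # 192.0.2.1 is TEST-NET-1 and should be unroutable from any real client.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    reply = probe(target)
    print(target, classify(reply), proxy_signatures(reply))
```

Run it as `python3 probe80.py <address>` from the client; "intercepted" means a transparent proxy is answering for port 80 and any setup phase on that port will be affected, while "no-response" against an unroutable address is what a clean, non-intercepted path looks like. The header matching can be exercised offline against the constructed samples; only `probe` needs the network.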