RE: CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange Server and Outlook

["Adam C. Hudson" <adam () inergy net>]

After doing some extensive testing, we are still unable to make this
work.  

SecuRemote should not enforce any desktop policy what-so-ever.
SecureClient definitely should though.  In this particular case,
SecuRemote is actually being used.

Since I have seen strange occurrences many times before with CheckPoint,
we went ahead and tested all the settings for the desktop policy,
including the Allow All type option.  None of these changes had any
affect.


Adam Hudson
Networking and Security Consultant
Office 720-348-0564
Fax 720-294-0778


-----Original Message-----
From: Chris Calabrese [mailto:chris_calabrese () merckmedco com] 
Sent: Monday, November 26, 2001 7:47 AM
To: Adam C. Hudson
Subject: Re: [fw-wiz] CheckPoint Firewall-1/VPN-1, SecuRemote, Exchange
Server and Outlook

The issue is related to the mini-firewall built into SecuRemote.  By
default, it rejects all inbound traffic streams ("Allow outgoing
only")..  You should be able to fix this by setting it to accept all
inbound encrypted packets ("Allow outgoing and encrypted").

Adam C. Hudson wrote:

> The problem environment:
>
> * Remote users connected via SecuRemote 4.1, build 4199 to firewall
> module
> * CheckPoint Firewall-1 4.1 with Service Pack 5, Windows NT 4.0 with
> Service Pack 6a
> * Microsoft Exchange Server 2000, Service Pack 1
>
> The network in question here has remote users connecting via SecuRemote
> to access Microsoft Exchange Server using Microsoft Outlook client
> software (97, 2000 and XP).  As many of you know, getting the ports
> nailed down on Exchange server and getting Firewall-1 to filter
> everything properly is a bit tricky, but having been through it many
> times, it was configured quickly and works perfectly for all the MAPI
> communication.
>
> However, we are experiencing one annoying side effect.  Microsoft
> Exchange server uses UDP packets to notify connected Outlook clients of
> new incoming mail and other relevant events.  While connected via
> SecuRemote, these notifications never make it properly to the client
> side.  Of course, Firewall-1 indicates the outbound packets are
accepted
> and encrypted, but they are never actually decoded and utilized on the
> client machine.  This renders the Outlook clients a little in the dark,
> as the users must perform other actions inside Outlook before their
mail
> is delivered (as it contacts the server).
>
> As a test, we had select users attach to the network via PPTP protocol
> to a Microsoft Windows 2000 server through the Firewall-1 module.  By
> doing this, the UDP new mail notifications from the Exchange server
work
> perfectly.  Therefore, we have narrowed it down to the something within
> Firewall-1 or SecuRemote.
>
> There is a REALLY ambiguous entry in the CheckPoint Knowledgebase, that
> may be related:
>
> ---------------------------------------------------
>
> Solution: UDP encapsulated packets do not reach the destination
> (skI4512) 
> Solution is yet not available. Currently under investigation.
>
> Problem Description 
> UDP encapsulated packets do not reach the destination 
>
> UDP Encapsulated packets report about incorrect packet size 
>
> UDP encapsulated packets are dropped by Cisco PIX with intrusion
> detection software installed
>
> ---------------------------------------------------
>
> Has anyone experienced this problem, or something loosely connected to
> it?  I would love to get this solved, as the users complain constantly
> about this side effect.
>
> Adam Hudson
> Networking and Security Consultant
> Office 720-348-0564
> Fax 720-294-0778
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

-- 
Chris Calabrese
Internet Security Analyst
MerckMedco.com



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards