VPN & XWin Client

James Conz james at FIRETOWER.COM
Fri May 12 13:47:18 EDT 2000


This is a quirk of Check Point's SecuRemote product. SecuRemote only
allows connections to be initiated from the SecuRemote
client. Protocols like X11 also initiate connections back -- and the
firewall subsequently drops them (not recognizing them as part of an
existing connection).

In a nutshell, you've got to have a rule in place to handle the traffic
initiated from the internal UNIX server. Luckily, SecuRemote clients that
have authenticated with the firewall are kept track of in a table called
userc_rules. The firewall will automatically encrypt data bound for any
IP address listed in that table, provided it originates from the
firewall's encryption domain (and rules permit).

So, to get X working through the firewall, you need to do the following:

1. Create a service of type "Other" -- call it "SecuRemoteX11" and specify
the following string in the match field:

tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules

This basically sets up a service that will match X11 traffic (TCP ports
6000 - 6063) destined for any host in the userc_rules table (authenticated
SecuRemote clients).

2. Create a rule allowing your internal UNIX server access to any host via
the SecuRemoteX11 service, with an action of "ACCEPT."

Note that the firewall automatically encrypts traffic between your
encryption domain and hosts in the userc_rules table.  The service is what
enforces the encryption in this case, rather than the action. Make sure
you've established your SecuRemote session with the firewall (via telnet,
ping, ftp, or some other application) before trying to launch an X app, as
you've got to be in the userc_rules table.

And that's that!

JC

-----------------------------------------
James Conz      james at firetower.com
FireTower , Inc.
Network and Security Consulting
http://www.firetower.com
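The following is an added illustration, not code from James's post and not Check Point's INSPECT engine: a small Python model of how the "SecuRemoteX11" service match (TCP, destination port 6000-6063, destination address present in userc_rules) decides whether the X11 connection coming back from the internal UNIX server is accepted and encrypted or dropped. All addresses, the rule layout and the session bookkeeping are constructed for the example; the only thing taken from the post is the match condition itself.

```python
"""
Simplified model of the Check Point service match from the post:

    tcp,dport>=6000,dport<=6063,<dst,0> in userc_rules

This is a constructed teaching model, not Check Point's real rulebase or
INSPECT evaluation. It shows why the X11 call-back from the internal server
is dropped until the SecuRemote client has authenticated (and so appears in
userc_rules), and why only the X11 port range is let through.
"""
from dataclasses import dataclass

X11_PORT_MIN, X11_PORT_MAX = 6000, 6063  # port range from the post's match string


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP (dotted quad, constructed values below)
    dst: str     # destination IP
    dport: int   # destination port


def match_securemote_x11(pkt: Packet, userc_rules: set) -> bool:
    """Service 'SecuRemoteX11' (type Other): TCP, dport 6000-6063, dst in userc_rules."""
    return (
        pkt.proto == "tcp"
        and X11_PORT_MIN <= pkt.dport <= X11_PORT_MAX
        and pkt.dst in userc_rules
    )


def decide(pkt: Packet, userc_rules: set, encryption_domain: set, unix_servers: set) -> str:
    """
    Constructed two-rule rulebase:
      1. src in unix_servers, service SecuRemoteX11, action ACCEPT
         (traffic from the encryption domain to a userc_rules host is encrypted
          automatically, as the post describes)
      2. implicit cleanup: drop everything else
    Returns "accept+encrypt" or "drop".
    """
    if pkt.src in unix_servers and match_securemote_x11(pkt, userc_rules):
        # Encryption is a property of the destination being a SecuRemote
        # client inside userc_rules, not of the ACCEPT action itself.
        if pkt.src in encryption_domain:
            return "accept+encrypt"
        return "accept"  # would leave the firewall in the clear; not the case in the post
    return "drop"


def securemote_login(userc_rules: set, assigned_ip: str) -> set:
    """Model of a SecuRemote client authenticating: its assigned pool IP joins userc_rules."""
    return userc_rules | {assigned_ip}


def run_scenario() -> dict:
    """Walk through the situation in the thread with constructed addresses."""
    unix_server = "192.168.1.10"          # constructed: internal UNIX host
    client_pool_ip = "10.200.0.5"         # constructed: IP the firewall assigned to the client
    encryption_domain = {unix_server}
    unix_servers = {unix_server}

    userc_rules = set()                   # nobody has authenticated yet
    x11_back = Packet("tcp", unix_server, client_pool_ip, 6000)

    results = {}
    # Before the client establishes a session (telnet/ping/ftp), the call-back is dropped.
    results["before_login"] = decide(x11_back, userc_rules, encryption_domain, unix_servers)

    userc_rules = securemote_login(userc_rules, client_pool_ip)
    results["after_login"] = decide(x11_back, userc_rules, encryption_domain, unix_servers)

    # Outside the X11 range, or not TCP, the service does not match.
    results["wrong_port"] = decide(Packet("tcp", unix_server, client_pool_ip, 6100),
                                   userc_rules, encryption_domain, unix_servers)
    results["udp"] = decide(Packet("udp", unix_server, client_pool_ip, 6000),
                            userc_rules, encryption_domain, unix_servers)
    # A host that never authenticated is not in the table, so it gets nothing.
    results["unknown_dst"] = decide(Packet("tcp", unix_server, "10.200.0.99", 6000),
                                    userc_rules, encryption_domain, unix_servers)
    return results


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:>12}: {verdict}")
```

The model makes the post's caveat concrete: the ACCEPT rule alone does nothing for a client that has not yet authenticated, because the match condition depends on the destination already being in userc_rules.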

On Thu, 11 May 2000, Jeff Blinn wrote:

> I'm wondering if anyone else has run across the following:
>
> I'm using Win98 and Checkpoint's SecureRemote client to connect
> to a unix box behind our firewall. We have IP's from a designated
> pool assigned to users when they authenticate.
>
> If I telnet into the box things work fine and I can see that my IP
> appears to be the one assigned by the firewall. When I try to
> connect using X-WinPro or Exceed - my non-nat'ed address shows
> up in the log???
>
> I'm wondering if the X-Win client is passing the IP as part of the
> data packet or something like that . . . or is there a problem with
> the VPN client/software nat'ing this type of traffic?
>
> TIA,
> Jeff
>
> VPN is sponsored by SecurityFocus.COM
>
