Hi,

I have a customer that I'm working with using Check Point Firewall-1. I have two (2) problems with it and was wondering if you might be able to assist me. They are using Firewall-1 for NT. NT v4.0 has the latest Service Pack (3) installed. Also, the latest patch (3064) for Firewall-1 has been applied (Version 3.0b VPN+DES, build 3064).

The first problem is dealing with the network neighborhood browser between the internal network (10.1.1.0 with a subnet mask 255.255.255.0) and the DMZ (a legally registered IP network ID with a subnet mask of 255.255.255.240). The firewall, internal network, and DMZ are all in the same WindowsNT domain. The firewall is a standalone server. The customer would like the internal users to be able to use the network neighborhood browser to see the ftp and application servers that are on the DMZ so that they can see the shares that are available. By default, the user will not see these because the NetBEUI protocol is not routable (the firewall HAS been enabled to do IP forwarding). I defined a WINS server on the ftp server on the DMZ and also on a WindowsNT server on the internal network. I defined a peering between the two (2) WINS servers and forced a replication. The DMZ WINS server pushes and the internal WINS server pulls. The Master Browser and PDC are located on the internal network. The Master Browser should learn of the servers on the DMZ via the internal WINS server and thus allow the internal users to see the shares available.

I see entries in the firewall log and in the Event Viewers on the WINS servers that a connection is made between the two (2) hosts. Through various tries I see messages that the connection has been accepted or that the connection has been aborted by the remote WINS server, etc. No matter what the messages are, my network neighborhood browsers don't show the DMZ servers in their listing. I have rules that allow sources on the DMZ and the internal network to go anywhere with any service, so I believe that this should work. I've also installed a rule base with a single rule allowing any source to any destination with any service to be accepted but have the same result. The appropriate address translation is also present.

Has anyone been able to do this? Are there additional ports that need to be opened?

The second problem is similar. The customer wishes for users that are dialed into their local ISP to have access to the shares on the DMZ and to see them from their network neighborhood browser, while using SecuRemote. So far I have been able to access the ftp server and application server via SecuRemote because I know that they are there, i.e., I know the IP address ahead of time. This is fine for most of the users but apparently there are users who require the ability to browse the various shares. I have also been able to get the client to validate on the PDC with the same username as SecuRemote with only a single sign-on. Even though the user has been validated in the domain they can't see the various machines in the network. NetBEUI over TCP/IP should allow me to see them. Is this possible?

Any thoughts, suggestions, or comments are greatly appreciated.
Regards,

Jim Hebert
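The post asks whether more ports must be opened for browsing to cross the firewall. A first check a defender can run is whether NetBIOS name resolution itself traverses it: the following Python script, an added example that is not part of the original post or of any Check Point tool, builds an RFC 1002 name query for a server's <20> file-server name (or the domain's <1B> domain-master-browser name), sends it to a WINS server on UDP 137, and parses the reply. The host name DMZFTP and the address 192.0.2.10 in the constructed sample reply are placeholders.

```python
import socket
import struct

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 14.1 first-level encoding: 15-byte padded name plus suffix byte,
    every nibble mapped to 'A'..'P', as one 32-byte label with an empty scope."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    label = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([32]) + label + b"\x00"

def build_nbns_query(name: str, suffix: int, txid: int, broadcast: bool = False) -> bytes:
    """NAME QUERY REQUEST (RFC 1002 4.2.12): unicast to WINS sets RD only
    (0x0100); a subnet broadcast also sets the B bit (0x0110)."""
    header = struct.pack("!HHHHHH", txid, 0x0110 if broadcast else 0x0100, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", 0x0020, 0x0001)

def parse_nbns_response(data: bytes):
    """Return (txid, rcode, [(is_group, owner_node_type, ip), ...]) from a
    NAME QUERY RESPONSE (RFC 1002 4.2.13); rcode 3 means the name is unknown."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", data, 0)
    rcode = flags & 0x000F
    if rcode != 0 or ancount == 0:
        return txid, rcode, []
    pos = 12
    while data[pos]:  # skip RR_NAME labels (a positive reply carries the full name)
        pos += data[pos] + 1
    pos += 1
    _rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, pos)
    pos += 10
    entries = []
    for off in range(pos, pos + rdlen, 6):  # each ADDR_ENTRY is NB_FLAGS + IPv4
        nb_flags, = struct.unpack_from("!H", data, off)
        ip = socket.inet_ntoa(data[off + 2:off + 6])
        entries.append((bool(nb_flags & 0x8000), (nb_flags >> 13) & 0x3, ip))
    return txid, rcode, entries

def query_wins(server: str, name: str, suffix: int = 0x20, timeout: float = 2.0):
    """Unicast the query to a WINS server on UDP 137 and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbns_query(name, suffix, 0x1234), (server, 137))
        return parse_nbns_response(s.recvfrom(1024)[0])

# Constructed sample reply: DMZFTP<20> at placeholder 192.0.2.10, unique name, H-node owner.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 0, 1, 0, 0)
    + encode_netbios_name("DMZFTP", 0x20)
    + struct.pack("!HHIH", 0x0020, 0x0001, 300000, 6)
    + struct.pack("!H", 0x6000) + socket.inet_aton("192.0.2.10")
)
```

An rcode of 3 from the internal WINS server means replication never delivered the DMZ registrations, whereas a timeout on the same query sent directly across the firewall points at the rule base or the address translation instead.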
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:57 PDT