List:       firewall-1
Subject:    Re: [FW-1] Clientless VPNs and multiple certificates
From:       Matthias Leu <mleu () AERASEC ! DE>
Date:       2005-09-28 13:23:05
Message-ID: 433A9939.1080604 () aerasec ! de

Michael Kelly (HRG) wrote:
> Hi all,
> Our environment is Checkpoint Express NG AI R55
> Reading the documentation, it seems that the only way to do content
> inspection on inbound HTTPS traffic is to enable Clientless VPN.
> However, I have two web servers in the DMZ. Each has a different FQDN which
> resolves to a different public IP address. These addresses are NAT'ed on the
> firewall.
> Each server has its own X.509 certificate.
> Looking at the configuration options for Clientless VPN, it seems that I can
> only specify one certificate.
> Does this mean that I can't use Clientless VPN to do content inspection on
> more than one HTTPS server?
> Or have I completely misunderstood the concept of Clientless VPN?
>
> Thanks in advance,
> Michael.
> 
Hi,
as far as I understood, Clientless VPN is protected access to a server 
behind the Firewall. Usually, this access is for web based protocols. 
With the SSL Network Extender you are able to tunnel any protocol over 
HTTPS (as in SecureClient Visitor Mode).

As an example: A server in the internal network is usually accessed with 
HTTP, which isn't good from the Internet. So the user initiates a 
connection from the Internet with HTTPS, which is authenticated and 
decrypted by the Firewall. The traffic in the internal network from the 
Firewall to the server is plain HTTP.
So the HTTPS traffic from a client to a server running HTTPS isn't 
inspected.
For inspecting HTTPS you will need an 'SSL-Proxy' which, in your case, 
has to be able to handle more than one server certificate.

Hope it helps,
best regards,
Matthias
http://www.fw-1.de
-- 
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
