3000 Concentrator and Integrity.


Guys:

We have a Cisco Concentrator 3000 for our VPN users and Checkpoint Integrity as the firewall for these users' computers. It works fine for XP and Mac.

But it won't work with Vista. Every time a user connects to the VPN concentrator, it is "restricted" by the Integrity server. But our Integrity support can't find the problem. Does anyone have an idea about this?

Thanks and Happy New Year!

Han

carenas123 Tue, 01/06/2009 - 07:06

Here are some steps that may help you with the Integrity server.

Step 1 Configure firewall policy on the Integrity Server (IS).

Step 2 On the VPN Concentrator, go to Configuration | System | Servers | Firewall Server. For the Zone Labs Integrity Server, enter the host name or IP address and the port number.

Step 3 Under Configuration | User Management | Base Group or Groups | Client FW tab, configure the following:

a. Firewall Setting = Firewall Required

b. Firewall = Zone Labs Integrity

c. Firewall Policy = Policy from Server

Step 4 Save the configuration.

Here is the URL for Configuring the VPN Client on a VPN 3000 Series Concentrator; follow the guide, it may help you:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch4.html

sachinraja Tue, 01/06/2009 - 13:22

Han

You mean to say the Vista users are connected to the VPN 3000, get an IP address, but are blocked by the Checkpoint firewall? Do you have your setup? Is the firewall parallel to the VPN 3000, or on the inside? Do Vista users get an IP address from the same IP pool as XP users?

Raj

Are blocked by the Checkpoint firewall? Yes. The VPN restricts it because the Integrity server tells it to (how, I am trying to figure out).

Do you have your setup? Yes. Which part of the configuration?

Is the firewall parallel to the VPN 3000, or on the inside? They are on the same subnet inside our network.

Do Vista users get an IP address from the same IP pool as XP users? Yes. Except they get restricted.

sachinraja Wed, 01/07/2009 - 12:33

Can you bypass the Integrity server configuration and check if it works? Why is this Integrity needed? How is it cascaded with the VPN concentrator? I think without the Integrity part it should work fine, as the layer 3 connectivity is established, and the users would be able to access applications..

Let us know

Raj

sachinraja Thu, 01/08/2009 - 06:41

Han.. so, it is clearly a problem with the Integrity stuff and I think they will have to solve this.. am I not right?

Honestly, I cannot tell.

The ZL client and server use Heartbeat for communication, but the heartbeats are never received by the client. Therefore the server doesn't push the policy to the client. As a result, the PC is restricted.

I can, however, connect to the VPN with the ZL.

I also can get the ZL policy pushed correctly without a VPN.

So, all I can tell from this so far is that there is a communication problem between these two servers that drops certain ZL traffic.

Thanks,

Han

sachinraja Mon, 01/12/2009 - 17:40

I really don't understand this ZL client/server setup :( Do you have any diagrams to depict that? I would run a sniffer on the ZL server port and see what exactly is happening. If the firewall drops the communication, it can only be due to some NAT or ACL statements on it.. otherwise it should allow it! Let us know..

Raj
