Question

Zone Alarm Pro configuration

Asked by: jltari

Hi,

I'm working on a project that would consist of installing Zone Alarm Pro 5.5 on 800 laptops.
I'm facing 2 problems at the moment :

1. VPN
We use a Cisco VPN, with the client installed on the computers.
This client has to connect to our servers on port 12345.
So the rule I'm trying to create would only allow that executable to go through the Internet zone, on that port, toward our 2 gateways. And that only.
But when I create this expert rule and leave a red checkmark on the access Internet zone (so as to not allow anything but the expert rule to go through), the client cannot connect. If I change it to a green checkmark, the client can go anywhere on any port it wants, even if I don't create an expert rule that allows it. On the contrary, if I create an expert rule that specifically forbids the connection, this rule works and no connection is allowed, even with the green checkmark on.
This puzzles me.
I tried a similar setup with IE, allowing it to go through on port 80, with the red checkmark on. Doesn't go through either.
What am I doing wrong here?

2. Automatic configuration
Once I have defined the right configuration, I'll need a way to automatically bring it to every computer: the first time, when we install the firewall, and then every time there's a change.
So far, I've found that I can manually export most of the configuration to an .xml file and manually import it on another computer. That doesn't help much, apart from testing purposes.
I've also found that the configuration seems to be stored in c:\windows\internet logs\iamdb.rdb. But if this file is taken from a computer and put on another, the size shrinks to 73K and all configuration is lost. It looks like this file is linked to the machine it was created from.
I'm badly stuck with this, for this firewall cannot be installed without some automation.

Thanks for the help.

This question has been solved and asker verified.

Asked On: 2005-03-04 at 00:29:51 (ID 21337503)

Tags: zone, alarm, vpn

Topics: Network Software Firewalls, Enterprise Firewalls, Consumer Firewalls

Participating Experts: 1 / Points: 125 / Comments: 6


Answers

 

by: davidis99, posted on 2005-03-05 at 03:20:20 (ID: 13465302)

1) I'm curious as to why you aren't using Checkpoint Integrity for a project of this size instead of ZoneAlarm (now also a Checkpoint product). Integrity offers a major advantage for enterprise use over ZoneAlarm in having a Checkpoint Integrity server to define policies which are then distributed to the clients, providing the automatic configuration/distribution mechanism you're looking for. It also has an integrated VPN client, so you wouldn't have to worry about a separate software component (though you could use the Cisco client if you prefer that for working with Cisco's VPN server).

2) In reading the manual for ZAP 5.5,

http://www.zonelabs.com/store/content/support/zap/zapMain.jsp?lid=ps_zap

I found nothing to indicate that you could create an application rule that restricts a particular application to a particular port. You can create expert rules governing specific ports, and you can create expert rules governing applications, but not a rule saying an application can only go out over a particular port.

3) If I were to make a recommendation regarding this, I would contact the ZoneAlarm sales rep. to ask the pricing on upgrading the ZAP licenses to the same number of Integrity licenses - I know from a prior conversation with my ZAP sales rep. that this is a feasible option.

 

by: jltari, posted on 2005-03-07 at 00:58:37 (ID: 13474685)

Thanks for your help,

To your first question, the answer is not easy.
I personally tend to agree with you that a centrally managed firewall, be it Checkpoint Integrity or another, would better fit a large company's needs. But that isn't what's done here. On the contrary, they like using Tivoli to take care of every aspect of deployment and updates, no matter how big they could be. Apart from this, our security team wants to make sure, upon connection to our Cisco VPN server, that the client has the firewall we've decided on with the configuration we've chosen. This particular need can only be met with either the Cisco firewall (which comes with the VPN client) or Zone Alarm.

I'll be working shortly on the second part of the question. For there might be a work-around: instead of blocking everything and then opening a specific port, I could open everything, then create 2 rules: the first as mentioned earlier, and the second to block everything.
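The work-around proposed above only does what is intended if the rule engine evaluates expert rules top-down and stops at the first match, with the application's checkmark (red = deny, green = allow) as the fall-through when nothing matches. The following is an added example that models exactly that semantics in Python; it is not ZoneAlarm's code, and the thread's own answer notes that ZAP 5.5 may not support per-application port rules at all. The gateway addresses (198.51.100.10/11) and the executable name `vpnclient.exe` are constructed placeholders, not values from the thread; port 12345 is the one the question gives. The model runs all four situations the question describes (red checkmark plus an allow rule, green checkmark with no rule, green checkmark plus a deny rule, and the "allow then block everything" work-around) against the same set of connection attempts.

```python
"""Ordered first-match evaluation of per-application outbound rules.

Added example modelling the rule semantics discussed in the thread. It is
NOT ZoneAlarm code. Assumptions (not from the page): rules are evaluated
top-down, the first matching rule decides, and an attempt matching no rule
falls through to the application's checkmark (red = DENY, green = ALLOW).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DENY, ALLOW = "deny", "allow"

GATEWAYS = ("198.51.100.10", "198.51.100.11")   # constructed sample addresses
VPN_APP = "vpnclient.exe"                        # assumed executable name
VPN_PORT = 12345                                 # port named in the question


@dataclass(frozen=True)
class Rule:
    action: str
    app: Optional[str] = None      # executable name; None = any application
    dst: Optional[str] = None      # address or CIDR;  None = any host
    port: Optional[int] = None     # destination port; None = any port
    proto: Optional[str] = None    # "tcp"/"udp";      None = any protocol

    def matches(self, app: str, dst: str, port: int, proto: str) -> bool:
        return ((self.app is None or self.app.lower() == app.lower())
                and (self.dst is None
                     or ip_address(dst) in ip_network(self.dst, strict=False))
                and (self.port is None or self.port == port)
                and (self.proto is None or self.proto == proto))


def evaluate(rules, default: str, app: str, dst: str, port: int,
             proto: str = "tcp") -> str:
    """Decide one outbound attempt: first matching rule wins, else `default`."""
    for rule in rules:
        if rule.matches(app, dst, port, proto):
            return rule.action
    return default


def vpn_allow_rules():
    """The rule from the question: VPN client -> the two gateways on 12345 only."""
    return [Rule(ALLOW, app=VPN_APP, dst=gw, port=VPN_PORT, proto="tcp")
            for gw in GATEWAYS]


def workaround_rules():
    """jltari's proposal: explicit allows first, then a block-everything rule.

    The final deny is scoped to the VPN application; an unscoped deny at the
    end would also cut off every other program on the laptop.
    """
    return vpn_allow_rules() + [Rule(DENY, app=VPN_APP)]


def scenarios():
    """Run the four policies from the thread against the same attempts."""
    attempts = {
        "gw1:12345": (GATEWAYS[0], VPN_PORT),
        "gw2:12345": (GATEWAYS[1], VPN_PORT),
        "gw1:443": (GATEWAYS[0], 443),
        "other:12345": ("203.0.113.5", VPN_PORT),   # constructed non-gateway host
    }
    policies = {
        "red_plus_allow": (vpn_allow_rules(), DENY),     # what was intended
        "green_no_rule": ([], ALLOW),                    # "can go anywhere"
        "green_plus_deny": ([Rule(DENY, app=VPN_APP, dst=GATEWAYS[0],
                                  port=VPN_PORT)], ALLOW),
        "workaround": (workaround_rules(), ALLOW),
    }
    return {name: {label: evaluate(rules, default, VPN_APP, dst, port)
                   for label, (dst, port) in attempts.items()}
            for name, (rules, default) in policies.items()}


if __name__ == "__main__":
    for name, results in scenarios().items():
        print(f"{name:17s}", "  ".join(f"{k}={v}" for k, v in results.items()))
```

Under first-match semantics the work-around yields the same decisions as the red-checkmark policy with an allow rule, which is why it is a plausible substitute; the scoping of the trailing deny is the detail to check, since a deny that is not limited to the VPN executable would silence every other application that was left on the green checkmark.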

 

by: davidis99, posted on 2005-03-11 at 10:23:58 (ID: 13519667)

"our security team wants to make sure, upon connection to our Cisco VPN server, that the client has the firewall we've decided with the configuration we've chosen."

For that reason alone, they should seriously consider Checkpoint Integrity. Integrity is not a firewall in the Cisco sense - it's a server application for centrally managing its desktop firewall client. Once a set of desktop firewall policies are developed, those policies are rolled out to the desktop clients, and when systems connect to the network, the server checks the clients to make sure the configuration is correct.

If they're dead set on using ZoneAlarm Pro, you should be able to get an answer for this from Zonelabs - the paid client includes technical support for the duration of the license subscription. I've been through the registry and the files ZoneAlarm uses, and don't know any way of transferring the config except as part of a complete image (Symantec Ghost, Acronis TrueImage) of a Windows system with all drivers and programs installed.

 

by: jltari, posted on 2005-03-14 at 00:03:48 (ID: 13532731)

Thanks for the help.
What you're saying about Checkpoint Integrity sounds like phase 2 of our mobile project, where we verify who connects to our network, by what means, and with which computer, itself set up in such or such a way.
But for phase 1 we need a solution, and it does look like we're stuck with ZAP, unless I can prove it doesn't have the prerequisites (cannot be automatically updated, for example).
In any case, I'm going to look into Checkpoint Integrity, so I'll be ready for phase 2 when it does come up.
We're about to buy one licence for ZAP (the order process is quite long here) so we can use ZAP support.

Thanks a lot for the help.

 

by: jltari, posted on 2006-02-09 at 00:47:51 (ID: 15910750)

Sorry about forgetting this question.
We did end up using Checkpoint Integrity, but the desktop version.
Thanks a lot for the help and pardon me for the delay accepting the answer.
