Solved

Secure Remote NG - What ports does it use??

Posted on 2002-06-28
7
7,467 Views
Last Modified: 2007-11-27
I had to upgrade to Secure Remote NG because the server on the other side was upgraded.  It seems that NG uses a different set of ports to communicate than the older version did.  I am not able to connect to the secure server with my firewall up.  When I bring my firewall down, I can telnet in just fine.

I need to know which ports that Secure Remote NG uses to communicate with the server, so I can open them up on my firewall.  I have had a hard time finding this info.

Thanks.
0
Comment
Question by:barthalamu
7 Comments
 
LVL 16

Expert Comment

by:The--Captain
ID: 7119725
I avoid checkpoint for just these reasons [it's crappy], but maybe this link will help...

http://www.firewall-1.org/2002-05/msg00318.html

In any case, can't you just resolve this with an appropriately-situated packet-sniffer?

Cheers,
-Jon





0
 

Author Comment

by:barthalamu
ID: 7120931
I didn't find what I was looking for from that link.  Thanks though.

Yes, I can use a packet sniffer, and will do that if no one knows or knows where to find out the exact ports that Secure Remote NG uses to communicate on.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7121301
If you can't find documentation on the ports in use, then a packet sniffer may be one of your only options - let me know how things proceed...

Cheers.
-Jon
0
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

 
LVL 1

Expert Comment

by:roman0_mx
ID: 7122613
barthalamu

Download one sniffer / Scanner port, for example the Nmap (its free)

And run them again your firewall ( or other devices), to see the open ports an then try these open ports to connect.

http://www.insecure.org/

Ciao.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 7125158
No change - should just be the same ones as with 4.1.
From Check Point SecureKnowledge:

Which ports need to be opened for a SecuRemote session to be allowed through a filtering device such as FireWall-1?
 
Solution ID: 3.0.135325.2193947
Creation Date: 06/18/1999
Revised Date: 05/23/2002
       Email this solution
 Rate this solution
 
 
Environment: SecuRemote 4.0, SecuRemote 4.1, SecureClient 4.1, SecuRemote NG, SecureClient NG, VPN-1/ FireWall-1, Ports, Protocol 50, Protocol 51, Protocol 94
 
Symptoms:
Unable to establish SecuRemote session with a remote Firewall-1 through a filtering device
 
Cause:
The filtering device has the following ports blocked: -TCP Port 264 -TCP Port 256 -UDP Port 259 -UDP Port 500 -Protocol 94, 50 and 51.
 
Solution:
1. To download the topology, you need to open TCP port 256, whatever encryption scheme is used .

*  If using SecuRemote 4.1 or NG, then by default the topology will be downloaded on TCP port 264.

*  If using SecuRemote 4.1 with FireWall-1 3.0b or 4.0, SecuRemote will first try to get the topology on port 264; if it is not successful after 30 seconds, it will try on port 256.
See the Solution: Topology Download problems with SecuRemote 4.1/FireWall-1 4.1 to learn more about this issue.

*  If using SecuRemote 3.0 or 4.0 with FireWall-1 4.1, add a rule in FireWall-1, that accepts connections from SecuRemote users to the SecuRemote server on port 256.

2. To establish a connection between SecuRemote Client and the server:
If using the FWZ encryption scheme, open UDP port 259 for the Authentication.

NOTE: If not using encapsulation, create rules to allow the actual traffic.
If using encapsulation, just add one rule allowing traffic on protocol 94 (0x5e) which is the new IP protocol number.
For ISAKMP, open UDP port 500 (ISAKMP service) for Authentication, and allow traffic on protocol 50 (0x32) and 51 (0x33) which are the new protocol numbers for ISAKMP.

NOTE:  If the Firewall in the middle is FireWall-1 then you need to allow IPSEC and fw1-topo services.




0
 

Author Comment

by:barthalamu
ID: 7125230
Thank you so much.
0
 
LVL 16

Expert Comment

by:The--Captain
ID: 7128220
A packet sniffer would have gotten you your answer in 4 minutes, not four days

roman0_mx - nmap is not a sniffer, unless you know something I don't.

Kudos to tim, though for finding the info...

Cheers,
-Jon
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Three simple tips to quickly and efficiently back up and protect the contents of your PC and Mac®.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now