
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 975

Checkpoint SecuRemote VPN connection over enterprise network.

We have been asked to connect to an application hosted on the Internet using Checkpoint SecuRemote and will need to install the client software on some of our users' PCs. Obviously, as we are not authenticating the client request, we just need to route the connection request across our LAN/WAN and out through our firewalls (a mix of Checkpoint FW1 and Gauntlet). My question is:

Do we just have to enable TCP port 264 on the firewall to pass the request out to the big wide world, or is there a different/better way of doing this?

2 Solutions
You enable it on the firewall, but what you enable depends on the client settings.

Your best bet is to get it working in a non-firewalled lab environment and then use a sniffer to see exactly what protocols and ports are in use.

You're likely to see UDP/500 for IKE and also IP/ESP for data transfer.
If "IKE over TCP" is turned on, add TCP/500 to the list, and if "NAT traversal"="UDP encapsulation" is turned on, add UDP/2746 as well.
If you're using SecuRemote NG R56, it has a new mode called "Visitor Mode". It passes all traffic, including key exchange, etc., through regular TCP/443. To turn it on, go to Settings->Properties->Advanced tab->Visitor mode. Keep in mind the ~50% traffic rate drop penalty... (No free lunch) :-)
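The "sniff it in the lab first" approach from the answers above, as an added example that is not part of the original thread: a small Python helper that reads tcpdump one-line summaries of the client's traffic and maps each flow to the outbound rule the answers describe (UDP/500 IKE, TCP/500 IKE over TCP, UDP/2746 UDP encapsulation, TCP/443 Visitor Mode, ESP), flagging any flow they do not account for so it is reviewed rather than opened blindly. The sample lines, the IPv4 addresses and the exact tcpdump line shapes it matches are constructed assumptions, not a real capture.

```python
import re

# Constructed tcpdump-style summary lines (not a real capture): a SecuRemote
# client at 10.1.2.3 reaching a gateway at 198.51.100.7 with "IKE over TCP"
# and "NAT traversal" enabled, then ESP data once the tunnel is up.
SAMPLE_CAPTURE = """\
IP 10.1.2.3.500 > 198.51.100.7.500: isakmp: phase 1 I ident
IP 10.1.2.3.1042 > 198.51.100.7.500: Flags [S], seq 1, length 0
IP 10.1.2.3.2746 > 198.51.100.7.2746: UDP, length 132
IP 10.1.2.3 > 198.51.100.7: ESP(spi=0x0000a1b2,seq=0x1), length 116
"""

# Outbound rules the answers call for, keyed by (transport, dst port); ESP has no port.
KNOWN_FLOWS = {
    ("udp", 500): "IKE (UDP/500)",
    ("tcp", 500): "IKE over TCP (TCP/500)",
    ("udp", 2746): "NAT traversal / UDP encapsulation (UDP/2746)",
    ("tcp", 443): "Visitor Mode (TCP/443)",
    ("esp", None): "ESP data (IP protocol 50)",
}

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"  # assumption: IPv4-only capture
PORT_LINE = re.compile(rf"^IP {IPV4}\.(\d+) > {IPV4}\.(\d+): (.*)$")
ESP_LINE = re.compile(rf"^IP {IPV4} > {IPV4}: ESP\(")

def classify(line):
    """Return (transport, dst_port) for one tcpdump summary line, else None."""
    if ESP_LINE.match(line):
        return ("esp", None)
    m = PORT_LINE.match(line)
    if not m:
        return None
    # tcpdump prints TCP segments with "Flags [...]"; UDP datagrams show
    # "UDP, length N" or a decoded payload name such as "isakmp:".
    transport = "tcp" if m.group(5).startswith("Flags [") else "udp"
    return (transport, int(m.group(4)))

def required_rules(capture):
    """Return (rules_needed, unexpected_flows) for a captured client session."""
    rules, unexpected = [], []
    for line in capture.splitlines():
        flow = classify(line.strip())
        if flow is None:
            continue
        if flow in KNOWN_FLOWS:
            if KNOWN_FLOWS[flow] not in rules:
                rules.append(KNOWN_FLOWS[flow])
        elif flow not in unexpected:
            unexpected.append(flow)
    return rules, unexpected
```

Feed it the output of `tcpdump -n host <client>` from the lab run; an empty `unexpected` list means the rule set above covers everything the client actually sends.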

