Re: How to allow WS FTP client behind Checkpoint NG with AI
From: Irfan (k.m.Irfan_at_gmail.com)
Date: 28 Oct 2004 00:45:52 -0700
Thanks for your valuable suggestions.
The reason for using ISA server in Cache-only mode is because it has a
Single NIC. (Sorry folks! I should have informed you of this earlier.)
I agree with Memnoch's suggestion of installing ISA server in
Integrated-mode. But because of Single NIC I need to go with
As there are not too many users using FTP clients, I think there is a
way for them to directly access the Firewall (i.e. give the Checkpoint
firewall's settings in the WS FTP client's configuration) and defining a
rule in Checkpoint to allow FTP based on user authentication (i.e. a user
defined in the local database of Checkpoint). As I said, I am new to
Checkpoint administration, so I need guidelines to achieve this.
I tried to create the user but the user is not listed in the Source
list of the rule; instead the list consists of User groups. I need to
select only a single user as the source and define the rule.
Memnoch <email@example.com> wrote in message news:<firstname.lastname@example.org>...
> On 27 Oct 2004 01:08:06 -0700, k.m.Irfan@gmail.com (Irfan) wrote:
> >Here is the scenario,
> >LAN--->ISA Cache Mode--->Checkpoint NG with AI---> Internet
> You need to re-install ISA in Integrated mode so you can have the web
> cache features plus the application filters. Just set it to allow all IP
> protocols and leave access rights to Checkpoint. We had this exact same issue
> at work recently.
> >There is a rule configured in Checkpoint to allow ISA server for
> >http, https, ftp and yahoo messenger traffic only.
> >LAN machines are able to browse internet with ISA servername as their
> >proxy address. They Can login to Yahoo mssgr and MSN messenger without
> >any issue.
> >I can visit FTP sites through browser.
> >The real problem is we are not able to connect FTP clients to any of
> >the FTP servers (I just checked the WS FTP client, and am assuming that it
> >will be the same for all FTP clients)
> >I think this is the limitation of using ISA server in cache-mode (it's
> >my guess, correct me if I am wrong). If so, how to allow these clients
> >I thought of allowing FTP clients to bypass the ISA server and go
> >directly through the Checkpoint firewall. I am fairly new to
> >Checkpoint administration. I want to create a username in the Checkpoint
> >firewall and give him FTP access, then I will give the firewall address
> >and the username and password in the WS FTP client's configuration
> >Is there any other way around?
> >Any guidance will be highly appreciated