FireWall-1 FAQ: SecuRemote and Sharing an Internet Connection
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
The short answer is, yes, this can be done. You are implementing what I like to call the “Poor Man’s VPN.”
WARNING: The following, while technically possible, is something that SecuRemote was never intended to do. At the times I did this (FireWall-1 3.0, SecuRemote 3.0, FireWall-1 4.1), this worked. It may not work with current versions of SecuRemote and FireWall-1. Doing this sort of implementation may violate your license agreement or your site’s security policy. This document is for informational purposes only and is to be used at your own risk.
First, a general description of how SecuRemote works. When SecuRemote notices you wish to connect to a host within your encryption domain (defined on the firewall), the SecuRemote client initiates a key-exchange and authentication session. Once the authentication and key exchange take place successfully, connections initiated from the SecuRemote client are encrypted and sent through the firewall to the intended hosts. Reply packets for these connections are encrypted by the firewall and sent back to the client.
Here’s how I had it set up at one time:
     _____________
    |             |
    |   Win 3.1   |
    | 192.168.1.2 |------|
    |_____________|      |                 _____________
                         |  192.168.1.1   |             |
     _____________       |----------------|  Win95 w/   |_______ (PPP to Internet)
    |             |      |                | SecuRemote  |
    |  Macintosh  |------|                |_____________|
    | 192.168.1.3 |      |
    |_____________|      |
                         |
     _____________       |
    |             |      |
    |    Unix     |------|
    | 192.168.1.4 |      |
    |_____________|      |
My “LAN” machines are using private (RFC1918) network addresses. In order for them to talk to the Internet, they had to access it thru a Proxy Server that ran on the Windows 95 machine. The local machines would connect to the proxy server on the Win95 machine which, in turn, talked to the Internet. Thru this proxy server, I could read email and news, surf the web, listen to Real Audio, telnet to hosts, and more. All the applications I used had to be “proxy-aware”, however. I could also set up the proxy so that if you connected to, say, the SMTP port on the Win95 machine, it would actually connect you to the SMTP port of my ISP.
Whenever I wanted to connect to the corporate network from any of the machines on the LAN, I would connect through the proxy server on the Win95 machine and it would connect via SecuRemote to the corporate network. The prompt for authentication would come up on the Win95 machine, though, so I had to walk over to the Win95 machine to type in my SecuRemote password. Once I did that, it worked just fine.
There is a wide range of proxies for Win95 and NT on www.winfiles.com. It really doesn’t matter which proxy server you use so long as it is a true proxy server (i.e. it does not do Network Address Translation) and it supports the services you need to use through it. I would also recommend a proxy server that supports mapping arbitrary TCP and UDP ports, which will allow you to support more than just the pre-defined services. SOCKS support is also a good thing to have. Make sure that whatever applications you need to use will work with the proxy server or can be set up to work with a simple “plug” proxy.
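A "plug" proxy of the kind described above, sketched in Python as an added example (not code from the original FAQ or from any product it names). Every host that can reach the relay rides on the proxy machine's outbound connection, so this sketch refuses and logs any source outside the LAN range from the diagram; the upstream host name, the port 2525 and the function names are assumptions.

```python
import contextlib
import ipaddress
import socket
import threading

LAN = ipaddress.ip_network("192.168.1.0/24")  # LAN range from the page's diagram
UPSTREAM = ("smtp.isp.example", 25)           # placeholder upstream (assumption)

def is_allowed(peer_ip, allowed=LAN):
    """True only for source addresses inside the allowed network."""
    with contextlib.suppress(ValueError):
        return ipaddress.ip_address(peer_ip) in allowed
    return False

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client, peer, upstream=UPSTREAM, allowed=LAN, connect=socket.create_connection):
    """Relay one connection; False means refused or upstream unreachable."""
    remote = None
    try:
        if not is_allowed(peer[0], allowed):
            print(f"refused {peer[0]}")  # keep a record of refused sources
            return False
        remote = connect(upstream)  # injectable so it can be exercised offline
        print(f"relay {peer[0]}:{peer[1]} -> {upstream[0]}:{upstream[1]}")
        back = threading.Thread(target=pump, args=(remote, client), daemon=True)
        back.start()
        pump(client, remote)
        back.join()
        return True
    except OSError:
        return False
    finally:
        client.close()
        if remote is not None:
            remote.close()

def serve(bind_addr):
    with socket.create_server(bind_addr) as srv:  # bind the LAN side only
        while True:
            threading.Thread(target=handle, args=srv.accept(), daemon=True).start()

if __name__ == "__main__":
    serve(("192.168.1.1", 2525))  # proxy host's LAN address; port is constructed
```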
There are also products that do transparent NAT. These include, but are not limited to, WinRoute, SyGate, and Windows Internet Connection Sharing (available since Win98SE). These products are designed to work with applications that cannot use proxy servers and reduce and/or eliminate the need for proxies in many cases. The general experience is that none of these will work correctly on the same machine that has SecuRemote installed. Many of the products I have tried this with cause the system to no longer boot correctly and it was necessary to boot in “Safe Mode” to uninstall the offending products. I’ve heard reports this can be done with AllAboard. I have not personally verified this. I’ve also heard reports that WinRoute Pro works too, provided you start up WinRoute Pro after SecuRemote is started and you have authenticated. Also, Internet Connection Sharing in Win2k appears to work with Secure Client build 4185.