Friday, February 02, 2007

Tip: Using iTunes Sharing (or anything on Bonjour) with Checkpoint SecureClient on Mac OS X

One of the strange things that took me a long time to notice about how OS X was working, or in this case wasn't, with Check Point Software's VPN-1 SecureRemote/SecureClient was the broken iTunes Sharing. Eventually I noticed it wasn't just iTunes Sharing: a lot of Bonjour-based applications (Bonjour being the technology formerly known as Rendezvous) wouldn't work either, e.g. AirPort Admin Utility and iChat's Bonjour mode. I just kinda accepted it, much like the other SecureClient issues I have written about.

So how did I solve this issue? It is actually mostly straightforward, if you are allowed to do it. I had talked to my company's Check Point administrator, and he informed me you could disable the security policy that is enforced by SecureClient, but only because they had allowed people to do it. Click on the SecureClient icon in the menu bar, then Tools, then Disable Security Policy.

What does this do? Well, the configuration is completely dependent on your company, but mine blocks most inbound connections to your machine, including all the Bonjour traffic. My firewall admin thought you would only have to click Disable Security Policy once when SecureClient is first loaded, but I have found that I have to click it every time I make a VPN connection as well. That is annoying, and for anyone who doesn't know the Disable Security Policy trick, all Bonjour-related functionality is broken. This is actually what most firewall admins want: they want to enforce some kind of control over your machine outside the corporate network, and this is clearly another way to do it. If firewall admins wanted to, though, they could make sure Bonjour/Rendezvous always works. The following Q&A is in the release_notes.pdf distributed with SecureClient (note they still call this Rendezvous):
Q9: How can I use Rendezvous after applying a block inbound desktop security policy?
A9: Block inbound desktop security policy doesn't allow incoming connections to your desktop machine. Rendezvous requires IP multicast traffic to function properly. To support Rendezvous, add a desktop security rule above the block inbound rule:
Source: (IP: 224.0.0.0-224.0.0.255, 239.0.0.0-239.255.255.255)
Dest: All_Users@Any
Service: Tcp, Udp
Action: Accept
This will allow the necessary incoming multicast connections for Rendezvous.
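To see why the release notes insist the accept rule go above the block inbound rule, here is a small first-match rulebase model, added here as an example and not code from the post or from Check Point. It uses the two multicast ranges from the Q&A; the rule class, the evaluator, and the sample inbound packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

def ranges_to_networks(*ranges: Tuple[str, str]) -> List[ipaddress.IPv4Network]:
    """Turn 'first-last' address ranges (as written in the release notes) into CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[ipaddress.IPv4Network, ...]   # empty tuple means "Any"
    services: Tuple[str, ...]                    # empty tuple means any service
    action: str                                  # "Accept" or "Drop"

    def matches(self, src: str, proto: str) -> bool:
        addr = ipaddress.ip_address(src)
        src_ok = not self.sources or any(addr in net for net in self.sources)
        svc_ok = not self.services or proto in self.services
        return src_ok and svc_ok

def evaluate(policy: List[Rule], src: str, proto: str) -> Tuple[str, str]:
    """Ordered, first-match evaluation of an inbound packet; returns (rule name, action)."""
    for rule in policy:
        if rule.matches(src, proto):
            return rule.name, rule.action
    return "implicit", "Drop"   # model's own choice when no rule matches

# The rule from the Q&A, followed by a catch-all "block inbound" rule.
RENDEZVOUS = Rule("Rendezvous multicast",
                  tuple(ranges_to_networks(("224.0.0.0", "224.0.0.255"),
                                           ("239.0.0.0", "239.255.255.255"))),
                  ("tcp", "udp"), "Accept")
BLOCK_INBOUND = Rule("block inbound", (), (), "Drop")

FIXED_POLICY = [RENDEZVOUS, BLOCK_INBOUND]   # accept rule above the block rule, as the Q&A says
WRONG_ORDER = [BLOCK_INBOUND, RENDEZVOUS]    # accept rule shadowed by the catch-all: never reached

# Constructed sample inbound packets: (source address, protocol)
SAMPLES = [
    ("224.0.0.251", "udp"),      # the mDNS (Bonjour) group address, inside 224.0.0.0/24
    ("239.255.255.250", "udp"),  # another multicast group, inside the broad 239/8 range
    ("10.20.30.40", "tcp"),      # an ordinary inbound unicast connection
]

def decisions(policy: List[Rule]) -> dict:
    """Map each sample packet's source to the action the given policy takes."""
    return {src: evaluate(policy, src, proto)[1] for src, proto in SAMPLES}

if __name__ == "__main__":
    for label, policy in (("fixed", FIXED_POLICY), ("wrong order", WRONG_ORDER)):
        print(label, decisions(policy))
```

One caveat for anyone writing the real rule: as quoted it matches on source address, whereas actual mDNS queries arrive from the sender's unicast address with 224.0.0.251 as the destination, so the group-address sample above only exercises the rule as the release notes state it.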

2 comments:

Anonymous said...

This tip didn't help me as it had no effect on my config.

In the Mac OSX release notes I read : "Q3: How do I change the boot policy to a restrictive policy?
A3: The default boot policy, when installing SecureClient for Macosx is "accept all" (same
as Windows client). Macosx comes packaged with two policy files in the $SRDIR/conf
folder: sc_boot_acceptall.bin ("accept all") and sc_boot_blockinbound.bin (block inbound
connections). The link $SRDIR/default.bin points to one of them and is used as the effective
boot policy file. To change the boot policy one can change the link to point to
sc_boot_blockinbound.bin after the client is already installed."

So normally if you point to sc_boot_acceptall it should allow everything by default. But this doesn't work on my config either.

I really have to uninstall checkpoint in order to allow iTunes to share.

Dave Murdock said...

My understanding is that when you VPN into your company, they can configure Checkpoint to always force a restrictive policy, not necessarily the default on the system either, onto your machine. This is what my company's firewall administrator told me, and that they specifically hadn't done this so that people at home weren't blocked from doing things like using iTunes.