Friday, February 02, 2007

Tip: Using iTunes Sharing (or anything on Bonjour) with Checkpoint SecureClient on Mac OS X

One of the strange things that took me a long time to notice about how OS X was working, or in this case wasn't, with Check Point Software's VPN-1 SecureRemote-SecureClient was the broken iTunes Sharing. And eventually it wasn't just iTunes Sharing, I noticed a lot of Bonjour-based (the technology formerly known as Rendezvous) applications would't work either, e.g. Airpot Admin Utility, iChat Bonjour. I just kinda accepted it, much like the other SecureClient issues I have written about.

So how did I solve this issue? It is actually mostly straightforward, if you are allowed to do it. I had talked to my company's Check Point administrator, and he informed me you could disable the security policy that is enforced by SecureClient, but that was only because they allowed people to do it. Click on the SecureClient icon in the menu bar, then Tools, then Disable Security Policy.

What does this do? Well the configuration is completely dependent on your company, but mine blocks most inbound connections to your machine, including all the Bonjour stuff. My firewall admin thought you would only have to click DIsable Security Policy once when SecureClient is first loaded, but I have found that I have to click it every time I make a VPN connection as well. That is annoying, and for anyone that doesn't know the Disable Security Policy trick, all Bonjour related functionality is broken. This is actually what most firewall admins want, they want to enforce some kind of control over your machine outside of the corporate network, this is clearly another way to do it. If firewall admins wanted though, they could make sure Bonjour/Rendezvous always work. The following Q&A is in release_notes.pdf distributed with SecureClient (not they still call this Rendezvous):
Q9: How can I use Rendezvous after applying a block inbound desktop security policy? Q9: Block inbound desktop security policy doesn’t allow incoming connections to your desktop machine. Rendezvous requires IP multicast traffic to function properly. To support Rendezvous, add a desktop security rule above the block inbound rule: Source: (IP:, Dest: All_Users@Any Service: Tcp, Udp Action: Accept This will allow the necessary incoming multicast connections for Rendezvous.