This is simply a port 443 SSL/TLS rule that you need to make to pass this traffic through the firewall.
Agreed. I am aware of that. But I am not able to figure out how to get it done. My best attempts have not been successful. Do you know of an existing KB or other post that has the step by step in how to get this done? If not would you be willing to share step by step knowledge in doing so?
Make a rule with a Service of HTTPS, Source burb Internal, Dest burb external, source/dest endpoints Any, NAT localhost, make sure it's above Deny All, and you should be good to go.
I did exactly just that. Still no go.
I'm in the position of having worked with both MFE and with the Aventail products - so I know that what you are trying to achieve does work.
What does the Audit Viewer screen show when you are trying to establish a connection?
Just make sure that any HTTPS-level application inspection is disabled. While the Aventail client operates over port 443 it is not true HTTPS (it's a form of Socks over 443, if I recall), so if you are trying to pass it through the Firewall as real HTTPS, it will fail and you will find that the audit will contain protocol violation errors.
As sliedl has said, as long as the rule is positioned above deny all it should work. I would add to that suggestion that you make sure that you assign the "connection settings" application defense to the rule. This will ensure that it is operating as a packet filter and it shouldn't be blocked.
Of course if you have an existing outbound HTTPS (SSL/TLS) rule which is inspecting the traffic and positioned further up the ACL list this will get in the way of your Aventail rule. What you could do is lock down the Aventail rule to a specific destination host (this will be the IP address configured in the Connect Tunnel client), and place the rule above any pre-existing outbound rules allowing HTTPS. Your Aventail client traffic should then pass out through this rule (and without being inspected), but your normal outbound HTTPS traffic will not match and will pass out through your normal Internet Services rule.
Hope that helps.
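The ordering argument in the two posts above (a non-inspected Aventail rule pinned to the Connect Tunnel server's address, placed above the general HTTPS rule, which in turn sits above Deny All) can be checked with a small first-match policy simulator. This is an added example and not McAfee Firewall Enterprise configuration syntax or anything from the original thread; the rule names, the "inspect" flag standing in for the HTTPS application defense, and the IP addresses (TEST-NET ranges) are constructed for illustration.

```python
"""Toy first-match rule evaluator (added example, not MFE/Sidewinder syntax).

It models three things the thread relies on:
  * rules are evaluated top-down and the first match wins;
  * a rule with HTTPS application inspection enabled rejects traffic on
    tcp/443 that is not real TLS (the Aventail client's SOCKS-over-443
    would show up as a protocol violation in the audit);
  * a rule locked down to one destination host lets only that host's
    traffic bypass inspection, so ordinary browsing still hits the
    inspecting rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    service: Optional[str]       # "HTTPS" matches tcp/443; None matches any port
    src_burb: Optional[str]      # None matches any burb
    dst_burb: Optional[str]
    dst_hosts: str               # CIDR string, or "any"
    inspect: bool = False        # HTTPS application defense active on this rule?


@dataclass
class Flow:
    src_burb: str
    dst_burb: str
    dst_ip: str
    dst_port: int
    looks_like_tls: bool         # False for the Aventail SOCKS-over-443 stream


def matches(rule: Rule, flow: Flow) -> bool:
    """Does this rule's match criteria cover the flow?"""
    if rule.service == "HTTPS" and flow.dst_port != 443:
        return False
    if rule.src_burb is not None and rule.src_burb != flow.src_burb:
        return False
    if rule.dst_burb is not None and rule.dst_burb != flow.dst_burb:
        return False
    if rule.dst_hosts != "any" and ip_address(flow.dst_ip) not in ip_network(rule.dst_hosts):
        return False
    return True


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Walk the policy top-down; return (matching rule name, outcome).

    Outcome is "pass", "protocol_violation" (matched an inspecting HTTPS
    rule with non-TLS payload) or "deny".
    """
    for rule in policy:
        if not matches(rule, flow):
            continue
        if rule.action == "deny":
            return rule.name, "deny"
        if rule.inspect and not flow.looks_like_tls:
            return rule.name, "protocol_violation"
        return rule.name, "pass"
    return "implicit", "deny"     # fell off the end of the ACL


# Constructed addresses (RFC 5737 TEST-NET), not real hosts.
AVENTAIL_SERVER = "203.0.113.10"   # assumed IP configured in the Connect Tunnel client

DENY_ALL = Rule("Deny All", "deny", None, None, None, "any")
INTERNET_HTTPS = Rule("Internet Services HTTPS", "allow", "HTTPS",
                      "internal", "external", "any", inspect=True)
AVENTAIL_RULE = Rule("Aventail Connect Tunnel", "allow", "HTTPS",
                     "internal", "external", f"{AVENTAIL_SERVER}/32", inspect=False)

# Aventail rule placed BELOW the inspecting HTTPS rule: never reached.
POLICY_WRONG = [INTERNET_HTTPS, AVENTAIL_RULE, DENY_ALL]
# Aventail rule pinned to one host and placed ABOVE the general HTTPS rule.
POLICY_RIGHT = [AVENTAIL_RULE, INTERNET_HTTPS, DENY_ALL]

AVENTAIL_FLOW = Flow("internal", "external", AVENTAIL_SERVER, 443, looks_like_tls=False)
BROWSER_FLOW = Flow("internal", "external", "198.51.100.7", 443, looks_like_tls=True)


if __name__ == "__main__":
    for label, policy in (("wrong order", POLICY_WRONG), ("right order", POLICY_RIGHT)):
        print(label, "aventail ->", evaluate(policy, AVENTAIL_FLOW))
        print(label, "browser  ->", evaluate(policy, BROWSER_FLOW))
```

Run it and the "wrong order" policy shows the Aventail flow being swallowed by the inspecting Internet Services rule as a protocol violation, which is what the audit would report; with the Aventail rule moved above it, that flow passes uninspected while a normal browser session to any other host still lands on the inspecting rule, and a policy with the Aventail rule below Deny All never reaches it at all.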
Sliedl and PhilM, thank you very much for your help! You were both able to get me in the right direction. Both your answers were correct and I also found the KB Article at URL https://kc.mcafee.com/corporate/index?page=content&id=KB63186&cat=CORP_SIDEWINDER&actp=LIST very helpful.
It is all working now. Thanks again.