David_Herselman
Advisor

Security policy inconsistently applied when using Proxy

We have an application layer which allows access to TeamViewer for members of an AD security group:

Everything works perfectly, in that users that are members of this security group can use both the TeamViewer application and navigate to www.teamviewer.com whilst others can't.

If we however then configure an explicit proxy, the application continues to work but members of this security group can no longer navigate to www.teamviewer.com.

Am I missing something or should I log this with TAC?

4 Replies
Danny
Champion

The Teamviewer application will always try to find ways through your network to successfully reach the internet.

To identify users behind a proxy to the firewall, the proxy must be configured to add the X-Forwarded-For (XFF) flag to the connections. Only then can the rule match, as the user identification succeeds. Check Point can delete the XFF flag within the IA settings of your gateway object.

David_Herselman
Advisor

The opposite is however true: users that are members of the AD security group are NOT able to access the www.teamviewer.com website, whilst they can use the application. Reviewing the log records, the rule correctly matches packets from the application, but requests for the website are blocked by a subsequent rule which denies access using the 'Remote Administration' categorisation.

Disabling the explicit proxy and sending traffic directly results in everything working as it should, users that are members of the security group can use the application and browse to the www.teamviewer.com website.

i.e. browsing to www.teamviewer.com, when configuring the browser to send connections DIRECTLY to the security gateway's proxy port, does not match the 'TeamViewer' application in a policy rule, whilst it does when one disables the proxy settings in the browser.

Danny
Champion

I don't see a custom web application for the website www.teamviewer.com in your rule.

David_Herselman
Advisor

I'm not aware of a requirement to specifically list sites when using the proxy interface on a Check Point security gateway.

If I do not configure the security gateway as an explicit proxy and navigate to www.teamviewer.com via a web browser the site is correctly associated with the rule:

If all I subsequently do is point the browser directly at the Check Point security gateway's proxy interface, browsing sessions to www.teamviewer.com are not matched by the rule that references the TeamViewer application. Herewith the log record from the subsequent rule which blocks Remote Administration category for everyone else in the network:

PS: We've been using Squid for 20+ years and are used to referencing a proxy on port 3128. We subsequently configured the Check Point Security Gateway to listen on this port as well. There are NO intermediary proxy servers between the browser and the security gateway.

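The two mechanisms discussed in this thread, the X-Forwarded-For header that Danny describes for attributing a proxied session to the real client, and the difference David observes between a browser talking through an explicit proxy and one connecting directly, can be illustrated with a small attribution routine. The code below is an added example written for this page; it is not Check Point's implementation and is not code from either poster. It shows what a gateway-side engine can learn from the HTTP request alone: with an explicit proxy the destination arrives in the `CONNECT` request line (or in an absolute-form URI for plain HTTP), whereas a direct browse only carries it in the `Host` header (or, for HTTPS, in the TLS SNI, which this example does not parse). It also applies the check a practitioner wants around XFF: the header is only honoured when the TCP peer is a proxy the gateway is configured to trust, because any client can otherwise forge it and borrow another user's identity. The function names, the trusted-proxy list, the addresses and the sample requests are all constructed for the example.

```python
"""Added example (not from the thread, not Check Point's code): attribute a
proxied HTTP request to a client address and a destination host, honouring
X-Forwarded-For only from trusted proxies.

Assumptions: the gateway is configured with a list of trusted proxy networks;
all sample addresses and requests below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Attribution:
    client_ip: str   # address the session is attributed to (identity lookup key)
    dest_host: str   # hostname to match against application / URL-category rules
    dest_port: int
    via: str         # where the destination was found: connect, absolute-uri, host-header


def _parse_headers(raw: bytes):
    """Split a raw request into its request line and a lower-cased header map."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _split_host_port(authority: str, default_port: int):
    """'host:port' -> (host, port); bare host gets default_port (no IPv6 literals)."""
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, default_port


def originating_client(peer_ip: str, xff_values: list[str], trusted_proxies) -> str:
    """Walk the XFF chain from the right, skipping hops that are our own trusted
    proxies; the first address that is not a trusted proxy is the client.
    XFF from an untrusted peer is ignored entirely (it could be forged)."""
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)

    if not is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip
    chain = [a.strip() for v in xff_values for a in v.split(",") if a.strip()]
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return peer_ip   # malformed chain: do not guess, attribute to the proxy itself
        if not is_trusted(ip):
            return str(ip)
    return peer_ip           # every hop was one of ours; nothing better to report


def attribute(peer_ip: str, raw_request: bytes, trusted_proxies=()) -> Attribution:
    """Derive (client, destination) for one request as seen on the proxy port."""
    request_line, headers = _parse_headers(raw_request)
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        # Explicit proxy, HTTPS: the destination is visible in clear only here.
        host, port = _split_host_port(target, 443)
        via = "connect"
    elif "://" in target:
        # Explicit proxy, plain HTTP: absolute-form request target.
        parts = urlsplit(target)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        via = "absolute-uri"
    else:
        # No proxy configured in the browser: origin-form target, Host header only.
        host, port = _split_host_port(headers.get("host", [""])[0], 80)
        via = "host-header"
    client = originating_client(peer_ip, headers.get("x-forwarded-for", []), trusted_proxies)
    return Attribution(client, host.lower(), port, via)


# Constructed sample requests (not captured from the poster's network).
DIRECT_TO_GATEWAY_PROXY = (
    b"CONNECT www.teamviewer.com:443 HTTP/1.1\r\n"
    b"Host: www.teamviewer.com:443\r\n\r\n"
)
VIA_UPSTREAM_PROXY = (
    b"CONNECT www.teamviewer.com:443 HTTP/1.1\r\n"
    b"Host: www.teamviewer.com:443\r\n"
    b"X-Forwarded-For: 10.1.2.3\r\n\r\n"
)
PLAIN_HTTP_ABSOLUTE = b"GET http://www.teamviewer.com/ HTTP/1.1\r\nHost: www.teamviewer.com\r\n\r\n"
NO_PROXY = b"GET / HTTP/1.1\r\nHost: www.teamviewer.com\r\n\r\n"

if __name__ == "__main__":
    trusted = ["10.0.0.5/32"]                       # assumed upstream Squid address
    print(attribute("10.1.2.3", DIRECT_TO_GATEWAY_PROXY, trusted))
    print(attribute("10.0.0.5", VIA_UPSTREAM_PROXY, trusted))   # XFF honoured
    print(attribute("10.9.9.9", VIA_UPSTREAM_PROXY, trusted))   # forged XFF ignored
    print(attribute("10.1.2.3", NO_PROXY))
```

In the first case, which is the setup described in the thread (browser pointed straight at the gateway's proxy port, no intermediary), there is no XFF to consult and the peer address is the user's workstation, so identity lookup has the right key and the only thing that differs from the direct case is that the destination comes from the `CONNECT` line rather than from a `Host` header or TLS SNI. Whether a given application signature is matched on a `CONNECT` target is an engine question that this example cannot answer.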