How do I change firewall settings modified by VPN server?

(This actually happened while I was running Lion, but seems to be the same problem under Mountain Lion)


I installed the Check Point Software Technologies Ltd. Endpoint Security VPN for Mac E75 VPN client on my iMac to access my employer's network. It worked, but after I logged onto my employer's network, I lost contact with both my Time Capsule and AirPort Express (AirPort Utility stops "seeing" them, even though I am still connected over Wi-Fi to the internet through the AirPort router in the Time Capsule), and iTunes stopped "seeing" my iPad and iPhone.


I looked on Check Point's support pages and saw this "Known Limitation":


Issue ID: 00885275


After Endpoint Security VPN is installed and a client is connected to the gateway, automatic sync with Time Capsule and iPhone Wi-Fi sync might not work correctly.

This can happen because of a restrictive Desktop Policy.

To resolve this issue, allow these services in the "Inbound rules" of the Desktop Policy:

  • SSDP: UDP, port 1900.
  • mDNS: UDP, port 5353.

Further research in the Endpoint Security VPN for Mac E75 Administration Guide told me this about "Desktop Policy":


    The Desktop Firewall

    Endpoint Security VPN enforces a Desktop Security Policy on remote clients. You define the Desktop Security Policy in a Rule Base. Rules can be assigned to specific user groups, to customize a policy for different needs.

    Important - Before you begin to create a Desktop Security Policy, you must enable the Policy Server feature on the gateway.

    Endpoint Security VPN downloads the first policy from the gateway. It looks for and downloads new policies every time it connects or on re-authentication.

    When Endpoint Security VPN makes a VPN connection, it connects to the gateway and downloads its policy. Endpoint Security VPN enforces the policy: accepts, encrypts, or drops connections, depending on their source, destination, and service.


So (I think) what happened is when I logged on to my employer's network, it re-configured my firewall to limit my network connections, resulting in the above-described problems.


Logging out did not change anything. Uninstalling the VPN client did not change anything. It looks like the changes "enforced" by the VPN client are persistent, and can only be changed "manually."


I doubt I will be able to prevail upon my employer to change its desktop policy. So I'm ready to bail on using the VPN client, but how do I reverse the changes my employer's "desktop policy" made?


The System Preferences Firewall options seem kind of high level. I would note that iTunes looks like it is open to all connections.


Thoughts? HELP.

Time Capsule-OTHER, OS X Mountain Lion

Posted on Jul 28, 2012 10:05 AM

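A practical way to check the symptom described in the post (whether inbound mDNS and SSDP answers actually reach the Mac) is to send the two discovery requests those services use and see who replies. The script below is an added example written for this page; it is not Check Point's code and not from the original thread, and it changes no firewall or network setting. It assumes only that the Mac shares a LAN with a Time Capsule, AirPort Express or another Bonjour/UPnP responder, and takes an optional LAN address as its first argument so the sockets stay on the Wi-Fi interface when the VPN tunnel owns the default route. Run it with the VPN client installed and again after removing it: silence in the first case and answers in the second mean the Desktop Policy is dropping the UDP 5353 and UDP 1900 traffic named in Check Point's Known Limitation.

```python
"""Probe for inbound mDNS (UDP 5353) and SSDP (UDP 1900) answers.

Added example for this thread; not Check Point code and not from the post.
"""
import socket
import struct
import time

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
SERVICE_ENUM = "_services._dns-sd._udp.local"  # DNS-SD "list all service types" (RFC 6763 s9)
PTR = 12                                        # DNS record type used by DNS-SD browsing


def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels followed by the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_mdns_query(name=SERVICE_ENUM):
    """One-question mDNS query: id 0, no flags, QTYPE PTR, QCLASS IN."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", PTR, 1)


def build_ssdp_msearch(mx=1):
    """SSDP M-SEARCH for every service type; UPnP devices answer by unicast."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        "ST: ssdp:all\r\n\r\n"
    ).encode()


def decode_name(data, offset):
    """Decode a possibly compressed DNS name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode(errors="replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_mdns_answers(data):
    """Return the PTR targets of a DNS/mDNS response (the service types advertised)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:                   # QR bit clear: a query, not a response
        return []
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = decode_name(data, off)
        off += 4
    targets = []
    for _ in range(an):
        _, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == PTR:
            targets.append(decode_name(data, off)[0])
        off += rdlen
    return targets


def _udp_socket(bind_ip):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(0.2)
    if bind_ip:                              # pin to the LAN interface when a VPN tunnel owns the default route
        sock.bind((bind_ip, 0))
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(bind_ip))
    return sock


def probe(timeout=2.0, bind_ip=None):
    """Send both requests and collect the replies that arrive within `timeout` seconds."""
    seen = {"mdns": set(), "ssdp": set()}
    m, s = _udp_socket(bind_ip), _udp_socket(bind_ip)
    m.sendto(build_mdns_query(), (MDNS_GROUP, MDNS_PORT))
    s.sendto(build_ssdp_msearch(), (SSDP_GROUP, SSDP_PORT))
    deadline = time.time() + timeout
    while time.time() < deadline:
        for sock, key in ((m, "mdns"), (s, "ssdp")):
            try:
                data, (addr, _port) = sock.recvfrom(4096)
            except socket.timeout:
                continue
            if key == "ssdp":
                seen[key].add(addr)
                continue
            try:
                seen[key].update((addr, svc) for svc in parse_mdns_answers(data))
            except (struct.error, IndexError):   # malformed packet: ignore it
                pass
    return seen


if __name__ == "__main__":
    import sys
    found = probe(bind_ip=sys.argv[1] if len(sys.argv) > 1 else None)  # e.g. 10.0.1.5 (constructed)
    print("mDNS responders:", sorted(found["mdns"]) or "none (inbound UDP 5353 dropped?)")
    print("SSDP responders:", sorted(found["ssdp"]) or "none (inbound UDP 1900 dropped?)")
```

One caveat when reading the result: because the query leaves from an ephemeral port, mDNS responders answer it by unicast to that port (RFC 6762 "legacy" responses), so a firewall that tracks outbound state can pass those replies while still dropping the unsolicited multicast on port 5353 that AirPort Utility and iTunes rely on. No answers is therefore a strong signal that the policy is dropping the traffic; answers only rule out the crudest form of blocking.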

Jul 28, 2012 2:26 PM in response to TH202

It is not something I have played with, but I would turn off the Mac's firewall and see if that fixed the problem. The firewall of the Mac is helping your security, but the main security is actually the NAT router in the TC. It is extremely difficult to break NAT routing; it is effectively a firewall itself. So turning off the firewall in the Mac is not a biggie. The reason I want you to do that, even if just for a few minutes (and perhaps turn it off and reboot the computer to make sure the rules have stopped being applied), is to see if the firewall is actually the culprit.


What I am reading from what you have posted is the VPN client itself is the software blocking connections. And I doubt a third party software would change rules to the internal firewall, but I am guessing.


Once you have tested it, if the firewall off fixes it, then you will need to hunt around, perhaps in a TM backup, for the actual file that is altered that contains the rules. I have not looked, and don't use firewall on the end client anyway as I have a firewall rated router.


If the firewall off does not fix the problem, which is what I suspect: did you use the uninstall software correctly, and did it give any error messages?


Go to the Activity Monitor and check all the running processes. Anything there that is named after the VPN, try to quit. See if you can stop the process. If the issue is major and the process won't quit, see if the Checkpoint support can help, or google their knowledge base for info on how to get back to normal operations.

Nov 25, 2012 3:11 PM in response to TH202

I just had the same problem: the Macs with Endpoint VPN entered some kind of stealth mode, meaning that they could not be seen by other Macs where it wasn't installed. In addition to this, the Macs with the VPN installed could not see other units on the network, including Time Capsule. Stealth mode should never be used, but the Checkpoint VPN is using it anyway, which I think is against all good practices.


Because the Endpoint VPN software is changing port and network settings in a non-standard way, and at a very low level, it becomes too difficult to uninstall it. You don't even see it in the System Preferences. The solution for me was to go back to the backup I had from before installing the Endpoint VPN software package. Problem was now that the Time Capsule could not be seen.


I went to an Apple Store with the problematic unit, and even if they could not solve the problem, they found out that the network settings were okay in safe mode.


I thought about this and then I realized that I could reach the Time Machine backups by booting from a USB prepared for a clean Mountain Lion installation. The latest backup would then of course be the one where the network functioned properly. It took forever (= 4 or 5 hours) and after messing with a few account settings, it was back to normal.


My conclusions:

1. Time Machine saved me.

2. Don't use Endpoint VPN for Mac. Use it from a virtual Windows machine in e.g. Fusion instead.


Hope this helps someone

Martin

Jan 17, 2013 1:17 PM in response to TH202

It is a fact that the Checkpoint Endpoint Security enforces a desktop policy. It's the same for Mac as Windows. I have been working on it for a while to get rid of this problem. Disabling the desktop policy after logging out is my goal.


I'm hoping that the clientless VPN possibility of Checkpoint will avoid this problem, which I will be implementing in our Checkpoint environment (extra costs in licensing though). Until then, uninstall the client after use with the uninstall program included in the install package, or use a VM to get rid of the desktop policy.


Cheers

Maarten
