HummingBird Xceed Client

ambosta · ‎08-06-2004

Dear All,

Currently I have a PIX 515E. The users are connected to the inside interface and there are a few public servers connected to the external (outside) interface.

The users use HummingBird Xceed client to control these servers..

However for some reason the PIX firewall stops these connections..

Would appreciate if anyone could help with the rulebase for the same

Thanks in advance

Warm Regards

Rohit

gfullage · ‎08-08-2004

X-Windows usually starts another connection from server to client, which is being blocked by the PIX. Usually this connection is on port 6000 or the like.

Read up on the "established" command (and the XDMCP part specifically) to allow these connections to come back in:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/df.htm#wp1028903

If you want to be sure that this is the problem, enable logging on the PIX, then start an outbound connection, the logs should show this outbound connection being built, then a different inbound connection being denied straight away. This deny log message will tell you the destination port that you need to allow back in, but it'll probably be in the 6000 range.

jonathanstevens · ‎08-10-2004

There are also problems around NAT as well as the server (X Client) sometimes needs a export DISPLAY=x.x.x.x, with x.x.x.x being the NAT'd IP address.

One of the best ways we've found for using X through firewalls and NAT is to use SSH and tunnel the X sessions. This works well and is far more secure. Every SSH Client I've used has a tick box option to enable this, and quite often you have to enable the X Windows option on your SSH server daemon configuration.

PuTTY is freely available if SSH client costs are a problem, but make sure you get the latest version.