This is slightly off-topic, but I can't find a good answer anywhere
else, and I'm sure you folks can help me.

I'm currently running BM 3.7 (SP1) on NW 6 (SP2) with 1 private
(10.1.x.x) and 1 public (65.208.y.y) interface. My Internet
connection is fiber, so I don't have a router -- just Cat5 connected
to the ISP's hub (not in my space). The BM server is doing proxy,
firewall, and NAT. I've got 16 public addresses.

I have a remote client that wants to replace our current
secure-messaging system with a VPN connection. They are using
Checkpoint VPNs, and want me to join their existing site-to-site
configuration. I know that BM cannot yet do that (Argh!), but I want
to see what my options are for implementing a solution in my existing
environment by adding my own Checkpoint box. The main kink to this is
that I don't want to create a DMZ by putting the Checkpoint box in
front of the BM box, the difference being a 5-user Checkpoint license
vs. a 150-user Checkpoint license -- a few thousand dollars
difference. Checkpoint says that they can work from behind the NAT,
but they don't recommend it. So, I'm trying to figure out what the
architecture should be here.

1) Since I only have one interface to my ISP, I'd have to put up a
hub to get more than one public device connected. If I do this and
have both BM and Checkpoint on the same public hub, will
static-routing all traffic for that client from BM to Checkpoint be
effective, or will being on the same hub defeat the purpose? Also,
Checkpoint would only be using one interface then -- bad idea?

2) Also using a hub (as above), I could put both BM and Checkpoint on
the fiber. I could add a third NIC to the BM server, call it private,
and connect it directly to the Checkpoint box. Then static-route all
traffic destined for the client from BM to the Checkpoint box, after
which point it would hit the public hub already encrypted. Regular
traffic would still go out the BM Public interface. Sounds to me like
it should work, but I've never done anything like it before.

3) There's still the option of putting the Checkpoint box on the
private side. They say it will work, but that "your BM firewall won't
be able to inspect the packets going through, and most people don't
like that." Feh. If the only traffic there is VPN traffic to/from a
trusted client, I don't really see an issue there. What I don't
understand is how the routing would work, since the BM private
interface is everyone's default gateway. Would it be possible for
traffic to be routed from a workstation to BM Private, to Checkpoint
(still on private side), back to BM Private, out (via static NAT) to
BM Public, and then on to the Internet?

To my thinking, #2 seems like the best bet, although #3 would be
easiest (if it works). But, I'm not the expert, which is why I'm

Thanks for your time, and for any suggestions you might have.

Corey Webb
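As an added illustration that is not part of the original post (and not Novell's or Checkpoint's code), the walk below models the three placements as plain static routing tables and traces, hop by hop, where a packet bound for the remote client's network travels and whether it is still in the clear at each hop. The addresses, the node names ws/bm/cp/isp and the interface labels are assumptions standing in for the poster's 10.1.x.x and 65.208.y.y ranges.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation space) for the post's 10.1.x.x
# private range, its 65.208.y.y public /28 and the remote client's networks.
CLIENT_LAN = "192.0.2.0/24"   # remote client's private network (assumed)
PEER_GW = "198.51.100.1"      # remote Checkpoint public address (assumed)
ANY = "0.0.0.0/0"
WS = [(ANY, "bm", "ws:eth0")]  # every workstation defaults to BM private

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop_node, out_iface) entries."""
    best = None
    for prefix, hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def trace(tables, dst, src="ws", max_hops=8):
    """List the interfaces a packet from src leaves through until it reaches
    the ISP, tagging each hop 'clear' or 'esp'. The Checkpoint node 'cp'
    encapsulates anything bound for CLIENT_LAN, so from there on the outer
    destination is PEER_GW and every later router routes on that instead."""
    dst, node, path, enc = ipaddress.ip_address(dst), src, [], False
    while node != "isp":
        if node == "cp" and not enc and dst in ipaddress.ip_network(CLIENT_LAN):
            dst, enc = ipaddress.ip_address(PEER_GW), True
        node, iface = next_hop(tables[node], dst)
        path.append(f"{iface} {'esp' if enc else 'clear'}")
        if len(path) > max_hops:
            raise RuntimeError("routing loop")
    return path

# Option 1: both boxes on the fiber hub; BM's static route reaches cp over it.
OPTION1 = {"ws": WS, "bm": [(CLIENT_LAN, "cp", "bm:public"), (ANY, "isp", "bm:public")],
           "cp": [(ANY, "isp", "cp:public")]}
# Option 2: third NIC on BM wired to cp; cp's own public NIC is on the hub.
OPTION2 = {"ws": WS, "bm": [(CLIENT_LAN, "cp", "bm:nic3"), (ANY, "isp", "bm:public")],
           "cp": [(ANY, "isp", "cp:public")]}
# Option 3: cp on the private LAN with BM private as its default gateway.
OPTION3 = {"ws": WS, "bm": [(CLIENT_LAN, "cp", "bm:private"), (ANY, "isp", "bm:public")],
           "cp": [(ANY, "bm", "cp:private")]}

if __name__ == "__main__":
    for name, tables in (("option 1", OPTION1), ("option 2", OPTION2), ("option 3", OPTION3)):
        print(name, "->", " | ".join(trace(tables, "192.0.2.10")))
```

The trace makes the trade-off visible: in option 1 the not-yet-encrypted hop from BM to the Checkpoint box crosses the public hub, in option 2 it stays on the private third NIC, and in option 3 the packet is forwarded by BM twice, the second time already as ESP that BM can no longer inspect.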