Accessing a network behind a Watchguard X700 Firebox firewall using VNC

I have seen various posts on this, but they are for a different Firebox and the directions don't work with the software we are using (Watchguard System Manager version 8).

We want to be able to use VNC enterprise edition to access one, possibly more, PCs on our network.

As I understand it, this involves setting up packet forwarding within the NAT configuration.

If anyone knows how to do this, please let us know :-)


You're doing NAT configuration? You'll definitely have to port forward, but you'll also have to open the appropriate ports (5800 if you're using it via a browser, 5900 if you're using the VNC viewer). But your life would probably be a lot easier if you had a network with public IPs.
Open the System Manager
Open the Policy Manager
Click on Edit -> Add Service
Click New
Type in VNC as Name
Click Add
For Port: 5900
To: 5900
Once created, double-click that and click on Incoming... Change to Enabled and Allowed
In the From: click Add
Add Other and choose the appropriate one... Host or whatever.
In the To: click Add
Click NAT... Put the external and internal in. Save to Firebox and that should have you set.

Let me know if you need any further help.
If you need to use multiple PCs, you can forward the external ports of the firewall (5901, 5902 and so on) to internal port 5900 on the specified machine you would like to connect to. Example:

firewall:5901 --> inside1:5900
firewall:5902 --> inside2:5901

where "firewall" is the firewall IP and "insideX" is the inside pc's ip address.

Paul197466Author Commented:
OK, because I could not get the NAT solution working I have added an additional adapter to the machine.

I have configured this adapter to have a valid external Class C IP address.

I have connected this adapter to the optional interface on the Firebox

I have created an alias for this adapter in the Firebox configuration

I have created a new service called TCP that has the 5900 and 5800 ports open for TCP (just TCP, not UDP - is that right?)

I have created an instance of this service and set it to be "Enabled and Allowed" for incoming from ANY to the new alias for the new adapter and outgoing from this alias to Any

However, when I try to connect from a VNC client on another network to the external ip address for the new adapter, it fails to connect

Have I missed something?
When I have worked on the Fireboxes, you have to have the interfaces in transparent mode to be able to set up public IPs behind the firewall, or routing for those IPs... That said, when I have worked on them, you have to set up the entire firewall (i.e. both internal interfaces) in transparent mode; I don't think you can set up one or the other.

I suspect the most likely problem is the source port setting on the rules you are creating... When you configure a rule, you have to set options for source and destination IP, and source and destination port. Many people miss the destination port setting. I usually set the source port to "Ignore". Give that a shot and let me know what you find.


Paul197466Author Commented:

I was setting the Client Port drop-down to Port rather than leaving it as Client.

Many thanks
No problem... FYI, when you set it to Port, it requires the source port to be the same as the destination port. Since most protocols use a source port different from the destination port, that naturally doesn't work. I can't count the number of times I've done the very same thing. Glad you were able to get your rules going.
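Two points in the answers above, the one-external-port-per-PC mapping (5901, 5902, ... each forwarded to inside port 5900) and the reason a "Port" source-port setting breaks ordinary connections, are easier to see in a small packet-filter model. This is an added example written for this page, not Watchguard code and not anything the Firebox itself runs; the IP addresses, host names and the rule fields (source_port_mode, from_interface) are constructed assumptions that mirror the Policy Manager options the thread describes.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the example (RFC 5737 documentation ranges, not real hosts).
FIREWALL_IP = "203.0.113.10"      # the Firebox's external address ("firewall" in the thread)


@dataclass(frozen=True)
class Packet:
    """The TCP SYN that opens a VNC session, as seen arriving at the Firebox."""
    src_ip: str
    src_port: int         # ephemeral port chosen by the client's OS
    dst_ip: str
    dst_port: int
    in_interface: str     # "external", "trusted" or "optional"


@dataclass(frozen=True)
class ForwardRule:
    """One incoming service rule with a NAT target (the From/To/NAT fields in Policy Manager)."""
    dst_port: int                        # port on the firewall's external address
    nat_host: str                        # inside PC the connection is forwarded to
    nat_port: int                        # port on that inside PC
    source_port_mode: str = "client"     # "client": ignore source port; "port": source port must equal dst_port
    from_interface: str = "external"     # interface the traffic must arrive on


def rule_matches(rule: ForwardRule, pkt: Packet) -> bool:
    """Apply the criteria named in the thread: destination, destination port, source port mode, interface."""
    if pkt.dst_ip != FIREWALL_IP or pkt.dst_port != rule.dst_port:
        return False
    if pkt.in_interface != rule.from_interface:
        return False
    if rule.source_port_mode == "port" and pkt.src_port != rule.dst_port:
        # "Port" mode only matches when source and destination ports coincide,
        # which an ordinary client connection almost never does.
        return False
    return True


def forward(rules: List[ForwardRule], pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return the (inside host, inside port) the packet is forwarded to, or None if it is dropped."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return (rule.nat_host, rule.nat_port)
    return None


def vnc_rules(inside_hosts: List[str], source_port_mode: str = "client") -> List[ForwardRule]:
    """Build the one-port-per-PC mapping from the thread: external 5901, 5902, ... each to inside port 5900."""
    return [
        ForwardRule(dst_port=5900 + i, nat_host=host, nat_port=5900, source_port_mode=source_port_mode)
        for i, host in enumerate(inside_hosts, start=1)
    ]


def client_syn(dst_port: int, src_port: int = 51234, in_interface: str = "external") -> Packet:
    """A constructed connection attempt from a remote VNC viewer (198.51.100.7 is a documentation address)."""
    return Packet("198.51.100.7", src_port, FIREWALL_IP, dst_port, in_interface)


if __name__ == "__main__":
    hosts = ["10.0.1.11", "10.0.1.12"]           # constructed inside PCs ("inside1", "inside2")
    for mode in ("client", "port"):
        rules = vnc_rules(hosts, mode)
        for ext_port in (5901, 5902):
            print(mode, ext_port, "->", forward(rules, client_syn(ext_port)))
```

Run it and the "client" rules forward 5901 and 5902 to the two inside PCs, while the same rules in "port" mode drop both attempts because the viewer's ephemeral source port is not 5901 or 5902. The `from_interface` field is the model's version of the later suggestion in the thread to specify the public interface as the rule's source, so a connection arriving on the trusted interface does not match the incoming rule.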

Paul197466Author Commented:
Sorry, I know this is a bit cheeky since I have already accepted the answer, but I did run into a problem with this solution.

The problem is that the VNC service I create is meant to only affect the filtering of the optional interface but I find that it affects the trusted interface too.

If you have any idea how to force it to only affect the optional interface I would really appreciate it.
I'm not near a system where I can look at this specifically, and won't be for a few weeks. But to my recollection there are a few criteria for making the rules: source, destination, source port, destination port, layer 4 protocol and layer 5 protocol. All of that said, you should be able to set the source to be either an IP address or an interface; likewise the destination can be an IP address or an interface. Since you are using NAT or PAT or any of the other terms used to make a private service available publicly, you should be specifying an internal IP address, which should negate the need to specify an acceptable interface as that would be assumed.

To summarize, I think you can specify an IP address, or an interface. But I don't think you can specify both (i.e. --> interface private). I think it is an either/or.

That said, for the source, you could specify the public interface, and that would disallow the traffic from originating from the optional interface.

Or perhaps I have misunderstood your question. I am certainly happy to help you complete this issue. Please let me know if this has helped, or if you have any further questions.
