[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1339
  • Last Modified:

Accessing a network behind a Watchguard X700 Firebox firewall using VNC

I have seen various posts on this but they are for different firebox and the directions don't work with the software we are using (Watchguard System Manager version 8)

We want to be able to use VNC enterprise edition to access one, possibly more, PCs on our network.

As I understand it, this involves setting up packet forwarding within the NAT configuration

If anyone knows how to do this, please let us know :-)

1 Solution
You're doing NAT configuration? You'll definitely have to port forward, but also you'll have to open the appropriate ports (5800 if you're using via browser, 5900 using the VNC viewer). But your life would probably be a lot easier if you had a network with public IPs.
Open the System Manager
Open the Policy Manager
Click on Edit -> Add Service
Click New
Type in VNC as Name
Click Add
For Port: 5900
To: 5900
Once created, Double click that and Click on Incoming...Change to Enabled and Allowed
In the From: Click Add
Add Other and choose appropriate...Host or whatever.
In the To: Click Add
Click NAT...Put the external and internal in.  Save to Firebox and that should have you set.

Let me know if you need any further help.
if you need to use multiple pc's you can forward the external port of the firewall 5901, 5902 and so on to internal port 5900 on the specified machine you would like to connect.  Example

firewall:5901 --> inside1:5900
firewall:5902 --> inside2:5901

where "firewall" is the firewall IP and "insideX" is the inside pc's ip address.
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Paul197466Author Commented:
OK, because I could not get the NAT solution working I have added an additional adapter to the machine.

I have configured this adapter to have a valid external Class C IP address.

I have connected this adapter to the optional interface on the Firebox

I have created an alias for this adapter in the Firebox configuration

I have created a new service called TCP that that 5900 and 5800 ports open for tcp (just tcp not udp - is that right?)

I have created an instance of this service and set it to be "Enabaled and Allowed" for incoming from ANY to the new alias for the new adapter and outgoing from this alias to Any

However, when I try to connect from a VNC client on another network to the external ip address for the new adapter, it fails to connect

Have I missed something?
When I have worked on the fireboxes, You have to have the interfaces in transparent mode to be able to setup public IP's behind the firewall, or routing for those IP's...  That said, when I have worked on them, you either have to setup the entire firewall (ie both internal interfaces) in transparent mode, I don't think you can setup one or the other.

I suspect the most likely problem is the source port setting on the rules you are creating...  When you configure a rule, you have to set options for source and destination IP, and source and destination port.  Many people miss the destination port setting.  I usually set the source port to "Ignore".  Give that  a shot and let me know what you find.

Paul197466Author Commented:

I was setting the Client Port drop down to Port rather than leaving it as client

Many thanks
No problem...  FYI when you set it to port, it requires the source port to be the same as the destination port.  Since most protocols use a source port different from the destination port, that naturally doesn't work.  I can't count the number of times I've done the very same thing.  Glad you were able to get your rules going.

Paul197466Author Commented:
Sorry, i know this is a bit cheeky since I have already accepted the answer, but I did run into a problem with this solution.

The problem is that the VNC service I create is meant to only affect the filtering of the optional interface but I find that it affects the trusted interface too.

If you have any idea not to force it to only affect the optional interface I would really appreciate it.
I'm not near a system where I can look at this specifically, and won't be for a few weeks.  But to my recolection there are a few criteria for making the rules: source, destination, source port, destination port, layer 4 protocol and layer 5 protocol.  All of that said, you should be able to set the source to either be an IP address or an interface, likewise the destination can be an IP address or an interface.  Since you are using NAT or PAT or any of the other terms used to make a private service available publicly, you should be specifiying an internal IP address, which should negate the need to specify an acceptable interface as that would be assumed.

To summarize, I think you can specify an IP Address, or an Interface.  But I don't think you can specify both
(ie --> interface private)  I think it is an either/or.

That said, for the source, you could specify public interface, and that would disalow the traffic to originate from the optional interface.

Or perhaps I have misunderstood you question.  I am certainly happy to help you complete this issue.  Please let me know if this has helped, or if you have any further questions.


Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now