Customizing PPTP WatchGuard Firebox

Posted on 2008-10-07
Last Modified: 2013-11-16
I am having a little trouble customizing PPTP.  I want some PPTP users to have access to a certain network and not another.  However, I can only seem to VPN in if I have users in the "PPTP-Users" group.  The reason I don't want to keep using the PPTP-Users group is because I want some users to be able to access only certain parts of the network.  If I empty the PPTP-Users group and make new groups and apply that in the TO section of particular PPTP policies rather than ANY, I am unable to log on.  Also, is it possible to only allow certain ports for those connecting via VPN?  I am working at a start-up company that is trying to secure their network after having been hacked for the first time.

Question by: mansurw02

Expert Comment

by: dpk_wal
Let's say you have user1-10; now they all have to be part of the pre-created pptp_users group. You can create your own user groups, e.g. grp1, grp2 and grp3; now distribute the users in these groups and configure the policy to allow access as below:
Service-1
Enabled and allowed; from grp1; to specific-ip-range/subnet/hosts
Service-2
Enabled and allowed; from grp2; to specific-ip-range/subnet/hosts
Service-3
Enabled and allowed; from grp3; to specific-ip-range/subnet/hosts

Please implement and update.

Thank you.

Author Comment

by: mansurw02
So keep the default PPTP policy that WatchGuard created and then make new policies with PPTP and GRE ports for each of the groups?

Expert Comment

by: dpk_wal
No, that would not work until you order the custom policy before the pre-created policy, or delete the pre-created policy.

Thank you.

Author Comment

by: mansurw02
I am making 3 new policies for 3 groups.  They will all be PPTP policies (1723 and GRE) and placed above the pre-created PPTP.  I have filled the appropriate group in FROM and the relevant network in the TO field.  I will be testing it by logging in via VPN with one of the groups and trying to access a network that should not be accessible.  I am experiencing a delay because when I click Save to Firebox it says "There is a read/write session initiated from src IP X.X.X.X. Click Yes to terminate the r/w session and continue or click No to abort the entire operation."  When I click Yes, it stops at "Checking the version of Firebox" and then returns with the error "An error occurred while retrieving all feature keys from Firebox X.X.X.X. Message processing timeout.  Please try again."  Any idea what's wrong?

Expert Comment

by: dpk_wal
First thing: are you using the Firebox as the PPTP server? If yes, then you do not need the PPTP service with GRE; the service I mentioned was to allow the remote users access to the trust network.

Make sure that the Firebox is not locked by some other user; if the problem persists and it is possible, reboot the unit; the session would be closed and you would be able to establish a read+write session to the unit.

Please let me know if you need more details.

Thank you.

Author Comment

by: mansurw02
Let me start from the beginning.  We were not using VPNs at all.  Now we are trying to configure VPN for PC, Mac, and Linux through our Firebox x5500e.  PPTP seems to be the most universal and easiest to configure (so they say).  With your help, I have been able to establish a PPTP VPN connection.  All I used was VPN >> Mobile VPN > PPTP and set an address pool.  Things work fine.  Now I would like to customize the PPTP so only certain networks behind the Firebox can be accessed by certain VPN users.  I have not touched any other settings.  I assume the Firebox is automatically my PPTP server.  You are saying that I do not need the PPTP service?  What do you mean?  How do I VPN via PPTP?  Where I am now is trying to configure 3 additional policies for 3 groups that will be accessing the VPN.  I want to control what networks they are able to access once they are connected.  I am starting to get the hang of this device but seeing as I just began using it 2 days ago, I need a bit more detail in any instructions.  I can give you whatever details you want.  I appreciate all your help.

Author Comment

by: mansurw02
As for the lock up issue.  I am not physically at my device so I hope the issue will resolve itself soon.  Otherwise, I assume I will need to trek downtown to reboot the device.

Author Comment

by: mansurw02
I see there is a reboot option in Firebox System Manager.  Any idea how long this takes?  We are currently in business hours.

Accepted Solution

by: dpk_wal (earned 500 total points)
Normally the device would get rebooted in 2-3 minutes; and yes, you can reboot the device from System Manager.

As you are using the Firebox as the PPTP server, there is no need for any PPTP service, because we are not using PPTP passthrough; when the Firebox acts as the PPTP server it knows it needs to listen for incoming PPTP requests and there is no need for any service here.
To configure PPTP, we first enable the check box as you have already done and configure the virtual IP address/pool.
After this we need to create a policy which would determine which remote users/groups would have what access; with MUVPN [IPSec VPN implementation] you can configure remote network access parameters, but with PPTP the policy is the only thing which controls things.

So, if you wish all traffic on all ports/protocols to be allowed between the remote users and the Firebox, then we use the ANY service. You would use multiple ANY services to have differential access to networks by different groups. You can also create a custom service instead of ANY, and you can restrict the user access based on protocol/port as well. The configuration for the services would remain as we have already discussed; you might even have an ANY service for a specific group, an HTTP service for just one group and maybe a combination of HTTP, FTP and SMTP services for the third; these are hypothetical examples, please configure per your need.

Thank you.

Author Closing Comment

by: mansurw02
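The accepted solution describes each per-group policy as FROM group, TO network, service; the earlier comment adds that the pre-created PPTP-Users policy has to be ordered after the custom ones or deleted. The following is an added example, not configuration from the thread or from WatchGuard: a small first-match model of the policy list that lets you check which policy a given user's packet would hit. The group names, subnets and policy names are constructed, and it assumes the Firebox evaluates policies top-down with first match winning and drops traffic that matches no policy.

```python
"""Simplified first-match model of a Firebox policy list.

Added example, not configuration from the original thread or from WatchGuard.
Assumptions: policies are evaluated top-down and the first match wins; traffic
matching no policy is dropped (implicit deny). Group names, subnets and policy
names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 80)


@dataclass(frozen=True)
class Policy:
    name: str
    from_groups: FrozenSet[str]        # VPN user groups in the policy's FROM field
    to_nets: Tuple[IPv4Network, ...]   # networks in the TO field; empty tuple = Any
    services: FrozenSet[Service]       # permitted (proto, port); empty set = Any service
    action: str = "allow"


def matches(policy: Policy, user_groups: FrozenSet[str], dst: str, service: Service) -> bool:
    """True if a packet from a user in user_groups to dst:service hits this policy."""
    if not policy.from_groups & user_groups:
        return False
    if policy.to_nets and not any(ip_address(dst) in net for net in policy.to_nets):
        return False
    if policy.services and service not in policy.services:
        return False
    return True


def first_match(policies: List[Policy], user_groups: FrozenSet[str],
                dst: str, service: Service) -> Optional[Policy]:
    """Top-down, first match wins; None means the implicit deny (assumption)."""
    for policy in policies:
        if matches(policy, user_groups, dst, service):
            return policy
    return None


def is_allowed(policies: List[Policy], user_groups: FrozenSet[str],
               dst: str, service: Service) -> bool:
    hit = first_match(policies, user_groups, dst, service)
    return hit is not None and hit.action == "allow"


# --- constructed sample configuration -------------------------------------
# The pre-created policy the Firebox adds when PPTP is enabled: PPTP-Users -> Any.
PRECREATED = Policy("PPTP-Users -> Any", frozenset({"PPTP-Users"}), (), frozenset())
# Per-group policies as in the answer: one ANY service, one HTTP-only, one HTTP/FTP/SMTP.
GRP1_ANY = Policy("grp1 -> finance (Any)", frozenset({"grp1"}),
                  (ip_network("10.0.10.0/24"),), frozenset())
GRP2_HTTP = Policy("grp2 -> intranet (HTTP)", frozenset({"grp2"}),
                   (ip_network("10.0.20.0/24"),), frozenset({("tcp", 80), ("tcp", 443)}))
GRP3_MAIL = Policy("grp3 -> mail (HTTP/FTP/SMTP)", frozenset({"grp3"}),
                   (ip_network("10.0.30.0/24"),),
                   frozenset({("tcp", 80), ("tcp", 21), ("tcp", 25)}))

# Every PPTP user stays in PPTP-Users (needed to authenticate) plus one custom group.
ALICE = frozenset({"PPTP-Users", "grp1"})
BOB = frozenset({"PPTP-Users", "grp2"})

CUSTOM_ONLY = [GRP1_ANY, GRP2_HTTP, GRP3_MAIL]
DEFAULT_BELOW = CUSTOM_ONLY + [PRECREATED]
DEFAULT_ABOVE = [PRECREATED] + CUSTOM_ONLY


def demo() -> Dict[str, Dict[str, bool]]:
    """Evaluate the same four test packets against each policy ordering."""
    probes = {
        "bob_intranet_http": (BOB, "10.0.20.5", ("tcp", 80)),
        "bob_intranet_ssh": (BOB, "10.0.20.5", ("tcp", 22)),
        "alice_finance_smb": (ALICE, "10.0.10.7", ("tcp", 445)),
        "alice_intranet_http": (ALICE, "10.0.20.5", ("tcp", 80)),
    }
    orderings = {"custom only": CUSTOM_ONLY, "default below": DEFAULT_BELOW,
                 "default above": DEFAULT_ABOVE}
    return {label: {probe: is_allowed(plist, *args) for probe, args in probes.items()}
            for label, plist in orderings.items()}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14s} {outcome}")
```

With only the three group policies in the list, Bob (grp2) reaches the intranet on port 80 but not on 22, and Alice (grp1) cannot reach the intranet at all. With the pre-created PPTP-Users -> Any policy still present, above or below the custom ones, every probe is allowed, because whatever the custom policies do not match falls through to it. Under this model the ordering decides which policy a packet is matched and logged against, while removing the broad policy (the second option in the comment above) is what actually enforces the per-group restriction.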
I got it working!  Thanks!  This is not the last time you will hear from me!