Solved

Customizing PPTP WatchGuard Firebox

Posted on 2008-10-07
10
2,992 Views
Last Modified: 2013-11-16
I am having a little trouble customizing PPTP.  I want some PPTP users to have access to a certain network and not another.  However, I only can seem to VPN in if I have users in the "PPTP-Users" group.  The reason I don't want to keep using the PPTP-Users group is because I want some users to be able to access only certain parts of the network.  If I empty the PPTP-Users group and make new groups and apply those in the TO section of particular PPTP policies rather than ANY, I am unable to log on.  Also, is it possible to only allow certain ports for those connecting via VPN?  I am working at a start-up company that is trying to secure their network after having been hacked for the first time.
0
Comment
Question by:mansurw02
10 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22662973
Let's say you have user1-10; now they all have to be part of the pre-created pptp_users group. You can create your own user groups, e.g., grp1, grp2 and grp3; now distribute the users in these groups and configure the policy to allow access as below:
Service-1
Enabled and allowed; from grp1; to specific-ip-range/subnet/hosts
Service-2
Enabled and allowed; from grp2; to specific-ip-range/subnet/hosts
Service-3
Enabled and allowed; from grp3; to specific-ip-range/subnet/hosts

Please implement and update.

Thank you.
0
 

Author Comment

by:mansurw02
ID: 22663181
So keep the default PPTP policy that WatchGuard created and then make new policies with PPTP and GRE ports for each of the groups?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22663219
No, that would not work until you get the order of the custom policy before the pre-created policy; or delete the pre-created policy.

Thank you.
0

Author Comment

by:mansurw02
ID: 22663558
I am making 3 new policies for 3 groups.  They will all be PPTP policies (1723 and GRE) and placed above the pre-created PPTP.  I have filled the appropriate group in FROM and the relevant network in the TO field.  I will be testing it by logging in via VPN with one of the groups and trying to access a network that should not be accessible.  I am experiencing a delay because when I click Save to Firebox it says "There is a read/write session initiated from src IP X.X.X.X, Click Yes to terminate the r/w session and continue or click no to abort the entire operation."  When I click Yes, it stops at "Checking the version of Firebox" and then returns with the error "An error occurred while retrieving all features keys from Firebox X.X.X.X. Message processing timeout.  Please try again."  Any idea what's wrong?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22663676
First thing: are you using the Firebox as PPTP server? If yes, then you do not need the PPTP service with GRE; the service I mentioned was to allow the remote users access to the trust network.

Make sure that the Firebox is not locked by some other user; if the problem persists and it is possible, reboot the unit; the session would be closed and you would be able to establish a read+write session to the unit.

Please let me know if you need more details.

Thank you.
0
 

Author Comment

by:mansurw02
ID: 22663896
Let me start from the beginning.  We were not using VPNs at all.  Now we are trying to configure VPN for PC, Mac, and Linux through our Firebox x5500e.  PPTP seems to be the most universal and easiest to configure (so they say).  With your help, I have been able to establish a PPTP VPN connection.  All I used was VPN>>Mobile VPN>PPTP and set an address pool.  Things work fine.  Now I would like to customize the PPTP so only certain networks behind the Firebox can be accessed by certain VPN users.  I have not touched any other settings.  I assume the Firebox is automatically my PPTP server.  You are saying that I do not need the PPTP service?  What do you mean?  How do I VPN via PPTP?  Where I am now is trying to configure 3 additional policies for 3 groups that will be accessing the VPN.  I want to control what networks they are able to access once they are connected.  I am starting to get the hang of this device, but seeing as I just began using it 2 days ago, I need a bit more detail in any instructions.  I can give you whatever details you want.  I appreciate all your help.
0
 

Author Comment

by:mansurw02
ID: 22663918
As for the lock-up issue, I am not physically at my device, so I hope the issue will resolve itself soon.  Otherwise, I assume I will need to trek downtown to reboot the device.
0
 

Author Comment

by:mansurw02
ID: 22664002
I see there is a reboot option in Firebox System Manager.  Any idea how long this takes?  We are currently in business hours.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 22666191
Normally the device would get rebooted in 2-3 minutes; and yes you can reboot the device from System Manager.

As you are using the Firebox as PPTP server, there is no need for any PPTP service, because we are not using PPTP passthrough; when the Firebox acts as PPTP server it knows it needs to listen for incoming PPTP requests, and there is no need for any service here.
To configure PPTP, we first enable the check box as you have already done and configure the virtual IP address/pool.
After this we need to create a policy which would determine which remote users/groups would have what access; with MUVPN [IPSec VPN implementation] you can configure remote network access parameters, but with PPTP the policy is the only thing which controls things.

So, if you wish all traffic on all ports/protocols to be allowed between the remote users and the Firebox, then we use the ANY service. You would use multiple ANY services to have differential access to networks by different groups. You can also create a custom service instead of ANY, and you can restrict the user access based on protocol/port as well. The configuration for the services would remain as we have already discussed; you might even have an ANY service for a specific group, an HTTP service for just one group and maybe a combination of HTTP, FTP and SMTP services for the third; these are hypothetical examples, please configure per your need.

Thank you.
0
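A small model of the policy logic the accepted answer describes, added here as an example and not taken from the thread or from WatchGuard: each policy has a FROM group, TO networks and a service (ANY or a port set), policies are evaluated top-down with first match winning and everything unmatched denied (a simplification of Fireware's real precedence rules), and a broad pre-created PPTP-Users/ANY policy left in the list overrides the per-group restrictions. User names, group names and subnets are constructed.

```python
"""Toy first-match policy evaluator for group-based PPTP access.

Constructed model: top-down, first match wins, implicit deny at the end.
It does not reproduce Fireware's actual policy precedence logic.
"""
from ipaddress import ip_address, ip_network

ANY = "ANY"

# Constructed membership: every PPTP user stays in PPTP-Users (needed to
# log in) and is additionally placed in a narrower access group.
GROUPS = {
    "alice": {"PPTP-Users", "grp1"},
    "bob": {"PPTP-Users", "grp2"},
    "carol": {"PPTP-Users", "grp3"},
}

def policy(name, from_group, to_nets, services, enabled=True):
    """One policy: FROM group, TO networks, allowed (proto, port) set or ANY."""
    return {"name": name, "from": from_group,
            "to": [ip_network(n) for n in to_nets],
            "services": services, "enabled": enabled}

# Per-group policies: ANY for grp1, HTTP only for grp2, HTTP/FTP/SMTP for grp3.
GROUP_POLICIES = [
    policy("grp1-any", "grp1", ["10.0.1.0/24"], ANY),
    policy("grp2-http", "grp2", ["10.0.2.0/24"], {("tcp", 80)}),
    policy("grp3-web-mail", "grp3", ["10.0.3.0/24"],
           {("tcp", 80), ("tcp", 21), ("tcp", 25)}),
]
# The broad pre-created policy: all of PPTP-Users to every trusted subnet.
PRECREATED = policy("WatchGuard-PPTP", "PPTP-Users", ["10.0.0.0/16"], ANY)

def first_match(policies, user, dst_ip, proto, port):
    """Name of the first enabled policy matching the flow, or None (deny)."""
    dst = ip_address(dst_ip)
    for p in policies:
        if not p["enabled"] or p["from"] not in GROUPS.get(user, set()):
            continue
        if not any(dst in net for net in p["to"]):
            continue
        if p["services"] == ANY or (proto, port) in p["services"]:
            return p["name"]
    return None

def leaks(policies, forbidden_flows):
    """Flows (user, dst, proto, port) that should be denied but are allowed."""
    return [f for f in forbidden_flows if first_match(policies, *f) is not None]
```

Running `leaks` over the group policies alone returns nothing, while appending the pre-created ANY policy lets the same flows through, which is why the answer says to order the custom policies first or delete the pre-created one.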
 

Author Closing Comment

by:mansurw02
ID: 31503971
I got it working!  Thanks!  This is not the last time you will hear from me!
0
