Solved

WatchGuard VPN Connecting to Internal LAN

Posted on 2008-10-10
Last Modified: 2013-11-16
We have Watchguard Firebox x1250e running Firebox v10.2
We have multi wan interface setup on firebox.
I have set up SSLVPN on one of the external interfaces with Active Directory authentication and the client can initiate the connection to the external interface on ip: 212.1.X.0
our internal lan ip range from: 172.1.x.x
my question is how do the client access resource/terminal services on internal lan (172.0.x.x)?
I have been told by one of the techie guys that you must add the vpnssl user group to your internal Active Directory.
Not sure if this is correct, but can someone also guide me on how to add vpnssl users to AD?
I'm new to WatchGuard - please give me a step by step guide?

regards
Question by:PeterMatthews
LVL 32

Expert Comment

by:dpk_wal
To configure authentication server:
In Policy Manager; go to Setup->Authentication->Authentication Servers; go to Active Directory tab; specify the primary server settings; and/or add backup if needed. Make sure to check the box "Enable Active Directory server".

After this you would need to add the user/group:
In Policy Manager; go to Setup->Authentication->Authorized Users/Groups; click Add; specify the Name [as configured on server]; specify type as user/group and select Auth Server as Active Directory.

Finally, configure SSL VPN settings:
In Policy Manager; go to VPN->Mobile VPN->SSL; check the box "Activate Mobile VPN with SSL".
Under General; select Authentication Server as Active Directory; under IP address; you can leave the firebox external IP [select from drop-down box if you wish the incoming connections from remote clients on some other IP]; under Allowed Resources; select "Force all client traffic through tunnel" if you wish to create zero route tunnel; otherwise specify 172.1.x.x as the subnet.
Now specify the address pool; IP would be assigned to remote clients from this pool.
Under Advanced configure the authentication, encryption and other setting which you would configure on the client.

You would need to download client from the watchguard website and configure the VPN SSL client as per the settings configured.

WG ver 10.x would automatically create a policy which would give the remote client access to the resources as configured above.

Please implement and update.

Thank you.

Author Comment

by:PeterMatthews
Hi,
We have already done the above task and the client does initiate the connection and receives an IP address which was allocated from the address pool.
Unfortunately the client cannot access the resources on our network!!
we have already logged this case with Watchguard support and they asked us to Add a group called "SSLVPN-Users" to our active directory tree.
Please see the logs below which support team sent us:
2008-10-08 17:13:31 admd ADM auth get user group EVERYBODY msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Exchange Domain Servers msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Administrators msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Domain Admins msg_id="1100-1020" Event

Can you please help me to add the group to our AD?

Regards,
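As an added illustration (not part of the thread or of WatchGuard's tooling), the following PowerShell snippet parses the admd lines quoted above and checks whether the group WatchGuard support asked for, "SSLVPN-Users", is among the groups the Firebox enumerated for the connecting user. The group name is taken from the support advice in this thread; the regular expression and function name are the example's own assumptions about the log format shown here.

```powershell
# Added example, not from the thread: check the admd group enumeration quoted by
# WatchGuard support for the group name the Firebox is configured to authorise.

$RequiredGroup = 'SSLVPN-Users'   # name given by WatchGuard support in the thread

# The four log lines quoted in the thread, embedded here as sample input.
$LogLines = @(
    '2008-10-08 17:13:31 admd ADM auth get user group EVERYBODY msg_id="1100-1020" Event',
    '2008-10-08 17:13:31 admd ADM auth get user group Exchange Domain Servers msg_id="1100-1020" Event',
    '2008-10-08 17:13:31 admd ADM auth get user group Administrators msg_id="1100-1020" Event',
    '2008-10-08 17:13:31 admd ADM auth get user group Domain Admins msg_id="1100-1020" Event'
)

function Get-AdmdUserGroups {
    param([string[]]$Lines)
    # Group names may contain spaces ("Domain Admins"), so capture everything
    # between "get user group " and the " msg_id=" field.
    foreach ($line in $Lines) {
        if ($line -match 'admd ADM auth get user group (?<group>.+?) msg_id=') {
            $Matches['group']
        }
    }
}

$groups = @(Get-AdmdUserGroups -Lines $LogLines)
Write-Host "Groups admd returned for the user: $($groups -join ', ')"

# -ccontains is case-sensitive, matching the "letter for letter" requirement
# the accepted answer in this thread describes.
if ($groups -ccontains $RequiredGroup) {
    Write-Host "OK: user is a member of '$RequiredGroup'; the Firebox group mapping should succeed."
} else {
    Write-Host "MISSING: '$RequiredGroup' is not among the user's AD groups; create it in AD and add the user."
}
```

Run against the four lines from the thread it reports MISSING, which is the state the support team was pointing at: the user authenticates, but none of the returned groups matches the group name the Firebox's authorized-group entry expects.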
LVL 32

Expert Comment

by:dpk_wal
I am sorry, I would not be able to assist you with server configuration as I am not the best person.

Out of curiosity, what is the IP subnet of the client; is it same as the IP subnet behind firebox; if yes, this is the reason why the remote client is not able to access any shared network resources.

Thank you.

Author Comment

by:PeterMatthews
Our LAN ip range: 172.1.x.x
WatchGuard IP Address Pool: 192.1.x.x. When clients connect to the WatchGuard they do receive an IP address in the range of 192.1.x.x.

Are there any rules to be added to Policy Manager to allow certain traffic from 192.1.x.x to our internal LAN?

Please guide me step by step?

thanks
LVL 32

Expert Comment

by:dpk_wal
WG ver 10.x would automatically create a policy which would give the remote client access to the resources as configured. Can you double check if you have this rule/policy in place?

Other than this if the user/group needs to be added to AD; then as I said I would not be able to help further; some other expert would be able to assist you with adding user in AD.

Thank you.
LVL 1

Accepted Solution

by:nl4jy (earned 500 total points)
In order to add the WG SSL group in AD, just create the group in AD.  The group name needs to match what WG gives you.  I believe it's "SSLVPN-Users".  You need to type this letter for letter in your AD infrastructure.  Then add the users accordingly to the group in AD that you want to have VPN access.
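The accepted answer describes a manual step in the AD tools; as an added example (not the answerer's code, not a WatchGuard-supplied script), the same step done with the Active Directory PowerShell module, including a membership check that mirrors the group enumeration the Firebox log showed. The group name "SSLVPN-Users" is the one named in this thread; the OU path and the user names are constructed placeholders and must be replaced with real values.

```powershell
# Added example, not from the thread: create the group WatchGuard expects and
# verify that each VPN user's group list contains it, spelled exactly.
Import-Module ActiveDirectory

$GroupName = 'SSLVPN-Users'                      # must match the WatchGuard group name letter for letter
$GroupOU   = 'OU=Groups,DC=example,DC=com'       # placeholder OU, replace with your own
$Members   = @('jdoe', 'asmith')                 # placeholder sAMAccountNames, replace with your own

# Create the group only if it does not already exist (idempotent re-runs).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
                         -GroupScope Global -GroupCategory Security `
                         -Path $GroupOU -PassThru
    Write-Host "Created group '$($group.Name)' in $GroupOU"
} else {
    Write-Host "Group '$($group.Name)' already exists"
}

# Grant VPN access by membership only; no other AD change is needed for the mapping.
Add-ADGroupMember -Identity $GroupName -Members $Members

# Verify: the names returned here are what the Firebox's admd compares against
# its authorized-group entry, so the match is checked case-sensitively.
foreach ($user in $Members) {
    $names = @((Get-ADPrincipalGroupMembership -Identity $user).Name)
    if ($names -ccontains $GroupName) {
        Write-Host "OK: $user is a member of '$GroupName'"
    } else {
        Write-Host "MISSING: $user is not in '$GroupName' (groups: $($names -join ', '))"
    }
}
```

Run it once as a domain admin on a machine with RSAT installed; the verification loop at the end is the part worth keeping, since a near-miss in spelling or case produces exactly the symptom in the thread (authentication succeeds, resource access fails) without any error on the client.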
LVL 1

Expert Comment

by:nl4jy
The problem where your SSLVPN cannot connect to any internal LAN resource could be related to your switches.  Can you try connecting a PC directly to one of the WatchGuard interfaces and getting your SSLVPN users to connect to that one PC?