  • Status: Solved

WatchGuard VPN Connecting to Internal LAN

We have a WatchGuard Firebox x1250e running Firebox v10.2.
We have a multi-WAN interface setup on the firebox.
I have set up SSL VPN on one of the external interfaces with Active Directory authentication, and the client can initiate the connection to the external interface on IP 212.1.X.0.
Our internal LAN IP range is 172.1.x.x.
My question is: how do the clients access resources/terminal services on the internal LAN (172.0.x.x)?
I have been told by a techie guy that you must add the VPN SSL user group to your internal Active Directory.
Not sure if this is correct, but can someone also guide me on how to add VPN SSL users to AD?
I'm new to WatchGuard; please give me a step-by-step guide.

regards
Asked by PeterMatthews
1 Solution
 
dpk_wal commented:
To configure the authentication server:
In Policy Manager, go to Setup -> Authentication -> Authentication Servers, go to the Active Directory tab, specify the primary server settings and/or add a backup if needed. Make sure to check the box "Enable Active Directory server".

After this you would need to add the user/group:
In Policy Manager, go to Setup -> Authentication -> Authorized Users/Groups, click Add, specify the Name [as configured on the server], specify the type as user/group and select the Auth Server as Active Directory.

Finally, configure the SSL VPN settings:
In Policy Manager, go to VPN -> Mobile VPN -> SSL and check the box "Activate Mobile VPN with SSL".
Under General, select the Authentication Server as Active Directory. Under IP address, you can leave the Firebox external IP [select from the drop-down box if you wish to accept incoming connections from remote clients on some other IP]. Under Allowed Resources, select "Force all client traffic through tunnel" if you wish to create a zero-route tunnel; otherwise specify 172.1.x.x as the subnet.
Now specify the address pool; IPs would be assigned to remote clients from this pool.
Under Advanced, configure the authentication, encryption and other settings which you would configure on the client.

You would need to download the client from the WatchGuard website and configure the VPN SSL client as per the settings configured.

WG ver 10.x would automatically create a policy which would give the remote client access to the resources as configured above.

Please implement and update.

Thank you.

PeterMatthews (author) commented:
Hi,
We have already done the above task, and the client does initiate the connection and receives an IP address which was allocated from the address pool.
Unfortunately the client cannot access the resources on our network!!
We have already logged this case with WatchGuard support and they asked us to add a group called "SSLVPN-Users" to our Active Directory tree.
Please see the logs below which support team sent us:
2008-10-08 17:13:31 admd ADM auth get user group EVERYBODY msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Exchange Domain Servers msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Administrators msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Domain Admins msg_id="1100-1020" Event

Can you please help me to add the group to our AD?

Regards,
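The admd lines above list the AD groups the Firebox fetched for the authenticating user, so they can be checked directly for the group the SSL VPN expects. The following is an added example, not code from the thread or from WatchGuard; it assumes the log lines follow the format of the four quoted above and that the expected group name is "SSLVPN-Users" as support stated. The near-miss check assumes the Firebox compares the Authorized Users/Groups name literally, so a group that differs only in case would still not match.

```python
import re

# Constructed sample input: the four admd lines quoted in the thread.
SAMPLE_LOG = """\
2008-10-08 17:13:31 admd ADM auth get user group EVERYBODY msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Exchange Domain Servers msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Administrators msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Domain Admins msg_id="1100-1020" Event
"""

# Group names may contain spaces ("Exchange Domain Servers"), so the name is
# matched non-greedily up to the msg_id attribute instead of split on spaces.
GROUP_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) admd ADM auth get user group '
    r'(?P<group>.+?) msg_id="(?P<msg_id>[^"]+)"'
)


def parse_groups(log_text):
    """Return the AD group names admd reported for the user, in log order."""
    groups = []
    for line in log_text.splitlines():
        match = GROUP_LINE.match(line.strip())
        if match:
            groups.append(match.group("group"))
    return groups


def check_required_group(groups, required="SSLVPN-Users"):
    """Compare the logged groups against the name the Firebox expects.

    Returns (status, group):
      ("ok", name)        exact match present
      ("near-miss", name) a group differs only in case or surrounding
                          whitespace (assumed not to match, since the
                          configured name is compared literally)
      ("missing", None)   nothing resembling the required group was logged
    """
    if required in groups:
        return "ok", required
    wanted = required.strip().casefold()
    for group in groups:
        if group.strip().casefold() == wanted:
            return "near-miss", group
    return "missing", None


def report(log_text, required="SSLVPN-Users"):
    """Human-readable summary for one user's authentication attempt."""
    groups = parse_groups(log_text)
    status, hit = check_required_group(groups, required)
    lines = ["groups seen: " + (", ".join(groups) or "(none)")]
    if status == "ok":
        lines.append(f"{required} present: the SSL VPN policy should match this user")
    elif status == "near-miss":
        lines.append(f"found {hit!r} but the Firebox expects {required!r}: rename the AD group")
    else:
        lines.append(f"{required} absent: the user is not in the group the SSL VPN expects")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the quoted lines it reports the four groups and "SSLVPN-Users absent", which is the same conclusion support drew; feeding it a later traffic log after the group has been created confirms the fix without waiting for a user to test.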
 
dpk_wal commented:
I am sorry, I would not be able to assist you with the server configuration as I am not the best person for that.

Out of curiosity, what is the IP subnet of the client? Is it the same as the IP subnet behind the Firebox? If yes, this is the reason why the remote client is not able to access any shared network resources.

Thank you.
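The overlap question above is easy to check mechanically before touching policies: the address pool must be distinct from every internal subnet, and the remote user's own LAN must not share a range with the internal LAN, because the client's directly connected route wins over the tunnel route. The following is an added example, not code from the thread or from WatchGuard; the prefix lengths (172.1.0.0/16 for the LAN, 192.1.0.0/24 for the pool, 192.168.1.0/24 for a remote user's home network) are assumptions, since the thread only gives the ranges as 172.1.x.x and 192.1.x.x.

```python
import ipaddress


def audit_vpn_addressing(lan_subnets, vpn_pool, client_local_subnet=None):
    """Return a list of addressing problems; an empty list means no overlap.

    lan_subnets:          networks behind the Firebox (the Allowed Resources)
    vpn_pool:             the Mobile VPN with SSL address pool
    client_local_subnet:  the remote user's own LAN, if known (optional)
    """
    findings = []
    lans = [ipaddress.ip_network(s, strict=False) for s in lan_subnets]
    pool = ipaddress.ip_network(vpn_pool, strict=False)

    # The pool must not overlap an internal subnet: if it does, LAN hosts
    # treat VPN client addresses as local and never send replies via the
    # Firebox.
    for lan in lans:
        if pool.overlaps(lan):
            findings.append(f"address pool {pool} overlaps internal subnet {lan}")

    if client_local_subnet is not None:
        local = ipaddress.ip_network(client_local_subnet, strict=False)
        # If the user's home/office LAN uses the same range as the remote LAN,
        # the client's connected route is preferred and traffic for the
        # internal resources never enters the tunnel.
        for lan in lans:
            if local.overlaps(lan):
                findings.append(
                    f"client local subnet {local} overlaps internal subnet {lan}: "
                    f"traffic for {lan} stays on the client's local network"
                )
        if local.overlaps(pool):
            findings.append(f"client local subnet {local} overlaps address pool {pool}")
    return findings


def describe(findings):
    """Format the audit result for a quick read."""
    if not findings:
        return "OK: pool, internal LAN and client LAN are disjoint"
    return "PROBLEMS:\n  " + "\n  ".join(findings)


if __name__ == "__main__":
    # Constructed values based on the ranges given in the thread (prefix
    # lengths assumed).
    print(describe(audit_vpn_addressing(["172.1.0.0/16"], "192.1.0.0/24", "192.168.1.0/24")))
    # Constructed failure case: a remote user whose own LAN is also 172.1.x.x.
    print(describe(audit_vpn_addressing(["172.1.0.0/16"], "192.1.0.0/24", "172.1.5.0/24")))
```

When an individual user cannot reach internal resources while others can, running the second case with that user's local subnet is usually quicker than re-checking the Firebox policy.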
 
PeterMatthews (author) commented:
Our LAN IP range: 172.1.x.x
WatchGuard IP Address Pool: 192.1.x.x. When clients connect to the WatchGuard they do receive an IP address in the range 192.1.x.x.

Are there any rules to be added in Policy Manager to allow certain traffic from 192.1.x.x to our internal LAN?

Please guide me step by step?

thanks

dpk_wal commented:
WG ver 10.x would automatically create a policy which would give the remote client access to the resources as configured. Can you double-check that you have this rule/policy in place?

Other than this, if the user/group needs to be added to AD, then as I said I would not be able to help further; some other expert would be able to assist you with adding the user in AD.

Thank you.

nl4jy commented:
In order to add the WG SSL group in AD, just create the group in AD. The group name needs to match what WG gives you. I believe it's "SSLVPN-Users". You need to type this letter for letter in your AD infrastructure. Then add the users that you want to have VPN access to that group in AD.

nl4jy commented:
The problem where your SSL VPN cannot connect to any internal LAN resource could be related to your switches. Can you try connecting a PC directly to one of the WatchGuard interfaces and getting your SSL VPN users to connect to that one PC?