Solved

WatchGuard VPN Connecting to Internal LAN

Posted on 2008-10-10
2,350 Views
Last Modified: 2013-11-16
We have a WatchGuard Firebox X1250e running Fireware v10.2.
We have a multi-WAN interface setup on the Firebox.
I have set up SSL VPN on one of the external interfaces with Active Directory authentication, and the client can initiate the connection to the external interface on IP 212.1.X.0.
Our internal LAN IP range is 172.1.x.x.
My question is: how does the client access resources/terminal services on the internal LAN (172.0.x.x)?
I have been told by a techie guy that you must add the VPN SSL user group to your internal Active Directory.
Not sure if this is correct, but can someone also guide me on how to add VPN SSL users to AD?
I'm new to WatchGuard - please give me a step by step guide.

regards
Question by:PeterMatthews
7 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22688680
To configure authentication server:
In Policy Manager; go to Setup->Authentication->Authentication Servers; go to Active Directory tab; specify the primary server settings; and/or add backup if needed. Make sure to check the box "Enable Active Directory server".

After this you would need to add the user/group:
In Policy Manager; go to Setup->Authentication->Authorized Users/Groups; click Add; specify the Name [as configured on server]; specify type as user/group and select Auth Server as Active Directory.

Finally, configure SSL VPN settings:
In Policy Manager; go to VPN->Mobile VPN->SSL; check the box "Activate Mobile VPN with SSL".
Under General; select Authentication Server as Active Directory; under IP address; you can leave the firebox external IP [select from drop-down box if you wish the incoming connections from remote clients on some other IP]; under Allowed Resources; select "Force all client traffic through tunnel" if you wish to create zero route tunnel; otherwise specify 172.1.x.x as the subnet.
Now specify the address pool; IP would be assigned to remote clients from this pool.
Under Advanced configure the authentication, encryption and other setting which you would configure on the client.

You would need to download client from the watchguard website and configure the VPN SSL client as per the settings configured.

WG ver 10.x would automatically create a policy which gives the remote client access to the resources as configured above.

Please implement and update.

Thank you.
 

Author Comment

by:PeterMatthews
ID: 22701351
Hi,
We have already done the above task, and the client does initiate the connection and receives an IP address which was allocated from the address pool.
Unfortunately the client cannot access the resources on our network!!
We have already logged this case with WatchGuard support and they asked us to add a group called "SSLVPN-Users" to our Active Directory tree.
Please see the logs below which support team sent us:
2008-10-08 17:13:31 admd ADM auth get user group EVERYBODY msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Exchange Domain Servers msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Administrators msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Domain Admins msg_id="1100-1020" Event

Can you please help me to add the group to our AD?

Regards,
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22701371
I am sorry, I would not be able to assist you with server configuration as I am not the best person.

Out of curiosity, what is the IP subnet of the client; is it the same as the IP subnet behind the Firebox? If yes, this is the reason why the remote client is not able to access any shared network resources.

Thank you.
 

Author Comment

by:PeterMatthews
ID: 22701576
Our LAN IP range: 172.1.x.x
WatchGuard IP address pool: 192.1.x.x. When clients connect to the WatchGuard they do receive an IP address in the range 192.1.x.x.

Are there any rules to be added in Policy Manager to allow certain traffic from 192.1.x.x to our internal LAN?

Please guide me step by step?

thanks
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22702102
WG ver 10.x would automatically create a policy which gives the remote client access to the resources as configured. Can you double check if you have this rule/policy in place?

Other than this if the user/group needs to be added to AD; then as I said I would not be able to help further; some other expert would be able to assist you with adding user in AD.

Thank you.
 
LVL 1

Accepted Solution

by:nl4jy (earned 2000 total points)
ID: 22963960
In order to add the WG SSL group in AD, just create the group in AD.  The group name needs to match what WG gives you.  I believe it's "SSLVPN-Users".  You need to type this letter for letter in your AD infrastructure.  Then add the users accordingly to the group in AD that you want to have VPN access.
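An added check, not from the thread or from WatchGuard: after creating the group, the `admd ADM auth get user group` lines quoted above are the quickest way to confirm the Firebox actually received it. This parses such lines and reports whether the expected group (`SSLVPN-Users`, as named in the accepted solution) came back exactly, only with a case difference, or not at all. The sample lines are constructed to match the format quoted earlier in the thread.

```python
import re

# Constructed sample, modelled on the admd lines quoted in the thread.
# None of the four groups is the SSL VPN group, which is the symptom described.
SAMPLE_LOG = """\
2008-10-08 17:13:31 admd ADM auth get user group EVERYBODY msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Exchange Domain Servers msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Administrators msg_id="1100-1020" Event
2008-10-08 17:13:31 admd ADM auth get user group Domain Admins msg_id="1100-1020" Event
"""

# Group names may contain spaces ("Exchange Domain Servers"), so match lazily
# up to the msg_id attribute instead of stopping at the first space.
GROUP_LINE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) admd ADM auth get user group '
    r'(?P<group>.+?) msg_id="(?P<msg_id>[^"]+)" Event$'
)


def parse_groups(log_text):
    """Return the AD group names admd reported for the user, in log order."""
    groups = []
    for line in log_text.splitlines():
        m = GROUP_LINE.match(line.strip())
        if m:
            groups.append(m.group("group"))
    return groups


def check_vpn_group(log_text, expected="SSLVPN-Users"):
    """Classify the membership result:
    'ok'            - the expected group was returned letter for letter
    'case-mismatch' - a group with that name exists but the case differs,
                      which will not satisfy the Firebox's group lookup
    'missing'       - the user is not in any group of that name"""
    groups = parse_groups(log_text)
    if expected in groups:
        return "ok"
    if any(g.lower() == expected.lower() for g in groups):
        return "case-mismatch"
    return "missing"


if __name__ == "__main__":
    print("groups returned:", parse_groups(SAMPLE_LOG))
    print("SSLVPN-Users status:", check_vpn_group(SAMPLE_LOG))
```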
 
LVL 1

Expert Comment

by:nl4jy
ID: 22988496
The problem where your SSL VPN cannot connect to any internal LAN resource could be related to your switches.  Can you try connecting a PC directly to one of the WatchGuard interfaces and try getting your SSL VPN users to connect to that one PC?