MATTJWILLIAMS
asked on
AV enforcement on VPN Zone stops all traffic on Sonicwall NSA 3500 Enhanced
When AV enforcement is enabled on the VPN zone it stops all traffic. We route all traffic via the tunnel including Internet. The VPN tunnel remains open - it just doesn't pass traffic. All remote computers have the AV client installed. The SonicWall does not prompt for the AV to be updated or installed. I have run packet captures and the packet never reaches the client from the firewall to check the remote's AV status.
Computers on the LAN side of the firewall work fine.
Is this a site-to-site VPN or a Global VPN client?
ASKER
This is a site-to-site VPN.
There is also nothing in the logs of the SonicWall that shows it is blocking UDP port 59152 or 59153, which send the McAfee status messages between the client and firewall that make sure it is installed, updated, and running.
I will check with support in the morning. I think the issue is to do with the company key being checked via VPN and then furthermore via Internet on a different device.
Do you have enforced client licensed on separate firewalls?
ASKER
We did try enforcing the AV on the remote firewall - We tried moving some licenses (share) to the remote firewall.
What is most puzzling is the main SonicWall does send out the request - but it never reaches the machine on the remote VPN.
ASKER
Any ideas?
If this is a site-to-site VPN then why are you trying to work in this way? You should have the enforcement on each site's LAN and not VPN. The SonicWALL at each site will then be responsible for its own AV. As long as both devices are registered in the same MySonicWALL.COM account then you can go into Manage Licences on one of the firewalls and split the licences to each device. Say you have 50 licences: you could put 30 on the first device and 20 on the other. That way, you don't need to increase the VPN traffic.
ASKER
That's how it was originally set up. It was not working that way either. The techs at SonicWall then suggested I needed to move these to the firewall where all Internet traffic was channeled through the VPN, since this is the firewall that checks for AV status.
Since all traffic is defaulted through the tunnel, the VPN updates would go through the tunnel anyway.