

Win Fax pro connection failure via SSL VPN

Posted on 2009-05-07
Medium Priority
Last Modified: 2012-05-06
I'm trying to connect to a Win Fax Pro server via an SSL VPN. I can't seem to get it to connect; whenever I try, I get a "cannot connect to server" or "general failure" error message. I've put in a packet filter allowing any traffic on any service from my SSL VPN pool. I see traffic pass back and forth between the VPN connection and the server, but the connection just fails. I've even changed the order of my network connections so that the VPN connection is the top one. I don't know where else to go short of setting up a workstation that the users will have to connect to on the network to use it.
Question by:Laz74
LVL 35

Expert Comment

ID: 24329725
What has this to do with WinFax Pro? You just want to establish a VPN connection, right? Where are the endpoints of the connection? Do you connect to a router in front of the server, to the server (RAS service) or to another on top service?

Try first to establish a PPTP connection before you try to use SSL. For a secured connection there are a few more conditions like certificates or preshared keys and so on.

Author Comment

ID: 24329989
It was to set up a Win Fax Pro connection via an SSL VPN; I have to use that type of connection because it is secure. The VPN connection works fine, thus the reason I see packets passing back and forth from my PC through the firewall that handles the SSL connection to the server. I have already established a VPN connection; it is after the connection is made and I try to access the Win Fax Pro server that I get the connection errors.
I know the Win Fax Pro server works and I can connect from the laptop, because when I use the wireless on the laptop (and yes, I am inside the network) I can log into the server just fine.
LVL 35

Expert Comment

ID: 24330892
So, what you want to say is:

You establish a VPN connection between your client and a server, where Win Fax Pro resides.
You can use the VPN connection (i.e. see files or shares and can access resources), but you cannot connect to WinFax Pro, right?

How do you do this, via a web interface? Or do you have a client on your machine which connects to the server?

VPN is an issue of its own, especially for all Windows versions before Vista.
On the client, you have to make sure:
- Firewall settings must allow the traffic between your client and the server.
- Your client must be able to find the server, so if an IP address is not used, your client must resolve the server name.
- The traffic for WinFax Pro must pass the VPN tunnel.

The shortcoming of VPN connections is that not all services are routed in the same way. Depending on your settings (Internet connection as well as the VPN tunnel itself), some services will be routed through the tunnel, others not. Some rules:

- Web traffic is routed as configured within your browser proxy settings. If the setting is automatic, the browser may connect to the internet, not to the VPN tunnel. Check whether you can reach a web site on the other end of the VPN tunnel as well as public web sites.

- DNS / WINS traffic is (mostly) routed as configured within the VPN tunnel network configuration. This may be overwritten by some providers. To check this, just type nslookup with an external address as well as with an internal address and see if internal addresses can be resolved.

- All other traffic follows the default gateway. As a computer can have only one, the last connection should overwrite everything before. As the VPN is the last connection, this setting should be valid, but some ISPs have some different opinions about this. To check, type route print at the command prompt and see if the default gateway is internal or external.

Also relevant for the usage of the different settings is the binding order of the NICs. As your internet connection as well as the VPN are handled as NICs, the VPN tunnel should be before the internet connection. Otherwise the internet connection setting may overwrite the VPN settings.
To check: Start - Settings - Network connections --> menu Enhanced --> Enhanced settings. Disable Printer and file share / Windows client on the internet connection and enable it on the VPN tunnel.


Author Comment

ID: 24331636
You establish a VPN connection between your client and a server, where Win Fax Pro resides.  No
I use an Open VPN client that the firewall handles, as well as hands out the address. I am able to make a secure connection, and access resources.
Once I launch the client and make a connection to the network, I can ping the server. So the laptop can find the server via the tunnel.
As I said before, via watching the packet filter logs and a tcpdump done on both interfaces, I see traffic going to the server and the server responding to the laptop, but the connection never gets made. This means routing is not a problem, as they know about each other and do "talk" to each other.
Oh and the packet capture was done by filtering for the Server's address, so I could see the packets going out to the laptop's VPN assigned address.
Packet traffic was not on Web traffic ports as Web Fax Pro uses randomly assigned ports and all the ones it was communicating on were not web based ports.
As far as a routing table as I said before packets do travel back and forth between the devices, which means they know the correct gateway (which is the firewall device).
It's not a matter of getting them to see each other, it's a matter of getting them to connect properly.
LVL 35

Expert Comment

ID: 24331820
OK so far, I understand.

You said, that WinFax Pro uses random ports:
This would point me always to a firewall issue. Random ports are not a problem for clients within the network, but are regularly a problem for any firewall as far as involved.

You said, that you can connect to the server (via Laptop) if you connect directly via WLAN.
You can not connect via your PC, if it is connected via VPN.

Also you said, that the VPN connection is made between a third party VPN client and your corp firewall.

1.) Some firewalls know something like a quarantine VPN client with limited access. Usually a full VPN connection ends behind the firewall, so that the corp firewall should not be involved. You are inside the corp network as if you were using a cable or WLAN.

This I would check, if your VPN endpoint has any limitations.

2.) Check your local Windows firewall (or just disable it). Especially as you have said "random ports". Whether the Windows firewall is involved depends on your VPN client.

3.) Any virus scanner or something on the client?

4.) Can the vpn client itself be the problem?

5.) Are there any other routers between your vpn endpoints and the WinFaxPro server? Means, are you directly attached via vpn to the subnet, where the WinFaxPro server resides?

6.) Last idea I have at the moment are the routers. They should usually have nothing to do with the vpn connection, nevertheless I observed especially with Cisco routers some problems where some IP protocols like GRE were blocked by default.


Author Comment

ID: 24339646
Did some deeper digging and discovered that the issue is actually with Win Fax. It uses broadcast packets, and since those aren't routable past the firewall (much less down the VPN connection), it isn't going to work via this method. I'll have to explore a different route other than a no longer supported software.
LVL 35

Expert Comment

ID: 24341024
Maybe you can try the following:

Broadcasts are not routable, this is true.
Does your client get an IP from your corp network (i.e. DHCP) while connected via VPN?

Author Comment

ID: 24355947
The IP address comes from the firewall itself. The firewall will drop the packets. We could switch to some other sort of VPN system that has an endpoint behind the firewall, which is not an option. The only thing left is to switch to a different software program. Any suggestions on that?
Yes I know it's a change of topic, sort of.
LVL 35

Accepted Solution

Bembi earned 375 total points
ID: 24359074
OK, this is a hint. But usually, in most firewalls, you can configure everything. If the firewall drops packages, there may be a few reasons.

One reason may be that your VPN connection is limited. If you can separate the IP ranges for your public interface (i.e. a separate address space), you may be able to set different rules for these sources.

Another reason may be that the firewall allows the initiation over TCP, but drops subsequent connections, i.e. because this is UDP traffic. Usually, you should be able to allow subsequent ports after the connection is established. Usually, you find some information from the manufacturer, if and which additional ports are needed.

But, found this:
If this is true so far, it is nearly impossible to get such an application to run safely through a firewall, as you never know which ports are used. If this is the case, the only possibility would be to tell your firewall to give VPN clients full access to the internal network.

Author Closing Comment

ID: 31579171
The firewall is already allowing all the traffic in from the VPN; the problem is the firewall won't forward broadcasts, which means anything that uses broadcast won't work at all.
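The diagnosis reached in this thread, as an added example that is not part of any poster's message: ping and unicast TCP cross the routed firewall hop and show up in a capture, while broadcast destinations never leave the sender's segment. The subnets, addresses, ports and capture rows below are constructed for illustration; the thread gives none.

```python
import ipaddress

# Constructed addressing plan (assumed; the thread gives no addresses).
LAN = ipaddress.ip_network("192.168.10.0/24")    # fax server's subnet
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")   # pool the firewall hands out
SEGMENTS = (LAN, VPN_POOL)

# Constructed capture rows: (source, destination, protocol, destination port).
CAPTURE = [
    ("10.8.0.6", "192.168.10.20", "icmp", 0),           # ping over the tunnel
    ("10.8.0.6", "192.168.10.20", "tcp", 135),          # unicast request
    ("192.168.10.20", "10.8.0.6", "tcp", 49200),        # unicast reply
    ("10.8.0.6", "255.255.255.255", "udp", 6000),       # client-side broadcast
    ("192.168.10.20", "192.168.10.255", "udp", 6000),   # server-side broadcast
]

def classify(dst):
    """Classify a destination address the way a routed hop treats it."""
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    if any(addr == net.broadcast_address for net in SEGMENTS):
        return "directed-broadcast"
    return "unicast"

def segment_of(ip):
    """Return the known segment an address sits in, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in SEGMENTS if addr in net), None)

def crosses_firewall(src, dst):
    """True when a plain routed hop forwards the packet to the other segment."""
    if classify(dst) != "unicast":
        return False  # broadcast and multicast are not forwarded by routing alone
    s, d = segment_of(src), segment_of(dst)
    return s is not None and d is not None and s != d

def stranded(capture):
    """Rows that the peer on the other segment never receives."""
    return [(s, d, classify(d)) for s, d, _proto, _port in capture
            if classify(d) != "unicast"]

if __name__ == "__main__":
    for row in stranded(CAPTURE):
        print("not forwarded:", row)
```

Filtering a real capture by destination class in this way, rather than by the server's address alone, separates the flows that cross the tunnel from those that stay on the sender's segment.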

Expert Comment

ID: 24752007
It would be interesting to find out if you were successful at this. WinFax uses DCOM for fax sharing and it was designed for an internal Windows LAN. I'm sure if development had continued with WinFax there would be an option to have a WinFax server that was visible from the outside of the LAN, where you could log in and send faxes from anywhere... One option would be remotely connecting using VNC or similar to a client PC that has WinFax installed, or the actual WinFax Host PC, and then send the faxes you want.

