Solved

Win Fax pro connection failure via SSL VPN

Posted on 2009-05-07
Last Modified: 2012-05-06
I'm trying to connect to a Win Fax Pro server via an SSL VPN. I can't seem to get it to connect; whenever I try, I get a "cannot connect to server" or "general failure" error message. I've put in a packet filter allowing any traffic on any service from my SSL VPN pool. I see traffic pass back and forth between the VPN connection and the server, but the connection just fails. I've even changed the order of my network connections so that the VPN connection is the top one. I don't know where else to go, short of setting up a workstation that the users will have to connect to on the network to use it.
Question by:Laz74
 
LVL 35

Expert Comment

by:Bembi
What has this to do with WinFax Pro?? You just want to establish a VPN connection, right? Where are the endpoints of the connection? Do you connect to a router in front of the server, to the server (RAS service) or to another on top service?

Try first to establish a PPTP connection before you try to use SSL. For a secured connection there are a few more conditions like certificates or preshared keys and so on.
0
 

Author Comment

by:Laz74
It was to set up a Win Fax Pro connection via an SSL VPN; I have to use that type of connection because it is secure. The VPN connection works fine, thus the reason I see packets passing back and forth from my PC through the firewall that handles the SSL connection to the server. I have already established a VPN connection; it is after the connection is made and I try and access the Win Fax Pro server that I get the connection errors.
I know the Win Fax Pro server works and I can connect from the laptop, because when I use the wireless on the laptop (and yes, I am inside the network) I can log into the server just fine.
0
 
LVL 35

Expert Comment

by:Bembi
So, what you want to say is:

You establish a VPN connection between your client and a server, where Win Fax Pro resides.
You can use the VPN connection (i.e. see files or shares and can access resources), but you cannot connect to WinFax Pro, right?

How do you do this, via a web interface? Or do you have a client on your machine, which connects to the server?

VPN is an issue of its own, especially for all Windows versions before Vista.
On the client, you have to make sure:
- Firewall settings must allow the traffic between your client and the server.
- Your client must be able to find the server, so if an IP address is not used, your client must resolve the server name.
- The traffic for WinFax Pro must pass the VPN tunnel.

The lack on VPN connections is that not all services are routed in the same way. Depending on your settings (Internet connection as well as the VPN tunnel itself) some services will be routed through the tunnel, others not. Some rules:

- Web traffic is routed as configured within your browser proxy settings. If the setting is automatic, the browser may connect to the internet, not to the VPN tunnel ---> Check if you can reach a web site on the other end of the VPN tunnel as well as public web sites.

- DNS / WINS traffic is (mostly) routed as configured within the VPN tunnel network configuration. This may be overwritten by some providers. To check this, just type nslookup with an external address as well as with an internal address and see if internal addresses can be resolved.

- All other traffic follows the default gateway. As a computer can have only one, the last connection should overwrite everything before. As the VPN is the last connection, this setting should be valid, but some ISPs have some different opinions about this. To check, type route print at the command prompt and see if the default gateway is internal or external.

Also relevant for the usage of the different settings is the binding order of the NICs. As your internet connection as well as the VPN are handled as NICs, the VPN tunnel should be before the internet connection. Otherwise the internet connection setting may overwrite the VPN settings.
To check: Start - Setting - Network connections --> menu Enhanced --> Enhanced settings. Disable Printer and file share / windows client on the internet connection and enable it on the VPN tunnel.


 
0
 

Author Comment

by:Laz74
"You establish a VPN connection between your client and a server, where Win Fax Pro resides." No.
I use an OpenVPN client that the firewall handles, and the firewall also hands out the address. I am able to make a secure connection and access resources.
Once I launch the client and make a connection to the network, I can ping the server. So the laptop can find the server via the tunnel.
As I said before, via watching the packet filter logs and a tcpdump done on both interfaces, I see traffic going to the server and the server responding to the laptop, but the connection never gets made. This means routing is not a problem, as they know about each other and do "talk" to each other.
Oh, and the packet capture was done by filtering for the server's address, so I could see the packets going out to the laptop's VPN-assigned address.
Packet traffic was not on web traffic ports, as Web Fax Pro uses randomly assigned ports and all the ones it was communicating on were not web-based ports.
As far as a routing table goes, as I said before, packets do travel back and forth between the devices, which means they know the correct gateway (which is the firewall device).
It's not a matter of getting them to see each other, it's a matter of getting them to connect properly.
0
 
LVL 35

Expert Comment

by:Bembi
OK so far, I understand.

You said that WinFax Pro uses random ports:
This would always point me to a firewall issue. Random ports are not a problem for clients within the network, but are regularly a problem for any firewall as far as involved.

You said that you can connect to the server (via laptop) if you connect directly via WLAN.
You cannot connect via your PC if it is connected via VPN.

Also you said that the VPN connection is made between a third-party VPN client and your corp firewall.

1.) Some firewalls know something like a quarantine VPN client with limited access. Usually a full VPN connection ends behind the firewall, so that the corp firewall should not be involved. You are inside the corp network as if you were using a cable or WLAN.

This I would check, whether your VPN endpoints have any limitations.

2.) Check your local Windows firewall (or just disable it). Especially as you have said "random ports". Whether the Windows firewall is involved depends on your VPN client.

3.) Any virus scanner or something on the client?

4.) Can the VPN client itself be the problem?

5.) Are there any other routers between your VPN endpoints and the WinFax Pro server? Meaning, are you directly attached via VPN to the subnet where the WinFax Pro server resides?

6.) The last idea I have at the moment is the routers. They should usually have nothing to do with the VPN connection; nevertheless I observed, especially with Cisco routers, some problems where some IP protocols like GRE were blocked by default.

0

 

Author Comment

by:Laz74
Did some deeper digging and discovered that the issue is actually with Win Fax. It uses broadcast packets, and since those aren't routable past the firewall (much less down the VPN connection) it isn't going to work via this method. I'll have to explore a different route other than a no longer supported software.
0
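The finding in the comment above can be checked against a packet capture. The following is an added example, not code from the thread: it scans `tcpdump -n` style lines for broadcast destinations and reports which segment will never receive them, assuming (as the thread reports) that the firewall routes between the LAN and the VPN pool and does not forward broadcasts. The subnets, addresses and ports are constructed.

```python
import ipaddress
import re

# Constructed `tcpdump -n` style lines; addresses and ports are invented.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.10.20.1047 > 192.168.10.255.6004: UDP, length 48
10:01:02.100000 IP 10.8.0.6.1051 > 192.168.10.20.3100: Flags [S], seq 1, win 8192, length 0
10:01:02.100400 IP 192.168.10.20.3100 > 10.8.0.6.1051: Flags [S.], seq 9, ack 2, win 8192, length 0
10:01:03.000000 IP 10.8.0.6.1052 > 255.255.255.255.6004: UDP, length 48
10:01:04.000000 IP 10.8.0.6.1053 > 10.8.0.255.6004: UDP, length 48
"""

# Source and destination IPv4 address, each followed by a port.
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+:")
LIMITED = ipaddress.ip_address("255.255.255.255")


def broadcast_kind(dst, nets):
    """Classify a destination as limited broadcast, directed broadcast or unicast."""
    ip = ipaddress.ip_address(dst)
    if ip == LIMITED:
        return "limited-broadcast"
    if any(ip == n.broadcast_address for n in nets):
        return "directed-broadcast"
    return "unicast"


def link_local_only(capture, lan_cidr, vpn_cidr):
    """List broadcast packets and the segment(s) that will never receive them."""
    nets = {"lan": ipaddress.ip_network(lan_cidr),
            "vpn": ipaddress.ip_network(vpn_cidr)}
    findings = []
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst = m.groups()
        kind = broadcast_kind(dst, nets.values())
        if kind == "unicast":
            continue  # unicast is routed normally, as the pings in the thread show
        origin = next((name for name, n in nets.items()
                       if ipaddress.ip_address(src) in n), "other")
        missed = [name for name in nets if name != origin]
        findings.append((src, dst, kind, origin, missed))
    return findings


if __name__ == "__main__":
    for src, dst, kind, origin, missed in link_local_only(
            SAMPLE_CAPTURE, "192.168.10.0/24", "10.8.0.0/24"):
        print(f"{src} -> {dst}: {kind} sent on {origin}; not delivered to {missed}")
```

Unicast replies appearing in the same capture are consistent with the symptom described: the hosts can reach each other, but any discovery step that relies on broadcast never crosses the routed hop.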
 
LVL 35

Expert Comment

by:Bembi
Maybe you can try the following:

Broadcasts are not routable, this is true.
Does your client get an IP from your corp network (i.e. DHCP) while connected via VPN?
0
 

Author Comment

by:Laz74
The IP address comes from the firewall itself. The firewall will drop the packets. We could switch to some other sort of VPN system that has an endpoint behind the firewall, which is not an option. The only thing left is to switch to a different software program. Any suggestions on that?
Yes I know it's a change of topic, sort of.
0
 
LVL 35

Accepted Solution

by:
Bembi earned 125 total points
OK, this is a hint. But usually, in most firewalls, you can configure everything. If the firewall drops packages, there may be a few reasons.

One reason may be that your VPN connection is limited. If you can separate the IP ranges for your public interface (i.e. a separate address space), you may be able to set different rules for these sources.

Another reason may be that the firewall allows the initiation over TCP, but drops subsequent connections, i.e. because this is UDP traffic. Usually, you should be able to allow subsequent ports after the connection is established. Usually, you find some information from the manufacturer about whether and which additional ports are needed.

But, found this:
http://www.computing.net/answers/windows-2003/windows-2003-and-winfax-pro/807.html
If this is true so far, it is nearly impossible to get such an application to run safely through a firewall, as you never know which ports are used. If this is the case, the only possibility would be to tell your firewall to give full access to the internal network for VPN clients.
0
 

Author Closing Comment

by:Laz74
The firewall is already allowing all the traffic in from the VPN; the problem is the firewall won't forward broadcasts, which means anything that uses broadcast won't work at all.
0
 
LVL 3

Expert Comment

by:GetFaxingdotcom
It would be interesting to find out if you were successful at this. WinFax uses DCOM for fax sharing and it was designed for an internal Windows LAN. I'm sure if development had continued with WinFax there would be an option to have a WinFax server that was visible from the outside of the LAN, where you could log in and send faxes from anywhere... One option would be remotely connecting using VNC or similar to a client PC that has WinFax installed, or the actual WinFax host PC, and then sending the faxes you want.
0
