Win Fax pro connection failure via SSL VPN
I'm trying to connect to a win fax pro server via an ssl vpn. I can't seem to get it to connect when ever I try to I get an "cannot connect to server" or "general failure" error message. I've put in a packet filter allowing any traffic on any service from my SSL VPN pool. I see traffic pass back and forth between the vpn connection and the server but the connection just fails. I've even changed the order of my network connections so that the VPN connection is the top one. I don't know where else to go short of setting up an workstation that the users will have to connect to on the network to use it.
ASKER
It was to set up a Win Fax Pro connection via an SSL VPN, have to use that type of connection because it is secure. The VPN connection works fine thus the reason I see packets passing back and froth from my PC through the firewall that handles the ssl connection to the server. I have already established a VPN connection, it is after the connection is made and I try and access the Win Fax Pro server that I get the connection errors.
I know the Win Fax Pro server works and I can connect from the Laptop because when I use the wireless on the laptop (and yes I am inside the network) I can log into the server just fine.
I know the Win Fax Pro server works and I can connect from the Laptop because when I use the wireless on the laptop (and yes I am inside the network) I can log into the server just fine.
So, what you want to say is:
You establish a VPN connection between your client and a server, where Win Fax Pro resides.
You can use the VPN connection (i.e. see files or shares and can access resource), but you cannot connect to WinFax Pro right?
How do you do this, via a Web-Interface? Or do you have a client on your machine, which connect to the server?.
VPN is an issue of its own, especially for all windows versions before Vista.
On the client, you have to make sure:
- Firewall settings must allow the traffic between your cleint and the server.
- Your client must be able to find the server, so if not an IP address is used, your client mus resolve the server name.
- the traffic for WinFaxPro must pass the VPN tunnel.
The lack on VPN connections is, that not all services are routed in the same way. Dependend on your settings (Internet connection as well as the VPN tunnel itself) some services will be routet through the tunnel, others not. Some rules:
- Web traffic is routed as configured within your Broser Proxy settings. If the setting is automatic, the brwoser may connect to the internet, not to the vpn tunnel ---> Check, if you can reach a web site on the other end of the vpn tunnel as well as xou can reach public web sites.
- DNS / WINS traffic is (mostly) routet as configured within the VPN tunnel network configuration. This may be overweitten by some providers. To check this, just type nslookup with an external address as well as with an internal address and see, if internal addresses can be resolved.
- All other traffic is following the default gateway. As a computer can have only one, the last connection should overwrite everthing before. As the vpn is the last connection, this setting should be valid, but some ISPs have some differnet opinions about this. To check, type route print at command promt and see, if the default gateway is internal or external.
Also relevant for the usage of the differnt settings is the binding order of the NICs. As your internet connection as well as the VPN are handled as NICs, the VPN tunnel should be before the internet connection. Otherwise the internet connection setting may overwrite the vpn settings.
To check: Start - Setting - Network connections --> menu Enhanced --> Enhanced settings. Disable Printer and file share / windows client on the internet connection and enable it on the VPN tunnel.
You establish a VPN connection between your client and a server, where Win Fax Pro resides.
You can use the VPN connection (i.e. see files or shares and can access resource), but you cannot connect to WinFax Pro right?
How do you do this, via a Web-Interface? Or do you have a client on your machine, which connect to the server?.
VPN is an issue of its own, especially for all windows versions before Vista.
On the client, you have to make sure:
- Firewall settings must allow the traffic between your cleint and the server.
- Your client must be able to find the server, so if not an IP address is used, your client mus resolve the server name.
- the traffic for WinFaxPro must pass the VPN tunnel.
The lack on VPN connections is, that not all services are routed in the same way. Dependend on your settings (Internet connection as well as the VPN tunnel itself) some services will be routet through the tunnel, others not. Some rules:
- Web traffic is routed as configured within your Broser Proxy settings. If the setting is automatic, the brwoser may connect to the internet, not to the vpn tunnel ---> Check, if you can reach a web site on the other end of the vpn tunnel as well as xou can reach public web sites.
- DNS / WINS traffic is (mostly) routet as configured within the VPN tunnel network configuration. This may be overweitten by some providers. To check this, just type nslookup with an external address as well as with an internal address and see, if internal addresses can be resolved.
- All other traffic is following the default gateway. As a computer can have only one, the last connection should overwrite everthing before. As the vpn is the last connection, this setting should be valid, but some ISPs have some differnet opinions about this. To check, type route print at command promt and see, if the default gateway is internal or external.
Also relevant for the usage of the differnt settings is the binding order of the NICs. As your internet connection as well as the VPN are handled as NICs, the VPN tunnel should be before the internet connection. Otherwise the internet connection setting may overwrite the vpn settings.
To check: Start - Setting - Network connections --> menu Enhanced --> Enhanced settings. Disable Printer and file share / windows client on the internet connection and enable it on the VPN tunnel.
ASKER
You establish a VPN connection between your client and a server, where Win Fax Pro resides. No
I use an Open VPN client that the firewall handles, as well as hands out the address. I am able to make a secure connection, and access resources.
Once I launch the client and make a connection to the network, I can ping the server. So the laptop can find the server via the tunnel.
As I said before via watching the packet filter logs, and a tcp dump done on both interfaces I see traffic going to the server and the server responding to the laptop but the connection never gets made. This means routing is not a problem as they know about eacher and do "talk" to each other.
Oh and the packet capture was done by filtering for the Server's address, so I could see the packets going out to the laptop's VPN assigned address.
Packet traffic was not on Web traffic ports as Web Fax Pro uses randomly assigned ports and all the ones it was communicating on were not web based ports.
As far as a routing table as I said before packets do travel back and forth between the devices, which means they know the correct gateway (which is the firewall device).
It's not a matter of getting them to see each other, it's a matter of getting them to connect properly.
I use an Open VPN client that the firewall handles, as well as hands out the address. I am able to make a secure connection, and access resources.
Once I launch the client and make a connection to the network, I can ping the server. So the laptop can find the server via the tunnel.
As I said before via watching the packet filter logs, and a tcp dump done on both interfaces I see traffic going to the server and the server responding to the laptop but the connection never gets made. This means routing is not a problem as they know about eacher and do "talk" to each other.
Oh and the packet capture was done by filtering for the Server's address, so I could see the packets going out to the laptop's VPN assigned address.
Packet traffic was not on Web traffic ports as Web Fax Pro uses randomly assigned ports and all the ones it was communicating on were not web based ports.
As far as a routing table as I said before packets do travel back and forth between the devices, which means they know the correct gateway (which is the firewall device).
It's not a matter of getting them to see each other, it's a matter of getting them to connect properly.
OK so far, I understand.
You said, that WinFax Pro uses random ports:
This would point me always to a firewall issue. Random ports are not a problem for clients within the network, but are regularly a problem for any firewall as far as involved.
You said, that you can connect to the server (via Laptop) if you connect directly via WLAN.
You can not connect via your PC, if it is connected via VPN.
Also you said, that the VPN connection is made between a third party VPN client and your corp firewall.
1.) Some firewalls knows something like a quarantaine vpn client with limited access. Usually a full vpn connection ends behind the firewall, so that the corp firewall should not be involved. You are inside the corp network as you would use a cable or WLAN.
This I would check, if your vpn endpoints has any limitations.
2.) Check your local windows firewall (or just disable it). Especially as you have said "random ports". If the windows firewall is involved depends from your vpn client.
3.) Any virus scanner other something on the client?
4.) Can the vpn client itself be the problem?
5.) Are there any other routers between your vpn endpoints and the WinFaxPro server? Means, are you directly attached via vpn to the subnet, where the WinFaxPro server resides?
6.) Last idea I have at the moment are the routers. They should usually have nothing to do with the vpn connection, nevertheless I observed especially with Cisco routers some problems where some IP protocols like GRE were blocked by default.
You said, that WinFax Pro uses random ports:
This would point me always to a firewall issue. Random ports are not a problem for clients within the network, but are regularly a problem for any firewall as far as involved.
You said, that you can connect to the server (via Laptop) if you connect directly via WLAN.
You can not connect via your PC, if it is connected via VPN.
Also you said, that the VPN connection is made between a third party VPN client and your corp firewall.
1.) Some firewalls knows something like a quarantaine vpn client with limited access. Usually a full vpn connection ends behind the firewall, so that the corp firewall should not be involved. You are inside the corp network as you would use a cable or WLAN.
This I would check, if your vpn endpoints has any limitations.
2.) Check your local windows firewall (or just disable it). Especially as you have said "random ports". If the windows firewall is involved depends from your vpn client.
3.) Any virus scanner other something on the client?
4.) Can the vpn client itself be the problem?
5.) Are there any other routers between your vpn endpoints and the WinFaxPro server? Means, are you directly attached via vpn to the subnet, where the WinFaxPro server resides?
6.) Last idea I have at the moment are the routers. They should usually have nothing to do with the vpn connection, nevertheless I observed especially with Cisco routers some problems where some IP protocols like GRE were blocked by default.
ASKER
did some deeper digging and discovered that the issue is actually with Win Fax. It uses brodcast packets and since those aren't routable past the firewall (much less down the VPN connection) it isn't going to work via this method. I'll have to explore a different route other than a no longer supported software
Maybe you can try the following:
Broadcasts are not routable, this is true.
Does your client get an IP from your corp network (i.e. DHCP) while connected via VPN?
Broadcasts are not routable, this is true.
Does your client get an IP from your corp network (i.e. DHCP) while connected via VPN?
ASKER
The IP address comes from the firewall itself. The firewall will drop the packets. We could switch to some other sort of VPN system that has an endpoint behind the firewall, which is not an option. The only thing left is to switch to a different software program. Any suggestions on that?
Yes I know it's a change of topic, sort of.
Yes I know it's a change of topic, sort of.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The firewall is already allowing all the traffic in from the VPN problem is the firewall won't forward broadcasts. Which means anything that uses broadcast won't work at all.
It would be interesting to find out if you were successful at this.WinFax uses DCOM for fax sharing and it was designed for an internal windows LAN. I'm sure if development had continued with WinFax there would be an option to have a WinFax server that was visible from the outside of the LAN, where you could log in and send faxes from anywhere...one option would be remotely connecting using VNC or similar to a client PC that has WinFax installed, or the actual WinFax Host PC, and then send the faxes you want.
Try first to establish a PPTP connection before you try to use SSL. For a secured connection there are a few more conditions like certificates or preshared keys and so on.