MrPicky2003 (United States of America) asked:

Sonicwall

We have a Sonicwall 2400 and unfortunately it is managed by another company and I don't have access. But what I do want to know from those of you who are familiar with these firewalls... are there any known issues with the filter? I will have a user who is working great one day contact me the next day saying they can't get to half the websites they try. When I log in as administrator (my login is basically unrestricted on the net) on the user's PC I can't access the sites either. Yet everyone else in the same filter group is on the net and working and my PC is accessing the Internet just fine.

Also, our workstations are XP Pro. Port 445 has to be open on the firewalls to allow access to the Internet. I've never seen this anywhere else. But sometimes it's not enough to just have port 445 open and I have to install file & printer sharing to allow the Internet to work.

Just curious if anyone else is having these issues with the Sonicwall.
Mkris9 (United Kingdom):

I've used sonicwall for years and haven't had any such issues.

Are you able to ping those domains at least? If you can't, it might be a DNS issue. Is the SonicWall your DNS server?
Michael Ortega:
Why on earth would you explicitly need to allow 445 (which is SMB over TCP) open on the firewall for internet access? Sounds to me like you're using the Sonicwall unified threat management to act like a proxy for browsing the internet. There should be no modification in the outgoing filter rules to allow or deny certain kinds of traffic. All outbound traffic is generally permitted through the proxy.

Why does the system work sometimes and not others? Is the device patched with the latest firmware?

MO
dbsg13:

I've also never had problems like this with SonicWall, especially the NSA2400.  You say Port 445?  Do you mean 443 and 80?

Is there a proxy server involved?

This should have NOTHING to do with port 445.  I manage 7 different SonicWalls including an NSA 2400 and haven't seen this issue at all.  You are either having network related issues OR you are maxing out the number of connections to the Internet licensed to that firewall (but that would have to be HUGE).

When a website fails, do you get a SonicWall firewall screen saying why it was blocked or just a page not found screen?

This sounds entirely like a DNS issue.

Next time you get a site that won't work, try this. Let's say the site is www.yahoo.com

Open a command window and try:

ping www.yahoo.com (if you get 100% packet loss or some other error)
ping 98.137.149.56  (see if the results change at all)

Additionally, do nslookup www.yahoo.com.

Are you using DHCP?  If so, from the firewall or from a server?

It might be helpful to post an ipconfig /all from one of the machines as well.

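The ping / nslookup / ipconfig checks above are only useful if they are captured at the moment the page fails, and the thread makes clear the fault is intermittent. The script below is an added example (not from the thread, not from SonicWall) that records all three plus a TCP connect test in one timestamped log entry, so a later comparison can say whether DNS, ICMP or the TCP session itself broke. It assumes PowerShell 2.0 on the workstation (an optional update for XP SP3); $Site and $LogFile are placeholders.

```powershell
# Added example, not from the thread: run this on the affected workstation at the moment a
# page fails, so the failure can be classified as DNS, ICMP or TCP instead of "it works now".
# Assumed: PowerShell 2.0 (an optional update for XP SP3); $Site and $LogFile are placeholders.
param(
    [string]$Site    = "www.yahoo.com",   # placeholder: the site that just failed
    [string]$LogFile = "C:\fwdiag.log"    # placeholder: where to keep the timestamped record
)

# TCP connect with a timeout: the browser needs this to succeed on 80/443 regardless of ICMP.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return "timeout" }
        $client.EndConnect($ar)          # throws if the connection was refused or reset
        return "open"
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

function Get-SiteDiagnostics {
    param([string]$HostName)
    $r = New-Object PSObject
    $r | Add-Member NoteProperty Time (Get-Date -Format s)
    $r | Add-Member NoteProperty Site $HostName

    # 1. DNS through whatever resolver the client is configured with (the 2008 server here)
    $ips = @()
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString })
        $r | Add-Member NoteProperty Dns ($ips -join ",")
    } catch {
        $r | Add-Member NoteProperty Dns "FAIL: $($_.Exception.Message)"
    }

    # 2. ICMP by name and by address. A LAN>WAN rule may block ping, so "False" here on its
    #    own proves nothing; compare it with the TCP results below.
    $r | Add-Member NoteProperty PingName (Test-Connection -ComputerName $HostName -Count 2 -Quiet -ErrorAction SilentlyContinue)
    if ($ips.Count -gt 0) {
        $r | Add-Member NoteProperty PingIp (Test-Connection -ComputerName $ips[0] -Count 2 -Quiet -ErrorAction SilentlyContinue)
    }

    # 3. TCP 80 and 443. DNS fine + ping fine + TCP "timeout" is the pattern of a firewall
    #    holding the session (for example while it waits to identify the user).
    $r | Add-Member NoteProperty Tcp80  (Test-TcpPort $HostName 80)
    $r | Add-Member NoteProperty Tcp443 (Test-TcpPort $HostName 443)
    return $r
}

$result = Get-SiteDiagnostics -HostName $Site
$result | Format-List | Out-String | Add-Content -Path $LogFile
ipconfig /all | Add-Content -Path $LogFile      # adapter, DNS and DHCP details for the same moment
$result
```

Keep the log on the PC and compare a failing entry with a working one taken a few minutes later: if Dns and PingIp are identical in both but Tcp80 flips between "open" and "timeout", the problem is upstream of name resolution and sits at the firewall, which is the case the rest of this thread ends up discussing.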
MrPicky2003 (asker):

Mkris9: I can ping the websites. Windows Server 2008 is the DNS / DHCP server.

mgortega & dbsg13: The individual that owns and manages our sonicwall device claims that Port 445 must be open on workstations to allow users to access the Internet. I've never heard of anything like this either. I just needed some ammunition from some of you pros to insist that this isn't necessary.

TravisT: I'll go down and try all of your suggestions and also check up on DNS on the server. We are using DHCP and it is from the 2008 server.

Content filtering works fine on Sonicwall but there are a few things that need to be configured, and there are a number of ways of configuring the nsa to do it.

Travis T's advice will be good for understanding more. (However, ping might not work at all if there is a LAN>WAN policy that blocks it, or if the ping checkbox on the LAN interface is not checked.)

The reason for the file and printer sharing could be to enable NetBIOS on the PCs. This may be being used to identify the user logged into the PC if, for example, you are using the SSO (single sign-on agent) on your LDAP server (SSO integrates Active Directory/LDAP users and groups onto the nsa).

As for port 445 I am also a little perplexed.

How are users identified by the nsa? Do you get redirected to a login page on the nsa or can you get directly to the internet? Note that content filtering can also be set up on IP address ranges so this might not be relevant at all.
There is also a checkbox that blocks web traffic if the SonicWall CFS server is not available for 5 (configurable) seconds - if this PC has extremely heavy usage you could be getting some problems from this.

What version of SonicOS Enhanced is on the unit?

It would be very useful to know a few things about how the nsa is configured. You could ask for read-only access to the nsa (easy for them to set up a local user on the unit to be able to just view the config and the logs).

FYI - if it were a content filtering issue, then the user would see a screen saying that it was blocking the page based on the content filter/category setting.

If it stops all traffic while the content filter loads (I have this disabled because it just sounds bad), then I am not sure if the SonicWall will give you a screen to look at.
It appears to NOT be DNS related, but if the issue is intermittent then it would need to be tested at the time that the problem occurs. You can ping yahoo.com now, but perhaps you can browse fine to yahoo.com now. You need to run the ping test when things are NOT working and see what happens. Make sure you ping the domain you're struggling to connect to.

Again, verify whether the user is getting a coached page from the SonicWall or if it's just a generic "Can't display the page" kind of message.

Opening 445 outbound just sounds wrong. Opening 445 inbound is ridiculous and opens up all kinds of concerns about security.

It could not be an Internet access license restriction because the 2400 has no node limits.

Find out about the possibility of a coached SonicWall page and what a ping test result is.

MO

LOL - agreed on the port 445 thing. Inbound would be WHACK!

LOL - I agree it's strange but I might have an explanation for the 445 port.

I think this is an SSO problem for a few reasons:

PC concerned has a problem once in a while that is not resolved by MrPicky2003 logging in with Administrator credentials
File and printer sharing is sometimes needed to enable internet access - this has to do with netAPI queries from the SSO agent to the pc needing netbios to be enabled
OK, the 445 crazy bit - WMI could be forced onto port 445. I have done this to use some Microsoft audit tools in the past, as WMI normally uses random ports via DCOM that are difficult to manage with firewalls on PCs. Interestingly, the firewall in Win7 now has an allow WMI option to solve this.

MrPicky2003, here is a link to a SonicWall document that explains some methods for diagnosing WMI problems.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7363

The sso agent is probably installed on the 2008 AD server you mentioned.

Have a look on the server and see if there is any sonicwall software installed.
You are looking for the SonicWall configuration tool.

You will need to do this when the problem occurs, but try to query the IP of the problem PC when it is working to see the result. Try with both WMI and NetAPI.

Wow, it's 11 pm here, off to eat :)
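The post above says the SSO agent identifies the logged-on user by querying the PC over either NetAPI or WMI, and suggests testing both against the problem PC. The following is an added example (not SonicWall's agent or configuration tool, and not code from the thread) that performs the same two queries from the server so you can see which one answers, what it returns, and how long it takes. It assumes PowerShell 2.0 or later on the server, a domain account that is a local administrator on the target, and a placeholder hostname in $pc.

```powershell
# Added example, not SonicWall's own tooling: ask a workstation who is logged on, once over WMI
# and once over NetAPI (NetWkstaUserEnum, which reaches the remote Workstation service through
# a named pipe over SMB/TCP 445). These are the two query methods the SSO agent can use.
# Run it from the server hosting the agent, as a domain account that is a local administrator
# on the target. Assumed: PowerShell 2.0 or later; $pc is a placeholder hostname.
param([string]$pc = "TEACHER-PC01")   # placeholder: the PC that keeps losing Internet access

# Method 1: WMI. Goes over DCOM (TCP 135 plus a dynamic port) unless WMI was pinned to 445.
function Get-WmiLoggedOnUser {
    param([string]$ComputerName)
    try {
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName -ErrorAction Stop
        if ($cs.UserName) { return $cs.UserName }   # DOMAIN\user of the interactive session
        return "(nobody logged on interactively)"
    } catch {
        return "WMI failed: $($_.Exception.Message)"
    }
}

# Method 2: NetAPI. This is the call that needs File and Printer Sharing and TCP 445 open
# on the client, because the pipe it uses is carried over SMB.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class NetApi {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WKSTA_USER_INFO_1 {
        public string wkui1_username;
        public string wkui1_logon_domain;
        public string wkui1_oth_domains;
        public string wkui1_logon_server;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetWkstaUserEnum(string servername, int level, out IntPtr bufptr,
        int prefmaxlen, out int entriesread, out int totalentries, ref int resume_handle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@

function Get-NetApiLoggedOnUsers {
    param([string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # prefmaxlen -1 = MAX_PREFERRED_LENGTH: the API allocates a buffer big enough for everything
    $rc = [NetApi]::NetWkstaUserEnum("\\$ComputerName", 1, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) {
        # 53 = ERROR_BAD_NETPATH (445 closed or host down), 5 = access denied, 1326 = bad credentials
        return @("NetAPI failed, Win32 error $rc")
    }
    $users = @()
    $size = [Runtime.InteropServices.Marshal]::SizeOf([type][NetApi+WKSTA_USER_INFO_1])
    for ($i = 0; $i -lt $read; $i++) {
        $entry = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), [type][NetApi+WKSTA_USER_INFO_1])
        # Lists every session on the box (console, RDP, service logons), not only the console user
        $users += "$($entry.wkui1_logon_domain)\$($entry.wkui1_username)"
    }
    [void][NetApi]::NetApiBufferFree($buf)
    return $users
}

# Time both answers: a slow or failing reply here is what the user experiences as a hung page.
foreach ($method in "WMI", "NetAPI") {
    $sw = [Diagnostics.Stopwatch]::StartNew()
    if ($method -eq "WMI") { $answer = Get-WmiLoggedOnUser -ComputerName $pc } else { $answer = (Get-NetApiLoggedOnUsers -ComputerName $pc) -join ", " }
    $sw.Stop()
    "{0,-6} {1,6} ms  {2}" -f $method, $sw.ElapsedMilliseconds, $answer
}
```

Run it once while the PC is browsing normally and again while it is blocked. Win32 error 53 from the NetAPI call with a working WMI answer means the client firewall is dropping 445 at that moment; both failing with the user still logged on points at the client firewall profile or the account the agent runs as rather than at the SonicWall itself.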

OK -- When I went back down to the teacher's workstation to ping/nslookup/etc, everything was working. This is what's so frustrating. Nothing was changed on the PC.

I had the Sonicwall administrator blow away all groups on the filter and associate the filter groups with the groups that I specified. I kept it simple and only have three groups on the server. This way I can insert users into the groups and that dictates their Internet access rights. I can't even tell if this is working though...

I have students who can log into one computer and have access to particular sites and then not have access on another computer. Furthermore, if a student finds a computer that works for them, it may or may not continue accessing the website.

If I uninstall file and printer sharing on a PC and uncheck file and printer sharing in the firewall, I get a cannot load website screen first and then the authentication message from sonicwall thereafter.

If I leave the file and printer sharing service disabled but open port 445 in the firewall, sometimes I can access the internet and sometimes I can't. Usually when the Internet quits working, I have to install file and printer sharing, enable all the ports and the Internet starts working again.

On another note, today, people are suddenly being blocked from sites they usually have access to. Give it some time and everything works again.

I'll throw another wrench in this. We found that when IE won't load a website and then displays the block page from Sonicwall, Firefox will load the page. What is going on with that?

That would be some sort of proxy setting in IE vs. Firefox. IE probably gets this setting via Group Policy. Firefox, at least the vanilla version, does not have a GP plug-in.

There are no proxy settings specified anywhere for IE.

And what about FF?
Also - what firmware version are you running? There were issues with this particular problem back on older versions.

TR
Travis T: I don't know. I am not allowed to access the firewall, so I will find out when we have our meeting with the vendor this week.

I have a meeting on Wednesday with the vendor that provides our Sonicwall. I'll let everyone know what happens later Wednesday afternoon.

I met with the vendor today who manages our SonicWall 2400. He insisted that there was no way for the Sonicwall to authenticate users without installing file and printer sharing & opening the associated ports in the firewall on the local PC. Indeed, we cannot cruise the net on PCs unless this is the case.
He assures me that he has spoken directly with Sonicwall support on this issue and this is the only way to authenticate. I still have my doubts as I have never seen this method used with any other hardware firewall/filtering system that is LDAP aware. Our previous hardware firewall/filter did not have this dependency on the local PC.
Also, as a school, we need to run reports on specific usernames and/or IP addresses so that we can monitor student browsing activity. I was told that this is not possible either.

OK - After some research I discovered that the 'Single Sign-On' feature of the NSA 2400 is what requires File and Printer Sharing to be enabled on the local PC.
I downloaded the administration guide to the 2400 and another PDF called 'SonicOS_5.5_Single_Sign_On_Feature_Module' from Sonicwall. So far, it appears to me that SSO doesn't have to be used and that there is another method of authentication. Is this assumption correct?

LOL, if you read my post above (19/08/2010), I had already told you that I thought it was an SSO issue.

SSO is useful in your type of environment because it means that users just have to authenticate once when they log into the domain. It also simplifies the attribution of rights by group membership.

You can create local users on the nsa but that would mean maintaining the users and groups in two places, and it would mean that users would have to login to the nsa to get internet access.

SSO is the way to go but it needs to be configured well, and the PCs either need to be able to receive and respond to NetAPI (NetBIOS) or WMI requests from the SSO software that is probably installed on the server you mentioned in your original post (or another server that you didn't mention).

I am not sure what to suggest as you don't have access to the nsa 2400, so the only thing that I could think of was the SSO agent software, where there is a diagnostic tool that can be used to see if the PC is responding with the user name (see post above and link for that). By the sounds of it the SSO is using NetAPI, which is why you need File and Printer Sharing (NetBIOS in XP is part of File and Printer Sharing). You will need to check there are exceptions opened up in the XP firewall for File and Printer Sharing and probably for remote management (which opens up port TCP 445 for RPC). You can quickly determine if it is a PC firewall problem by temporarily disabling it and seeing if the problems go away.

As for the filter policy groups, you need to be careful about how the policies are created and how group membership is attributed.
If user A is a member of 2 groups, let's say "group see everything" and "group see nothing", then he will have access to everything as the most permissive right is applied.
Also, there is a lag time of a few minutes when you are using NetAPI where the permissions of the previous user can persist until the SSO agent queries the PC again. I have always used WMI for this reason, but that brings other requirements with ports used for WMI, which is a whole different conversation.

These problems can be solved but you will probably need the cooperation of the guys that installed it.

As for the reporting about URLs visited, it is possible. I have used GMS (another SonicWall appliance) to manage SonicWall TZs and NSA UTMs and collect data for reporting; there is also software called ViewPoint for doing this but I never used it.
I will keep on looking at this thread but I am not sure where this is going....????
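The post above warns that a user who sits in two filter groups gets the most permissive policy, and the asker has just said the three filter groups are now mapped straight onto three server groups that users are inserted into. The script below is an added example (not from the thread and not a SonicWall tool) that audits Active Directory for exactly that overlap, following nested membership, using only the ADSI classes present on a 2008 server without the RSAT module. It assumes PowerShell 2.0 on a domain-joined machine; the three group names in $cfsGroups are placeholders.

```powershell
# Added example, not from the thread: list domain users who are members of more than one
# content-filter group, since the most permissive policy wins when memberships overlap.
# Assumed: PowerShell 2.0 on a domain-joined machine; the three group names are placeholders.
$cfsGroups = @("CFS-Staff", "CFS-Students", "CFS-Restricted")   # placeholders for the three groups

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping, so a DN containing \ ( ) * cannot break or widen the filter
    return $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-GroupMembers {
    param([string]$GroupName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
    $group = $searcher.FindOne()
    if ($group -eq $null) { throw "group not found: $GroupName" }
    $dn = ConvertTo-LdapFilterValue ([string]$group.Properties["distinguishedname"][0])

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested groups, which is
    # what matters if the firewall resolves nesting when it maps a user to a policy.
    $searcher.Filter = "(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PageSize = 1000                       # page through large groups instead of hitting the 1000 limit
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    return $searcher.FindAll() | ForEach-Object { [string]$_.Properties["samaccountname"][0] }
}

function Find-OverlappingMembers {
    param([string[]]$Groups)
    $membership = @{}                               # sAMAccountName -> list of filter groups
    foreach ($g in $Groups) {
        foreach ($u in (Get-GroupMembers -GroupName $g)) {
            if (-not $membership.ContainsKey($u)) { $membership[$u] = @() }
            $membership[$u] += $g
        }
    }
    # Users in two or more filter groups: the firewall will apply the most permissive one
    return $membership.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{ User = $_.Key; Groups = ($_.Value -join ", ") }
    }
}

Find-OverlappingMembers -Groups $cfsGroups | Sort-Object User | Format-Table User, Groups -AutoSize
```

Every user this prints is one the filter will treat by the most permissive of the listed groups, which is the kind of "works on one login, not on another" behaviour the asker describes when combined with stale identifications from the SSO agent. Fix the overlap in AD and rerun until the list is empty before asking the vendor to look at the firewall side.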

I was hoping that the nsa 2400 could be setup to authenticate without depending on file & printer sharing on workstations. The previous firewall/filter solution that we had didn't have this requirement and users did not have to log on to the filter separately. Frankly it was a much better solution for us and provided extensive reporting features as well. I wish we did not move to Sonicwall. I am not impressed.
ASKER CERTIFIED SOLUTION: Elysithea (Portugal). (Solution text is members-only and not shown on this page.)
Elysithea - Thank you for all of your feedback. I'm going to accept your solution and finish off this thread. I have all of the information I need.

Just thought that I would add this in here. The SonicWall SSO agent tries to communicate using either WMI or NetAPI. NetAPI is a service that runs on port 445. He is talking about his client PCs' firewall in the LAN in the first post, not the SonicWall itself. If the SSO connector cannot determine who is logged onto a PC via NetAPI or WMI (i.e. Windows firewall is blocking the inbound port on the PC) then it will cause connectivity problems with your users because instead of passing a login they are waiting on the connector to timeout. This sounds like what you are experiencing. I am currently implementing SSO and LDAP integration on a NSA2400. Will update when finished.

Oh, and the above theory only holds water if you don't have the firewall set to block all access to anonymous users.

I am currently trying to make the switch to WMI but have only been able to make it work on my test PC.
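Both the vendor's instruction and the last two posts come down to the same thing: the Windows Firewall on the XP client has to accept the SSO agent's NetAPI (SMB, TCP 445) or WMI (RPC, TCP 135 plus dynamic ports) query, otherwise browsing hangs until the agent times out. What nobody in the thread says is that the exception does not have to be open to the whole LAN. Below is an added example (not from the thread, not SonicWall documentation) of the XP SP2/SP3 netsh firewall form of that exception, first as the wide-open version and then scoped to the single address of the server running the agent and limited to the domain profile. It assumes the commands are run elevated on the client (PowerShell 2.0, or paste each netsh line into cmd without the leading "&"); 10.0.0.5 is a placeholder for the SSO agent's server.

```powershell
# Added example, not from the thread: open only what the SSO agent needs on an XP SP2/SP3
# workstation, and only to the agent's address. Assumed: run elevated on the client under
# PowerShell 2.0 (or paste the netsh lines into cmd without "&"); 10.0.0.5 is a placeholder
# for the server that hosts the SSO agent.
$ssoAgent = "10.0.0.5"   # placeholder: address of the server running the SSO agent

# Weak setting: what "just open 445" looks like. Any host on any network can reach SMB
# and RPC on the workstation, which is the exposure the earlier posts objected to.
# & netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=ALL profile=ALL
# & netsh firewall set service type=REMOTEADMIN  mode=ENABLE scope=ALL profile=ALL

# Hardened setting: the same two exceptions, reachable only from the SSO agent, only while
# the PC is on the domain profile (so a laptop on a home network exposes nothing).
#   FILEANDPRINT -> TCP 139/445, UDP 137/138: needed for the NetAPI (NetWkstaUserEnum) query
#   REMOTEADMIN  -> TCP 135/445 plus dynamic RPC for svchost/lsass: needed for the WMI query
& netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=$ssoAgent profile=DOMAIN
& netsh firewall set service type=REMOTEADMIN  mode=ENABLE scope=CUSTOM addresses=$ssoAgent profile=DOMAIN

# Verify: both services should report the agent address as their scope, not "All"
& netsh firewall show service

# Quick local confirmation that 445 is listening at all (File and Printer Sharing installed):
& netstat -an | Select-String ":445 "
```

For a fleet the same two exceptions with the same custom scope belong in Group Policy (Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile) rather than run per PC; the netsh form is shown because it is the quickest way to test one problem workstation. If only one of the two query methods is in use, enable only that one.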