Solved

Watchguard XTM PPTP VPN

Posted on 2011-02-10
21
3,819 Views
Last Modified: 2012-07-27
I need to create a Firewall policy on a Watchguard VPN that allows access to an internal server.

There is a config right now that has users setup but there's a DC on the network I'd like to use for authentication.

Is there a step by step process I can use? I am familiar with older Watchguards but this one has a lot more to it and I'd like a little guidance.
Question by:underIce
21 Comments
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34865651
I look after Watchguard Fireboxes across multiple sites from head offices to regional offices so I have experience with the VPN options.

How do the current VPNs work and how are they configured?
What are they using for authentication at the moment?
Are the remote users all scattered about or from the same remote office?
0
 

Author Comment

by:underIce
ID: 34865821
(This is a XTM23)

-There are no Mobile VPN policies set
-There's an SSLVPN which is set at any - any (I don't need this anymore)
-There's a BOVPN (in and out). It's set at BOVPN-Allow In [In: our company - any] BOVPN Allow Out [out: any - our company]. I don't know what this does but I'm sure we don't need it

The RADIUS is not enabled (in the firewall's authentication settings) but on the firewall there is a user group configured.

Let me know if there's anything else...Thanks!
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34866045
Are you using WEBUI (web user interface) to see the Watchguard setup or WSM (Watchguard System Manager), and if WSM, what version are you running on both WSM and XTM?

How many users do you require the VPN for?
Are they all from the same remote office or do they all work from different locations?

This is definitely something that I can help you configure correctly once we have the information, as there are a couple of ways to achieve this.

0
 

Author Comment

by:underIce
ID: 34866096
I'm using the Web UI.

The firewall itself is an XTM23 version 11.3.2

I'm guessing I'd need no more than 10 users; at the moment I bet we'd need less than 5. The users are basically spread out and aren't working in a remote office together.
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34866281
OK, the first thing you need to do is log into www.watchguard.com with your details, go to the software downloads section, download WSM 11.3.2 and install it on the system you work from.

Once you have done this let me know and I can talk you through setting the access up to the Watchguard. You will have a clearer view of the firewall policies and you will be able to follow it a lot easier.

As this is not a simple set of instructions like clicking a tick box I may need to speak to you, but we can sort this at the time.
0
 

Author Comment

by:underIce
ID: 34866471
I'm not able to access that account right now (after hours and the account holder is gone). I find the Web UI fairly clear though. I've used the System Manager though and it does seem a little easier to use.

But I think the WebUI should be fine...and in any case it's the only tool I have at the moment.

Can I not configure a Mobile VPN Policy and use the Windows 2008 server for network authentication?

One question I have is if I need to delete the SSLVPN in the firewall policy in order to do this.
0
 

Author Comment

by:underIce
ID: 34868257
Ok, here's where I'm at:

-I've activated the Mobile VPN with PPTP
-I've created a user and put it into the PPTP-Users group
-I created a PPTP policy in the firewall policy section (any - any)

I'm using the firewall username to connect and it seems to connect OK. But the problem I'm having is that I don't seem to be picking up a gateway on the local VPN client connection. The IP is on the remote range but I can't access the network because I don't have a gateway...

Must be something simple....ideas?
0
 

Author Comment

by:underIce
ID: 34868327
Now it's back to not working....it doesn't appear to be accepting my login. The login screen pops back up after a few moments.

I get an error 619 after a couple of attempts.

It worked once....
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34869587
I don't use the WEBUI as it is not as informative and it is harder to see what policy is doing what, but I will log into our WEBUI and try and find the right config for you.

Are the clients using Windows VPN software to connect in?
Just so that I can be looking at the right settings, can you please confirm the following:

1) You want users to use their network authentication (AD) to connect through the WG
2) With this authentication you want them to have access to the internal network and data

Thanks.
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34871022
I have had a thought and we might be overthinking this slightly.

Do your users have accounts setup in AD?

If so, all we need is to make sure that your router is forwarding port 1723 to the external interface of the WG and that there is a firewall policy on the WG for a packet filter for PPTP (1723) configured FROM=ANY TO=NAT x.x.x.x->x.x.x.x (WG external interface IP -> server internal IP).

This will then enable users to use Windows VPN software to connect to your external IP address with their network username and password. Once connected this will act the same as a VPN without the WG in place, so they will have access to company shares and the Exchange server.

Does this sound like what you are wanting?
0
 

Author Comment

by:underIce
ID: 34871222
That's how I'd love to do it actually. It's how I've setup other VPNs into Windows networks.

Let me ask you this, do I need to enable routing and remote access on the Windows 2008 server? Or can they just login against the AD?
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34871861
In order for the VPN to authenticate on the DC it will require the Routing and Remote Access service to be running.

On SBS 2008 there is a separate VPN setting that needs to be set, but you may have already done this.

Open Windows SBS Console. Select NETWORK, Connectivity tab; the 3rd from bottom option is VPN.
If this is OFF then on the right hand panel click 'Configure a Virtual private network' and select 'Allow users to connect to the server using a VPN'.
The wizard will complete and there may be a warning on the Internet Router stage, but you can ignore this as it is just because the server cannot re-configure the router; you don't have to worry about this if you have set port 1723 to forward.
Click finish and Bob's your uncle!!

With this enabled, the only thing to check is in each user's properties, under the Remote Access section, that there is a tick in the box for 'Users can access VPN'.

Let me know how this goes.

PS. Are you OK with adding the packet filter for this in the WG firewall policy as mentioned in the comment above?
0
 

Author Comment

by:underIce
ID: 34873389
My server will only allow that sort of config through the remote access wizard.

Yes, I'm fine with a packet filter.

I'd expect to enable Mobile VPN with PPTP and then add a Mobile VPN policy. When I try to do that I don't seem to be able to add any groups in the Mobile VPN policy properties box. It's blank or read only...not sure which. But I'm stopped there...

I can enable Mobile VPN with PPTP OK so I have write access to the firewall. I'm hoping to get access to a system download manager but we'll see..
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34877931
If you activate the Mobile VPN with PPTP then all you can specify here is the IP address pool and the MTU/MRU settings, and also whether you want to allow weaker encryption.

This is worth doing as you then know that your remote users will be using a specified range of addresses (max of 50 to a pool) and not getting mixed up with local users' IP addresses.
This also helps with the fault finding process if required.

The actual policy itself is controlled through the packet filter you created for PPTP (1723).
If you want to completely lock this policy down, you could create a security group in your AD called PPTPUSERS and add the users that you want to have the access to this group.

Then add an Authorized Users/Groups entry (in the left panel, Authentication -> Users and Groups):
Select Group
NAME = *same as AD name ie PPTPUSERS*
DESCRIPTION = *optional*
AUTH SERVER = Active Directory

Once this has been done, back in your packet filter for PPTP you could remove the FROM=ANY and make it FROM=PPTPUSERS (in the FROM field click ADD and then in the drop down list select the group created).

Is this the sort of security you need for the remote users?
If so give it a try and let me know what happens.
0
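A server-side check that fits the two suggestions above (RRAS must be running, and access should be limited to the AD group): the following PowerShell audit is an added example, not code from the thread or from Watchguard, and it assumes the ActiveDirectory module (RSAT / 2008 R2 or later) and the group name PPTPUSERS used in the thread. It lists accounts whose Dial-in tab grants access but which are not in the group, and group members who would still be refused at the RRAS step.

```powershell
# Added audit example (not from the thread). Assumes the ActiveDirectory
# PowerShell module is installed and that PPTPUSERS is the AD group created
# as described above; run on the DC/RRAS server or a management host.
Import-Module ActiveDirectory

$groupName = 'PPTPUSERS'   # group name from the thread; adjust if yours differs

# 1. Is the Routing and Remote Access service (RemoteAccess) actually running?
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $rras -or $rras.Status -ne 'Running') {
    Write-Warning 'RRAS (RemoteAccess service) is not running; PPTP logons will fail at this server.'
}

# 2. Accounts with 'Allow access' ticked on the Dial-in tab. In AD this is the
#    boolean attribute msNPAllowDialin; accounts left at 'Control access through
#    NPS Network Policy' have the attribute unset and do not match this filter.
$dialinUsers = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' |
    ForEach-Object { $_.SamAccountName }

# 3. Members of the PPTPUSERS group, with nested groups resolved.
$groupMembers = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName }

# 4. Mismatches. PowerShell 2.0-compatible comparisons (no -in/-notin).
$notInGroup = @($dialinUsers  | Where-Object { $groupMembers -notcontains $_ })
$denied     = @($groupMembers | Where-Object { $dialinUsers  -notcontains $_ })

"Dial-in allowed but NOT in ${groupName} (wider access than the packet filter intends):"
$notInGroup | ForEach-Object { "  $_" }
"In ${groupName} but dial-in NOT allowed (will be refused by RRAS):"
$denied | ForEach-Object { "  $_" }
```

Run it again after changing the Dial-in setting or group membership; an empty result under both headings means the firewall group and the RRAS permission agree.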
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34877941
You mentioned that you are hoping to get access to a system download manager?

Do you mean WSM?

If so, tell me what version you need and I will try and get this for you and try to get you access to my FTP to pull it from until you get the details.
0
 

Author Comment

by:underIce
ID: 34880702
Yes, you had mentioned WSM as a much better way to manage the interface. I've tried the WEB UI and it's a little lacking. I'm in the process of trying to get the login info for the site account but they are not sure where it is.

If there's a way to download it from you that'd be great...this is an XTM 23 Watchguard. I'm not sure which version I'm looking for. The latest, I assume, but I don't know what that is.

It'll run on a Windows 2008 file server.

Thanks!
0
 

Author Comment

by:underIce
ID: 34880727
Regarding your instructions above, I'm assuming that if I enable Mobile VPN and configure an address range, and then create a packet filter, those connecting will be able to access network resources (dependent upon an AD login once they are attempting to access a file share).

So the sequence as I understand it is that a user would connect to the PPTP VPN on the firewall and, once authenticated there, would have a PPTP VPN established to the firewall.

Once that occurs, they would have access to network resources as long as they have a valid AD login. They would be prompted with a login box when accessing a share and once logged in they would have access.

So there's 2 authentication steps, one to the Mobile PPTP VPN and one to the AD.

That seems simpler than configuring remote access on the Windows server...but maybe I need to do that as well.

I'm going to try and get hold of WSM and do the config with that....the WEB UI seems a little flaky to me...
0
 
LVL 2

Expert Comment

by:chris_cox11
ID: 34884075
I will sort this out for you ready for Tuesday as I am out of my office for a few days.

In the WebUI it will tell you what version you are running.
I would assume the XTM23 is 11.3.2 or 11.4
0
 

Author Comment

by:underIce
ID: 34892461
Thanks! It's 11.3.2
0
 
LVL 2

Accepted Solution

by:
chris_cox11 earned 500 total points
ID: 34895339
Can you please contact me on chris@alliband.co.uk so that I can send you our FTP details for the software download.

Thanks
0
 

Author Closing Comment

by:underIce
ID: 34913423
Thanks for the great help!
0