• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2410

Access Microsoft VPN through Watchguard XTM22-W

I have a new Watchguard XTM22-W installed and created a policy to allow TCP 1723 from any-external to network IP 192.168.16.2/24 (my Microsoft SBS 2003, which is configured to accept VPN sessions by authenticated users). I've tried several different variations of this setup, but none will allow a simple VPN connection from an XP workstation located outside the network. Is there a special way to set up something in the Watchguard VPN section to allow this to happen? I was just planning to bypass Watchguard's VPN technology by setting the 1723 direct to my SBS server.
0
Asked by: Terrymac_Computer_Guy
1 Solution
 
NarendraG commented:
If that XP machine is outside the network (on the internet), did you add a NAT to forward VPN traffic to the SBS server?
0
 
Terrymac_Computer_Guy (Author) commented:
Looking at the Advanced tab of this policy, in the NAT section 1-to-1 is checked off and Dynamic NAT is also checked; both are set to Use Network NAT Settings.
0
 
Rob Knight (Consultant) commented:
Hi,

I believe that PPTP uses both port 1723 and GRE; you may need to allow GRE through for tunnel establishment?

Regards,


RobMobility.
0
 
Rob Knight (Consultant) commented:
Hi,

Doesn't the Watchguard XTM22-W support PPTP, IPsec or SSL VPN connections to itself rather than passing through to your SBS box?

Regards,


RobMobility.
0
 
Rob Knight (Consultant) commented:
Hi,

Chapter 21 of the following document describes the configuration for using the inbuilt PPTP VPN:

http://www.watchguard.com/help/docs/webui/11/en-US/v11_3_XTM_Web_UI_UserGuide_(en-US).pdf

Regards,


RobMobility.
0
 
Terrymac_Computer_Guy (Author) commented:
Rob,

It does support Mobile VPNs of different flavors. However, I was hoping to just pass the VPN 1723 through to the SBS server to use Active Directory for authentication.

Before XTM, in the previous Watchguards I just set up a policy to allow 1723 through to the IP address of the SBS server and this worked fine. I've done this in this case and GRE is also allowed, but it's either not letting it through or my SBS server is not answering the requests.

Just did an ISA firewall uninstall off the server before hooking up the Watchguard. I ran the Connect to Internet wizard because I had to change the two-NIC configuration to a one-NIC. I then ran the Remote Access wizard after I found I had trouble getting through the VPN, but still the server is not answering VPN requests. All looks fine at the server (no error conditions and all automatic services are started).

I might have to set up the Mobile VPN on the Firebox if I can't get this to work. Is there a way to use the internal network AD for authentication through the Firebox?
0
 
brd24gor commented:
I think your best (and safest) bet is to configure a RADIUS server on your SBS box that authenticates to AD. Point your Mobile IPSec authentication server on the WatchGuard to your RADIUS server. You should never leave an AD server open to any port. Using the WG as a middleman will leave a layer of protection.
0
 
dreamer69 commented:
As said by RobMobility:
You need to pass both the TCP and GRE protocols.
If you add the predefined PPTP service, it will pass both protocols to your SBS server.
0
 
Terrymac_Computer_Guy (Author) commented:
Found the solution.

The Policy Manager will allow you to add the predefined PPTP service or any filter and set it from any or any-external to your internal IP address. This is what I did, but traffic was getting denied.

The correct way to get it to work is to set (any) in the [From] and in the [To] create an SNAT (static NAT) going from any-external to your internal IP.
0
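The accepted fix (From: any, To: an SNAT entry, with the predefined PPTP service passing both TCP 1723 and GRE), as an added Python model of how an inbound policy matches. This is example code, not WatchGuard's own logic; the Firebox external address, the client address and the simplified match rules are assumptions, and 192.168.16.2 is the SBS address from the question.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SBS_IP = "192.168.16.2"        # internal SBS address from the question
EXTERNAL_IP = "203.0.113.10"   # assumed Firebox external address (documentation range)
WILDCARDS = {"any", "any-external"}   # From-field aliases that match every Internet source

# Predefined PPTP service: TCP 1723 plus GRE (IP protocol 47, which has no port)
PPTP_SERVICE = {("tcp", 1723), ("gre", None)}

@dataclass
class Packet:
    proto: str
    dport: Optional[int]
    src: str
    dst: str   # address the packet carries when it reaches the Firebox

@dataclass
class Policy:
    service: set
    frm: str                              # From field
    to: str                               # To field: an address, or "snat"
    snat: Optional[Dict[str, str]] = None # SNAT entry {external: internal}

def evaluate(policy: Policy, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return ("allow", delivered_to) or ("deny", None) for one packet."""
    if (pkt.proto, pkt.dport) not in policy.service:
        return ("deny", None)
    if policy.frm not in WILDCARDS and policy.frm != pkt.src:
        return ("deny", None)
    if policy.snat is not None:
        # SNAT: match on the external address the client sent to, then translate
        internal = policy.snat.get(pkt.dst)
        return ("allow", internal) if internal else ("deny", None)
    # Plain To address: the packet must already be addressed to it. Traffic from
    # the Internet is addressed to the external interface, so an internal To never matches.
    if policy.to == "any" or policy.to == pkt.dst:
        return ("allow", pkt.dst)
    return ("deny", None)

def pptp_reaches_sbs(policy: Policy) -> bool:
    """True only if both halves of a PPTP session are delivered to the SBS host."""
    client = "198.51.100.7"   # constructed remote XP client address
    pkts = [Packet("tcp", 1723, client, EXTERNAL_IP), Packet("gre", None, client, EXTERNAL_IP)]
    return all(evaluate(policy, p) == ("allow", SBS_IP) for p in pkts)

# The asker's first attempt: To = internal address, no SNAT (traffic denied)
BROKEN = Policy(PPTP_SERVICE, "any-external", SBS_IP)
# The working policy from the accepted answer: From any, To = SNAT external -> internal
FIXED = Policy(PPTP_SERVICE, "any", "snat", {EXTERNAL_IP: SBS_IP})
```

A policy that carries only TCP 1723 in its service, without GRE, also fails this check, which is the point Rob and dreamer69 made above.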
 
Terrymac_Computer_Guy (Author) commented:
This worked for me.
0
Question has a verified solution.