Access Microsoft VPN through Watchguard XTM22-W

Posted on 2011-03-13
Last Modified: 2013-11-16
I have a new WatchGuard XTM22-W installed and created a policy to allow TCP 1723 from Any-External to network IP 192.168.16.2/24 (my Microsoft SBS 2003, which is configured to accept VPN sessions from authenticated users). I've tried several different variations of this setup but none will allow a simple VPN connection from an XP workstation located outside the network. Is there a special way to set up something in the WatchGuard VPN section to allow this to happen? I was just planning to bypass WatchGuard's VPN technology by passing 1723 directly to my SBS server.
Question by:Terrymac_Computer_Guy
10 Comments

Expert Comment

by:NarendraG
ID: 35124789
If that XP machine is outside the network (Internet), did you add NAT to forward the VPN traffic to the SBS server?

Author Comment

by:Terrymac_Computer_Guy
ID: 35124871
Looking at the Advanced tab of this policy, in the NAT section 1-to-1 is checked off and Dynamic NAT is also checked, and both are set to Use Network NAT Settings.

Expert Comment

by:RobMobility
ID: 35128365
Hi,

I believe that PPTP uses both port 1723 and GRE - you may need to allow GRE out for tunnel establishment?

Regards,


RobMobility.

Expert Comment

by:RobMobility
ID: 35128428
Hi,

Doesn't the Watchguard XTM22-W support PPTP, IPSEC or SSL VPN connections to itself rather than passing-thru to your SBS box?

Regards,


RobMobility.

Expert Comment

by:RobMobility
ID: 35128448
Hi,

Chapter 21 of the following document describes the configuration for using the inbuilt PPTP VPN:

http://www.watchguard.com/help/docs/webui/11/en-US/v11_3_XTM_Web_UI_UserGuide_(en-US).pdf

Regards,


RobMobility.

Author Comment

by:Terrymac_Computer_Guy
ID: 35143693
Rob,

It does support Mobile VPNs of different flavors. However, I was hoping to just pass the VPN port 1723 through to the SBS server so it can use Active Directory for authentication.

Before XTM, on the previous WatchGuards I just set up a policy to allow 1723 through to the IP address of the SBS server and this worked fine. I've done this in this case and GRE is also allowed, but either it's not letting it through or my SBS server is not answering the requests.

I just did an ISA firewall uninstall off the server before hooking up the WatchGuard. I ran the Connect to Internet wizard because I had to change the two-NIC configuration to a one-NIC one. I then ran the Remote Access wizard after I found I had trouble getting through the VPN, but still the server is not answering VPN requests. All looks fine at the server (no error conditions, and all automatic services are started).

I might have to set up the Mobile VPN on the Firebox if I can't get this to work. Is there a way to use the internal network AD for authentication through the Firebox?

Expert Comment

by:brd24gor
ID: 35199401
I think your best (and safest) bet is to configure a RADIUS server on your SBS box that authenticates to AD. Point your Mobile VPN with IPSec authentication server on the WatchGuard to your RADIUS server. You should never leave an AD server open on any port. Using the WG as a middleman will leave a layer of protection.

Expert Comment

by:dreamer69
ID: 35312890
As said by RobMobility:
You need to pass both the TCP and the GRE protocol.
If you add the predefined PPTP service it will pass both protocols to your SBS server.

Accepted Solution

by:Terrymac_Computer_Guy
ID: 35419938
Found the solution,

The policy maker will allow you to add the predefined PPTP service or any filter and set it from Any or Any-External to your internal IP address. This is what I did, but traffic was getting denied.

The correct way to get it to work is to set Any in the [From] field and, in the [To] field, create an SNAT (static NAT) going from Any-External to your internal IP.
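A way to check from the outside that the SNAT policy in the accepted solution actually delivers TCP 1723 to the SBS box, and that RRAS answers, is to speak the first step of the PPTP control protocol (RFC 2637) to the firewall's external address. The script below is an added example for this thread, not code from WatchGuard, Microsoft or any poster; it assumes you pass the Firebox's external IP as the first argument, and the `SAMPLE_SCCRP` bytes are constructed for the offline self-check, not a capture from the poster's server. It covers the TCP side of the point RobMobility and dreamer69 raised: GRE (IP protocol 47) is a separate IP protocol that this probe cannot exercise, so a successful reply here only proves the control channel, not the data tunnel.

```python
"""PPTP control-channel probe (RFC 2637) for checking a TCP 1723 forward.

Added example, not from the thread. Sends a Start-Control-Connection-Request
(SCCRQ) to the given host and reports whether a PPTP server behind the
firewall answers with a Start-Control-Connection-Reply (SCCRP).
It does NOT test GRE (IP protocol 47), which the data tunnel also needs.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ, SCCRP = 1, 2         # control message types
PROTOCOL_VERSION = 0x0100
FRAMING_ASYNC_SYNC = 0x3    # asynchronous + synchronous framing supported
BEARER_ANALOG_DIGITAL = 0x3  # analog + digital access supported

# Length(2) Type(2) Cookie(4) CtrlType(2) Reserved0(2) Version(2) Reserved1(2)
# Framing(4) Bearer(4) MaxChannels(2) Firmware(2) Host(64) Vendor(64) = 156 bytes
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"
# SCCRP has the same layout but Reserved1 becomes Result(1) Error(1)
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"
CTRL_LEN = struct.calcsize(SCCRQ_FMT)
assert CTRL_LEN == 156 == struct.calcsize(SCCRP_FMT)


def build_sccrq(hostname=b"probe", vendor=b"example-probe"):
    """Return the 156-byte Start-Control-Connection-Request."""
    return struct.pack(SCCRQ_FMT, CTRL_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0,
                       PROTOCOL_VERSION, 0, FRAMING_ASYNC_SYNC,
                       BEARER_ANALOG_DIGITAL, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply; raise ValueError if it is not one."""
    if len(data) < CTRL_LEN:
        raise ValueError("short reply (%d bytes)" % len(data))
    (_length, msg_type, cookie, ctrl_type, _res, version, result, error,
     _framing, _bearer, max_chan, _firmware, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:CTRL_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {
        "ok": result == 1,  # result code 1 = successful channel establishment
        "result": result,
        "error": error,
        "version": version,
        "max_channels": max_chan,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host, port=PPTP_PORT, timeout=5.0):
    """Open TCP 1723 to host, send an SCCRQ and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < CTRL_LEN:
            chunk = s.recv(CTRL_LEN - len(data))
            if not chunk:
                raise ValueError("peer closed the control connection")
            data += chunk
    return parse_sccrp(data)


# Constructed reply for the offline self-check (assumed values, not a capture
# from the thread's SBS server): result 1, one channel, vendor "Microsoft".
SAMPLE_SCCRP = struct.pack(SCCRP_FMT, CTRL_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0,
                           PROTOCOL_VERSION, 1, 0, FRAMING_ASYNC_SYNC,
                           BEARER_ANALOG_DIGITAL, 1, 0,
                           b"sbs".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("offline self-check:", parse_sccrp(SAMPLE_SCCRP))
    else:
        target = sys.argv[1]
        try:
            print("SCCRP from %s: %s" % (target, probe(target)))
        except (OSError, ValueError) as exc:
            print("TCP 1723 to %s is not reaching a PPTP server: %s" % (target, exc))
```

Run it from a host outside the firewall against the external IP. A connection refused or timeout means the policy or SNAT is still not delivering 1723 to the server; a reply with `ok: True` means the control channel works, and if the client then hangs at "Verifying username and password" the remaining suspect is GRE, which you confirm with a packet capture on the server (does IP protocol 47 arrive?) and the Firebox traffic monitor (is protocol 47 being denied?).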

Author Closing Comment

by:Terrymac_Computer_Guy
ID: 35452343
This worked for me