Solved

Access Microsoft VPN through Watchguard XTM22-W

Posted on 2011-03-13
2,320 Views
Last Modified: 2013-11-16
I have a new Watchguard XTM22-W installed and created a policy to allow TCP 1723 from any-external to network IP 192.168.16.2/24 (my Microsoft SBS 2003, which is configured to accept VPN sessions by authenticated users). I've tried several different variations of this setup but none will allow a simple VPN connection from an XP workstation located outside the network. Is there a special way to set up something in the Watchguard VPN section to allow this to happen? I was just planning to bypass Watchguard's VPN technology by setting the 1723 direct to my SBS server.
0
Question by:Terrymac_Computer_Guy
10 Comments
 
LVL 13

Expert Comment

by:NarendraG
ID: 35124789
If that XP machine is outside the network (internet), did you add a NAT to forward VPN traffic to the SBS server?
0
 

Author Comment

by:Terrymac_Computer_Guy
ID: 35124871
Looking at the advanced tab of this policy, in the NAT section 1-to-1 is checked off and Dynamic NAT is also checked, and both are set to Use Network NAT Settings.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35128365
Hi,

I believe that PPTP uses both port 1723 and GRE - you may need to allow GRE out for tunnel establishment?

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35128428
Hi,

Doesn't the Watchguard XTM22-W support PPTP, IPSEC or SSL VPN connections to itself rather than passing-thru to your SBS box?

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35128448
Hi,

Chapter 21 of the following document describes the configuration for using the inbuilt PPTP VPN:

http://www.watchguard.com/help/docs/webui/11/en-US/v11_3_XTM_Web_UI_UserGuide_(en-US).pdf

Regards,


RobMobility.
0
 

Author Comment

by:Terrymac_Computer_Guy
ID: 35143693
Rob,

It does support Mobile VPNs of different flavors. However, I was hoping to just pass the VPN 1723 through to the SBS server to use Active Directory for authentication.

Before XTM, in the previous Watchguards I just set up a policy to allow 1723 through to the IP address of the SBS server and this worked fine. I've done this in this case and GRE is also allowed, but it's either not letting it through or my SBS server is not answering the requests.

Just did an ISA firewall uninstall off the server before hooking up the Watchguard. I ran the Connect to Internet wizard because I had to change the two-NIC configuration to a one-NIC one. I then ran the Remote Access wizard after I found I had trouble getting through the VPN, but still the server is not answering VPN requests. All looks fine at the server (no error conditions and all automatic services are started).

I might have to setup the Mobile VPN on the Firebox if I can't get this to work. Is there a way to use the internal network AD for authentication through the Firebox?
0
 
LVL 3

Expert Comment

by:brd24gor
ID: 35199401
I think your best (and safest) bet is to configure a RADIUS server on your SBS box that authenticates to AD. Point your Mobile IPSec authentication server on the WatchGuard to your RADIUS server. You should never leave an AD server open to any port. Using the WG as a middle man will leave a layer of protection.
0
 

Expert Comment

by:dreamer69
ID: 35312890
As said by RobMobility:
You need to pass both the TCP and GRE protocols.
If you add the predefined PPTP service it will pass both protocols to your SBS server.
0
 

Accepted Solution

by:
Terrymac_Computer_Guy earned 0 total points
ID: 35419938
Found the solution,

The policy maker will allow you to add the predefined PPTP service or any filter and set it from any or any-external to your internal IP address. This is what I did, but traffic was getting denied.

The correct way to get it to work is to set (any) in the [From] and in the [To] create an SNAT (static NAT) going from any external to your internal IP.
0
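A small model of why the accepted solution works, added here as an illustration and not taken from the thread or from WatchGuard's own code: an inbound PPTP packet arrives addressed to the firewall's public IP, so a policy whose [To] is the internal address never matches, whereas an SNAT entry matches the external IP and rewrites the destination to the SBS host; the model also shows that a policy carrying only TCP/1723 drops the GRE half of PPTP. The public IP 203.0.113.10, the client address 198.51.100.7 and the rule format are constructed assumptions.

```python
# Added example: a simplified model of inbound policy matching with and without
# SNAT for the PPTP service (TCP/1723 plus GRE, IP protocol 47). This is a
# hypothetical model of the behaviour discussed, not the XTM's real rule engine.
from dataclasses import dataclass
from typing import Optional, Tuple

FIREWALL_PUBLIC_IP = "203.0.113.10"   # constructed (documentation range)
SBS_INTERNAL_IP = "192.168.16.2"      # the SBS address from the question

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "gre"
    dport: Optional[int]  # TCP destination port; None for GRE

@dataclass
class Policy:
    name: str
    services: set                       # {(proto, port), ...}
    to: str                             # literal [To] target
    snat: Optional[Tuple[str, str]]     # (external_ip, internal_ip) or None

def evaluate(policy: Policy, pkt: Packet):
    """Return (allowed, final_destination) for one packet on the external side.
    The [To] field is compared with the packet's destination as it arrives; an
    SNAT entry matches on the external IP and rewrites it to the internal host."""
    if (pkt.proto, pkt.dport) not in policy.services:
        return False, pkt.dst                   # service not in the policy
    if policy.snat:
        ext_ip, int_ip = policy.snat
        return (True, int_ip) if pkt.dst == ext_ip else (False, pkt.dst)
    return pkt.dst == policy.to, pkt.dst        # no translation performed

PPTP = {("tcp", 1723), ("gre", None)}
# First attempt in the thread: [To] set straight to the internal address.
broken = Policy("PPTP-direct", PPTP, to=SBS_INTERNAL_IP, snat=None)
# Accepted solution: [To] is an SNAT from the external IP to the internal IP.
fixed = Policy("PPTP-snat", PPTP, to=FIREWALL_PUBLIC_IP,
               snat=(FIREWALL_PUBLIC_IP, SBS_INTERNAL_IP))
# Same SNAT but only TCP/1723 allowed, i.e. GRE forgotten.
tcp_only = Policy("PPTP-no-gre", {("tcp", 1723)}, to=FIREWALL_PUBLIC_IP,
                  snat=(FIREWALL_PUBLIC_IP, SBS_INTERNAL_IP))
# Constructed packets from the outside XP client; both target the public IP.
tcp_syn = Packet("198.51.100.7", FIREWALL_PUBLIC_IP, "tcp", 1723)
gre_pkt = Packet("198.51.100.7", FIREWALL_PUBLIC_IP, "gre", None)

if __name__ == "__main__":
    for pol in (broken, fixed, tcp_only):
        for p in (tcp_syn, gre_pkt):
            print(pol.name, p.proto, evaluate(pol, p))
```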
 

Author Closing Comment

by:Terrymac_Computer_Guy
ID: 35452343
This worked for me
0
