Solved

Access Microsoft VPN through Watchguard XTM22-W

Posted on 2011-03-13
10
2,153 Views
Last Modified: 2013-11-16
I have a new Watchguard XTM22-W installed and created a policy to allow tcp 1723 from any-external to network ip 192.168.16.2/24 (my Microsoft SBS 2003, which is configured to accept VPN sessions by authenticated users). I've tried several different variations of this setup, but none will allow a simple VPN connection from an XP workstation located outside the network. Is there a special way to set up something in the Watchguard VPN section to allow this to happen? I was just planning to bypass Watchguard's VPN technology by setting the 1723 direct to my SBS server.
0
Question by:Terrymac_Computer_Guy
10 Comments
 
LVL 13

Expert Comment

by:NarendraG
ID: 35124789
If that XP machine is in the outside network (internet), did you add NAT to forward VPN traffic to the SBS server?
0
 

Author Comment

by:Terrymac_Computer_Guy
ID: 35124871
Looking at the Advanced tab of this policy, in the NAT section, 1 to 1 is checked off
and Dynamic NAT is also checked; both are set to Use Network NAT Settings.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35128365
Hi,

I believe that PPTP uses both port 1723 and GRE - you may need to allow GRE out for tunnel establishment?

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35128428
Hi,

Doesn't the Watchguard XTM22-W support PPTP, IPSEC or SSL VPN connections to itself rather than passing through to your SBS box?

Regards,


RobMobility.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 35128448
Hi,

Chapter 21 of the following document describes the configuration for using the inbuilt PPTP VPN:

http://www.watchguard.com/help/docs/webui/11/en-US/v11_3_XTM_Web_UI_UserGuide_(en-US).pdf

Regards,


RobMobility.
0

Author Comment

by:Terrymac_Computer_Guy
ID: 35143693
Rob,

It does support Mobile VPNs of different flavors. However, I was hoping to just pass the VPN 1723 through to the SBS server to use Active Directory for authentication.

Before XTM, in the previous Watchguards, I just set up a policy to allow 1723 through to the IP address of the SBS server and this worked fine. I've done this in this case and GRE is also allowed, but it's either not letting it through or my SBS server is not answering the requests.

Just did an ISA firewall uninstall off the server before hooking up the Watchguard. I ran the Connect to Internet wizard because I had to change the two-NIC configuration to a one-NIC one. I then ran the Remote Access wizard after I found I had trouble getting through the VPN, but still the server is not answering VPN requests. All looks fine at the server (no error conditions and all automatic services are started).

I might have to setup the Mobile VPN on the Firebox if I can't get this to work. Is there a way to use the internal network AD for authentication through the Firebox?
0
 
LVL 3

Expert Comment

by:brd24gor
ID: 35199401
I think your best (and safest) bet is to configure a RADIUS server on your SBS box that authenticates to AD. Point your Mobile IPSec authentication server on the WatchGuard to your RADIUS server. You should never leave an AD server open to any port. Using the WG as a middleman will leave a layer of protection.
0
 

Expert Comment

by:dreamer69
ID: 35312890
As said by RobMobility:
You need to pass both the TCP and GRE protocol.
If you add the predefined PPTP service it will pass both protocols to your SBS server.
0
 

Accepted Solution

by:
Terrymac_Computer_Guy earned 0 total points
ID: 35419938
Found the solution,

The policy maker will allow you to add the predefined PPTP service or any filter and set it from any or any-external to your internal IP address. This is what I did, but traffic was getting denied.

The correct way to get it to work is to set (any) in the [From] and in the [To] create an SNAT (static NAT) going from any external to your internal IP.
0
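The two points made in this thread (PPTP needs TCP 1723 plus GRE, and inbound traffic only reaches the SBS box when the policy's To field is an SNAT entry rather than the bare internal address) can be checked against a small policy model. This is an added example written for this page, not WatchGuard code; the Firebox external address and the client address are constructed, and the internal address is the one from the question.

```python
# Added example: a toy model of the Firebox policy behaviour discussed above.
# Not WatchGuard code; the public addresses below are constructed for illustration.
TCP, GRE = 6, 47                        # IP protocol numbers; PPTP needs TCP/1723 plus GRE
FIREBOX_EXTERNAL_IP = "203.0.113.10"    # constructed public address of the Firebox
SBS_INTERNAL_IP = "192.168.16.2"        # internal SBS server from the question

# A service is a list of (protocol, destination port); GRE has no ports, so None.
TCP_1723_ONLY = [(TCP, 1723)]
PPTP_SERVICE = [(TCP, 1723), (GRE, None)]   # what the predefined PPTP service covers

def service_matches(pkt, service):
    return any(pkt["proto"] == proto and (port is None or pkt.get("dport") == port)
               for proto, port in service)

def evaluate(policy, pkt):
    """Return (allowed, delivered_to) for one inbound packet.

    policy["to"] is either a plain address or ("snat", external_ip, internal_ip).
    Traffic from the Internet arrives addressed to the Firebox's external IP, so a
    policy whose To field is the private address never matches. An SNAT entry
    matches the external address and rewrites the destination to the internal host.
    """
    if not service_matches(pkt, policy["service"]):
        return False, None
    if policy["from"] != "any" and pkt["src"] not in policy["from"]:
        return False, None
    to = policy["to"]
    if isinstance(to, tuple) and to[0] == "snat":
        return (True, to[2]) if pkt["dst"] == to[1] else (False, None)
    return (True, to) if pkt["dst"] == to else (False, None)

def inbound(proto, dport=None):
    """Constructed packet from an XP client on the Internet to the Firebox."""
    return {"src": "198.51.100.7", "dst": FIREBOX_EXTERNAL_IP, "proto": proto, "dport": dport}

# 1) first attempt: TCP 1723 only, To = internal IP -> denied, and GRE would be dropped anyway
first_try = {"from": "any", "to": SBS_INTERNAL_IP, "service": TCP_1723_ONLY}
# 2) PPTP service but still To = internal IP -> still denied (what the asker saw)
pptp_no_snat = {"from": "any", "to": SBS_INTERNAL_IP, "service": PPTP_SERVICE}
# 3) accepted solution: predefined PPTP service with an SNAT entry in the To field
fixed = {"from": "any", "to": ("snat", FIREBOX_EXTERNAL_IP, SBS_INTERNAL_IP), "service": PPTP_SERVICE}

if __name__ == "__main__":
    for name, pol in (("first_try", first_try), ("pptp_no_snat", pptp_no_snat), ("fixed", fixed)):
        for pkt in (inbound(TCP, 1723), inbound(GRE)):
            print(name, "proto", pkt["proto"], "->", evaluate(pol, pkt))
```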
 

Author Closing Comment

by:Terrymac_Computer_Guy
ID: 35452343
This worked for me
0