Bypassing Content Policies during VPN Session

We have two locations with SonicWALL TZ170-series firewalls (“HQ” & “Remote Office”). Both are running CGSS (Comprehensive Gateway Security Suite) which have CFS (Content Filtering Services) filtering content and websites.

The issue is that when we VPN into the HQ network, the HQ CFS policy is being applied to our browsing sessions, which is prohibiting us from going to the sites we need to because they have a different (more strict) policy than we do. I can put my IP in the Exclusion List, but once logged into the VPN, the server (SBS 2k3) in HQ is running DHCP so it just randomly issues me one. Next time I VPN in I will probably be issued a different internal IP.

The HQ has a static external IP. All of the PCs & server have static internal IPs. The Remote Office has dynamic DNS in place.

Are there some rules I can set in the server and/or SonicWALL so that when I log into their network it recognizes us via dynamic DNS and issues us a specific IP or issues a specific pool of IPs to us? That way I can simply put that specific IP or the specific pool of IPs into the Exclusion List and thereby keep our (the Remote Office) CFS policy the entire session.

Thanks!
Blue Street Tech (Last Knight) asked:

digitap commented:
You could have the SonicWALL issue you the IP address rather than having an internal DHCP server. Also, if you get the MAC of the GVC, you can create a DHCP reservation for your laptop.

I wrote an EE article on setting up the SonicWALL to assign IPs to GVC hosts.

http://www.experts-exchange.com/viewArticle.jsp?articleID=4160
0
Blue Street Tech (Last Knight), Author, commented:
@digitap: Thanks for your reply. Your article looks great! The only issue here is that they are using Windows for VPN and GVC cannot be used because one end-user uses a Mac to gain VPN access and GVC does not support Mac. It's a TZ170 so there is no SSL-VPN functionality either.

Do you know of a way to do this using Windows VPN?

Also, your article predominantly deals with WLAN. I would assume for desktops I would perform the same steps but using LAN instead of WLAN, correct?
0
Blue Street Tech (Last Knight), Author, commented:
Because they are using DHCP along with AD, it's all running on the server rather than DHCP on the SW. SW is handling DHCP for all WLAN traffic though.
0

digitap commented:
OK... thanks for the extra information. Most times, not all, the WLAN zone is already in use, so I use it to allow GVC hosts to get an IP from the SonicWALL. If the WLAN zone isn't set up, a new zone using any name desired could be utilized.

Have you looked at using L2TP on the SonicWALL to allow VPN connectivity? You could still use the Windows VPN client and the Macs can utilize L2TP. See the article below.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3544

Otherwise, I think you can make DHCP reservations for the MAC address of the VPN client created on the Windows machine. The only problem is I don't know how to do that. What is the OS of the Windows server performing the VPN function?
0
Blue Street Tech (Last Knight), Author, commented:
Their WLAN is in use and its DHCP is handled by SonicWALL. We connect to their network on laptops (occasionally) and workstations (predominantly).

The server OS is SBS 2k3.
0
Blue Street Tech (Last Knight), Author, commented:
I forgot to mention their SonicWALL OS is Standard and ours is Enhanced.

So if I understand the L2TP document right, it is saying that we would set up the VPN control on the SonicWALL, thereby allowing GVC to connect, and with the configuration of L2TP that will allow the Mac or Windows clients to connect. Am I correct?
0
digitap commented:
L2TP for Standard isn't available.

When you enable L2TP on the SonicWALL, you don't need to use the GVC. You can continue to use the Windows VPN client. Essentially, L2TP is a GVC-less function of the SonicWALL.

Regarding the MAC address question, I tried getting the MAC address from a session set up on my Windows XP tablet, but could not figure out what it was. I'm guessing that within the SBS settings there are some options for statically assigning IPs to hosts based on user login.

Now that I think through the L2TP setup, you have to specify the IP address range that you want L2TP to use for L2TP clients. Whichever range you use, you could add this range to the exclusion for CFS.
0
Blue Street Tech (Last Knight), Author, commented:
Shoot then it sounds like we are up a creek with no paddle, since the HQ firewall is standard OS and thus does not support L2TP.
0
digitap commented:
Not necessarily. I have a number of TZ170 Standard OS SonicWALL appliances in the field. I'm going to confirm tomorrow if they have L2TP functionality. I'll let you know on that.

Also, another ray of hope: I've placed an inquiry with my associate who has way more SBS knowledge than I have. I think this will be the ideal solution for you: set DHCP reservations at the SBS VPN server and use those reservations in your exclusions.
0
digitap commented:
OK... done some digging and come up with a couple of possible options.

See how this works for you. If you look in AD Users and Computers, look at the properties for the particular user's account and navigate to the Dial-in tab; you will find the facility to assign a static IP address here. Remember to exclude these static IP addresses from your DHCP scope.

You'd then add that static IP to the exclusion within CFS.
0
Rob Williams commented:
Unfortunately the Static IP option on the dial-up tab doesn't work as one would expect. Assigning a static IP to a VPN client unfortunately is not as straight forward as one would like with Windows. Please see my blog:
http://msmvps.com/blogs/robwill/archive/2009/11/15/static-ip-for-windows-vpn-client.aspx
0
digitap commented:
So, you'd have to create a policy per static IP that you wanted to assign? Am I reading that properly?
0
Rob Williams commented:
Yes, it is really not practical at all, especially if you have a lot of users. In reality Windows does not have a native way of doing so. That is pretty much a workaround, but it does work.
0
digitap commented:
@RobWill :: Bummer. Well, you've certainly confirmed what I'd originally thought based on what I saw on the internet. Thanks...

@diverseit :: I was wrong about the Standard OS. You do have the option for L2TP; I just checked with one of my 170 Standard SW appliances. So, with the information that RobWill provided, it seems your best option is to move the VPN services to the SonicWALL. In order to maintain compatibility with the Macs and not really change anything with the VPN clients, I'd recommend you give the L2TP option on the SonicWALL a try. Thoughts?
0
Blue Street Tech (Last Knight), Author, commented:
@RobWill: Thanks for your clarification. I was unable to view your comments until today, my apologies.

@digitap: Are there security issues with L2TP, or is it less secure in any way? I will try this later today and post my results. Thank you again for your input! I was unable to view your comments until today, my apologies.
0
digitap commented:
L2TP is a tunneling protocol for VPN connectivity and does not provide any encryption. The WAN GroupVPN is what provides that. The instructions I provided above will walk you through the whole process.
0
Blue Street Tech (Last Knight), Author, commented:
Thanks! I will do this later today.
0
m-bates commented:
If you're authenticating to the SonicWALL, just add your user to the "content filter bypass" user group.
0
Blue Street Tech (Last Knight), Author, commented:
@digitap & @RobWill: I humbly apologize for the delay... I've been buried in work w/a new project. :(

In this article (https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3544) it talks about items that are not present in Standard OS, e.g. (in the first step... Address Objects). I searched the web and SW KB but could not find any step-by-step article dealing with Standard OS. Can you advise me? Thanks!

@m-bates: Are you talking about users or IP addresses? We are not authenticating on a per-user basis.
0
Rob Williams commented:
Sorry diverseit, I am not at all familiar with SonicWALL router configs. Perhaps digitap can assist there.
--Rob
0
digitap commented:
I believe you need the Enhanced OS to customize as the article says. You could simply disable the CFS security service for the VPN zone. Also, why are you needing to access the Internet via the VPN session? Why aren't you able to access the Internet via your local connection instead?
0
Blue Street Tech (Last Knight), Author, commented:
It is not justified to purchase OS Enhanced for the reasons we need, unfortunately - not my call. That's a good idea to disable CFS on the VPN zone.
When I connect to the VPN and go to xyz site, their CFS policy kicks in and blocks me. When I close the VPN session I can access xyz site. I don't really understand why this is. Is there something I am missing in the setup?

I will try to disable CFS on VPN; not sure I can, as I recall I can only enable WAN, WLAN, and LAN on OS STD.
0
Blue Street Tech (Last Knight), Author, commented:
@RobWill: Thanks for your input on the SBS VPN session info though...much appreciated!
0
digitap commented:
They must have tunnel all enabled, forcing all your traffic over the VPN. If that were the case, then you should not be able to get to local resources. With the VPN enabled, go to the command line and run ipconfig /all. If tunnel all is enabled, then the GVC NIC will have a gateway specified.
0
Blue Street Tech (Last Knight), Author, commented:
I have both local & their resources available. The PPP adapter shows 0.0.0.0 as the gateway & my NIC shows our FW as gateway (194.168.145.1) w/NetBIOS over TCP/IP enabled.
0
digitap commented:
Sorry. I keep thinking you are using the GVC, but you're not. You're using the Windows VPN client.
0
Blue Street Tech (Last Knight), Author, commented:
I was correct earlier: Standard only allows you to enable on LAN and WLAN. There are no Zones either. :(
0
Blue Street Tech (Last Knight), Author, commented:
@digitap: So is there no clean way around this?
0
digitap commented:
So, if you go to the TCP/IP settings of the Windows VPN connection and click Advanced, is the box under the General tab checked ("Use default gateway on remote network")?
0
Blue Street Tech (Last Knight), Author, commented:
Yes it is checked.
0
digitap commented:
That check box means that when your vpn is selected, traffic will be routed out that vpn connection. Remove that check box, establish a vpn and test your local resource access.
0
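The check and the fix digitap describes (gateway on the PPP adapter, then unticking "Use default gateway on remote network"), as an added PowerShell example that is not part of the thread. It assumes a Windows client with the VpnClient and NetTCPIP modules (Windows 8.1 / Server 2012 R2 or later, not the XP-era client discussed above) and uses the placeholder connection name "HQ VPN".

```powershell
# Added example, not from the thread. Assumes Windows 8.1+/Server 2012 R2+
# PowerShell modules VpnClient and NetTCPIP; "HQ VPN" is a placeholder name.
$VpnName = 'HQ VPN'

function Get-VpnGatewayMode {
    param([string]$Name)
    $conn = Get-VpnConnection -Name $Name -ErrorAction Stop
    # SplitTunneling = $false is the same as the box being checked: every
    # packet, web browsing included, leaves through the HQ firewall and is
    # subject to HQ's CFS policy rather than the Remote Office policy.
    if ($conn.SplitTunneling) { 'split-tunnel (only remote subnets via VPN)' }
    else { 'full-tunnel (default gateway on remote network)' }
}

function Get-DefaultRoutes {
    # PowerShell equivalent of reading the gateway line from ipconfig /all:
    # a 0.0.0.0/0 route whose InterfaceAlias is the VPN/PPP adapter means the
    # tunnel is currently acting as the default gateway.
    Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric
}

Write-Host "Before: $(Get-VpnGatewayMode -Name $VpnName)"
Get-DefaultRoutes | Format-Table -AutoSize

# Uncheck "Use default gateway on remote network": only traffic for HQ's
# subnets goes through the tunnel; Internet browsing stays on the local
# firewall, so the Remote Office CFS policy applies for the whole session.
Set-VpnConnection -Name $VpnName -SplitTunneling $true -PassThru |
    Select-Object Name, SplitTunneling

Write-Host "After reconnect: $(Get-VpnGatewayMode -Name $VpnName)"
```

The change takes effect on the next dial, so disconnect and reconnect before re-running Get-DefaultRoutes to confirm the PPP adapter no longer carries a 0.0.0.0/0 route. With split tunneling on, HQ's firewall no longer inspects the remote client's Internet traffic, so the Remote Office firewall and its CFS policy become the only control on that browsing.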
digitap commented:
Also check that you have access to the VPN. I'm sure you will, but should test just the same.
0
Blue Street Tech (Last Knight), Author, commented:
@digitap: Brilliant. It worked! Such a wonderfully simple solution! Many thanks.
0
digitap commented:
I don't know why it didn't click at first. Sorry for the delay. Thanks for the points!
0
Blue Street Tech (Last Knight), Author, commented:
No problem... just glad you thought of it. Thanks again.
0