• Status: Solved

Allowing ActiveX control through Watchguard Firewall

We are currently running a Watchguard 750e in-house for our main router/firewall.  As this is a new company, this network appliance is just providing basic functionality.........we do not have all of the extras of the UTM bundle.
We have also installed a very basic (cheap) 8 camera security system bundle with the DVR, etc.  This security system seems to be working fine when viewing it within our network.  We were approached by management, and they would like to be able to view the security cameras remotely over the internet.  That didn't seem like much of a problem.........since the DVR uses, by default, port 80.........and all I had to do was configure the HTTP Proxy on the Watchguard to redirect to the static internal IP of the DVR.
Everything seems to be working perfectly on this setup.  Anywhere there is internet available.........management can now type in our public static IP address, and it automatically redirects them to the login page of the DVR.

So far, so good.  Now the problem:
To view the live streaming footage of the cameras.............the DVR automatically downloads an ActiveX control the first time you log in to the system.  This ActiveX control is called "AMCCtrl Class", and the publisher is AVTECH.  This is no problem internally...........because the browser automatically prompts to download the ActiveX control.
However...........when I try to do this external to the company..........I can get to the login page, but the browser never prompts me for this ActiveX control.  Where the live camera footage should be, there is just a red X.  I know that the ActiveX control is what is causing this...........but I do not know how to allow the control through.  I have tried changing some of the settings of the browser, but all to no avail.  I really believe the Watchguard box is blocking this from coming through.  Any ideas on how to pass this control through, and allow the DVR to be able to be viewed remotely?
Thank you for any assistance.
Asked by dgreer1201
2 Solutions
 
BrianCommented:
You need to edit your HTTP Proxy. Edit the proxy and go to Setup > Actions > Content Type. There you can add the specific type (see the link below) or set it to allow known and unknown file types.

For most offices, I have found that allowing all works. It is not as secure, but locking down the network by file type causes more headaches than it is worth for most of my clients that do not need high level security.

Link to an article about the filtering you are running into: http://www.watchguard.com/infocenter/editorial/38596.asp
 
dgreer1201Author Commented:
Thanks for the reply washburnma.
That corrected my problem partially.  It allowed me to download the ActiveX control.  However........now when logging in, it sits and spins a few seconds, then throws up an error message........"unknown error"
I don't know if the problem is on the Watchguard end...........or on the security system DVR end.
 
BrianCommented:
I'm guessing it is a WatchGuard setting. Log in to your WatchGuard and take a look at the Log while you try to connect. You should see something getting blocked is my guess. Does the DVR system specify any ports it wants open?
 
dgreer1201Author Commented:
I have not setup any of our servers to be a logging server.  So unless the Watchguard keeps an internal log somewhere, I don't know where to see this information.
The DVR does not specify any particular ports that it wants open.............it just has the default port 80 for web administration.
 
BrianCommented:
It does keep an internal log. Do you use the WatchGuard System Manager to connect or the web interface? The WSM is free and I highly recommend it. Once you connect, you just hit the Log Viewer and you see a live view of your logging.
 
dgreer1201Author Commented:
Yes..........I do use the WSM.
But, once I log into the WSM, and click on LogViewer..........it brings up the LogViewer, but my only option is to connect to Log Server.  It asks for IP Address, username, and passphrase.
 
dgreer1201Author Commented:
Am I missing something?
 
setasoujiroCommented:
You should open WSM, connect to the Firebox, open System Manager (next to Policy Manager), click the Traffic Monitor tab, and filter by IP for an easier view.
 
setasoujiroCommented:
Also you should setup secure access (vpn) instead of just having that port open ,imo
 
dgreer1201Author Commented:
Sorry for the delayed reply.
I have been out of the office today until now.

I followed your advice, and watched the traffic monitor for the external IP.  What I did was.......opened up the Traffic monitor.........
then opened up LogMeIn, and remoted into my computer at home.  Once on my computer at home, I did at WhatIsMyIP (to get my public IP address).  Once I had this noted, I opened up the browser for the public IP address for the DVR at the company.  As usual, I got an error message after a few moments.
After this, I went back to the WSM and paused the traffic monitoring.........and then filtered the results by my public IP address at home.

I have attached a notepad document of the results of this.
I have also replaced the company's public IP address with (PUBLIC IP), and my home IP address with (External IP) for security purposes.
Can anyone make heads or tails of this?
Thanks again for your assistance.
DVRMonitor.txt
 
setasoujiroCommented:
IP 29841/udp 63243 29841 DENIED

I see that your pc tries to open some UDP ports to the dvr, you should try and open these ports as well with a custom rule, and NAT them to your DVR. ports (28941-28944 UDP)

Also you should modify your HTTP proxy to "http-server" under the proxy properties.

then later on, your ip gets blocked because of the denied packets which is normal
Hope it helps
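An added example (not from the thread or from WatchGuard) of the filtering step setasoujiro describes: parse Traffic Monitor style lines, keep only the denied packets from one remote address to the DVR, and collapse the destination ports into the contiguous ranges a custom NAT rule would need to cover. The line layout, addresses and port numbers below are constructed assumptions modelled loosely on the single fragment quoted above; a real WatchGuard log has a different column layout, so the regular expression would need adjusting.

```python
import re
from collections import defaultdict

# Constructed sample log, not real WatchGuard output.  Assumed layout:
# action proto src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
Allow tcp 203.0.113.10 51234 192.0.2.5 80
Deny udp 203.0.113.10 63243 192.0.2.5 29841
Deny udp 203.0.113.10 63244 192.0.2.5 29842
Deny udp 203.0.113.10 63245 192.0.2.5 29843
Deny udp 203.0.113.10 63246 192.0.2.5 29844
Deny udp 203.0.113.10 63247 192.0.2.5 10154
Deny udp 203.0.113.10 63248 192.0.2.5 10155
Allow tcp 198.51.100.7 40000 192.0.2.5 80
"""

LINE_RE = re.compile(
    r"^(?P<action>Allow|Deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def denied_ports(log_text, src_ip, dst_ip):
    """Destination ports src_ip was denied on the way to dst_ip, keyed by protocol."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["src"] == src_ip and rec["dst"] == dst_ip:
            ports[rec["proto"]].add(rec["dport"])
    return {proto: sorted(p) for proto, p in ports.items()}

def port_ranges(ports):
    """Collapse a sorted list of ports into contiguous (low, high) ranges."""
    ranges = []
    for p in ports:
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)   # extend the current run
        else:
            ranges.append((p, p))             # start a new run
    return ranges

def summarize(log_text, src_ip, dst_ip):
    """One 'proto low-high' entry per range the DVR rule would have to carry."""
    return [f"{proto} {lo}-{hi}" if lo != hi else f"{proto} {lo}"
            for proto, ports in sorted(denied_ports(log_text, src_ip, dst_ip).items())
            for lo, hi in port_ranges(ports)]
```

Scattered ranges such as the 10154-10155 pair alongside 29841-29844 are the sign of the dynamic-port behaviour discussed later in the thread, which is why the vendor's port list (or a VPN) is the better fix than widening the rule.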
 
dgreer1201Author Commented:
Hi setasoujiro,

Thanks for the reply.
I made the changes you suggested above.
I created a custom rule that opened the UDP ports 28941-28944.  
The open UDP connections are from Any-External to a NAT of PUBLIC EXTERNAL IP -> 192.168.2.24 (IP of DVR).
I also changed the HTTP proxy to http-server.

I also recorded the traffic again.  I have attached a .txt document of the results on the traffic monitor.
DVRMonitor2.txt
 
setasoujiroCommented:
your HOME IP is on blocked sites , the tab next to traffic monitor.
there is your ip listed.
remove from list and try again
 
setasoujiroCommented:
also for some reason i see your pc tries another bunch of udp ports :
10155,10154, etc...

it could be that your dvr needs dynamic ports, although that seems weird.
The easiest way would be to contact the dvr manuf. and ask for a port list.

Alternatively, you could set up a PPTP/SSL/IPSec VPN, which I recommend doing anyway, since this is much safer than exposing the DVR to the internet.
 
dgreer1201Author Commented:
I just checked............and there are no IP's listed in the block list.
On the 7th tab over, is Blocked Sites...........which lists the blocked IP Addresses.
This list is completely empty.

I think, honestly, at this point...........I think I am ready to just setup a PC with something like LogMeIn or GoToMyPC, and can just put a link on the desktop to the DVR.
One of the big problems here is that this is a cheap DVR system that is sold off of TigerDirect and Amazon.  It is not a name-brand at all.  When I've tried to call them before for tech support, it is almost non-existent.  I thought I might be able to make this work just by redirecting port 80 on the Watchguard, but obviously, it is just not going to work.  And without having decent tech support on the DVR system for issues such as the one you point out above on ports.........I'm at a loss.
 
setasoujiroCommented:
the reason your IP isn't there is because it has an auto-unblock limit of 20 minutes :)

Yeah i know these things can be a pain in the ... , that's why i suggested to setup a vpn, but indeed logmein could be used as well...

These things aren't really designed with firewalls/remote access in mind :(
 
dgreer1201Author Commented:
You both really helped me on this...........so I decided to split the points.
Thanks!