Solved

Allowing ActiveX control through Watchguard Firewall

Posted on 2011-09-15
1,748 Views
Last Modified: 2012-05-12
We are currently running a Watchguard 750e in-house for our main router/firewall. As this is a new company, this network appliance is just providing basic functionality... we do not have all of the extras of the UTM bundle.
We have also installed a very basic (cheap) 8 camera security system bundle with the DVR, etc. This security system seems to be working fine when viewing it within our network. We were approached by management, and they would like to be able to view the security cameras remotely over the internet. That didn't seem like much of a problem... since the DVR uses, by default, port 80... and all I had to do was configure the HTTP Proxy on the Watchguard to redirect to the static internal IP of the DVR.
Everything seems to be working perfectly on this setup. Anywhere there is internet available... management can now type in our public static IP address, and it automatically redirects them to the login page of the DVR.

So far, so good.  Now the problem:
To view the live streaming footage of the cameras... the DVR automatically downloads an ActiveX control the first time you log in to the system. This ActiveX control is called "AMCCtrl Class", and the publisher is AVTECH. This is no problem internally... because the browser automatically prompts to download the ActiveX control.
However... when I try to do this external to the company... I can get to the login page, but the browser never prompts me for this ActiveX control. Where the live camera footage should be, there is just a red X. I know that the ActiveX control is what is causing this... but I do not know how to allow the control through. I have tried changing some of the settings of the browser, but all to no avail. I really believe the Watchguard box is blocking this from coming through. Any ideas on how to pass this control through, and allow the DVR to be able to be viewed remotely?
Thank you for any assistance.
Question by:dgreer1201
17 Comments
 
LVL 9

Accepted Solution

by:
Brian earned 250 total points
ID: 36544213
You need to edit your HTTP Proxy. Edit the proxy and go to Setup > Actions > Content Type. There you can add the specific type (see the link below) or set it to allow known and unknown file types.

For most offices, I have found that allowing all works. It is not as secure, but locking down the network by file type causes more headaches than it is worth for most of my clients that do not need high level security.

Link to an article about the filtering you are running into: http://www.watchguard.com/infocenter/editorial/38596.asp
 

Author Comment

by:dgreer1201
ID: 36545049
Thanks for the reply washburnma.
That corrected my problem partially. It allowed me to download the ActiveX control. However... now when logging in, it sits and spins a few seconds, then throws up an error message... "unknown error"
I don't know if the problem is on the Watchguard end... or on the security system DVR end.
 
LVL 9

Expert Comment

by:Brian
ID: 36545264
I'm guessing it is a WatchGuard setting. Login to your WatchGuard and take a look at the Log while you try to connect. You should see something getting blocked is my guess. Does the DVR system specify any ports it wants open?
 

Author Comment

by:dgreer1201
ID: 36545581
I have not set up any of our servers to be a logging server. So unless the Watchguard keeps an internal log somewhere, I don't know where to see this information.
The DVR does not specify any particular ports that it wants open... it just has the default port 80 for web administration.
 
LVL 9

Expert Comment

by:Brian
ID: 36545660
It does keep an internal log. Do you use the WatchGuard System Manager to connect or the web interface? The WSM is free and I highly recommend it. Once you connect, you just hit the Log Viewer and you see a live view of your logging.
 

Author Comment

by:dgreer1201
ID: 36545809
Yes... I do use the WSM.
But, once I log into the WSM and click on LogViewer... it brings up the LogViewer, but my only option is to connect to a Log Server. It asks for IP Address, username, and passphrase.
 

Author Comment

by:dgreer1201
ID: 36551886
Am I missing something?
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36551984
You should open WSM, connect to the Firebox, open System Manager (next to Policy Manager), click the Traffic Monitor tab, and filter by IP for an easier view.
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36551999
Also, you should set up secure access (VPN) instead of just having that port open, IMO.
 

Author Comment

by:dgreer1201
ID: 36563790
Sorry for the delayed reply.
I have been out of the office today until now.

I followed your advice, and watched the Traffic Monitor for the external IP. What I did was... opened up the Traffic Monitor...
then opened up LogMeIn, and remoted into my computer at home. Once on my computer at home, I went to WhatIsMyIP (to get my public IP address). Once I had this noted, I opened up the browser for the public IP address for the DVR at the company. As usual, I got an error message after a few moments.
After this, I went back to the WSM and paused the traffic monitoring... and then filtered the results by my public IP address at home.

I have attached a notepad document of the results of this.
I have also replaced the company's public IP address with (PUBLIC IP), and my home IP address with (External IP) for security purposes.
Can anyone make heads or tails of this?
Thanks again for your assistance.
DVRMonitor.txt
 
LVL 14

Assisted Solution

by:setasoujiro
setasoujiro earned 250 total points
ID: 36564914
IP 29841/udp 63243 29841 DENIED

I see that your PC tries to open some UDP ports to the DVR. You should try to open these ports as well with a custom rule, and NAT them to your DVR (ports 28941-28944 UDP).

Also, you should modify your HTTP proxy to "http-server" under the proxy properties.

Then later on, your IP gets blocked because of the denied packets, which is normal.
Hope it helps
 

Author Comment

by:dgreer1201
ID: 36570141
Hi setasoujiro,

Thanks for the reply.
I made the changes you suggested above.
I created a custom rule that opened the UDP ports 28941-28944.
The open UDP connections are from Any-External to a NAT of PUBLIC EXTERNAL IP -> 192.168.2.24 (IP of DVR).
I also changed the HTTP proxy to http-server.

I also recorded the traffic again.  I have attached a .txt document of the results on the traffic monitor.
DVRMonitor2.txt
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36570371
Your HOME IP is on Blocked Sites, the tab next to Traffic Monitor.
There is your IP listed.
Remove it from the list and try again.
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36570406
Also, for some reason I see your PC tries another bunch of UDP ports:
10155, 10154, etc...

It could be that your DVR needs dynamic ports, although that seems weird.
The easiest way would be to contact the DVR manufacturer and ask for a port list.

Alternatively, you could set up a PPTP/SSL/IPSec VPN, which I recommend doing anyway, since this is much safer than exposing the DVR to the internet.
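A small diagnostic that does by script what setasoujiro is doing by eye in the two comments above: filter the traffic-monitor output by the remote IP, collect the denied destination ports, and collapse them into the contiguous ranges a custom NAT rule would need (scattered single ports left over after that are the hint that the DVR is using dynamic ports). This is an added example, not code from the thread or from WatchGuard; the log format is an assumed, simplified one (not the Firebox's real log syntax), and the sample lines, IPs and port values are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed simplified format (NOT the Firebox's
# real log syntax): src_ip dst_ip src_port dst_port proto ACTION
SAMPLE_LOG = """\
198.51.100.7 203.0.113.10 52100 80 tcp ALLOWED
198.51.100.7 203.0.113.10 63243 28941 udp DENIED
198.51.100.7 203.0.113.10 63244 28942 udp DENIED
198.51.100.7 203.0.113.10 63245 28943 udp DENIED
198.51.100.7 203.0.113.10 63246 28944 udp DENIED
198.51.100.7 203.0.113.10 63247 10154 udp DENIED
192.0.2.33 203.0.113.10 40000 28941 udp DENIED
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
    r"\s+(?P<proto>tcp|udp)\s+(?P<action>ALLOWED|DENIED)$"
)

def denied_ports(log_text, remote_ip):
    """Map proto -> sorted destination ports denied for flows from remote_ip."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] != remote_ip or m["action"] != "DENIED":
            continue
        ports[m["proto"]].add(int(m["dport"]))
    return {proto: sorted(p) for proto, p in ports.items()}

def port_ranges(ports):
    """Collapse a sorted port list into contiguous (lo, hi) ranges."""
    ranges = []
    for p in ports:
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

def suggest_rules(log_text, remote_ip, dvr_ip):
    """One candidate NAT rule per contiguous denied range; review before applying."""
    rules = []
    for proto, ports in denied_ports(log_text, remote_ip).items():
        for lo, hi in port_ranges(ports):
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            rules.append(f"{proto}/{span} Any-External -> {dvr_ip}")
    return rules

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "198.51.100.7", "192.168.2.24"):
        print(rule)
```

On the constructed sample the script yields one rule for udp/28941-28944 and a lone udp/10154; a list that keeps growing new singletons on every attempt is the dynamic-port case where a VPN is the better fix than more holes in the firewall.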
 

Author Comment

by:dgreer1201
ID: 36570499
I just checked... and there are no IPs listed in the block list.
On the 7th tab over is Blocked Sites... which lists the blocked IP addresses.
This list is completely empty.

I think, honestly, at this point... I am ready to just set up a PC with something like LogMeIn or GoToMyPC, and put a link on the desktop to the DVR.
One of the big problems here is that this is a cheap DVR system that is sold off of TigerDirect and Amazon. It is not a name brand at all. When I've tried to call them before for tech support, it is almost non-existent. I thought I might be able to make this work just by redirecting port 80 on the Watchguard, but obviously, it is just not going to work. And without having decent tech support on the DVR system for issues such as the one you point out above on ports... I'm at a loss.
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36570537
The reason your IP isn't there is because it has an auto-unblock limit of 20 minutes :)

Yeah, I know these things can be a pain in the ..., that's why I suggested setting up a VPN, but indeed LogMeIn could be used as well...

These things aren't really designed with firewalls/remote access in mind :(
 

Author Closing Comment

by:dgreer1201
ID: 36583796
You both really helped me on this... so I decided to split the points.
Thanks!
