Link to home
Start Free TrialLog in
Avatar of mcse2007
mcse2007Flag for Australia

asked on

VPN inside LAN to External via FMGT


I've recently installed FMGT 2010 as firewall. Every few days, we connect to the head office via VPN client. But, the VPN clients are inside the LAN connecting to External but they need to pass FMGT 2010 to get out.

So I created the below Access Rule in FMGT:

Protocol: PPTP (also tried all outbound protocol w/out success)

From: Internal

Destination: External

The problem is the VPN clients cannot bypass FMGT to connect to External VPN server. Also, I checked the log report and the 'default rule' is denying the "NetBios Name Service" and it is picking up some unidentified IP address etc.  

I don't know how to get around with this.

Appreciate any help please.
Avatar of pwindell
Flag of United States of America image

You mean FTMG?

The Access Rule would seem fine
The PPTP Protocol would seem fine
"Allow All" would seem fine if you limited to the specific Public IP on the other end the "tunnel" connects to.

However only SecureNAT Clients can use PPTP.  The Web Proxy Service and the Firewall Service (a "winsock proxy" service) are industry standards (not simply an MS thing) and will not handle PPTP. The Web Proxy only does HTTP, HTTPS, FTP-over-HTTP, and Gopher.  The Firewall Service (winsock service) only does TCP and UDP based protocols,...PPTP is not based on those, it is based on GRE.

So,...the Clients have to be SecureNAT Clients,...and since SecureNAT Clients cannot authenticate,...the Rule must be anonymous.

Lastly, will have to find out what Private IP Range they use on the Other End and add that range to the Addresses Tab of the Internal Network Properties.  If you fail to do that then after the VPN is established the Firewall Client Software, and possibly even the Browser's proxy settings, will get in the way of the communication because they will interpret those Private Addresses as being on the "outside" (aka External) and try to proxy them,...which would force you to disable the FWC and the browser's proxy setting while the VPN was "up".

One more "lastly",...if they use the same IP range on their end that you use on your LAN then you are flat out screwed,'d have an address range overlap,...and it will not ever work.
Avatar of mcse2007
Flag of Australia image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of mcse2007


Access rule is correct