VPN inside LAN to External via FMGT

mcse2007 used Ask the Experts™

I've recently installed FMGT 2010 as a firewall. Every few days, we connect to the head office via VPN client. But the VPN clients are inside the LAN connecting to External, so they need to pass through FMGT 2010 to get out.

So I created the below Access Rule in FMGT:

Protocol: PPTP (also tried all outbound protocols without success)

From: Internal

Destination: External

The problem is the VPN clients cannot bypass FMGT to connect to the External VPN server. Also, I checked the log report and the 'default rule' is denying the "NetBios Name Service" and it is picking up some unidentified IP addresses, etc.

I don't know how to get around this.

Appreciate any help please.
You mean FTMG?

The Access Rule would seem fine
The PPTP Protocol would seem fine
"Allow All" would seem fine if you limited it to the specific Public IP on the other end that the "tunnel" connects to.

However only SecureNAT Clients can use PPTP.  The Web Proxy Service and the Firewall Service (a "winsock proxy" service) are industry standards (not simply an MS thing) and will not handle PPTP. The Web Proxy only does HTTP, HTTPS, FTP-over-HTTP, and Gopher.  The Firewall Service (winsock service) only does TCP and UDP based protocols,...PPTP is not based on those, it is based on GRE.

So,...the Clients have to be SecureNAT Clients,...and since SecureNAT Clients cannot authenticate,...the Rule must be anonymous.

Lastly,...you will have to find out what Private IP Range they use on the Other End and add that range to the Addresses Tab of the Internal Network Properties.  If you fail to do that then after the VPN is established the Firewall Client Software, and possibly even the Browser's proxy settings, will get in the way of the communication because they will interpret those Private Addresses as being on the "outside" (aka External) and try to proxy them,...which would force you to disable the FWC and the browser's proxy setting while the VPN was "up".

One more "lastly",...if they use the same IP range on their end that you use on your LAN then you are flat out screwed,...you'd have an address range overlap,...and it will not ever work.
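The points in the answer above (PPTP rides on GRE, which only SecureNAT clients can carry; a SecureNAT rule must be anonymous; the remote private range must be listed as Internal and must not overlap the local LAN) can be turned into a small configuration sanity check. The following Python is an added example written for this page, not code from the thread or from Microsoft's TMG product: the AccessRule and SiteConfig classes, the client-capability table and the sample addresses are simplifications invented here, and the only hard facts it encodes are that PPTP needs TCP port 1723 plus IP protocol 47 (GRE) and the client-type limits the answer describes.

```python
"""Sanity-check a planned PPTP-through-TMG access rule.

Added example, not from the thread and not TMG's object model; the
classes below are a hypothetical simplification used for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# What PPTP actually needs on the wire: TCP/1723 for the control channel
# and IP protocol 47 (GRE) for the tunnel itself.
PPTP_REQUIRED = {("tcp", 1723), ("ip", 47)}

# Per the answer: Web Proxy handles only HTTP-family traffic, the Firewall
# Client (winsock proxy) handles TCP/UDP only, SecureNAT is plain routing
# and so can forward any IP protocol, GRE included.
CLIENT_CAPABILITIES = {
    "webproxy": {"tcp"},
    "firewallclient": {"tcp", "udp"},
    "securenat": {"tcp", "udp", "ip"},
}


@dataclass
class AccessRule:              # hypothetical model of a TMG access rule
    name: str
    protocols: set             # set of (transport, number) tuples
    require_auth: bool
    client_type: str


@dataclass
class SiteConfig:              # hypothetical model of the two LANs involved
    local_lan: IPv4Network
    internal_addresses: list   # ranges TMG treats as "Internal"
    remote_vpn_lan: IPv4Network


def check_pptp_setup(rule, site):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []

    missing = PPTP_REQUIRED - rule.protocols
    if missing:
        findings.append(f"rule '{rule.name}' lacks {sorted(missing)}")

    caps = CLIENT_CAPABILITIES.get(rule.client_type, set())
    if "ip" not in caps:
        findings.append(f"{rule.client_type} cannot forward GRE; clients must be SecureNAT")

    if rule.client_type == "securenat" and rule.require_auth:
        findings.append("SecureNAT clients cannot authenticate; rule must be anonymous")

    if site.remote_vpn_lan.overlaps(site.local_lan):
        findings.append(f"remote {site.remote_vpn_lan} overlaps local {site.local_lan}; "
                        "an overlapping range can never work")
    elif not any(site.remote_vpn_lan.subnet_of(n) for n in site.internal_addresses):
        findings.append(f"add {site.remote_vpn_lan} to the Internal network Addresses tab, "
                        "or the Firewall Client and browser proxy will try to proxy it")
    return findings


# Constructed sample data (not from the thread).
LOCAL = ip_network("192.168.1.0/24")
REMOTE = ip_network("10.10.0.0/16")

BROKEN_RULE = AccessRule("PPTP out", {("tcp", 1723)}, require_auth=True,
                         client_type="firewallclient")
FIXED_RULE = AccessRule("PPTP out", set(PPTP_REQUIRED), require_auth=False,
                        client_type="securenat")

SITE_UNLISTED = SiteConfig(LOCAL, [LOCAL], REMOTE)            # remote range not Internal
SITE_OK = SiteConfig(LOCAL, [LOCAL, REMOTE], REMOTE)          # remote range added
SITE_OVERLAP = SiteConfig(LOCAL, [LOCAL], ip_network("192.168.1.0/24"))

if __name__ == "__main__":
    for label, rule, site in [("broken", BROKEN_RULE, SITE_UNLISTED),
                              ("fixed", FIXED_RULE, SITE_OK),
                              ("overlap", FIXED_RULE, SITE_OVERLAP)]:
        print(f"{label}: {check_pptp_setup(rule, site) or 'OK'}")
```

The check mirrors the answer's order of diagnosis: protocol definition first, then client type, then authentication, then addressing, with the overlap case reported as fatal rather than fixable.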
My access rule was correct...the issue was incorrect credentials from the client's point of view.


Access rule is correct
