mcse2007 asked:

VPN inside LAN to External via FMGT

Hi,

I've recently installed FMGT 2010 as a firewall. Every few days, we connect to the head office via VPN client. But the VPN clients are inside the LAN, connecting to External, and they need to pass through FMGT 2010 to get out.

So I created the below Access Rule in FMGT:

Protocol: PPTP (also tried all outbound protocol w/out success)

From: Internal

Destination: External

The problem is the VPN clients cannot bypass FMGT to connect to the External VPN server. Also, I checked the log report and the 'default rule' is denying the "NetBios Name Service" and it is picking up some unidentified IP address etc.

I don't know how to get around this.

Appreciate any help please.
Tags: Microsoft Forefront ISA Server, Hardware Firewalls, VPN

Last comment: mcse2007, 8/22/2022 (Mon)
pwindell

You mean FTMG?

The Access Rule would seem fine
The PPTP Protocol would seem fine
"Allow All" would seem fine if you limited to the specific Public IP on the other end the "tunnel" connects to.

However only SecureNAT Clients can use PPTP.  The Web Proxy Service and the Firewall Service (a "winsock proxy" service) are industry standards (not simply an MS thing) and will not handle PPTP. The Web Proxy only does HTTP, HTTPS, FTP-over-HTTP, and Gopher.  The Firewall Service (winsock service) only does TCP and UDP based protocols,...PPTP is not based on those, it is based on GRE.

So,...the Clients have to be SecureNAT Clients,...and since SecureNAT Clients cannot authenticate,...the Rule must be anonymous.

Lastly,...you will have to find out what Private IP Range they use on the Other End and add that range to the Addresses Tab of the Internal Network Properties.  If you fail to do that then after the VPN is established the Firewall Client Software, and possibly even the Browser's proxy settings, will get in the way of the communication because they will interpret those Private Addresses as being on the "outside" (aka External) and try to proxy them,...which would force you to disable the FWC and the browser's proxy setting while the VPN was "up".

One more "lastly",...if they use the same IP range on their end that you use on your LAN then you are flat out screwed,...you'd have an address range overlap,...and it will not ever work.
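The reply above makes two checkable points: PPTP rides on GRE, which a winsock-style proxy cannot carry, so the clients must be SecureNAT; and the remote side's private range must be added to the Internal network unless it overlaps the local LAN, in which case the tunnel cannot work. The following Python script is an added illustration of those checks; it is not part of the original thread and is not ISA/TMG tooling or its COM API. The address ranges and the helper names (`check_ranges`, `is_internal`, `pptp_client_type`) are constructed for this example.

```python
import ipaddress

# Constructed sample values (not from the thread): the ranges on the
# Addresses tab of the TMG/ISA "Internal" network, and the private range
# used behind the remote VPN server at the other end of the tunnel.
LOCAL_INTERNAL = ["192.168.10.0/24", "10.0.0.0/16"]
REMOTE_VPN_RANGE = "172.16.50.0/24"

# PPTP consists of a TCP control connection on port 1723 plus GRE
# (IP protocol 47) for the tunnelled data.  GRE is neither TCP nor UDP.
PPTP_COMPONENTS = [("tcp", 1723), ("gre", None)]


def proxy_can_carry(proto):
    """The Firewall (winsock) service only relays TCP and UDP sockets."""
    return proto in ("tcp", "udp")


def pptp_client_type():
    """Return which client type can run PPTP through the firewall.

    If any component of PPTP cannot be relayed by the winsock proxy, the
    traffic has to be plainly routed, i.e. the host must be a SecureNAT
    client (and the access rule therefore cannot require authentication).
    """
    if all(proxy_can_carry(proto) for proto, _ in PPTP_COMPONENTS):
        return "firewall-client"
    return "securenat"


def check_ranges(local_ranges, remote_range):
    """Compare the local Internal ranges with the remote VPN range.

    Returns a dict with:
      overlap          - local ranges that collide with the remote range
                         (an overlap means the VPN can never work)
      add_to_internal  - ranges that should be added to the Internal
                         network's Addresses tab (empty when overlapping)
    """
    local = [ipaddress.ip_network(r, strict=False) for r in local_ranges]
    remote = ipaddress.ip_network(remote_range, strict=False)
    overlaps = [str(n) for n in local if n.overlaps(remote)]
    return {
        "overlap": overlaps,
        "add_to_internal": [] if overlaps else [str(remote)],
    }


def is_internal(address, internal_ranges):
    """True if the firewall would treat `address` as inside the Internal network.

    Addresses that are *not* internal are sent to the proxy by the Firewall
    Client and browser proxy settings, which is exactly what breaks traffic
    to the remote LAN once the tunnel is up and its range is missing here.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in internal_ranges)


if __name__ == "__main__":
    print("PPTP requires client type:", pptp_client_type())
    result = check_ranges(LOCAL_INTERNAL, REMOTE_VPN_RANGE)
    if result["overlap"]:
        print("Address overlap with local ranges:", result["overlap"])
    else:
        print("Add to Internal network Addresses tab:", result["add_to_internal"])
    print("172.16.50.5 internal before fix:", is_internal("172.16.50.5", LOCAL_INTERNAL))
    print("172.16.50.5 internal after fix: ",
          is_internal("172.16.50.5", LOCAL_INTERNAL + result["add_to_internal"]))
```

Run it as-is to see the three outcomes for the sample ranges; change `REMOTE_VPN_RANGE` to a subnet inside `192.168.10.0/24` to see the overlap case that the reply describes as unfixable without renumbering one side.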
ASKER CERTIFIED SOLUTION
mcse2007

mcse2007 (ASKER)

Access rule is correct