Apple Remote Desktop Problem

I have 5 mac clients and a mac server (running the latest version on Mountain Lion) in a remote office from me. I used to be able to access them all easily over VPN using ARD but over the past year I started having issues with some of the macs (I believe that it was after an OS upgrade). I am using a SonicWall TZ210 router and the built in L2TP VPN to connect to the remote network. The VPN seems to work great and I can access all remote network resources. I also setup a port forward in the router and am able to access my server using ARD and the external IP address (no VPN needed). The problem I have is when connecting through the VPN, I am only able to see one of the computers and connect to it. All of the computers are on the same subnet and it is different from my home subnet. I have tried turning remote management off and back on and even reinstalled ARD and nothing seems to work. I installed ARD on the local server and all of the computers show up fine.

So to summarize:
1.) ARD works great locally
2.) ARD is only able to see and connect to 1 of my 5 computers over the VPN

I would normally say that this is a VPN issue but one of my computers (not the server with the port forward) is working fine.  And then I would say that it was an ARD client issue but they all work great locally.

Any help would be greatly appreciated.

Thank you,


Brandon Joiner
bsjoiner Asked:

bbao (IT Consultant) Commented:
L2TP VPN on SonicWALL may use a different IP range other than the LAN subnet, please double check if you have an individual address pool for L2TP clients.

the symptom also sounds like a routing and/or firewall rule issue. if the related network object has an incorrect subnet mask, this may happen. please check the NAT policies and firewall rules, accordingly.
0

bsjoiner (Author) Commented:
I checked the VPN IP pool and it is in the same range as the LAN.

The one computer that I can connect to over VPN is the only wireless client in the office. I have the WLAN bridged to the LAN so they are on the same subnet.  Any ideas there?
0
bbao (IT Consultant) Commented:
is the wireless computer connecting to SonicWALL's WLAN?
0

bsjoiner (Author) Commented:
Yes it is. The WLAN is bridged to the LAN on the SonicWall. They both have a 192.168.1.x IP scheme.
0
bbao (IT Consultant) Commented:
SonicWALL has individual rules for WLAN and LAN. it seems you also need to enable LAN access for the VPN clients.
0
bsjoiner (Author) Commented:
I have attached the Firewall Policies for both the VPN to LAN and the VPN to WLAN. Can you tell me if I have any policy conflicts or what policy I need to add? It appears to me that all traffic is allowed but maybe I am wrong.
VPN-LAN.PNG
VPN-WLAN.PNG
0
bbao (IT Consultant) Commented:
comparing to the VPN-WLAN rules, the last rule (#10) of VPN-LAN group should NOT be from Any to WLAN RemoteAccessNetworks. try changing it to the LAN subnet, accordingly.
0
bsjoiner (Author) Commented:
Unfortunately that rule was auto-added by the SonicWall and I am unable to change it or delete it.
0
bsjoiner (Author) Commented:
Okay so I have done some more digging and it seems that I cannot access anything on the LAN via VPN.  I can however access everything on the WLAN via VPN. The firewall rules seem okay but maybe there is something else I am missing.
0
bbao (IT Consultant) Commented:
OK. try moving your mouse over to the L2TP IP Pool, what does the hint say?
0
bsjoiner (Author) Commented:
Attached are the interfaces. Everything looks good to me.
L2TP-IP-Pool.PNG
Network-Interfaces.PNG
0
bsjoiner (Author) Commented:
I figured out that the problem is that I had the WLAN in Layer 2 Bridge Mode to the LAN interface so that my Wireless clients would be on the same IP subnet as the LAN clients. As soon as I turned this off everything started working with the VPN. So my problem is solved but do you have any idea how to have the WLAN on the same subnet as the LAN without this issue?
0
bbao (IT Consultant) Commented:
what are the IP scopes for the LAN and WLAN? please also advise the subnet masks respectively.
0
bsjoiner (Author) Commented:
LAN is 192.168.1.1
255.255.255.0

WLAN is 192.168.2.1
255.255.255.0
0
bbao (IT Consultant) Commented:
you have an overlap 192.168.1.210 ~ 215 between the L2TP pool and the LAN. try to give a totally different range for the L2TP pool such as 192.168.3.0/24.
0
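The overlap bbao points out above (an L2TP client pool carved out of the LAN's own /24) is easy to miss on a firewall's interface page. As an added example, not code from the thread or from SonicWall, here is a small check that summarizes a VPN pool range into CIDR blocks and tests each block against the directly connected interface subnets; the LAN/WLAN subnets and the 192.168.1.210-215 pool are taken from the thread, and the 192.168.3.0/24 replacement pool is the one bbao suggested.

```python
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

# Interface subnets as reported in the thread (LAN 192.168.1.1/24,
# WLAN 192.168.2.1/24). Constructed here to mirror the discussion.
INTERFACE_SUBNETS = {
    "LAN": IPv4Network("192.168.1.0/24"),
    "WLAN": IPv4Network("192.168.2.0/24"),
}


def pool_overlaps(pool_start: str, pool_end: str, subnets: dict) -> dict:
    """Return {interface_name: [overlapping CIDR blocks]} for a VPN client pool.

    The pool is given as an inclusive start/end range, which is how an L2TP
    IP pool is entered on the firewall. The range is summarized into CIDR
    blocks and each block is compared with every interface subnet; an empty
    dict means the pool is disjoint from all of them.
    """
    start, end = IPv4Address(pool_start), IPv4Address(pool_end)
    if start > end:
        raise ValueError("pool start must not be after pool end")
    overlaps: dict = {}
    for block in summarize_address_range(start, end):
        for name, net in subnets.items():
            if block.overlaps(net):
                overlaps.setdefault(name, []).append(block)
    return overlaps


def is_safe_pool(pool_start: str, pool_end: str,
                 subnets: dict = INTERFACE_SUBNETS) -> bool:
    """True when the VPN pool does not collide with any interface subnet."""
    return not pool_overlaps(pool_start, pool_end, subnets)


if __name__ == "__main__":
    # The pool from the thread collides with the LAN; the suggested one does not.
    for pool in (("192.168.1.210", "192.168.1.215"),
                 ("192.168.3.1", "192.168.3.254")):
        hits = pool_overlaps(*pool, INTERFACE_SUBNETS)
        verdict = "overlaps %s" % hits if hits else "OK (disjoint)"
        print("L2TP pool %s-%s: %s" % (pool[0], pool[1], verdict))
```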
bsjoiner (Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for bsjoiner's comment #a39563119

for the following reason:

The problem was not with Apple Remote Desktop but with the SonicWall config
0
Blue Street Tech (Last Knight) Commented:
Hi bsjoiner,

I know I'm late here but I recommend breaking the L2 Bridge and re-setting up the WLAN. Then with Access Rules let the LAN > WLAN talk to each other. Remove the L2TP and set up SSL-VPN for the Macs - it's preferred and will be more stable.

The Layer 2 Tunneling Protocol (L2TP) has its origins in PPTP. Since it does not provide security features such as encryption or strong authentication it is typically combined with IPsec. To avoid too much additional overhead ESP in transport mode is commonly used. This means first the IPsec channel is established, again using IKE, then this channel is used to establish the L2TP tunnel. Afterwards, the IPsec connection is also used to transport the L2TP encapsulated user data.

Compared to plain IPsec the additional encapsulation with L2TP (which adds an IP/UDP packet and L2TP header) makes it a little less efficient (more so if it is also used with ESP in tunnel mode, which some implementations do).

NAT traversal (NAT-T) is also more problematic with L2TP/IPsec due to the common use of ESP in transport mode.

One advantage L2TP has over plain IPsec is that it can transport protocols other than IP.

Security-wise IPsec is arguably better and depends on the authentication method, the mode of authentication (Main or Aggressive Mode), the strength of the keys, the used algorithms etc.
0
bbao (IT Consultant) Commented:
the symptom also sounds like a routing and/or firewall rule issue ... please check the NAT policies and firewall rules, accordingly.

i think i already pointed out the issue was related to firewall settings...
0
bbao (IT Consultant) Commented:
FYI

A C grade should be awarded only after the asker has replied to all expert comments, provided all requested information, tried all suggested solutions, given the experts ample time to reply, and received clarification about the answer given.
0