Remote into DMZ FTP

I have a Sonicwall TZ 215.  It has been set up for me and is working fine.  It has been set up with 2 subnets ( & for local traffic.  These 2 networks are designed to not talk to each other.  However, on the there is a DMZ that has our FTP site.  I need to occasionally maintain that computer and would like to know a technique that would allow me to remote into it through the firewall.  I am familiar with NetExtender and have had great success remoting into my work PC from home using it.

Can anyone point me in the direction of what I need to do to allow only my PC to be able to remote into that computer?
Blue Street Tech (Last Knights) commented:
Hi lordzack,

Yes, you have a few options here: A) a SonicWALL GVC (Global VPN Client) VPN, or B) SonicWALL SSL-VPN (NetExtender).

So, when you say, "...on the there is a DMZ that has our FTP site." Is that to say the network is in the DMZ Zone or is there a subinterface setup? If so, what's its network?

Since you spoke about NetExtender here are the instructions in order to gain access to your DMZ PC:

- In SSL-VPN > Client Routes, change your Client Routes to reflect the DMZ network.
- Then under Users > Local Users, in the VPN Access tab, select the DMZ network object for the VPN Client Access Networks.

Let me know how it goes!
skullnobrains commented:
sonicwall has no ftp-specific support as far as i know

you can always NAT manually sets of ports to allow both passive and active ftp but it would be much simpler if you could use another protocol such as sftp which would operate using a single port

if you want to go the ftp way, this post describes a working setup
it could be made a little more restrictive, though and you obviously can restrict all of it to your home address if you do not want the ftp server to be world-accessible
lordzack (Author) commented:
I was unable to get it to work but I'll continue to work on a solution.

skullnobrains commented:
i just reread your question and understood you're expecting to access the desktop and not the ftp.

using vnc
- install a vnc server on the host
- redirect WAN ports 5900 and 5800 on the firewall to the same ports on that host
- don't forget to allow the connection through

if you'd rather use terminal services or other remote desktop protocols, the same method should do but using different ports
Blue Street Tech (Last Knights) commented:
FYI: It's not a security best practice to open up ports for VNC or RDP. It's begging for an attack. A VPN (SSL or GVC) is your most secure bet in this case.

What issues are you running into? Error messages, etc.?
skullnobrains commented:
as long as the access is limited to one or a few known ips it seems acceptable.

additionally, most VPNs don't actually offer much better encryption than, let's say, vnc over SSH (which is built into tightvnc) or over SSL which is built into most of them. and rdp features ssl and kerberos.

VPNs also make the client machine part of the server's network. chances that viruses transit through are roughly the same as between 2 machines in a local LAN. chances that a virus transits through a vnc connection are near zero.
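The VNC port-forward procedure above and the point that such forwards are only acceptable when limited to one or a few known IPs can be checked mechanically. This is an added example, not code from the thread or from SonicWALL: it audits a constructed list of WAN-to-DMZ forward rules and flags any remote-access service (the thread's VNC 5900/5800, RDP 3389) that is reachable from more than a single admin address. The DMZ host 10.0.3.10 and the admin address 203.0.113.7 are made-up values.

```python
"""Audit port-forward rules for remote-desktop services exposed to the world.

Added example (not from the thread). Models the WAN->DMZ forwards discussed
above and reports any VNC/RDP/SSH forward whose source is wider than the
admin's own address.
"""
import ipaddress
from dataclasses import dataclass

# Ports the thread discusses (VNC, VNC-over-HTTP, RDP) plus SSH for tunnels.
REMOTE_ACCESS_PORTS = {5900: "VNC", 5800: "VNC-HTTP", 3389: "RDP", 22: "SSH"}


@dataclass
class ForwardRule:
    name: str
    src: str        # source CIDR, or "any" for an unrestricted forward
    wan_port: int
    dst_host: str   # DMZ host the WAN port is forwarded to
    dst_port: int


def _source_network(src):
    """Translate the rule's source field into an ip_network ("any" -> 0/0)."""
    if src.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(src, strict=False)


def audit(rules, max_src_hosts=1):
    """Return one finding per remote-access forward whose source allows more
    than max_src_hosts addresses (default: exactly one admin /32)."""
    findings = []
    for rule in rules:
        service = REMOTE_ACCESS_PORTS.get(rule.dst_port)
        if service is None:
            continue                      # not a remote-access service, skip
        net = _source_network(rule.src)
        if net.num_addresses > max_src_hosts:
            findings.append(
                f"{rule.name}: {service} on {rule.dst_host}:{rule.dst_port} "
                f"reachable from {net} ({net.num_addresses} source addresses)")
    return findings


# Constructed sample rules: one world-open VNC forward, one pinned to the
# admin's address, and the FTP forward the DMZ host exists for.
CONSTRUCTED_RULES = [
    ForwardRule("vnc-any", "any", 5900, "10.0.3.10", 5900),
    ForwardRule("vnc-admin", "203.0.113.7/32", 5900, "10.0.3.10", 5900),
    ForwardRule("ftp-ctrl", "any", 21, "10.0.3.10", 21),
]

if __name__ == "__main__":
    for line in audit(CONSTRUCTED_RULES):
        print("WARNING", line)
```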
Blue Street Tech (Last Knights) commented:
@skullnobrains - All of those options are still susceptible to man-in-the-middle attacks. VNC, in general, has major security flaws/vulnerabilities - defcon 15-20. RDP is one of the worst offenders too plus it breaks the layered security architecture. With a VPN you only gain access to the then still have to access the resource layer. Irrespectively, it's not a security best practice to open RDP ports up even if you are limiting the scope to one ISP.

RE: virus outbreaks...last time we dealt with that was in 2005, literally. If you set up layered security properly with the right products, virus infections, proliferation & dissemination are really a thing of the past for us and our clients. Also, you can mitigate this using various methods, but here are a few: a) SonicWALL tunnels have layered aggression and protection using CGSS, and/or b) simply use forced AV endpoint protection through SonicWALL - so in either case...there is nothing to worry about, but again even without implementing these methods, if you are using the right products with the correct configuration and have a properly layered security architecture...this is a moot point.


P.S. we are hijacking this question a bit here.
skullnobrains commented:
we're not really hijacking too much since the thread is closed ;)

as far as security is concerned
- any security that the admin does not fully understand is a threat. using VPNs when you're not familiar with the pros and cons is not really a good idea... and it is really overkill in this situation
- opening a port, possibly over an ssh tunnel is globally less dangerous than putting a remote machine in your network. that is especially true when that machine has no reason to be in the network in the first place
- 2005 ? pretty good ! (actually i have not detected a virus since 2000-2001 and all the windows machines i dealt with went through sasser unharmed. including quite a few home computers directly facing the internet without a firewall). but as far as i know, more than 50% of the home computers running windows are infected worldwide even though most people are now behind a NAT router and even microsoft managed to put a little security in their os. the main difference since 2005 is that there were still a few viruses around that had a goal to just mess with your computer, while almost 100% of malware today just wants to turn your computer into a bot. these malware try to fly under the radar, which is getting easy nowadays given the performance of home computers and internet connections.
- layered security with the right products ? sure i do agree with that : ban windows altogether, use a dedicated lan segment for each machine facing the internet. jail the corresponding processes. don't give those hosts any kind of access to other hosts (for example don't ever think of sticking a machine that is part of a domain in a DMZ), don't ever run a network service on a non dedicated account, make sure that account has no unneeded privilege (forget about root, system, network daemon, and other similar accounts), use reverse proxies, use open source software including for your firewall...

different views but perhaps they complete one another...

cheers to you
Blue Street Tech (Last Knights) commented:
Good points & conversation!