Welcome to ISAserver.org


SonicWall VPN

SonicWall VPN - 9.Oct.2002 2:42:00 PM   
pobeng

 

Posts: 29
Joined: 22.Mar.2001
From: Shrewsbury, NJ USA
Status: offline
Hi

I have a PC with SonicWall client installed. I want to connect to a remote site's terminal server through port 3389.

I have created an outbound static filter for port 3389 on the ISA Server.

The first part of my connection to the terminal server is through port 80, http://192.20.0.0/tsweb. This connects ok.

The second connection fails, this is to the terminal server's port 3389.

Any help would be very much appreciated

Thanks

pobeng
Post #: 1
RE: SonicWall VPN - 12.Oct.2002 9:47:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pobeng,

Is there a reason you're using a packet filter instead of a Protocol Rule?

Thanks!
Tom

(in reply to pobeng)
Post #: 2
RE: SonicWall VPN - 12.Oct.2002 12:28:00 PM   
pobeng

 

Posts: 29
Joined: 22.Mar.2001
From: Shrewsbury, NJ USA
Status: offline
Tom,

I've already created a protocol rule allowing access to all protocols. Do I need to create a specific rule for rdp (port 3389)?

I only thought of using packet filters just in case 'something' was being blocked, though I'm allowing access to all outbound protocols

Paul

(in reply to pobeng)
Post #: 3
RE: SonicWall VPN - 12.Oct.2002 1:48:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Paul,

if you have an open protocol rule it should work. However, what is the purpose of the SonicWall client? Isn't that a VPN client?

HTH,
Stefaan

(in reply to pobeng)
Post #: 4
RE: SonicWall VPN - 12.Oct.2002 2:53:00 PM   
pobeng

 

Posts: 29
Joined: 22.Mar.2001
From: Shrewsbury, NJ USA
Status: offline
SonicWall is a vpn client which is used to connect to a remote terminal server. Before making a connection, an encryption key is installed on the client. The client's IP needs to be specified for the encryption. This is where I believe the problem lies.

The IP of the client will be internal (eg 192.95.100.20) which is not visible to the outside world. If a request is made to the remote terminal server, ISA Server sends its external IP (eg 166.30.10.1) to the terminal server, which in this case does not have the encryption key.

I installed the key on the ISA server itself but it did not work. What am I doing wrong?

(in reply to pobeng)
Post #: 5
RE: SonicWall VPN - 12.Oct.2002 3:39:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Paul,

aha... just what I thought! [Big Grin]

The SonicWall is a VPN client ( see http://www.sonicwall.com/vpn/index.html ) based on the IPSec protocol. So, I think you must first setup the VPN connection to some VPN gateway at the remote site and then establish the TS session through the VPN tunnel.

In that case, you need first to get the VPN connection up and running. Because the VPN is based on IPSec and ISA is doing NAT, this is only possible if the IPSec implementation supports the NAT Traversal or NAT-T feature as specified by the IETF drafts. According to the SonicWall website, the VPN Client version 8.0 should support that. In order to help you further, you must first find out which protocols (TCP/UDP) and which port numbers must be opened for the VPN client in NAT-T mode.

HTH,
Stefaan

(in reply to pobeng)
Post #: 6
RE: SonicWall VPN - 12.Oct.2002 4:03:00 PM   
pobeng

 

Posts: 29
Joined: 22.Mar.2001
From: Shrewsbury, NJ USA
Status: offline
Stefaan,

I've enabled PPTP on the ISA Server. L2TP I think uses TCP port 1701. Do I need to open that up since I'm allowing all outbound ports? To give you more insight to my problem, the first connection is made using http://server/tsweb.

The initial connection is made on port 80. Then by clicking on the *connect* button in the pop-up, a terminal connection is then made on port 3389. The TCP/UDP connection status is determined by the netstat -an command.

I'm not sure when vpn plays a role in this case. Even when a connection is made without the firewall, only two ports (80 and 3389) show as connection established. Do you think vpn plays a role here?

Paul

(in reply to pobeng)
Post #: 7
RE: SonicWall VPN - 12.Oct.2002 4:26:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Paul,

well it is you who should be able to tell us if you need to setup first a VPN connection to the remote site before establishing the TS session! [Razz]

You said:
- I have a PC with SonicWall client installed
- SonicWall is a vpn client which is used to connect to a remote terminal server

So, it is not clear to me what the exact requirements are!

Do you need to setup first the VPN or do you have a problem establishing the TS session when a VPN connection is active to another destination?

What exactly do you mean by "Even when a connection is made without the firewall, only two ports (80 and 3389) show as connection established"?

HTH,
Stefaan

(in reply to pobeng)
Post #: 8
RE: SonicWall VPN - 12.Oct.2002 7:44:00 PM   
pobeng

 

Posts: 29
Joined: 22.Mar.2001
From: Shrewsbury, NJ USA
Status: offline
Hi Stefaan,

This is what I did to establish connection with the remote site, using a w2k workstation in my dmz:

1. I installed Sonicwall vpn client on the pc.
2. Configured the encryption key on the pc and specified the IP on my NIC.
3. Connected to the site at http://server/tsweb using my browser
4. When I received the pop-up menu, I clicked connect which gave me the login window to the terminal server.

Since SonicWall was a vpn client, I didn't have to configure any other vpn client. All was done without my ISA server.

Now at dos prompt, I checked the connection with the netstat command and only ports 80 and 3389 were connected to the remote site.

Hope this helps

Paul

(in reply to pobeng)
Post #: 9
RE: SonicWall VPN - 12.Oct.2002 10:54:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Paul,

Ok, you have done *nothing* between step 2 (configuring the VPN client) and step 3 (connecting to the TS Web site)?

Why did you install the SonicWall VPN client?
Has somebody instructed you to do that?
Does it work in the DMZ without installing the SonicWall VPN client?

I would like to determine if the SonicWall VPN client is a needed component to login to that site.

HTH,
Stefaan

(in reply to pobeng)
Post #: 10
RE: SonicWall VPN - 12.Oct.2002 11:27:00 PM   
pobeng

 

Posts: 29
Joined: 22.Mar.2001
From: Shrewsbury, NJ USA
Status: offline
I installed the Sonicwall client because it's a corporate policy. Using w2k vpn connection without the sonicwall client does not work. I believe the remote Sonicwall device looks for a client with the group encryption key.

Establishing a regular vpn connection with any other remote site will work with no doubt, but I cannot do that. SonicWall's web lists a number of firewalls it works with (including cisco pixfirewall and checkpoint), with no mention of ISA Server. I have to get this working.

To answer your last question again, without the sonicwall client in the dmz, it does not work.

Paul

(in reply to pobeng)
Post #: 11
RE: SonicWall VPN - 12.Oct.2002 11:57:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Paul,

Ok, I *assume* now that the VPN connection must first be established.

You will have to contact the SonicWall system administrator to find out how to configure the IPSec NAT Traversal feature *and* which protocol and port it is using. Without that information, it is nearly impossible to tell you what to do unless you are willing to take some Network Monitor traces and find it out yourself.

HTH,
Stefaan

(in reply to pobeng)
Post #: 12
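
As an added illustration of the trace analysis suggested in post #12 (not code from any poster, SonicWall or ISA Server): this Python example labels raw IPv4 packets by IPsec traffic class, using the values standardized in RFC 3947/3948 (UDP 500, UDP 4500, IP protocols 50 and 51). That the SonicWall client in the thread uses these ports is an assumption; the packets and the 203.0.113.10 gateway address are constructed.

```python
import struct
from collections import Counter

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum 0; enough for offline parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def udp(sport, dport, data):
    """Build a UDP datagram (checksum 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Label one raw IPv4 packet by the IPsec traffic class it belongs to."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    proto, body = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto in (50, 51):                      # ESP/AH: no ports for a NAT to map
        return "esp-native" if proto == 50 else "ah-native"
    if proto == 17 and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if 4500 in (sport, dport):
            if data == b"\xff":                # RFC 3948 NAT-keepalive
                return "natt-keepalive"
            # RFC 3948: four zero bytes (non-ESP marker) mean IKE, else ESP-in-UDP
            return "ike-udp4500" if data[:4] == b"\0\0\0\0" else "esp-in-udp4500"
        if 500 in (sport, dport):
            return "ike-udp500"
    return "other"

def summarize(packets):
    """Count traffic classes; True if the data path is UDP-encapsulated only."""
    counts = Counter(classify(p) for p in packets)
    native = counts["esp-native"] + counts["ah-native"]
    return counts, native == 0 and counts["esp-in-udp4500"] > 0

# Constructed packets: client address from the thread, gateway address made up.
CLIENT, GATEWAY = (192, 95, 100, 20), (203, 0, 113, 10)
SAMPLE = [
    ipv4(17, CLIENT, GATEWAY, udp(500, 500, b"\x11" * 28)),
    ipv4(17, CLIENT, GATEWAY, udp(4500, 4500, b"\0\0\0\0" + b"\x11" * 28)),
    ipv4(17, CLIENT, GATEWAY, udp(4500, 4500, b"\x12\x34\x56\x78" + b"\xaa" * 32)),
    ipv4(17, CLIENT, GATEWAY, udp(4500, 4500, b"\xff")),
    ipv4(50, CLIENT, GATEWAY, b"\x12\x34\x56\x78" + b"\xaa" * 32),
]
```

None of these classes appear in `netstat -an` TCP listings, which is why the trace has to be taken at the packet level.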
