
Can't connect to Sonicwall VPN gateway from my office


sunil2suss

IS-IT--Management
Nov 6, 2012
Hi,

I am having trouble connecting to Sonicwall VPN gateway from my office. I can connect to the same gateway from my home. I think this is because only port 80 is allowed from our office and there is a highly secure firewall configuration in our office. It is impossible to change the office firewall policy. Therefore I am looking for some alternatives. Has anyone got any suggestions for me?
 
The Sonicwall is either going to use IPSEC, which is a protocol for securing IP connections, or SSL, probably over a semi-nonstandard port. If your outgoing firewall is clamped down to only allow port 80 traffic your options are pretty well limited. While there are means to tunnel connections through HTTP connections, attempting to do so would likely get you into hot water territory.
 
Thanks for your reply. I guess SSL VPN runs on port 443 and this port is probably open in our office network. Is it possible to access any machines which don't support web interface via SSL VPN? When you connect via SSL VPN, does the VPN gateway allocate the IP address in the same network as VPN gateway LAN side for the client machine?
 
> Thanks for your reply. I guess SSL VPN runs on port 443 and this port is probably open in our office network

You're welcome, I am happy to help. It is possible that port 443 is being used for the VPN (server side) which would necessitate allowing inbound port 443 connections. In analyzing these types of firewall questions, it is important to keep in mind the difference between ingress and egress traffic. The egress traffic will typically use a random high order source port number with a common (e.g. 80, 443) destination port. It is possible to configure the firewall such that NEW connections are only allowed to desired ports, such as 80 and 443 and to allow ESTABLISHED or RELATED return traffic back in. This would largely apply to client side applications. The flip side of this is running a server application where the firewall must allow for listening connections on a particular port (e.g. 80 or 443). In this instance, it is possible to put an SSL VPN on port 443, but not required. Quite often, these SSL VPNs use UDP through the SSL encrypted tunnel.

> Is it possible to access any machines which don't support web interface via SSL VPN?

I am not sure I understand the question, but will try to answer as best I can. SSL is a protocol, which can be used on various port numbers. It is possible to support either a web interface or a VPN connection on a particular port. If you have an SSL web server listening on port 443 (standard) you will need to have your VPN server listen on a different port. This link may be of help in explaining the differences and options available for SSL VPN:

> When you connect via SSL VPN, does the VPN gateway allocate the IP address in the same network as VPN gateway LAN side for the client machine?

This will depend upon the VPN configuration. Sometimes they are configured as what is called split tunnels, where only traffic destined for the VPN hosted network will go through the VPN tunnel. In this case, the client will probably NOT be allocated an IP address of the VPN LAN, but simply designate a route to the virtual interface for remote resources. The other option is to configure the VPN as the entire remote gateway, in which case an IP will likely be assigned and for all practical purposes the client will appear as if they are from the remote VPN. This is sometimes more secure, definitely more controlling, but also has a performance price.
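
The egress policy described in this reply (NEW connections only to ports 80 and 443, ESTABLISHED return traffic allowed back in) can be modelled in a few lines of Python. This is an added example, not part of the original thread and not SonicWall's or any firewall vendor's code. The addresses, the source ports and the non-standard port 4433 are constructed sample values, RELATED traffic is not modelled, and IPsec is represented by its usual IKE (UDP 500) and ESP packets.

```python
from dataclasses import dataclass

# Assumption: office policy from the thread, new outbound TCP to 80/443 only.
ALLOWED_NEW_TCP_DPORTS = {80, 443}

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = office to Internet, "in" = Internet to office
    proto: str      # "tcp", "udp" or "esp" (ESP has no ports, so 0 is used)
    src: str
    sport: int
    dst: str
    dport: int

class StatefulEgressFirewall:
    def __init__(self, allowed_dports=ALLOWED_NEW_TCP_DPORTS):
        self.allowed_dports = set(allowed_dports)
        self.flows = set()  # connection-tracking table of accepted outbound flows

    def verdict(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "out":
            if flow in self.flows:
                return "ACCEPT established"
            if p.proto == "tcp" and p.dport in self.allowed_dports:
                self.flows.add(flow)  # NEW connection to a permitted port
                return "ACCEPT new"
            return "DROP"
        # Inbound: only replies to a tracked outbound flow get back in.
        return "ACCEPT established" if reverse in self.flows else "DROP"

def run_sample():
    """Constructed traffic: client 10.1.1.20, VPN gateway 203.0.113.10."""
    c, g = "10.1.1.20", "203.0.113.10"
    fw = StatefulEgressFirewall()
    traffic = {
        "ssl_vpn_443_out": Packet("out", "tcp", c, 50123, g, 443),
        "ssl_vpn_443_reply": Packet("in", "tcp", g, 443, c, 50123),
        "ssl_vpn_4433_out": Packet("out", "tcp", c, 50124, g, 4433),
        "ike_udp_500_out": Packet("out", "udp", c, 500, g, 500),
        "esp_out": Packet("out", "esp", c, 0, g, 0),
        "unsolicited_in": Packet("in", "tcp", g, 443, c, 50999),
    }
    return {name: fw.verdict(p) for name, p in traffic.items()}

if __name__ == "__main__":
    for name, result in run_sample().items():
        print(f"{name:18} {result}")
```

Under this policy the IPsec packets and the SSL VPN on a non-standard port never leave the office network, while an SSL VPN listening on TCP 443 is indistinguishable from ordinary HTTPS at the port level.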
 