x700 not allowing ADP upload to work correctly. PLEASE HELP!!

rduque41 | IS-IT--Management | Jun 15, 2006 | US
OK, here's the skinny.
We have software by ADP that uses a hardware hand scanner for clocking in and out.
The software, which is installed on a local PC, works as follows.
It communicates with the hand scanner, which has an internal IP address programmed into it,
then sends that information out to the ADP website.
The software uses ports 443, 80 and 3001 to communicate with their site.
What I did notice in the firewall system manager is that my computer's IP address does go out to a specific IP address via port 443 every time I do the upload on the software. So it looks like it is getting out, just not being able to come back in.

They also state the following:
  • Configure your firewall to allow ports 80, 443 and 3001 with bi-directional traffic (HandPunch Traffic)
  • Configure your firewall to allow the IP range of 170.146.230.0 through 170.146.235.255 with bi-directional traffic (ezLM and upload traffic)

My question is how do I do this? I'm a firewall rookie. This hardware was here when I started.

I have spoken with WatchGuard technical support and the guy keeps wanting to do a 1 to 1 NAT. When I asked ADP if we could do NAT they responded with this:
"Please note that our addresses are dynamically assigned from IP Range that is pooled and load balanced. Therefore, it is not permissible to provide a static route that affords/allows 1 to 1 NATTING (from our side)"

Any help would be a blessing. Thank you.
 
As you've discovered, WatchGuard technical support is basically useless. They don't have a clue how their own equipment works! Just amazes me...

Two ways - best practice would be to set up a service for each of the ports from the sub-domain you've listed to your scanners. Or, you could set up an Any service from that sub-domain to the scanners...but that would open up all the ports to those devices from that sub-domain...I'd go with the first option myself.

Should solve the problem for ya.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
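
The two options in the reply above, compared in an added example that is not part of the original thread: it collapses the ADP range into CIDR blocks and shows which flows an Any service admits that per-port services reject. The internal address 192.168.1.50 and the sample flows are constructed, and matching on destination port only is a simplifying assumption.

```python
import ipaddress

# Range and ports come from the ADP requirements quoted in the first post.
ADP_FIRST = ipaddress.IPv4Address("170.146.230.0")
ADP_LAST = ipaddress.IPv4Address("170.146.235.255")
ADP_PORTS = frozenset({80, 443, 3001})

# Constructed internal address for the PC/scanner (assumption, not from the thread).
INTERNAL_HOSTS = frozenset({ipaddress.IPv4Address("192.168.1.50")})


def adp_networks():
    """Collapse the first-last range into the fewest CIDR blocks."""
    return list(ipaddress.summarize_address_range(ADP_FIRST, ADP_LAST))


def in_adp_range(addr):
    return ADP_FIRST <= ipaddress.IPv4Address(addr) <= ADP_LAST


def allowed(src, dst, dport, per_port=True):
    """Return True if a flow matches the rule (destination port only).

    per_port=True  -> one service per required port (first option in the reply)
    per_port=False -> a single Any service for the range (second option)
    """
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    inbound = in_adp_range(src_ip) and dst_ip in INTERNAL_HOSTS
    outbound = src_ip in INTERNAL_HOSTS and in_adp_range(dst_ip)
    if not (inbound or outbound):
        return False
    return dport in ADP_PORTS if per_port else True


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.50", "170.146.231.10", 443),   # upload to ADP
    ("170.146.234.7", "192.168.1.50", 3001),   # ADP to scanner
    ("170.146.234.7", "192.168.1.50", 3389),   # only the Any service admits this
    ("170.146.236.1", "192.168.1.50", 443),    # just outside the range
]


def extra_exposure():
    """Flows the Any service would admit that the per-port services reject."""
    return [f for f in SAMPLE_FLOWS
            if allowed(*f, per_port=False) and not allowed(*f)]


if __name__ == "__main__":
    print("CIDR blocks:", [str(n) for n in adp_networks()])
    print("extra exposure with Any:", extra_exposure())
```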
 
What you need to do is go to Policy Manager. Click on Edit and Add Policies. Highlight Custom and click on New. You then give it a name and you then add the ports. After adding the ports, you click OK twice. You then click Add and it is here you will add the IP range. You have to figure out if it goes in the From or To field, but whichever it is you click on Add and then Add Other. You choose host range, enter the IP range and save to the Firebox.
 
Make the appropriate service according to the ports required to access.

Then add that service to Policy Manager >> set the incoming to be enabled and allowed, should be range as given to you. In the TO field click Add >> NAT >> external = choose the external IP of the Firebox, and in internal type the internal IP of the device getting updates. Then save it to the Firebox.

If possible post the logs from traffic monitor for more help.

 
HELP! WatchGuard FB700 to SOHO6 static routing.

Changes to a VPN Server because of (2) default gateways were done last night. The gateway for the VPN server needs to be the outside interface gateway.

Which means that we won't be able to PING or RDP from our location to that server.

I'm guessing we need to add a static route from the other network to ours. The VPN was working but I can't access their server directly (e.g. EDP) over the VPN until we put a route in.

Is this correct?

We know enough to keep most of the wheels turning, but need some advice.

Thank you,
Barry


 