4 Replies Latest reply: Jan 29, 2014 5:35 PM by sliedl RSS

    Shrewsoft VPN Client and Passive Auth



      my firewall is running 8.3.0 software version and I configured it to receive VPN connections from Shrewsoft VPN clients and is it working fine. VPN definitions is using Active Directory as Authenticator but now I'm requested to allow VPN connections from certain domain users only. Then I deployed McAfee Logon Collector and it is working fine so I see from Firewall the granted passports. I created a VPN Zone to terminate the VPN connections and enforce policies to Internal Zone.


      In the rule that allow to pass from VPN zone to Internal zone I configured the users that are allowed to access the internal network and when it's connected with an allowed VPN user, no resource or IP device from internal network can be reached from VPN user. May be I misconfigured something in the VPN Client? MLC users are identified as user@domain.com, when the connection comes from VPN client is it seen by the firewall in the same format?


      Any help will be appreciated.




        • 1. Re: Shrewsoft VPN Client and Passive Auth



          Firewall sees the users as it is given by MLC. i.e users@domain.com.

          Were you able to see all the users on MLC logon report and  were you able to see the passive passports for the authenticated users for which the rule is is defined to allow from vpn to internal zone?

          • 2. Re: Shrewsoft VPN Client and Passive Auth

            Hi Senthil,

            I'm not really sure to understand your questions. On MLC server if I run a logon report I see all the domain users with their IP address, no problem here. On the firewall Policy/Rule Elements/Passport/Manage Passports I see all the domain users, no problem here either. On these days I been working on the Active Directory authenticator that was made for authenticate VPN users and with an LDAP filter I restricted the search on AD tree by allowing firewall to browse on users on an specific group that was made to contain vpn users. The issue I need to resolve now is on the rule that allow to pass from VPN zone to the internal zone. If I add an allowed VPN user on the rule no user can access any device on the internal network from VPN zone.


            My idea is to have a couple of VPN rules that allow:


            Rule VPN 1 allow user A to server X

            Rule VPN 2 allow user B to server Y


            Can this be done?


            Thanks very much.


            on 17/01/14 18:21:17 ART
            • 3. Re: Shrewsoft VPN Client and Passive Auth

              I asked the questions to make sure MLC is not causing any issues. Thanks for confirming that.

              I am not too familiar about this scenario and hence do not have an answer

              • 4. Re: Shrewsoft VPN Client and Passive Auth

                The way I would troubleshoot this is to see if the IP address that is assigned to the VPN Client shows up as a logged-in user in MLC.

                When clients login from their PCs at home how do they logon to the domain?  Do they turn the VPN client on and then somehow logon to the domain?  What networks do you specify in your VPN definition?


                Do the IP addresses you are trying to reach over the VPN reside off the internal interface?  A 'route -n get x.x.x.x' will show you the interface and zone.