
VPN out UTM to corporate network issues.

I'm a home UTM user trying to VPN out to my corporate network. I'm able to connect, get an IP address and resolve hosts on the corporate network but when I try to get to their web pages I get nothing. I'm not seeing anything being blocked on the firewall rules nor should I as I'm not performing ssl inspection so I wouldn't see the traffic anyway. Any thoughts? I'm running the latest release.



  • Hi, Chad, and welcome to the UTM Community!

    Does #1 in Rulz give you any clues?  If not, my guess is a routing problem with the VPN endpoint at corporate.

    Cheers - Bob

    EDIT 2016-09-28: Added the link to Rulz.

  • Bob,

    Not sure what you mean by #1. My first rule is to allow any internal traffic outbound over any protocol. Not the most secure thing but did it for troubleshooting purposes.

    As far as a routing problem I'm the only one experiencing the problem. We're all a bunch of IT security consultants working remotely from home with our own individual FW solutions running on our home networks. 

    Once I took the UTM out of the equation and put a Linksys FW/Router in play everything worked fine.

    Using Pulse Secure as the vpn client.

    Thanks,

    Chad

  • Hi Chad,

    UTM will simply forward traffic. The routing decisions are taken from the remote server. If you are able to connect to VPN server and discover no drops according to #1 suggested by Bob then check if the web request from your system's IP address is received on the remote firewall. 

    Thanks

  • Oops!  I just added the link in my post above. [;)]

    Cheers - Bob

  • Hello,  I have the same issue here.  My VPN is up, and only my corporate internal links open, no outside websites can open now (www.google.com, www.bbc.com etc).  How would I go about doing your suggestion of checking if the web request from my system's IP is received on the remote firewall?  I assume you mean the VPN IP obtained after initiating my VPN session, but also I am not admin and would likely need to open a ticket with our IT folks to find out if it's being received.  I just wanted to get all the information I can and try everything before checking with the corporate IT folks.  Thanks, Tim.

  • Hi, Tim, and welcome to the UTM Community!

    Which Remote Access method are you using to connect to the UTM?

    Cheers - Bob

  • Hi Bob, 

    I believe I did not word my problem very well...


    I have my work laptop connected to my LAN via WiFi AP.  When I first turn this on, all is well and nothing is blocked.  However, then I open my work VPN Forti Client and VPN from my home to the corporate VPN.  I can now see my laptop having two IPs, the LAN and then the one for the corporate VPN.  There is no VPN running on my UTM, and I am not remote but actually home and on the LAN.  With my corporate VPN open from my home network to the corporate network, mostly the corporate internal URLs open.  Most non corporate URLs are now blocked, but I do not see anything in the Firewall logs about drops from my laptop's LAN IP.  

    Does that make any more sense?  

  • "Most non corporate URLs are now blocked" - Please give an example, Tim.  Have you looked at the Web Filtering log?  This is beginning to sound like a DNS conflict between the way the UTM is configured and the config of the Forti client, but let's eliminate the other possibilities first.

    Cheers - Bob

  • Revisiting this old thread now that I am working from home more often.  An example site that gets blocked is www.lynda.com.  This opens fine if I do not connect to my corporate VPN, but once that connection is up I can no longer open this site on my laptop and can only access it via the remote machine that I am VPN'd into.  There is nothing in the Web Filtering Live Log for the laptop's IP, perhaps because I added the laptop's static IP to both tables in the Transparent Mode Skiplist box?


    Thanks,

    Tim

  • From what I understand, when you VPN in, you become subject to the web filtering rules that UTM uses.  If the VPN network pool that you use is not one of the networks allowed in the web filtering rules, then web browsing to external sites will not get through the UTM proxy.

    Also remember that in your VPN options you have the choice to use the VPN as your default gateway - if you choose not to use the default gateway, you should still be able to browse using your default internet connection.

  • The laptop is already on the UTM, and the VPN is out of the UTM to my corporate network.  Not sure I follow what to check here?

  • Sorry Tim, my mistake - I didn't make myself very clear.

    When you create a VPN connection from your laptop to your corporate network, you usually have the option in the VPN settings to use the remote gateway on the corporate network (at least, I know this option exists on the Microsoft VPN clients).  If you set this option, ALL of your traffic goes via your VPN tunnel to the corporate network.  If you choose NOT to enable this option, only traffic destined for your corporate network goes via the tunnel - everything else goes out of your normal internet connection.


    Does that help?

  • Yes, that makes more sense.  We use FortiClient and all the settings are read only for us end users.  I can however see the Remote Gateway IP, is there anything I can do in the UTM admin with that IP to allow all traffic in and out and not just to and from our corporate sites?

  • I suspect that if it's the VPN client causing the problem, nothing you change in the UTM will make a difference.  You can confirm this by establishing the VPN from another network, i.e. another person's house.  If you still can't browse the internet when the VPN is up you can blame the client.

  • Well before I installed the UTM I didn't have this problem.  I could have my VPN'd remote desktop up on one monitor, and then browse any standard non corporate site I wanted to on the other monitor.  The issue only started once I set up the UTM, so I was thinking there was something the UTM was doing that was blocking the traffic.  Even still, when I hotspot off my phone instead of my home wifi it runs normally... can browse The Google on one monitor and work my remote desktop on the other.  So that's why I was isolating the issue to a UTM setting.

  • Here's a wacky idea....

    Maybe UTM is seeing your web traffic as coming from the client end of the VPN tunnel.  For example, say your VPN tunnel is configured as a 10.100.x.x network - once the tunnel is established, your computer gets an address based on that tunnel.  If the web request is issued from that address, the UTM's web filtering may block it as it's not a recognized network.  Same may happen for DNS requests.
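The split-tunnel versus "use remote gateway" distinction explained earlier in the thread, and Tim's question about whether a Transparent Mode Skiplist entry explains the empty Web Filtering log, can both be checked with a small model of the laptop's routing table and the UTM's proxy decision. The following is an added example written for this thread; it is not code from Sophos, FortiClient or any poster. All addresses (home LAN `192.168.1.0/24`, VPN pool `10.100.0.0/16`, corporate `10.0.0.0/8`, gateway `203.0.113.10`) are constructed, and the `web_filter_path` rules simply encode what the posts above describe (skiplisted sources bypass the proxy and its log; sources outside the allowed networks do not get through the proxy), not a verified reading of the UTM's own code.

```python
import ipaddress

# Constructed addresses for the laptop in the thread (not from the page).
HOME_LAN_IP = "192.168.1.50"      # address the UTM hands the laptop
VPN_POOL_IP = "10.100.5.23"       # address the corporate VPN assigns
VPN_GATEWAY = "203.0.113.10"      # corporate VPN concentrator (public side)

# Host routing tables: (destination prefix, egress interface, source address).
# Split tunnel: default route stays on the home LAN, only corporate prefixes
# go through the tunnel.
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "wifi", HOME_LAN_IP),
    ("192.168.1.0/24", "wifi", HOME_LAN_IP),
    ("10.0.0.0/8", "vpn", VPN_POOL_IP),
]

# "Use remote gateway": the default route is replaced by the tunnel; the LAN
# and a host route to the VPN gateway itself remain on the physical interface.
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "vpn", VPN_POOL_IP),
    ("192.168.1.0/24", "wifi", HOME_LAN_IP),
    (VPN_GATEWAY + "/32", "wifi", HOME_LAN_IP),
    ("10.0.0.0/8", "vpn", VPN_POOL_IP),
]


def select_route(routes, destination):
    """Longest-prefix match, the way a host chooses its egress route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, iface, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, src)
    return (best[1], best[2]) if best else None


def utm_sees(routes, destination):
    """What the home UTM observes for a browser request to `destination`.

    If the host routes the request into the tunnel, the UTM only sees an
    encrypted flow from the LAN IP to the VPN gateway and cannot inspect or
    web-filter the actual site request. Otherwise it sees the request directly.
    """
    iface, src = select_route(routes, destination)
    if iface == "vpn":
        return {"source": HOME_LAN_IP, "destination": VPN_GATEWAY, "inspectable": False}
    return {"source": src, "destination": destination, "inspectable": True}


def web_filter_path(source, allowed_networks, skiplist):
    """Proxy decision for a directly observed request, as the thread describes it."""
    src = ipaddress.ip_address(source)
    if any(src in ipaddress.ip_network(n) for n in skiplist):
        return "skipped"        # transparent-mode skiplist: bypasses proxy, no log entry
    if not any(src in ipaddress.ip_network(n) for n in allowed_networks):
        return "not-allowed"    # source outside the profile's allowed networks
    return "filtered"           # proxied and logged in the Web Filtering log


def diagnose(routes, destination, allowed_networks, skiplist):
    """One-line verdict on where to look for a site that stops working with the VPN up."""
    seen = utm_sees(routes, destination)
    if not seen["inspectable"]:
        return "tunnelled: the UTM never sees this request, check the corporate side"
    return "direct: web filter path = " + web_filter_path(seen["source"], allowed_networks, skiplist)


if __name__ == "__main__":
    allowed = ["192.168.1.0/24"]
    for label, routes in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        print(label, "no skiplist :", diagnose(routes, "8.8.8.8", allowed, []))
        print(label, "skiplisted  :", diagnose(routes, "8.8.8.8", allowed, [HOME_LAN_IP + "/32"]))
```

Running it shows the two cases the thread keeps circling: with the remote gateway enabled the site request is tunnelled and nothing the UTM does can affect it, while in split-tunnel mode the request is direct and a skiplist entry for the laptop explains why the Web Filtering log stays empty without proving the UTM is blocking anything.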