Configuring a VPN tunnel to pass common services between a Symantec Firewall/VPN appliance and a Symantec Enterprise Firewall

Article:TECH80021  |  Created: 2002-01-17  |  Updated: 2003-01-19  |  Article URL http://www.symantec.com/docs/TECH80021
Article Type
Technical Solution


Environment

Issue



You want to pass common services through a VPN tunnel connecting two sites that are protected by Symantec firewalls. Users at one site want to access services available on the other site. You want to know how to configure the firewalls for service traffic.


Solution



The information in this document describes the steps for configuring the Symantec firewalls to control access to services through a VPN tunnel. For the purposes of explanation, the following scenario will be used:
  • A Symantec Enterprise Firewall (7.0, 6.5.2, Symantec VelociRaptor 1.1, 1.5, or Symantec Gateway Security appliance) is located at a central site.
  • A Symantec Firewall/ VPN appliance (100, 200, or 200R) is located at a remote site.
  • A VPN tunnel has been established between the two sites


To pass traffic with all available services through the VPN tunnel, do the following.

On the Symantec Enterprise Firewall (SEF)
  1. Select VPN tunnels, click IKE policy, and then select the correct policy for the tunnel.
  2. Check "Pass traffic through the proxy."
  3. Create a rule allowing inbound traffic from the tunnel with the following settings:

    Note: More information for creating rules is available in the product user and configuration guides and in the Symantec Knowledge Base (use keywords: create rules)

    • In Via: The tunnel
    • Out via: The inside network adapter (NIC)
    • Services will normally include:
      • cifs*
      • nbdgram*
      • http*
      • Any custom protocols
      • If the remote users are connected to a Windows 2000 domain protected by the SEF, they will normally add protocols for the following services:
        • tcp_137
        • udp_137
        • tcp 135-135 (be sure to use the range 135-135 in the destination)
        • kerberos 88_tcp
        • imap
        • smtp*
        • pop3
        • tcp_1212 for MS Exchange
        • LDAP 389_UDP and 389_TCP

          DNS name resolution from the SEF is included by default when traffic is being passed through the proxy, DNSd is enabled, and the Address Transform is configured as shown below. DNSd will give remote users access to both private and public DNS records, access to name resolution on the internal name servers, and name resolution through public authoritative name servers on the Internet.
  4. Create an address transform to ensure that traffic exiting the tunnel at the central site will exit with the firewall's internal IP address, by using the following settings:
    • In Via: The tunnel
    • Out via: The inside NIC
    • Source: The remote subnet
    • Destination: The internal subnet
    • Set the transform to use the gateway address.

      Note: For more information on configuring address transforms, see the document How to configure Address Transforms
  5. DNS records on the SEF must have an entry for any internal name servers, with the appropriate domains served. The entry must use the fully qualified names for the servers, and the domain served must include both the forward and reverse zones. If you have forwarder records, the ability to use internal Name Servers will be limited. Remove them or contact technical support.


On the Symantec Firewall/VPN appliance (100, 200, 200R)
  1. On the VPN Dynamic Key page, select Gateway to Gateway Tunnels.
  2. Check "Netbios Enabled in Tunnel."

    Note: If firmware 5L or previous is being used, the "Global Tunnel" option must be unchecked.
  3. To resolve DNS through a tunnel, the address of the DNS server on the remote network should be entered into the Static IP and DNS page > DNS Gateway section. Additionally, the "Use ISP or Static DNS as Backup" feature should be enabled for occasions when the tunnel is down.

    On the remote clients
    For remote clients protected behind the Firewall/VPN appliance, make the following changes to ensure WINS and DNS resolution:
    • In the lmhosts file, preload the WINS server behind the SEF (if it exists).
    • In the DNS search order, make the inside NIC of the SEF first in the search order and the inside (LAN) IP address of the appliance as second.


    Other considerations
    • It is important to be aware of the total bandwidth requirements for applications through a VPN tunnel. For example, if you have an accounting package at the central site that normally serves users on 100 MB (or more) local connections, this application will probably not work correctly over a wide area network (WAN) connection on less than 10 MB of throughput.
    • Some applications may be sensitive to latency (time lag) inherent with VPN connections. In general it is best to service larger applications over WAN connections through thin clients such as PCAnywhere, Citrix, or Terminal Services. Please consult your local reseller or Symantec Consulting Services for issues relating to this kind of traffic.
    • Avoid the use of All* in services, with the exception of limited testing to determine if an application can be passed through protocols. After testing is complete, create the appropriate protocols, remove all* from all rules, and reboot the system.


    References

    Kerberos Authentication fails from a Symantec VPN Client to a Symantec Firewall/VPN appliance





    Legacy ID



    2002061714452354


    Article URL http://www.symantec.com/docs/TECH80021


    Terms of use for this information are found in Legal Notices