Stealth Blocked Ports terminates my VPN

I am using NIS 2009 on my home desktop and cannot maintain a VPN connection to that machine from my remote office unless I turn off Stealth Blocked Ports. All machines involved are using XP Pro and the VPN connection software is that which comes with XP.


It appears SBP does not recognize that port 1723 has been opened by a general rule in the firewall for incoming traffic and is being used by a remote computer. The VPN connects, but is terminated after about 3 minutes. When I turn SBP back on I get the following log message in the "Firewall-Activities" log:


Unused port blocking has blocked communications.Inbound TCP connection.


Remote Address,local service is (168.103.87.220, Port(1723))

I do not know what this IP address is, but am suspicious that SBP is not responding correctly to the general rule I created to open port 1723 to internet traffic.


I would just as soon operate with SBP on since it offers a valuable service with respect to unused ports.

Can anyone help me use my VPN connection with SBP on?

Thanks,

wrnoof

I am using the VPN client that XP sets up when I use the New Connection Wizard. No 3rd party software. The incoming connection is set up on the host computer where NIS is installed also using the New Connection Wizard.


My general rule is at the top of the stack.

Thanks for the quick response

wrnoof

wrnoof:


If you do a search in the bar at the top of the screen, you will find a number of solutions for various VPN issues.  See if any of those assist you.

Tried that. The other posts generally lead to turning off Stealth Blocked Ports. That works for me, too. However, I am hoping for a better solution that allows me to keep SBP on.

wrn

Can you give me the details on the rule you made?

Absolutely. Here it is by tab.

Action -- Allow

Connections -- Inbound: from other computers

Computers -- any

Communications -- TCP protocol; local pptp (Port 1723)

Tracking -- create an event log entry


I have also tried marking both inbound and outbound ("to and from other computers") and limiting the remote computers to a specific range of IP addresses. Neither of these steps made any change in the results: VPN terminates after 3 minutes when SBP is on. 


wrnoof

In case it is helpful, I found the following information in the Firewall - Activities log when trying to connect via VPN with SBP on.


Initiate VPN Connection -- this appeared when the VPN connected. 10.10.0.150 is the internal IP for my home desktop which has NIS installed. This computer is also the VPN host although the VPN adapter on that machine generates its own IP. The other IPs are a cipher for me.

--------------------------------
Rule "VPN Access from Remote Computer" permitted (168.103.87.220, Port(1723)).
Inbound TCP connection.
Local address, service is (10.10.0.150), Port (1723)).
Remote address, service is (168.103.87.220, Port(44356)).
Process name is "System".


Terminate VPN Connection -- this entry has a time stamp 9 seconds after the entry above.

----------------------------
Rule "Default Block Windows File Sharing" blocked (169.254.145.163, Port(139)).
Inbound TCP connection.
Local address, service is (169.254.125.194, Port(139)).
Remote address, service is (169.254.145.163, Port (2339)).
Process name is "C:\WINDOWS\system32\svchost.exe".

The second entry appeared two more times in the Firewall - Activities log. The second appearance time stamp is three seconds after the first, and the third is six seconds after the second.


Hope this leads somewhere.


wrnoof.
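As an added example (not from this thread or from Norton), the following Python parses Firewall - Activities entries in the shape quoted above, classifies each remote address as public, private or link-local, and flags any block that lands on a local port an Allow rule already opens, which is the Stealth Blocked Ports symptom described in this thread. The sample log is constructed from the entries in this post.

```python
import ipaddress
import re

# Constructed sample shaped like the NIS 2009 "Firewall - Activities" entries in this thread
LOG = '''
Unused port blocking has blocked communications.Inbound TCP connection.
Remote Address,local service is (168.103.87.220, Port(1723))
Rule "VPN Access from Remote Computer" permitted (168.103.87.220, Port(1723)).
Local address, service is (10.10.0.150, Port(1723)).
Remote address, service is (168.103.87.220, Port(44356)).
Rule "Default Block Windows File Sharing" blocked (169.254.145.163, Port(139)).
Local address, service is (169.254.125.194, Port(139)).
Remote address, service is (169.254.145.163, Port (2339)).
'''

# On a "Rule ..." line the address is the remote peer and the port is the local service.
RULE_RE = re.compile(r'^Rule "(?P<rule>[^"]+)" (?P<action>permitted|blocked) '
                     r'\((?P<ip>[\d.]+), Port ?\((?P<port>\d+)\)\)')
ADDR_RE = re.compile(r'\((?P<ip>[\d.]+), Port ?\((?P<port>\d+)\)\)')

def classify(ip_str):
    """Name the kind of address the firewall reported (public, LAN, link-local)."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_link_local:
        return "link-local"   # 169.254.0.0/16, APIPA self-assigned
    if ip.is_private:
        return "private"      # RFC 1918, e.g. the 10.10.0.0/24 LAN in the thread
    return "public" if ip.is_global else "other"

def parse_log(text):
    """Return one dict per firewall event: rule, action, remote ip/kind, local port."""
    entries, lines = [], [l.strip() for l in text.strip().splitlines()]
    for i, line in enumerate(lines):
        if m := RULE_RE.match(line):
            e = {"rule": m["rule"], "action": m["action"],
                 "remote_ip": m["ip"], "local_port": int(m["port"])}
        elif line.startswith("Unused port blocking") and i + 1 < len(lines):
            a = ADDR_RE.search(lines[i + 1])      # SBP puts the address on the next line
            e = {"rule": "Stealth Blocked Ports", "action": "blocked",
                 "remote_ip": a["ip"], "local_port": int(a["port"])}
        else:
            continue
        e["remote_kind"] = classify(e["remote_ip"])
        entries.append(e)
    return entries

def sbp_conflicts(entries, allowed_ports):
    """Blocks on a local port that an Allow rule already opens (what this thread hit)."""
    return [e for e in entries
            if e["action"] == "blocked" and e["local_port"] in allowed_ports]
```

Running `sbp_conflicts(parse_log(LOG), {1723})` returns only the Stealth Blocked Ports event, and its remote address classifies as public, which is the clue that 168.103.87.220 is an address outside the home LAN rather than one of the 10.10.0.x VPN clients.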

Based on your feedback from the logs, is this system 168.103.87.220 (Remote VPN system) in the Trusted Network list?  If not add it to the Trust Control on the Network Security Map.  Go to View Network Security Map > Network Details and choose Trust Control from the drop down box.  Then click on the [+] sign to add a device to Trust Control.  Enter the address for the VPN host you are connecting to and then click Add Device.


Close the Network Map and then try your VPN again.  Let us know the results.

Message Edited by dbrisendine on 08-19-2009 07:17 PM

OK. That worked. Added the device 168.103.87.220 to Trust Control. It had to be on Full Trust to work; "Protected" did not do it.


However, I am not sure I understand. I have assigned IPs to the remote computer and to the host adapter on the machine with NIS 2009 installed. The client is 10.10.0.51 and the host adapter has a range of 10.10.0.50 to 10.10.0.53 (I plan to access from more than one remote client) and assigns itself the first range address of 10.10.0.50. I have limited the computers that have access to the open port 1723 to 10.10.0.51 through 10.10.0.53 -- the remote clients that I plan will be using VPN access to the host with NIS 2009.


Neither the host nor the remote clients that will be using the VPN have an IP of 168.103.87.220. Where did that IP come from? Is it static or will I have to modify it each time I want to connect? I can ping it from the client machine and it responds, but I don't know how to determine who owns it. When I ping from the host machine, it times out. If it's not in the range of acceptable IPs included in the general rule, how does it get through the host NIS 2009 firewall? When I added the remote IP of 10.10.0.51 to Trust Control (full trust) that did not work either. I am confused on why an IP I did not specify slips through the firewall general rule, while IPs I do specify cannot be exempted from SBP in Trust Control.


Can you help me expand my knowledge on this one?


wrnoof


The 168 IP is internal inside the VPN hosting machine (the one with NIS2009 on it; the VPN “server” if you want to call it). You have to have complete access to this VPN device as it will communicate over several ports for different protocols. You will not be able to ping this unless you are connected in the VPN network. Basically, you are going from your desktop (for example) to the VPN device (which encrypts your data) to your regular network adapter and out. So your VPN, in this case, is tunneling inside your system (VPN software is embedded in the OS), setting up an encrypted “gatekeeper” for the other PCs that connect to the VPN device.

So, even though NIS lists the 168 IP as the remote address, it is really the VPN hosting adapter or software on the local machine? Based on your description, it stands between the local machine and the normal network adapter. I assume NIS sees it as outside the local host because of that.

thanks,

wrnoof.

Correct; even though it is internal to that machine, it is a separate entity to the Firewall (that is).

Message Edited by dbrisendine on 08-21-2009 04:59 PM

Although we have the right solution, I think we have headed down a slightly wrong path here. I went to "whatismyip.com" from the remote computer and, lo and behold, the public ip of my remote client is 168.xxx.xxx.xxx. My IT admin tells me it is the public IP of my workplace primary internet connection. So, it is not internal to the VPN host adapter software on my home computer where the NIS 2009 is installed.


What concerns me is that when I try to access the host via VPN from another location using my laptop, will I run into the same problem since I have only trusted one IP specific to my workplace office. It seems to me that every coffee shop wi-fi will have its own and different public IP that will need to be trusted, also.


How do I deal with that? Is there a way to do a trust all in Trust Control?


Thanks,

wrnoof

So, are there any suggestions on how to keep SBP operating on the host computer while accessing it via VPN from various remote locations with each location having a different public IP? This is an issue since each current remote public IP needs to be "trusted" in Trust Control for the VPN connection to work. How does one "trust", for example, an IP at an airport wi-fi when the IP is not known in advance?


wrnoof

wrnoof:


I will leave a reminder to dbrisendine to revisit this thread to see if your question can be answered. 

It sounds like you are using a company laptop to access your home system; is this right?  When you log in on the company laptop does it try and ask you for a user name, password and domain / work group to log into?

Actually, right now I am using my company desktop to access my home system. However, in the near future, I will be travelling on business and will be using a company laptop the same way. Desktop access is OK since the public IP at the company that the home system needs to "trust" is static. Once I start moving around with the laptop to different locations with new public IPs, however, the situation will get more complicated.


You are correct. When I login on any company machine, the login dialogue asks for username, password and domain. The username and domain always carry forward from the last login. So, all I have to provide each time is the password.

Thanks,

wrnoof

The problem with the varying public access to your home system is that there is no true VPN "Server" per se.  I don't believe you will be able to do what you want without a dedicated VPN software solution.  The one inside the OS is part of the network interface but one like Nortel VPN (for example) is a stand-alone program that rules can be written for or protocols enabled for.


You might be able to do what you want if your company were to assign the laptop a static IP address.  Then you can make a rule for that IP address only on that network / subnet.