Junior Member
Posted
Hi,

I just bought a new safe@office 500ADSL, it is connected to the internet and works fine.

All workstations in the office are connected to a simple switch that is connected to lan1.

All computers get IP address from the safe@office DHCP server.

I installed a VNC server on one of the workstations; it listens on port 5900 and the Windows firewall is open for that port.

I want to access this workstation from outside the LAN (no problem accessing it from a workstation inside the LAN).

I created an "Allow and Forward" rule, this way:

-> Allow and Forward
-> Custom Service (protocol: any; port range: 5900-5900)
-> Source: any; destination: any
-> Forward the connection to: myvnccomputername (Network Object), QOS: default

The rule is enabled.

I tried to connect from home, and it failed.

I looked at the event log in the reports, and it goes like this (red)

[date] [time] TCP [my home ip] [Policy rule] 1059 [my office ip] (Safe@Office) 5900

please help.

-brauner
 
Posts: 12 | Registered: April 09, 2008
Junior Member
Posted
There needs to be the IP address, or use the WAN port as the destination, in order for the forward to work correctly.
 
Posts: 13 | Location: Wisconsin, USA | Registered: September 16, 2004
Tom
Member
Posted
There's a better and more secure way to access your VNC server through the Safe@Office gateway over the Internet from home: use a Remote Access VPN!

Configure your Safe@Office as follows (VPN menu):
  • Allow SecuRemote users to connect from the Internet
  • Bypass NAT
  • Bypass default firewall policy
PC at home:
  • Download SecuRemote and install it on your PC at home

Doing it this way you can connect directly (using the internal IP address) to your VNC server, bypassing the firewall, and no rule (and no hole) has to be created on your firewall in order to access your VNC server.

Use this link for a detailed instruction:
Creating a Remote Access VPN Using SecuRemote/SecureClient

 
Posts: 32 | Registered: May 13, 2006
Member
Posted
quote:
better and more secure way to access your vnc server through the safe@office gateway over the internet from home: Use a Remote Access VPN!

Configure your Safe@Office as followed (VPN


I agree about the VPN being more secure; however, access to the PC for using Outlook etc. requires Windows Professional to perform Remote Desktop.
 
Posts: 47 | Registered: May 16, 2007
Junior Member
Posted
Hi

tserreyn - can you please be more specific?

What do you mean by "use the WAN port as the destination"?

I did set the destination IP to the workstation IP (instead of the network object), and it still doesn't work.

And for all the other responders: I don't want to use a VPN, because sometimes I want to be able to connect from any computer using the VNC viewer.

-brauner

 
Posts: 12 | Registered: April 09, 2008
Junior Member
Posted
Found the solution (with the help of live chat)

Destination should be "This gateway", it seems to be a bug, because if "This gateway" works, "Any" should work too.

-brauner
 
Posts: 12 | Registered: April 09, 2008
Junior Member
Posted
quote:
Originally posted by brauner:
Found the solution (with the help of live chat)

Destination should be "This gateway", it seems to be a bug, because if "This gateway" works, "Any" should work too.

-brauner


I don't agree.

You started with a rule saying that traffic coming from anywhere, going to anywhere, on 5900, should be forwarded to your VNC server.

If it actually worked like that, any user behind the firewall trying to access a VNC server out on the Internet would be forwarded back to your internal VNC server, as it would match that rule. Their traffic would be coming from somewhere, going somewhere, on 5900, so forward it off.

I would configure the rule as Source:Wan, Destination:This Gateway, Port:5900, Allow and Forward.

I find with my techs who configure these devices that their biggest confusion comes from the difference between "Allow" and "Allow and Forward", and when to have the destination as the local computer object and when to have it as "This Gateway".

Once you can get your head around that, you are sweet.

Personally I wouldn't call this a bug, just a difference in understanding.

Clayton
 
Posts: 6 | Registered: April 29, 2008
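To make Clayton's argument concrete, here is a small first-match model of how a gateway evaluates an Allow and Forward rule against a connection. It is an added illustration, not Safe@Office code: the addresses are constructed, "This Gateway" is assumed to mean the gateway's WAN address, and a source of "WAN" is assumed to mean "not from the LAN subnet". It shows that an any/any rule would also capture a LAN user's outbound VNC session, while WAN / This Gateway only matches inbound traffic addressed to the gateway.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing; none of these values come from the thread.
GATEWAY_WAN_IP = ip_address("203.0.113.10")   # assumed meaning of "This Gateway"
LAN = ip_network("192.168.10.0/24")            # office LAN behind lan1
VNC_SERVER = "192.168.10.50"                   # the internal VNC workstation

@dataclass(frozen=True)
class Packet:
    src: str    # sender address
    dst: str    # address the sender dialled
    dport: int  # destination port

@dataclass(frozen=True)
class ForwardRule:
    source: str       # "any", "WAN" or "LAN"
    destination: str  # "any", "This Gateway" or an IP literal
    port: int
    forward_to: str   # internal host the connection is rewritten to

def _src_matches(rule: ForwardRule, pkt: Packet) -> bool:
    if rule.source == "any":
        return True
    from_lan = ip_address(pkt.src) in LAN
    return from_lan if rule.source == "LAN" else not from_lan

def _dst_matches(rule: ForwardRule, pkt: Packet) -> bool:
    if rule.destination == "any":
        return True
    if rule.destination == "This Gateway":
        return ip_address(pkt.dst) == GATEWAY_WAN_IP
    return ip_address(pkt.dst) == ip_address(rule.destination)

def apply_rules(rules, pkt: Packet):
    """Return where the connection is forwarded (first matching rule wins), or None."""
    for rule in rules:
        if pkt.dport == rule.port and _src_matches(rule, pkt) and _dst_matches(rule, pkt):
            return rule.forward_to
    return None

# The two rules discussed in the thread.
ANY_ANY = ForwardRule("any", "any", 5900, VNC_SERVER)                  # brauner's original
WAN_TO_GATEWAY = ForwardRule("WAN", "This Gateway", 5900, VNC_SERVER)  # Clayton's suggestion

# Constructed traffic: a home PC reaching the office, and a staff PC reaching an external VNC host.
HOME_TO_OFFICE = Packet("198.51.100.7", str(GATEWAY_WAN_IP), 5900)
LAN_TO_INTERNET = Packet("192.168.10.23", "192.0.2.44", 5900)
```

Under the any/any rule both connections land on the internal workstation; under WAN / This Gateway only the inbound one does.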
Junior Member
Posted
Hi,

Well, I don't agree with you...

As far as I understand, step 3 is a condition step.

step 1: rule type (allow & forward)
step 2: service (port 5900)
step 3: source and destination - this is a condition step; it means: allow and forward the port 5900 connection if all conditions are met.
So, if "this gateway" works, "any" must work too, because "any" includes all options.

-brauner
 
Posts: 12 | Registered: April 09, 2008
Tom
Member
Posted
How Check Point describes the above mentioned rules:

Allow and Forward
This rule type enables you to do the following:
  • Permit incoming traffic from the Internet to a specific service and destination IP address in your internal network and then forward all such connections to a specific computer in your network. Such rules are called NAT forwarding rules.
    For example, if the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.2, and the network contains two private Web servers, A and B, you can forward all traffic with the destination 62.98.112.1 to server A, while forwarding all traffic with the destination 62.98.112.2 to server B.
    Note: Creating an Allow and Forward rule for incoming traffic to the default destination This Gateway (which represents the Safe@Office IP address), is equivalent to defining a server in the Servers page.
  • Permit outgoing traffic from your internal network to a specific service and destination IP address on the Internet and then divert all such connections to a specific IP address. Such rules are called transparent proxy rules.
    For example, you can redirect all traffic destined for a specific Web server on the Internet to a different IP address.
  • Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT).
  • Assign traffic to a QoS class.
    If Traffic Shaper is enabled for incoming traffic, then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class. For example, if Traffic Shaper is enabled for incoming traffic, and you create an Allow and Forward rule associating all incoming Web traffic with the Urgent QoS class, then Traffic Shaper will handle incoming Web traffic as specified in the bandwidth policy for the Urgent class.
    For information on Traffic Shaper and QoS classes, see Using Traffic Shaper.
Note: You must use this type of rule to allow incoming connections if your network uses Hide NAT.

Allow
This rule type enables you to do the following:

  • Permit outgoing access from your internal network to a specific service on the Internet.
  • Permit incoming access from the Internet to a specific service in your internal network.
  • Assign traffic to a QoS class.
    If Traffic Shaper is enabled for the direction of traffic specified in the rule (incoming or outgoing), then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class. For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing Web traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing Web traffic as specified in the bandwidth policy for the Urgent class.
    For information on Traffic Shaper and QoS classes, see Using Traffic Shaper.
Note: You cannot use an Allow rule to permit incoming traffic, if the network or VPN uses Hide NAT. Use an "Allow and Forward" rule instead. However, you can use Allow rules for static NAT IP addresses.

 
Posts: 32 | Registered: May 13, 2006

© Copyright 2006 SofaWare Technologies Ltd.