topic Re: VNC Access through Global protect in General Topics

VNC Access through Global protect

Radmin_85 — Tue, 20 Feb 2018 11:52:06 GMT

Hi all

We have internal server that must be accessed through VNC and HTTP.

Internally it works well but when we try to connect from outside through Global Protect it is blocked

Access Policies from GP to Internal allowed. But not working.

Re: VNC Access through Global protect

BPry — Tue, 20 Feb 2018 14:10:06 GMT

@Radmin_85,

Can you post the actual security policy that you have to allow the traffic, along with verifying that your Gateway settings under Agent > Client Settings include an access route if you are utilizing split tunnel.

I'd also recommend looking at the traffic logs and seeing what they tell you, as it will give you a better insight into where the problem actually is. Do you see the traffic from your GlobalProtect client hitting the firewall? Can you see traffic from the server attempting to hit your GlobalProtect clients? It might be worth taking a packet capture directly on the server as well.

Re: VNC Access through Global protect

Radmin_85 — Wed, 21 Feb 2018 07:55:23 GMT

Thanks i will check

Re: VNC Access through Global protect

Radmin_85 — Wed, 21 Feb 2018 09:05:12 GMT

What i have learned is:

The outside users can connect any other server inside with GP.But there is one spesific server inside which is Siemens Simantic server to which users cannot connect from outside with HTTP.

They wanted to use VNC as alternative but no way.That is the logs.The security rule is allowing any any from GP zone to Trust zone.Everything works fine except this server with Siemens web server

May be someone meet such case.Is there any specification about it?Can it be because of HTML version or something else?

Re: VNC Access through Global protect

Mick_Ball — Wed, 21 Feb 2018 14:45:08 GMT

you stated any,any, does that include application and service...

it may be best if you post the actual security policy as @BPry suggested.

Re: VNC Access through Global protect

Radmin_85 — Thu, 22 Feb 2018 15:18:39 GMT

Please the information provided bellow;
DELL Precision T1650 RACKMOUNT
Intel Xeon E3-1240 v2 (3.40GHz, 8MB, QC)
1 GB NVIDIA Quadro 600
1x500GB 3.5inch Serial ATA (7.200 Rpm) Hard Drive
8GB (2x4GB) 1600MHz DDR3 Non-ECC
Windows 7 SP1 Ultimate (English) 64 Bit

USB TR Q professional keyboard, Optical USB Mouse

HD 1920 x 1080 @60 Hz i Destekleyecek 1xDP çıkışlı Ekran Kartı TakılmalıDELL
Web Server IIS VERSION 7.

Re: VNC Access through Global protect

Remo — Thu, 22 Feb 2018 16:33:21 GMT

Hi @Radmin_85

In such cases it may help if you check the column "Bytes received" in your logs. It there is a 0, the problem could also be a local firewall or accesslist on the server.

And what filter did you use ond the screenshot? Did you filter on the source and destination IP or the rulename or something completely different?

Re: VNC Access through Global protect

Radmin_85 — Fri, 23 Feb 2018 06:20:28 GMT

First is logs.And as you see the server 172.17.79.2 get incomplete and some bytes are recieved

and the second is actual security rule.

Re: VNC Access through Global protect

Radmin_85 — Fri, 23 Feb 2018 06:22:25 GMT

We also cannot access to this server via http

Re: VNC Access through Global protect

Remo — Fri, 23 Feb 2018 07:12:21 GMT

Actually in this screenshot there is only the "bytes" column, but not "Bytes received"

Re: VNC Access through Global protect

Radmin_85 — Fri, 23 Feb 2018 10:11:50 GMT

As you see there is no received bytes

Re: VNC Access through Global protect

Remo — Fri, 23 Feb 2018 15:57:44 GMT

Hi @Radmin_85

Is the firewall with GP Gateway the only firewall in between? If yes, is this subnet of that server directly vonnected to this firewall?
From where in the internal network is it working? From the same subnet or also from other subnets?
Did you check the local firewall on that server?