Netbios over SSL-VPN
Hello Community, I need directions to let browsing by hostnames work correctly when connected via SSL VPN on a Gen6 firewall. After doing the usual config steps (enable Netbios over SSL-VPN in client config, enable IPHelper>Netbios) and some additional config to allow multicast on X1 and X0 to resolve the UDP 5353 to 224.0.0.251 drop, we found additional packets related to Netbios still dropped:
I can't figure out why this happens, since IPHelper for Netbios will be hit but it doesn't allow creating a forward policy from/to the SSL-VPN zone.
Documentation in the KB is quite ineffective, so if you have any clue... thanks for your help.
Answers
Hi @Enzino78 I was never in need of Netbios over SSL-VPN, but did you follow this specific SNWL KB article?
--Michael@BWC
Thanks @BWC, I used it but it doesn't work in the customer scenario.
@Enzino78 I took the Standard Support approach, that would have been too easy 😂
Did you do a packet trace on both ends (firewall & client) to figure out which traffic is generated and what does and does not hit the firewall?
--Michael@BWC
Thanks Michael ;-)
I've traced the packets arriving at the firewall and the only one dropped is the one depicted above for UDP port 137, sourced from the SSL VPN connected client (10.0.10.10) with broadcast destination 255.255.255.255. Dropped by Policy (?), no output interface indicated. I believed such a drop was caused by IPHelper. But it also seems to forward traffic. It isn't possible to create a dedicated IPHelper policy from/to the SSL VPN subnet.
Hi @Enzino78
Try to exclude the SSL VPN IP pool / address object from CFS policies and try.
Hello Ajishlat, the SSL VPN IP Pool is assigned to the SSL-VPN Zone, associated with a dedicated network (no overlap with LAN), and there isn't any CFS policy from the SSL VPN zone to the WAN zone.
Hi @Enzino78 ,
Can you please confirm that an access rule for the NETBIOS service is configured from the SSLVPN to the LAN (or the zone where the host is configured)?
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Yes, I can confirm the rules are in place from SSL VPN to LAN for Netbios services and Netbios broadcast (255.255.255.255) as per this KB.
I suggested that because the said drop code is CFS related.
I think this issue is more than a random problem: I've collected another customer with Gen7 and an issue in propagating Netbios over SSL-VPN. Any feedback from Vendor people?