
Enable HTTPS Management Over SSL-VPN

I have a TZ670 and I am trying to enable HTTPS Management Over SSL-VPN.

I followed both of these KBs and checked around 5 times. I can connect, but I cannot access the UI management. It just times out.

I also tried the third article to get tunnel mode working and it worked.

Any Ideas?

Category: Entry Level Firewalls

Best Answers

  • CORRECT ANSWER
    TKWITS Community Legend ✭✭✭✭✭
    Answer ✓

    If a port is not "up-up" (physically and logically up) it will not respond to management requests. This is logically correct and by design.

  • CORRECT ANSWER
    preston All-Knowing Sage ✭✭✭✭
    edited June 2021 Answer ✓

    Hi @TKWITS, this is not true:

    "If a port is not "up-up" (physically and logically up) it will not respond to management requests. This is logically correct and by design."

    If you see my guide above and apply the firewall rules, you can see you can still connect to an interface for management regardless of whether it is up or not. It has been like this for years; see the image included. I'm connecting to my appliance from the X0 interface with the disconnected X11 interface IP; I can also ping it and log in to the SSL VPN.



Answers

  • Hello @Rinconmike,

    I tested this in my lab setup and it seems to work even without tunnel all mode. You have LAN subnets added to the client routes and testing with the X0 IP address right?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Rinconmike Enthusiast ✭✭

    I do have the LAN Subnets in the client routes.

    I have it set up for X3, a second LAN. The IP range is 192.168.2.x.

    The SSL VPN Range is 192.168.2.215 to 192.168.2.230

    One thing is that I have the 670 at home and I have been testing it with my laptop hooked up to the X3 port and nothing in the X0. I have the WAN port pulling an IP from my Fios Router. I thought last night I tested from my phone that the VPN worked and I could connect to the management.

    Right now I am in my office and took my laptop. So I have nothing plugged into the X3 port.

    I also have my 2650 hooked up to the Fios Router so I can VPN from my office into the 2650 and access the TZ670 management over the WAN IP.

    I can VPN into the TZ670 but cannot access the management at 192.168.2.1.

    Could it be a bug or an issue that the X3 port has nothing plugged into it? I will have to try again when I get home tonight. Once I plug the laptop into the X3 I will use my phone (not on WiFi) to see if I can connect via VPN and access the management.

  • TKWITS Community Legend ✭✭✭✭✭

    So are you trying to browse to the X0 management address from the X3 / SSLVPN subnet? Or are you trying to browse to the X3 management address from the X3 / SSLVPN subnet? Was X3 added as a LAN zone?

  • Rinconmike Enthusiast ✭✭

    I added X3 as a second LAN zone.

    When I am home and using a system connected to the 2650, I can access the TZ670 management through X1 WAN typing in the WAN IP. I configured the WAN for HTTPS management for now.

    I can also access the management when my laptop is hooked to the X3 via the X3 IP.

    Ultimately I will be using X0 for the primary LAN when I swap out my 2650.

    Right now I am trying to configure and access the X3 LAN management through SSL VPN. I am not home right now and have nothing plugged into the X3 port. When I get home I will plug my laptop in and try the VPN from my phone (not on WiFi). I also have nothing plugged into the X0 port.

    I want to be able to manage the device via SSL VPN and followed the KB using X3 instead of X0 noted in the KB.

    Note I set up my laptop to connect to the X3 with an IP range of 192.168.2.x so I can connect to both the 670 and 2650 from the same computer, one hardwired and one WiFi. Both the 2650 and 670 X0 are 192.168.0.X.

  • Rinconmike Enthusiast ✭✭

    I hooked my computer up to X3 on the 670 and now I can access the X3 management through SSL VPN. So I guess if the X3 has no connection, it does not work. I will try just a switch on X3 as opposed to a computer, just to show there is something connected to the X3, to see if it still works.

    In normal use, the X0 or X3 will be connected to a switch so the situation I have is not normal.

  • preston All-Knowing Sage ✭✭✭✭
    edited June 2021

    Hi @Rinconmike, what firmware are you on? Do you mean you are portshielding X0 to X3? Asking as there is a known bug in the latest SonicOS 7.0.1-R1262 firmware with portshielding.

    If you are not, and you are trying to get to the X3 IP address from another internal IP address, you can do this via the firewall rules. It shouldn't matter if you have anything connected to it or not.

    For example, say X3 is in a zone called LAN2. You can create a firewall rule from LAN-LAN2 for the service SSLVPN with the destination of the X3 IP address, and make sure that you also enable the "enable management" option on the rule. (You can then use this to connect to the LAN2 IP address for SSL VPN.)

    (I do this all the time from the LAN-WAN so we can deploy and test users' SSL VPN clients internally on their laptops before they take them away with them.)

    You can also create another rule specifically for the HTTPS management the same way as the other; this time you just use HTTPS Management as the service, but you need to add this in the SSLVPN-LAN2 direction. (On this one you don't technically need "enable management" enabled on the actual rule, as it is a management service.)

    If you just wanted, you can also create a SSLVPN-LAN2 rule ANY-X3 Interface IP and enable the "enable management" option, and this will allow the management services like Ping, HTTPS, SSH, but I would recommend adding them separately so you are only allowing the management services you require.
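The rule set preston describes, modelled as an added illustration (not SonicOS code, and not part of the thread): a simplified zone-to-zone rule evaluator that shows why the two narrow rules expose only HTTPS management from the SSLVPN zone, while the broad ANY rule with "enable management" also admits Ping and SSH. The X3 address 192.168.2.1 is taken from the thread; rule-matching semantics are a constructed approximation.

```python
from dataclasses import dataclass

# Management services SonicOS gates behind "enable management"
# (constructed set for this model).
MANAGEMENT_SERVICES = {"HTTPS Management", "SSH Management", "Ping"}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str            # a named service, or "ANY"
    dst: str                # destination address, or "ANY"
    allow_management: bool = False   # the "enable management" checkbox

X3_IP = "192.168.2.1"       # X3 interface IP from the thread

def permits(rules, src_zone, dst_zone, service, dst_ip):
    """True if any rule admits the flow. A management service is admitted
    either by a rule naming that service or by an ANY rule whose
    "enable management" flag is set (simplified model)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.dst not in ("ANY", dst_ip):
            continue
        if r.service == service:
            return True
        if r.service == "ANY" and (service not in MANAGEMENT_SERVICES
                                   or r.allow_management):
            return True
    return False

# The two narrow rules recommended in the post above
NARROW = [
    Rule("LAN", "LAN2", "SSLVPN", X3_IP, allow_management=True),
    Rule("SSLVPN", "LAN2", "HTTPS Management", X3_IP),
]
# The broad alternative the post mentions but advises against
BROAD = [Rule("SSLVPN", "LAN2", "ANY", X3_IP, allow_management=True)]

def exposed_management(rules, src_zone="SSLVPN", dst_zone="LAN2", dst_ip=X3_IP):
    """Sorted list of management services the rule set admits to dst_ip."""
    return sorted(s for s in MANAGEMENT_SERVICES
                  if permits(rules, src_zone, dst_zone, s, dst_ip))

if __name__ == "__main__":
    print("narrow rules expose:", exposed_management(NARROW))
    print("broad rule exposes: ", exposed_management(BROAD))
```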

  • Rinconmike Enthusiast ✭✭

    Hi. I am on SonicOS 7.0.1-R1262. I am not doing anything with Portshield.

    The issue is if I have nothing plugged into the X3 it shows the status of the port as Failed. Once I plug something in the status is green (connection) and all works. Right now I have a Surface dock plugged into it and no Surface connected. So the X3 sees the port is active and the SSL-VPN to X3 works fine. I am only using X3 as opposed to X0 as I test. Eventually I will be using X0 once I hook it to my switch.

    Not sure if this is by design or a bug. Maybe the same would not happen if I was pointing the SSL VPN to X0 as the default LAN and had nothing plugged into X0. I might try.

    thanks,

    Mike

  • Rinconmike Enthusiast ✭✭

    Same thing happens on the X0 interface.

  • preston All-Knowing Sage ✭✭✭✭

    Hi @Rinconmike, try the latest firmware, 7.0.1-R1456, released yesterday, and see if this fixes your issue.

  • Rinconmike Enthusiast ✭✭

    I installed 7.0.1-R1456 last night but have not tested if this issue still happens. Right now I have the X0 connected to a Surface dock (but no computer hooked to the dock) so it shows an active X0 link. Once I connect the TZ670 to the switch there will always be an X0 link (unless the switch fails). I will test tonight if the update changed anything on this.

    Ultimately, it may be by design. Outside of testing, I am not sure if there will ever be a situation where there is nothing hooked to the X0 port (or whichever one someone will use for the LAN). Maybe on the wireless models, if someone is using it just for wireless and does not have anything plugged into the X0.

    Another possibility is if a switch fails and someone needed to SSL-VPN into the TZ670 to troubleshoot and see what is going on. If there is an active WAN but the switch failed, you should still be able to log in and see the condition that the X0 is in the failed state.

  • TKWITS Community Legend ✭✭✭✭✭

    The more you know. Still not sure why you'd do this but to each their own.
