Netscreen 208 Questions...

Hi Guys,

Just have a quick question about these netscreens. We have two as part of a managed service which i cant access. Basically we have remote users connecting to these from home. We have recently moved our exchange to our datacentre from our local site which the netscreens are connecting to. Since we moved the mailbox location remote users can no longer access the mailbox. Is it because there is a route missing on the netscreens? (i cant see the config so i dont know whats set)

Secondly, is there anyway to connect to users via vnc when they are coming through our netscreens? The guy who used to work here has a way where you would ask (i think) to ask the user to run vnc listen mode, then we would do something on our end to connect remotely via vnc? does anyone know how to do this?

Sorry for the dumb ass questions in advance

Find more posts tagged with

Comments

rossonieri#1

hi nel,

hmm ... you have a lot of task to do i think

does your mail client server addresses did not have to change?
and yes, probably routes to check.

its a bit hard doing online support for netscreen since it uses zones - so it needs a lot of routing part to check.

[edit]
i just remember that 208 doesnt support vsys

[/edit]

remote-desktop to users? as long as the end-point/users end (includes the firewall - if any) open for the session & having correct credential & that their vnc-server listen-mode (you should install their vnc-server and set it as listen mode), i think there should be no problem - because you are not targeting their connection session to mail server right? we are targeting their IPs. eg. 172.16.0.10:5901

any further questions are welcome

HTH.

malcybood

nel wrote: »

Hi Guys,

Just have a quick question about these netscreens. We have two as part of a managed service which i cant access. Basically we have remote users connecting to these from home. We have recently moved our exchange to our datacentre from our local site which the netscreens are connecting to. Since we moved the mailbox location remote users can no longer access the mailbox. Is it because there is a route missing on the netscreens? (i cant see the config so i dont know whats set)

Secondly, is there anyway to connect to users via vnc when they are coming through our netscreens? The guy who used to work here has a way where you would ask (i think) to ask the user to run vnc listen mode, then we would do something on our end to connect remotely via vnc? does anyone know how to do this?

Sorry for the dumb ass questions in advance

nel,

Does the Netscreen sit facing the corporate internet connection?

Does the Data Centre have an internet pipe for external email to be delivered as well as a WAN connection or is external email delivered via your local site then routed to the exchange server over an MPLS?

Are these IPSec VPN client users?

Has the subnet that the exchange server is on changed?

Can they connect to anything else on that VLAN / subnet?

Can they ping the server?

We use checkpoint but have had issues in the past where new sites were added to the MPLS network are not contactable as they were not added to the IPSec encryption domain. We had 25 MPLS sites when checkpoint was implemented 2 years ago and these were added into Checkpoint encryption domain as individual sites (which was fine when it's 25 but not as the network grows), which meant any new MPLS sites with a new LAN IP subnet were not defined in the domain and people could authenticate to the VPN still, but not authenticate or even ping to their regional server and map drives etc as it was not "allowed" by Checkpoint. Comprende?

We got around this by using summarization for the encryption domain allowed subnets.

Example;

10.1.0.0 - 10.30.0.0 were MPLS sites when the firewall was implemented so these were added statically. So we thought we will probably only need about up to 60 odd MPLS sites in the near future so we removed these individual entries and added 10.0.0.0 /10 into the VPN encryption domain, giving more dynamic approach.

For info the reason we would not just put 10.0.0.0 /8 is you want to lock these devices down as much as possible without limiting the functionality.

A routing issue is also possible, but difficult to tell without knowing more about the infrastructure and how the traffic is routed to the data centre at the moment.

Let me know how you get on.

Sorry can't help you on the VNC thing, don't use it.

nel

thanks for the replies.

Yeah the netscreens face our local internet pipe. The new exchange server is on a different subnet too. The users are ipsec vpns too.

they cant ping the new exchange server but then again for some reason they cant ping other things on the network which they CAN communicate with. i.e. tried ping the proxy they use for the internet over these connections and it fails, however they can access the net through that proxy. i have pinged production servers locally and at the data centre and the pings fail - i thought it would have something to do with the firewalls.

im pretty limited from the troubleshooting on the client end because i cant vnc onto the machines and the users arent the brightest bunch and have a moan when they have to sit and go through the stuff you instruct.

rossonieri > how do you run the listen mode in vnc? i.e. what has to be done on my side and the client side?

Thanks for the help?

rossonieri#1

hi nel,

tried ping the proxy they use for the internet over these connections and it fails, however they can access the net through that proxy.

wow, i guess there are too many network failure. are you sure that your client access the net by using the proxy? do check their routing table to make sure that you dont have a split tunneling.

as far as the routing (and the mail server box) problem - you should ask your consultant whether they have any difficulties modifying your network.

rossonieri > how do you run the listen mode in vnc? i.e. what has to be done on my side and the client side?

ok then - if its VPN then good, much simpler - no need to modify lots of thing at the client side except opening that vnc-server port and on your side just use the vnc client software (the same software as the server but - it doesnt activate the vnc daemon - it only use the client part).

assuming windows system :
if you use realvnc free version - here.

if you use tightvnc - here.

there are many of them - but i cant recommend which one to use as far as your security policy concern.

btw - dont you deploy any windows machine? why dont you use the remote desktop connection? optional though, i guess if you have deployed any active directory domain - i mean why dont you use that since your users credential already there in the directory it will be much more faster to use i think

HTH.

malcybood

nel wrote: »

they cant ping the new exchange server but then again for some reason they cant ping other things on the network which they CAN communicate with. i.e. tried ping the proxy they use for the internet over these connections and it fails, however they can access the net through that proxy. i have pinged production servers locally and at the data centre and the pings fail - i thought it would have something to do with the firewalls.

Yeah the firewall may just block ICMP to all hosts. Remember firewalls have everything blocked out of the box and you open what you want to allow, so if ICMP is not opened up you will not be able to ping the hosts but will be able to communicate with them on the application TCP/UDP port.

Try to find out if the hosts are doing split tunneling too. You can find this out by doing a tracert to Google from the user PC, if it is split tunneling then you will see all of the internet hops, if it isn't you will probably see the hops over the broadband network to the Netscreen public address (or the hop before) then it will most likely time out.