Connecting to a VPN client for support

We have a few users connect via Mobile VPN with IKEv2 using a pre-configured virtual IP address pool. Some employees have SMB access to a server or RDP access. It all works as it should for them coming in.

The issue I haven't figured out is how to provide RDP support, or a connection to our EasyVista Reach server, from the default VLAN to provide support while they are connected to the Firebox VPN.

I'm having trouble with how the Firebox handles that routing via the virtual address range. I've tried adding routes to the virtual IP address range and played with policy rules without success. It's only for a couple of users, but this should be something that can be done?

Thanks

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @BarryG

    The main issue will be that the mobile VPN's policy does not allow traffic initiated from the firewall out to the mobile VPN users.

    It's possible to create a policy to accomplish this, but not all OSes will allow traffic to traverse in via this method.

    If you attempt to send traffic to one of your mobile VPN clients and you see a log message that says "unhandled internal packet" associated with it, you need to make a rule.

    In policy manager, go to Edit -> Add policy, or in WebUI, go to Firewall -> Firewall policies, and click to add policy.
    -Create a policy type that fits the ports you wish to use.
    -In the FROM field, I would suggest using the IP of the machine you want to connect from.
    -In the TO field, I would suggest using the IPv4 subnet that your VPN is assigned to (e.g., 192.168.114.0/24).
    -I would suggest enabling logging on this policy by clicking the button that says "send log message"

    If you now see traffic being allowed to the destination in traffic monitor, your traffic should be sent to the client.

    -James Carson
    WatchGuard Customer Support
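The reply above boils down to one stateful-firewall fact: a policy is consulted only for the packet that opens a connection, so the default Mobile VPN policy (VPN users to anything) covers replies to the users but never a session that the support host starts. The script below is an added illustration of that, not code from the original post and not WatchGuard's implementation; it models policies as ordered FROM/TO/port rules, evaluates the initiating packet against them, and reports the "unhandled internal packet" outcome the reply names. The VPN pool 192.168.114.0/24 comes from the reply; the LAN addresses, the policy names and the single-host scope of the added RDP policy are assumptions.

```python
"""Model of why a LAN-initiated RDP session to a Mobile VPN client needs
its own Firebox policy.  Added example for this thread, not WatchGuard
code; all addresses except the VPN pool from the reply are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")   # stands in for the Firebox "Any" alias
ANY_PORT = frozenset()          # empty set means every TCP port


@dataclass(frozen=True)
class Policy:
    name: str
    src: tuple         # networks whose hosts may *initiate* a connection
    dst: tuple         # networks that may be the *responder*
    ports: frozenset   # allowed TCP destination ports (ANY_PORT = all)
    log: bool = False  # the "send log message" option the reply suggests


@dataclass(frozen=True)
class Flow:
    """The first packet of a TCP connection: initiator -> responder."""
    src_ip: str
    dst_ip: str
    dst_port: int


def matches(policy: Policy, flow: Flow) -> bool:
    src = ip_address(flow.src_ip)
    dst = ip_address(flow.dst_ip)
    return (
        any(src in net for net in policy.src)
        and any(dst in net for net in policy.dst)
        and (policy.ports == ANY_PORT or flow.dst_port in policy.ports)
    )


def disposition(policies, flow: Flow) -> str:
    """Name of the first policy allowing the new connection, else the log
    message the reply says to look for.  Only the initiating packet is
    checked: replies ride the session the firewall already recorded, so
    the default VPN-users policy covers VPN-initiated sessions but says
    nothing about sessions the LAN side opens towards a VPN client."""
    for policy in policies:  # first match wins (simplified ordering)
        if matches(policy, flow):
            return policy.name
    return "unhandled internal packet"


# Constructed sample environment.
VPN_POOL = ip_network("192.168.114.0/24")  # virtual IP pool from the reply
SUPPORT_HOST = "10.0.1.25"                 # assumed: technician's PC on the default VLAN
FILE_SERVER = "10.0.1.10"                  # assumed: SMB server
VPN_CLIENT = "192.168.114.5"               # assumed: a connected remote user

# Assumed default Mobile VPN policy: VPN users may open sessions to anything.
ALLOW_VPN_USERS = Policy("Allow-VPN-Users", (VPN_POOL,), (ANY,), ANY_PORT)
BASELINE = (ALLOW_VPN_USERS,)

# The policy the reply describes: one support host -> the VPN pool, RDP only.
RDP_TO_VPN = Policy(
    "RDP-to-VPN",
    (ip_network(SUPPORT_HOST + "/32"),),
    (VPN_POOL,),
    frozenset({3389}),
    log=True,
)
WITH_RDP_POLICY = (ALLOW_VPN_USERS, RDP_TO_VPN)

CLIENT_TO_SERVER = Flow(VPN_CLIENT, FILE_SERVER, 445)      # user opens SMB: works today
SUPPORT_TO_CLIENT = Flow(SUPPORT_HOST, VPN_CLIENT, 3389)   # technician opens RDP
OTHER_HOST_TO_CLIENT = Flow("10.0.1.99", VPN_CLIENT, 3389)  # some other LAN host

if __name__ == "__main__":
    cases = [
        ("baseline, VPN user -> file server", BASELINE, CLIENT_TO_SERVER),
        ("baseline, support host -> VPN client", BASELINE, SUPPORT_TO_CLIENT),
        ("with RDP policy, support host -> VPN client", WITH_RDP_POLICY, SUPPORT_TO_CLIENT),
        ("with RDP policy, other LAN host -> VPN client", WITH_RDP_POLICY, OTHER_HOST_TO_CLIENT),
    ]
    for label, policies, flow in cases:
        print(f"{label}: {disposition(policies, flow)}")
```

Keeping FROM to the single support host rather than the whole default VLAN, as the reply suggests, is why the last case still fails: the remote clients stay unreachable from everything except the machine that actually needs to reach them. A match here only means the Firebox forwards the SYN; the reply's caveat still applies, because the client's own OS firewall may drop inbound RDP on the VPN adapter even when the Firebox log shows the policy allowing it.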

  • Thanks James I will give that a go.
