Need guidance on a print scenario

868Noob868Noob
in Firebox - VPN Mobile User

Hi folks!

I've been asked to configure printing in a specific scenario that I'm not sure would work or how to get it to work and need some guidance.

There's currently a Mobile VPN with SSL in place for remote users to access the HO and all resources. It's in Routed mode at present and all traffic is not forced.

Mgmt is having a meeting offsite and would like to:

  • connect to the HO using a laptop and the VPN connection,
  • connect a print device to the laptop mentioned above and have it shared,
  • connect and print to this print device from a server at HO.

I'm trying to figure out if it would need a straight policy config or would it also require update of authentication groups.

Please assist.

Best Answer

  • Bruce_BriggsBruce_Briggs
    Answer ✓

    Looks like you need a policy allowing access from the server to SSLVPN-Users, assuming that the source IP addr is the server IP addr and that the dest IP addr is the SSLVPN virtual IP addr.

Answers

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @868Noob

    If the users are connecting to the print share across the VPN, they should be able to print provided nothing else is denying access. Since they may have not signed into the domain, they may be prompted to do so by Windows.

    It may be possible for users to connect to the local PC that is at the remote site. However, many corporate AP installs will have client isolation turned on -- meaning client PCs may not be able to talk to each other locally -- just to the internet.

    You will need to check with the local IT team wherever they are as to if the PCs your users are using can talk to each other -- they may have to set up a different SSID to accomplish this.

    Another option may be to simply have the users all connect to the SSLVPN and connect to the printer directly -- that will remove the requirement the PCs be able to contact each other on that local network.

    -James Carson
    WatchGuard Customer Support

  • Bruce_BriggsBruce_Briggs

    You can test this locally - from a laptop behind your firewall, connected using SSLVPN, with a printer connected to the laptop.

  • 868Noob868Noob

    James,

    We did a quick test before you sent the info. A team member connected via VPN from the remote site using Mobile VPN with SSL. On his laptop, he created a shared printer and was able to connect locally using another laptop device, however, when we tried connecting to his laptop from a server in the HO, we got "tun 0 Denied" (images attached). Also included the VPN policies that allow access.
    He had no problem connecting to the same server at the HO and copying a file.

    Any idea why the tunnel is being denied?



  • 868Noob868Noob

    BTW, the source IP is not an external IP, met it so and it's above my pay grade atm. :#

  • james.carsonjames.carson Moderator, WatchGuard Representative

    The denied log is saying that there isn't a policy to handle that traffic. If the Allow SSLVPN-Users policy is allowing to Any, the user is probably not in the right group. I'd suggest opening a support case so we can verify that with you.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.