IPSec Site to Site VPN and printer behind WINGATE
Apr 19 11 4:50 pm
Hi,
We are setting up our accounts where our parent hosts the system and we use a Telstra IPSec VPN between Sydney and Auckland
Getting the thin client running behind WinGate was simple, we just put a TCP map in for port 23 and it burst into life
What we can't seem to get going is the printing.
How do I allow the printing to originate in Sydney and print to one of two IP printer we have behind our Wingate firewall
Configuration as follows
WinGate Version 6.6.4
on an old (but very stable and reliable) Windows 2000 PC
In Auckland
Wingate DMZ IP 10.0.15.2
Wingate Local IP 10.0.14.4
Printer #1 IP 10.0.14.252
Printer #2 IP 10.0.14.225
Cisco Router/gateway 10.0.15.254
In Sydney
Main accounts server IP 10.0.0.15
Accounts print server IP 10.0.0.57
I would of thought that opening the printing port 9100 in extended networking would of worked but no, nothing. What I think is the problem is that Wingate doesn't see the 10.0.0.57 IP as internet source being a private range IP? Obviously wingate doesn't pass the ping requests either
To proove that the VPN passes the printing we temporarily put the 10.0.14.225 printer into the DMZ on 10.0.15.225 and it worked fine (as we hoped) which leads us to this request for assistance.
thanx
Ralph
We are setting up our accounts where our parent hosts the system and we use a Telstra IPSec VPN between Sydney and Auckland
Getting the thin client running behind WinGate was simple, we just put a TCP map in for port 23 and it burst into life
What we can't seem to get going is the printing.
How do I allow the printing to originate in Sydney and print to one of two IP printer we have behind our Wingate firewall
Configuration as follows
WinGate Version 6.6.4
on an old (but very stable and reliable) Windows 2000 PC
In Auckland
Wingate DMZ IP 10.0.15.2
Wingate Local IP 10.0.14.4
Printer #1 IP 10.0.14.252
Printer #2 IP 10.0.14.225
Cisco Router/gateway 10.0.15.254
In Sydney
Main accounts server IP 10.0.0.15
Accounts print server IP 10.0.0.57
I would of thought that opening the printing port 9100 in extended networking would of worked but no, nothing. What I think is the problem is that Wingate doesn't see the 10.0.0.57 IP as internet source being a private range IP? Obviously wingate doesn't pass the ping requests either
To proove that the VPN passes the printing we temporarily put the 10.0.14.225 printer into the DMZ on 10.0.15.225 and it worked fine (as we hoped) which leads us to this request for assistance.
thanx
Ralph
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 19 11 5:17 pm
Hi
are you seeing any hits in WinGate's firewall tab?
Regards
Adrien
are you seeing any hits in WinGate's firewall tab?
Regards
Adrien
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 19 11 6:26 pm
a bit of an update
I found this post viewtopic.php?f=12&t=39537&p=32510&hilit=remote+printing#p32510
and followed the instructions and it seems to work as much as there was a bit of garbage in the printing which I think its the Aussies not installing the wrong drivers, but in essence it seems to work fine.
My next issue is how do I get the second printer running? They will both use 9100 as a port and so far I've found no way to change that in the device setting?
With the extended network in WG set as a re-direct for port 9100 its limited to 1 printer effectivly?
Any suggestions of how I could deal with it in WinGate?
thanx for the fast reply
Regards
Ralph
I found this post viewtopic.php?f=12&t=39537&p=32510&hilit=remote+printing#p32510
and followed the instructions and it seems to work as much as there was a bit of garbage in the printing which I think its the Aussies not installing the wrong drivers, but in essence it seems to work fine.
My next issue is how do I get the second printer running? They will both use 9100 as a port and so far I've found no way to change that in the device setting?
With the extended network in WG set as a re-direct for port 9100 its limited to 1 printer effectivly?
Any suggestions of how I could deal with it in WinGate?
thanx for the fast reply
Regards
Ralph
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 19 11 6:43 pm
Hi
Fundamentally, if you have an IPSEC VPN between the 2 sites, then the computers should be individually addressable?
So the VPN client is running on a computer behind WinGate and connects via WinGate to the Sydney office?
If so, you shouldn't need to use mapped ports for printing. Sydney should just be able to connect to the private IPs on your LAN.
Adrien
Fundamentally, if you have an IPSEC VPN between the 2 sites, then the computers should be individually addressable?
So the VPN client is running on a computer behind WinGate and connects via WinGate to the Sydney office?
If so, you shouldn't need to use mapped ports for printing. Sydney should just be able to connect to the private IPs on your LAN.
Adrien
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 19 11 6:59 pm
that's true for DMZ pc's on the same subnet as the Cisco DSL router which as I understand it is the VPN end point
problem is the printers are behind the wingate firewall so you can't ping or print to them unless I set up a the print driver on the Sydney PC to point to the wingate DMZ IP 10.0.0.2 and then in Wingate do a port 9100 redirect to one of the 2 printers and there lies the question
At the moment we think we have to try and change the port on the printer itself so we can set up a second redirect
thanx
problem is the printers are behind the wingate firewall so you can't ping or print to them unless I set up a the print driver on the Sydney PC to point to the wingate DMZ IP 10.0.0.2 and then in Wingate do a port 9100 redirect to one of the 2 printers and there lies the question
At the moment we think we have to try and change the port on the printer itself so we can set up a second redirect
thanx
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 19 11 8:39 pm
depending on setup, WinGate could route to those other machines rather than port forward.
But another port should also do the trick.
But another port should also do the trick.
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 20 11 12:02 pm
Thanx for your patience Adrien,
Are you able to explain the "ROUTE" set-up for me. It would be preferred as changing the port on the device isn't that simple a task.
My original attempt was to open the port in extended networking like so
But that didn't work so as previously stated I found something similar in the forum and used the re-direct setting instead like so
Again, thanx for your assistance with this.
Regards
Ralph
Are you able to explain the "ROUTE" set-up for me. It would be preferred as changing the port on the device isn't that simple a task.
My original attempt was to open the port in extended networking like so
- Port 9100 Allow.JPG (75.93 KiB) Viewed 5376 times
But that didn't work so as previously stated I found something similar in the forum and used the re-direct setting instead like so
- Port 9100 redir.JPG (50.58 KiB) Viewed 5376 times
Again, thanx for your assistance with this.
Regards
Ralph
Re: IPSec Site to Site VPN and printer behind WINGATE
Apr 26 11 4:13 pm
Hi
in order for WinGate to do this by routing, the clients using the printers need to know / use the actual printers IPs. Currently I presume they are configured to connect to the IP of the WinGate computer.
That means the subnet that the printers reside on, must be known across the VPN. This then comes down to publishing routes, setting routes (or default gateway) on computers on the remote network.
The local VPN gateway also needs to know about this subnet and know to pass packets for it to WinGate.
After that, if the packets are received by WinGate on an internal adapter, going to another internal adapter, they will be routed rather than address-translated.
Regards
Adrien
in order for WinGate to do this by routing, the clients using the printers need to know / use the actual printers IPs. Currently I presume they are configured to connect to the IP of the WinGate computer.
That means the subnet that the printers reside on, must be known across the VPN. This then comes down to publishing routes, setting routes (or default gateway) on computers on the remote network.
The local VPN gateway also needs to know about this subnet and know to pass packets for it to WinGate.
After that, if the packets are received by WinGate on an internal adapter, going to another internal adapter, they will be routed rather than address-translated.
Regards
Adrien