NGAF cannot Communicate With server

Newbie401373 Lv1Posted 10 May 2024 11:17

Last edited by Newbie401373 10 May 2024 17:34.

When we are using SSLVPN we can Communicate with all endpoints but only 1 server that we cant communicate / access, looking at Ngaf, Endpoint Secure Manager Port 3389 are Open TCP/UDP, any ideas what to fix? Thanks

By solving this question, you may help 183 user(s).

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Sheikh_Shani Lv2Posted 22 Jul 2024 14:09
  
Hello Dear

You're experiencing an issue where you can't communicate with one specific server using SSLVPN, despite being able to reach all other endpoints. You've checked the Ngaf and Endpoint Secure Manager, and port 3389 (RDP) is open for both TCP and UDP traffic. Here are some potential causes and suggestions to help you troubleshoot the issue:

1. Server-specific configuration issue: Double-check the server's configuration, ensuring that RDP is enabled and allowed in the Windows Firewall (if applicable).
2. Network segmentation or isolation: Verify that the server is not isolated or segmented from the rest of the network, which might be blocking communication.
3. SSLVPN configuration issue: Review the SSLVPN configuration to ensure that the server's IP address or FQDN is correctly specified and allowed in the VPN settings.
4. Authentication or authorization issue: Check the authentication and authorization settings for the SSLVPN connection, ensuring that the user or group has the necessary permissions to access the server.
5. Network congestion or packet loss: Investigate potential network congestion or packet loss issues between the SSLVPN client and the server, which might be causing connectivity problems.
6. Server resource or performance issues: Check the server's resource utilization (CPU, RAM, disk space) and performance metrics to ensure it's not experiencing any issues that could be causing the connectivity problem.

To further troubleshoot, you can try:

- Using a network sniffer (e.g., Wireshark) to capture and analyze traffic between the SSLVPN client and the server
- Enabling debug logging on the SSLVPN client or server to gather more detailed logs
- Testing connectivity using a different protocol (e.g., ICMP echo/ping) to isolate the issue

If none of these suggestions help, please provide more details about your environment, SSLVPN setup, and the specific error messages you're encountering, and I'll be happy to assist you further!
Newbie221001 Lv1Posted 06 Jun 2024 11:14
  


Maybe you can try packet capture that's traffic, go to system > troubleshooting and then input src and dst ip address
fuadmahbubun Lv2Posted 20 May 2024 20:47
  
Last edited by fuadmahbubun 20 May 2024 20:49.

Hi Newbie401373,
have you checked for resource that allow to connect? you have to define destination resource (all destination server ip address) and roles for sslvpn user.

https://knowledgebase.sangfor.com/detailPage?articleData=%7B%22articleType%22%3A1,%22articleId%22%3A%222cc9b34e2d6b463f9fb3a70c9646ac0e%22,%22keyword%22%3A%22%22%7D


Rotring Lv2Posted 11 May 2024 19:39
  
Hi,
Here are some ideas on why you can't access one specific server through SSLVPN while you can access others, even though ports seem open on the NGAF (Next-Generation Application Firewall) and Endpoint Secure Manager:

1.  Access Control Issues:

Firewall Rules: Double-check firewall rules on the SSLVPN server or NGAF. There might be a rule unintentionally blocking access to that specific server's IP address or port (3389 for RDP).
Split Tunneling: If split tunneling is enabled, ensure the server you can't access is included in the list of resources allowed through the VPN tunnel. By default, split tunneling might route non-work traffic outside the VPN, potentially blocking access to internal servers.
Endpoint Security Restrictions: Endpoint security software on the server you can't access might be blocking RDP connections from the VPN client's IP address.
2.  Server-Side Configuration Issues:

Windows Firewall: Check the Windows Firewall settings on the server itself. It might be blocking incoming RDP connections on port 3389.
Remote Desktop Service: Ensure the Remote Desktop service is running on the server you're trying to access.
3.  Client-Side Configuration Issues:

SSLVPN Client Settings: Verify that the SSLVPN client configuration is correct and points to the right server address and port (3389).
Network Adapter Configuration: Check the network adapter settings on the client machine used with the SSLVPN. Ensure it's set to obtain an IP address automatically when connected through the VPN.
4.  Troubleshooting Steps:

Test from Internal Network: Try connecting to the server directly from within your internal network (not through the VPN) to see if the issue lies with the server itself or the VPN connection.
Ping Test: Use a ping test from the SSLVPN client to the server's IP address to see if basic connectivity exists. If the ping fails, there might be a network connectivity issue between the client and server.
Log Analysis: Review logs on the SSLVPN server, NGAF, and the server you can't access. These logs might provide clues about the specific reason for the access failure.
Prosi Lv3Posted 11 May 2024 18:28
  
Hi,

#Configuration# Sangfor NGAF Route mode
To configure Sangfor NGAF in Route mode setting.
Topology:
https://labs.sangfor.com/forum.php?mod=viewthread&tid=7456
Requirements
1. NGAF with firmware version of 8.0.35.
2. NGAF - Layer 3 switch point-to-point connection
Enrico Vanzetto Lv4Posted 10 May 2024 19:58
  
Ok, so if i understand correctly your server stands on the same network segment as other servers/clients, right? After install EDR on this server, if you connect from external network to your company network through vpn ssl, the only server that's unreachable on rdp is this server with edr, right?
Could you reinstall EDR on this server, disable windows firewall and try to ping or connect with rdp again from vpn ssl?
If you still can't connect, try installing a webserver like xampp and try to reach it from vpn ssl (xampp is a little tool that allows you to have an apache server working on the well known ports).
Newbie517762 Lv5Posted 10 May 2024 16:17
  
HiHi,

Perhaps you can refer to this similar issue - the server cannot access the Internet and is not able to ping by LAN PC after enabling ES Agent.
Please find the attachment for your reference.
Server cannot access Internet and not able to ping.pdf (277.39 KB, Downloads: 576)

I hope it can assist you in resolving the issue.
Farina Ahmed Lv5Posted 10 May 2024 16:15
  
Pls ensure that the SSLVPN configuration includes the correct routes to reach the server's network. Also, verify if there are any network policies or access control lists restricting access to the server. If all else fails, check for any potential issues with DNS resolution or IP routing that might be preventing communication. Hopefully issue will resolve after that.
Newbie401373 Lv1Posted 10 May 2024 14:59
  
No, Still cant do, the only trouble we had occures when we are using the SSLVPN, after conncted we cannot communicate with one of our servers, once we uninstall the EDR we can communicate with the server. no configuration was change, and suddenly we cannot use VPN to access the server.
Enrico Vanzetto Lv4Posted 10 May 2024 14:54
  
Hi, on edr web ui you could check if you have some policy restrictions about rdp?
Please go on policy section of your edr appliance and select the corresponding group where your server resides.
After that, try first disabling this secondary authentication by untick this option:

You can try to disable for testing purpose even this setting about rdp

I Can Help:

Change

Board Leaders