Hylafax clients & Watchguard Firewalls

To avoid keeping old fax hardware around, we use a Hylafax solution to send and receive faxes via Weepee Telecom. Incoming faxes are handled by their Hylafax solution, which nicely converts them to email for our mail server; for outgoing faxes we use a Hylafax client:

For Windows: Winprint Hylafax

For OS X: Fax 90 Client

And for All: HylaFaxSender

Here is a list of other supported clients, if the above don’t fit.

Now, configuring this traffic through a Watchguard XTM is a bit non-standard, so here we go:

Go to https://yourwatchguardfirewall:8080 and log in with the read/write password.

The Hylafax clients communicate with the server over TCP port 4559, so we have to make a rule for that. Click on Firewall -> Firewall Policies -> the green + in the upper right corner to add a policy:

(Screenshot: Watchguard XTM firewall policies)

Click on ‘Custom’:

(Screenshot: Custom proxy)

For the new rule we have to use a rather special custom proxy. When doing fax transactions a Hylafax client behaves like an FTP client, as it relies on FTP connection tracking, so we will add a ‘Hylafax FTP Proxy’:

  • Choose a name for your policy and a description
  • As type choose Proxy and select FTP from the dropdown list
  • Click on ‘Add’; in the window that appears use the same settings as in the picture:

(Screenshot: add proxy port)

Click on ‘Ok’; now you should have:

(Screenshot: Hylafax-proxy policy)

Click on Save and you are done.

This custom-made policy with FTP connection tracking can now be used :mrgreen:

Watchguard SSL VPN for Snom 370

As of version 7.3.23, the Snom 370 (and other Snom models) IP phone has built-in support for OpenVPN, which is a very nice, secure and simple way to attach a remote IP phone to an IP PBX. Because all communication is transported over a TCP tunnel, we don’t have to worry about NAT issues etc etc etc … In this example we will be using:

  • Snom 370 using special firmware with Openvpn support
  • Watchguard XTM505 Firewall
  • A lot of patience ;-)
Part 1: Provision the Snom with OpenVPN firmware:
  1. For version 7 use:
    http://provisioning.snom.com/download/fw/snom370-7.3.23-VPN-SIP-f.bin

    For version 8 use:
    http://provisioning.snom.com/download/fw/snom820-VPN-8.4.18-SIP-r.bin
  2. Go to the web interface of the Snom 370 -> Software Update -> paste one of the above provisioning URLs -> click ‘Load’ (screenshot: Setup_softwareupdate_load.png)
  3. Reboot the Snom 370; after the reboot the phone is capable of using OpenVPN
Part 2: Extract certificates and config files from the Watchguard XTM505
  1. There are several ways to retrieve the configuration file from the Watchguard XTM505: via a so-called ‘support file’, via a Watchguard SSL VPN client installed on a Windows computer, or, better and faster, by requesting the following URL:
    https://my_watchguard_box:4100/?action=sslvpn_download&filename=client.wgssl&username=my_name&password=my_password
  2. A file named client.wgssl will start downloading. It is a gzipped tar archive (you may rename it to client.tgz if you like); make a temporary directory ‘openvpn’ and extract the file there.
  3. Once extracted (command: tar -zxvf client.wgssl) you will have the following files:
    MD5SUM
    VERSION
    ca.crt
    client.crt
    client.ovpn
    client.pem
Part 3: Modify the Watchguard config files for compatibility with the Snom
  1. Delete VERSION and MD5SUM
  2. Rename client.ovpn to vpn.cnf (*nix: mv client.ovpn vpn.cnf)
  3. Create a new file called auth.cnf, open it with a text editor and add the following two lines: your SSL VPN username on the first line and your SSL VPN password on the second line
  4. Save this file as auth.cnf
  5. Open vpn.cnf; a couple of entries in the config file are not compatible with the OpenVPN client on the Snom phone, so delete the lines:
    tls-remote "/O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server"
    remote-cert-eku "TLS Web Server Authentication"
  6. Then in the same vpn.cnf file modify the following lines:
    ca ca.crt
    cert client.crt
    key client.pem
  7. To:
    ca /openvpn/ca.crt
    cert /openvpn/client.crt
    key /openvpn/client.pem
  8. And add (the path must match the auth.cnf file created in step 3, otherwise OpenVPN on the phone cannot find the credentials):
    auth-user-pass /openvpn/auth.cnf
  9. Save the file.
Part 4: Build a tarball with the config files: vpnclient.tar
  1. Change ownership and permissions on all the files:
    chown root *
    chmod 700 *
  2. Now make the tarball that we will later use to set up OpenVPN on the Snom 370:
    tar -cvpf vpnclient.tar *
  3. Set up a webserver or use an existing one in your network and upload the file vpnclient.tar to the root of the webserver directory (/var/www, /htdocs, /inetpub …)
  4. All done, so let’s start using this
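As an added example (not part of the original post), the following POSIX shell script automates Parts 2 to 4: it extracts client.wgssl, rewrites the OpenVPN config exactly as the steps above describe, writes auth.cnf, checks that no unsupported directive is left and that every file vpn.cnf references is present in the bundle, and packs vpnclient.tar. It assumes GNU tar (its --owner/--group options record root ownership in the archive, so the build host does not need to run chown as root). The function names are mine, and the archive produced by make_sample_wgssl is a constructed stand-in with placeholder certificates and a client.ovpn in the layout the post lists.

```shell
#!/bin/sh
# Added example, not from the original post: automates Parts 2 to 4.
# Assumes GNU tar (for --owner/--group) and a POSIX sh. Function names and
# the sample archive are constructed for this example.
set -eu

# Turn the WatchGuard client.ovpn into the vpn.cnf the Snom firmware accepts:
# drop the two unsupported directives, point ca/cert/key at /openvpn/, and
# reference the auth.cnf that build_vpnclient_tar writes (same file name, so
# the phone can actually find the credentials).
convert_vpn_cnf() {            # $1 = client.ovpn, $2 = vpn.cnf to write
    sed -e '/^tls-remote /d' \
        -e '/^remote-cert-eku /d' \
        -e 's|^ca ca\.crt$|ca /openvpn/ca.crt|' \
        -e 's|^cert client\.crt$|cert /openvpn/client.crt|' \
        -e 's|^key client\.pem$|key /openvpn/client.pem|' "$1" > "$2"
    printf '%s\n' 'auth-user-pass /openvpn/auth.cnf' >> "$2"
}

# Sanity check before flashing the phone: returns 1 if an unsupported
# directive survived or a file referenced from vpn.cnf is missing.
check_bundle() {               # $1 = directory holding vpn.cnf and friends
    if grep -Eq '^(tls-remote|remote-cert-eku) ' "$1/vpn.cnf"; then
        return 1
    fi
    for f in ca.crt client.crt client.pem auth.cnf; do
        grep -q "/openvpn/$f" "$1/vpn.cnf" || return 1
        [ -f "$1/$f" ] || return 1
    done
    return 0
}

# Parts 2 to 4: extract client.wgssl into <workdir>/openvpn, rewrite the
# config, write auth.cnf, set mode 700 and pack vpnclient.tar with root
# ownership recorded in the archive. Prints the path of the tarball.
build_vpnclient_tar() {        # $1 = client.wgssl, $2 = workdir, $3 = user, $4 = password
    work=$2
    mkdir -p "$work/openvpn"
    tar -zxf "$1" -C "$work/openvpn"
    (
        cd "$work/openvpn"
        rm -f VERSION MD5SUM
        convert_vpn_cnf client.ovpn vpn.cnf
        rm -f client.ovpn
        printf '%s\n%s\n' "$3" "$4" > auth.cnf
        chmod 700 *
        check_bundle .
        tar --owner=root --group=root -cpf ../vpnclient.tar *
    )
    echo "$work/vpnclient.tar"
}

# Constructed stand-in for a downloaded client.wgssl: same file layout as the
# post lists, with placeholder certificates and a WatchGuard-style client.ovpn.
make_sample_wgssl() {          # $1 = path of the .wgssl to create
    tmp=$(mktemp -d)
    printf '%s\n' 'placeholder' > "$tmp/VERSION"
    printf '%s\n' 'placeholder' > "$tmp/MD5SUM"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$tmp/ca.crt"
    cp "$tmp/ca.crt" "$tmp/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$tmp/client.pem"
    cat > "$tmp/client.ovpn" <<'EOF'
client
dev tun
proto tcp-client
remote 192.0.2.1 443
ca ca.crt
cert client.crt
key client.pem
tls-remote "/O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server"
remote-cert-eku "TLS Web Server Authentication"
verb 3
EOF
    tar -czf "$1" -C "$tmp" .
    rm -rf "$tmp"
}
```

Usage on a real download: `build_vpnclient_tar client.wgssl ./work yoursslvpnusername yoursslvpnpassword` prints `./work/vpnclient.tar`, ready to copy to the webserver root. Keep in mind that the tarball holds the client private key and the VPN credentials in clear text, so serve it from a webserver that is only reachable from the LAN and remove it once the phone has fetched and flashed it.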
Part 5: Configure the Snom 370 to use OpenVPN:
  1. Go to the Snom web interface (Snom 370, version 7 firmware) -> Advanced -> QoS/Security tab
  2. Set the radio button VPN (or VPN tm) to on
  3. In the field below paste the URL of the vpnclient.tar file, e.g. http://yourwebserver/vpnclient.tar
  4. Click ‘Save’ in the web interface of the Snom and reboot the phone.
  5. The phone will reboot and fetch vpnclient.tar from http://yourwebserver/vpnclient.tar, then flash the VPN files and reboot once more.
  6. Done; if all worked out OK, the phone is now connected to your Watchguard SSL VPN
Part 6: Troubleshooting:
  1. If you want an easy life, use version 8 of the VPN-capable Snom firmware. In version 8 there is an extra field below ‘VPN’ and ‘Unzipped vpn config tarball’, named ‘Netcat server’, where you can provide the IP address and port of a netcat listener. When there are issues with the tunnel, all debugging output is sent to your netcat listener so that you can do further troubleshooting.
  2. Set up a netcat listener on your Mac, PC, server … with the following command:
    netcat -l -p 5000
  3. Fill in the Netcat server field on the Snom phone with your.ip.address <space> 5000
  4. Done
Part 7: Credits
Part 8: Help
Still stuck? Send us an email at info(nospamplease)@openix.be, maybe we can help ;-)