turboviking

See Geovision GV NVR behind Sonicwall Enhanced


Hello. You will learn quickly that I am not a pro. I have a TZ 190 enhanced. I wanted to access (or see from WAN) a terminal on my LAN which is a dedicated camera server and NVR. I set up the appropriate NAT policy, created the object and gave IP, and set up firewall policy and pretty much did so as instructed by various VIDS, help menu, and reading.

We use this in bridged mode to assign a static IP. We have one LAN service to our Linux box and one WAN, as well as a VPN tunnel for credit card processing.

I just want to access this one camera security terminal and have tried everything 10 times. DMZ HTTP - you name it. I even have now set up a GoToMyPC Citrix app which is not what I want, but it sees past the firewall just fine. I can't though. Any thoughts? Would love to set up the remote application as the SW company (Geovision) advises, rather than this terribly slow and clumsy approach.

We are PCI compliant and can not violate the rules regarding the VPN two way tunnel for credit card or become less secure to sniffing etc. Thank you good folks for having this forum. Troy

Ok, it sounds to me like you had someone with the skills required to get your VPN setup so why not ask that same person to help you sort out this firewall issue?

I have never messed with a Dell Sonicwall, but a firewall is a firewall really. The tricky bit with Geovision is that they use multiple ports and you have to make sure they are all forwarded correctly. I think the last one I setup used 9 different ports or something crazy.

GV-Box (192.168.2.2:9999) >>> Port on Router (9999 pointed to 192.168.2.2 for both TCP and UDP) >>>> Port out of Router (9999 pointed to public IP address) >>> Internet (Public IP address is something like: 75.25.126.178) >>> Your laptop (you type in 75.25.126.178:9999 to talk to the GV-Box)

Thank you! There are several ports to forward, and depending on what you read, including the GV manual, seems they want 21, 80, 3550, 4550, 5550 and for some reason ??443??

I will take a look at that. The suggestion of using the Protobase guy is great, except he works for them and could care less as long as our CC transactions are moving smoothly.

I also had a MSE cert guy with years of experience login to the Dell. He is as sharp as I think they come, but by the end was suggesting I get a static IP at my home, VPN tunnel to that permanently, and so on, which made no sense. So maybe he was not all that sharp.

I will try the forwarding you suggest with all the ports and see where it goes. I also had a suggestion that I needed a 10dot net for the Camera server. Don't know how that would work, an IP is an IP, or am I all washed up?

Thank you once again. Troy

I really hate to suggest this, but maybe think about turning on UPnP just long enough to let all those ports talk to the router, and then turn it right back off. There is an option someplace in the GV software that will auto config the router as long as UPnP is turned on. I say this with great caution because UPnP is one of those nice things that comes with some touchy security risks.

Here is an article on it in case you wanted to get smart before making that choice:

https://www.grc.com/unpnp/unpnp.htm

That is a great idea, but the manual for V 8.5 only shows that option for win XP - I can not find even a mention in Win 7. I'll try looking again. That was exciting to read - less exciting not to find.

Hugs from Yosemite.

Troy

Seems that UPnP will leave me out of compliance with PCI certification, as a DMZ is needed to protect from hacking the CC transactions passing the VPN tunnel. So back to the drawing board.

HUGS

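Added example (not part of the original thread, and not GeoVision or SonicWall code): a Python check that probes the TCP ports listed in the posts above, once from inside the LAN and once from outside, and compares the two runs to show whether a port fails at the NVR or at the firewall/NAT. The function names and the open/closed/filtered classification are choices made for this example; the addresses are supplied by whoever runs it.

```python
import socket
import sys

# Ports the posts above list for GeoVision remote access.
GV_PORTS = [21, 80, 443, 3550, 4550, 5550]

def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"    # a reset came back: host reached, nothing listening
    except OSError:
        return "filtered"  # timeout or unreachable: no answer at all

def check_ports(host, ports=GV_PORTS, timeout=3.0):
    """Probe every port on one address (LAN IP of the NVR, or the public IP)."""
    return {port: probe(host, port, timeout) for port in ports}

def diagnose(lan, wan):
    """Compare a run made inside the LAN with a run made from outside.

    lan / wan are dicts as returned by check_ports().
    """
    verdict = {}
    for port, state in lan.items():
        if state != "open":
            verdict[port] = "not listening on the NVR"
        elif wan.get(port) == "open":
            verdict[port] = "forwarded"
        else:
            verdict[port] = "blocked at firewall/NAT"
    return verdict

if __name__ == "__main__":
    # Usage (hypothetical file name): python gv_ports.py <address>
    # Run once on the LAN against the NVR, once off-site against the public IP.
    if len(sys.argv) == 2:
        for port, state in check_ports(sys.argv[1]).items():
            print(f"{port:>5}/tcp  {state}")
```

Only TCP is probed; the UDP half of a forward, as in the 9999 example above, needs a separate check. Any port that shows as open from outside but is not needed by the remote viewer is exposure worth closing.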
