topic Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties) in Endpoint

Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Hrvoje_Brlek — Tue, 10 Dec 2019 13:58:14 GMT

Hi,

We are using Endpoint Security clients from E80.87 to E82.10, on approximately 1000 users. Our firewall gateway is on version R80.30, and our Endpoint Security Management Server is also on R80.30 (with two external Endpoint Policy Servers). As we have a lot of roaming users we need the ability to use the Register to Hotspot functionality with all ports open during the registration.

I followed the sk41586 and defined the any_port through GuiDBedit tool, and applied it on the Global Properties (see attachment below) on the firewall gateway.

But, as we are using the SmartEndpoint console, there is also the ability to define the ports to be used for Hotspot registration (Policy -> Allow hotspot registration). How can I define the any_port through SmartEndpoint, what value do I have to use (see attachment below)? There is no description in the admin guide what to use for any port if you define it through SmartEndpoint.

And the thing that confuses me the most. What configuration will be applied on the client side when connected to VPN, the one defined on the gateway in Global Properties or the one defined in the SmartEndpoint Policy?

Below is the configuration I get in trac.config when I connect to the VPN:

Thanks,

Hrvoje

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

PhoneBoy — Tue, 10 Dec 2019 18:11:19 GMT

Maybe try a port range 1-65535?

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Hrvoje_Brlek — Wed, 11 Dec 2019 08:15:11 GMT

Already tried, it doesn't accept any kind of port range:

There is also sk155072 which states the format above should work, but it doesn't (I tried while we were on R70.30.03 and now on R80.30):

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

PhoneBoy — Wed, 11 Dec 2019 16:41:12 GMT

If the SK says it should work and it doesn’t…probably worth a TAC case to clarify.

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

PhoneBoy — Wed, 11 Dec 2019 20:13:07 GMT

Checked with R&D, this is most definitely a GUI bug.
Please open a TAC case.

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Hrvoje_Brlek — Thu, 12 Dec 2019 07:12:01 GMT

OK, thanks, will do so 🙂

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Daniel_Hainich — Tue, 21 Jan 2020 14:05:31 GMT

hi
any news about this issue? i have the same problem that i cannot configure an port-range.
next question is - do i have to configure global properties and/or hotspot-policy in endpoint-console?

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

PhoneBoy — Tue, 21 Jan 2020 16:21:50 GMT

This should be fixed in R80.40.
Haven't heard of they've backported this in earlier releases, but a TAC case is the way to find out.

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Hrvoje_Brlek — Wed, 22 Jan 2020 14:20:36 GMT

1.) The port-range doesn't work, as PhoneBoy mentioned it should be fixed in R80.40.

For us the solution was to use any port. To get it working you need to add any in the SmartEndpoint policy on the Hotspot Settings (Policy -> Allow hotspot registration). I have tested this solution and it is working fine.

Although, if you check the trac.config file on the client side, the ports that are configured for the hotspot are the ones that are defined in the Global Properties on the gateway (not the ones from SmartEndpoint). But, apparently they are not applied, the configuration from the SmartEndpoint is the one that is applied (in our case any port).

trac.config:

2.) Also, to answer the second question. It is enough to define the hotspot policy in the SmartEndpoint console. You can have the option on the Global Properties checked or unchecked, it won't make any difference as long as you are using SmartEndpoint. I tested it both ways, and SmartEndpoint configuration overrides the Global Properties.

In fact, we got the response from TAC regarding this second question and they said it depends if you enforce the Endpoint Firewall policy or the Desktop Policy from SmartConsole (as per sk105644). But, I have tried both options and they don't affect the hotspot registration settings. For us it always remained the one configured in the SmartEndpoint (testing was conducted with re-creating the VPN sites).

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

Daniel_Hainich — Fri, 24 Jan 2020 09:33:48 GMT

thanks for reply. i will test it shortly.

edit: i have tested this solution and it works. hotspot-registration is working now with any port. 🙂

Re: Enable any port on Register to Hotspot (SmartEndpoint or Global Properties)

514numbers — Fri, 11 Dec 2020 19:48:25 GMT

Off topic, but on the global properties, remote access, hotspot / wifi registration section, where have you found the LOG for tracking? I thought it would be automatically sent up to the management server however unable to find it in the LOGS. Does anybody know where this LOG tracking entry is?