
Getting around lack of UPNP support....


We have a Watchguard firewall that does not support UPNP. Any tunnel opened automatically falls back to using a TCP Relay connection. The relay connection latency is always in excess of 450ms. If I initiate a tunnel with LabTech outside of the Watchguard it uses a Direct UDP connection resulting in 40-60ms latency. I am trying to figure out how to configure our Watchguard to allow the appropriate traffic so that we can utilize the Direct UDP connections inside our network. Surely it cannot be impossible. Most enterprise level firewalls do not support UPNP. I have made sure that the settings and policies are in place according to the documents found here:




and here:




The tunnels do connect, and neither the Labtech server nor the clients are blocked by threat protection on the Watchguard. The issue is just the inability to use the faster direct connection.


I have tried different H.323 and SIP-ALG settings on the incoming and outgoing policies.


We do have multiple public addresses to work with and a separate network to test with, but ultimately we would rather not leave the LAN if it could be avoided.


Has anyone had any luck getting this to work? We would love to be able to use redirectors reliably and without timeouts. Thanks for anyone's thoughts and advice.


3 answers to this question


I don't have a Watchguard, but I can tell you that relying on UPnP support is probably a bad idea. By all means have it enabled, but you should be forwarding the ports required. Our own setup is 2 x DSLs connected to a SonicWall. Each DSL has multiple public IPs. A small setup, but it supports about 35Mb download speeds without any issues.


I have set up inbound port forwarding on both lines forwarding the LT ports, indicated in the documentation, to our LT server. This much is pretty simple. The only thing I had to do which was out of the ordinary was to enable support for SIP on the firewall. This doesn't make much sense, but it makes a world of difference to tunnel establishment.

Some of the ports I have forwarded are probably legacy and no longer used. This is the list:



HTTPS on 444
Quickconnect - TCP 5500-5999
Quickconnect - TCP 8000-9024
Redirector - UDP 70-75
Redirector - TCP 70
VNC - TCP 40000-40010
VNC - UDP 40000-41000
Screenconnect - TCP 8040
Tunnels - UDP 8002
Tunnels - TCP 8002


There's a comment in this article about Watchguard which may help: https://docs.labtechsoftware.com/knowledgebase/article/6688

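The forwarding list above opens well over a thousand inbound TCP ports, and the poster notes some are probably legacy. The following is an added example, not code from the thread or from LabTech: it parses that list, totals the exposed surface per protocol, and probes the TCP forwards against the LT server to flag ranges with no listener (candidates for removal). The server hostname and the connect-based probe are assumptions; the probe is injectable so the audit can run offline.

```python
import socket
from typing import Callable, Dict, List, Tuple

# The forwarding list as posted above, normalised to "Service - proto ports"
# (the "https on 444" line is written as TCP 444). Constructed input.
FORWARDS = """https - tcp 444
Quickconnect - tcp 5500-5999
Quickconnect - tcp 8000-9024
Redirector - udp 70-75
Redirector - tcp 70
VNC - tcp 40000-40010
VNC - udp 40000-41000
Screenconnect - tcp 8040
Tunnels - udp 8002
Tunnels - tcp 8002"""

Rule = Tuple[str, str, int, int]  # (service, proto, low port, high port)

def parse_forwards(text: str) -> List[Rule]:
    """Parse 'Service - proto lo-hi' (or 'proto port') lines into rules."""
    rules: List[Rule] = []
    for line in text.splitlines():
        service, spec = line.split("-", 1)
        proto, ports = spec.split()
        lo, _, hi = ports.partition("-")
        rules.append((service.strip(), proto.lower(), int(lo), int(hi or lo)))
    return rules

def exposed_ports(rules: List[Rule]) -> Dict[str, int]:
    """Distinct externally reachable ports per protocol; overlapping ranges count once."""
    seen: Dict[str, set] = {}
    for _, proto, lo, hi in rules:
        seen.setdefault(proto, set()).update(range(lo, hi + 1))
    return {proto: len(ports) for proto, ports in seen.items()}

def tcp_listening(host: str, port: int, timeout: float = 0.5) -> bool:
    """Default probe (assumed): True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def idle_tcp_forwards(rules: List[Rule], host: str,
                      probe: Callable[[str, int], bool] = tcp_listening) -> List[Rule]:
    """TCP rules where no port in the range answers; UDP is not probed this way."""
    return [r for r in rules
            if r[1] == "tcp" and not any(probe(host, p) for p in range(r[2], r[3] + 1))]
```

Running `exposed_ports` on the list shows 1538 distinct TCP and 1008 UDP ports exposed, and that the Screenconnect (8040) and Tunnels (8002) TCP forwards already sit inside the 8000-9024 Quickconnect range.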

Hey, thanks for the reply. This started out as a bigger deal than it is now. Our latency with the TCP relay was so bad it made the redirectors unusable. The best we could hope to see was 450ms+. The average was around 550-600ms. We have since found that changing the mediator server fixed this. We now see latency at an average of 75ms or so. That makes sense of why support was so nonchalant when telling us that no UDP is really not a big deal.


What are valid mediator servers? I see these two listed but they don't ping. I'm starting to think they don't exist.



