So, I have an interesting network setup I have inherited - I’ll try my best to explain it all. Our connection to the outside is a cable modem with a built-in router (Shaw Hitron). We have two WAPs and a SonicWall connected directly to the modem. Behind the SonicWall is our switch, which all of the office machines, printers, etc. connect to.

I can scan all of those in the last group just fine, but I would like to be able to scan VPN users and Wi-Fi users as well.

Do I need to open up the WMI ports on the SonicWall in order to see those outside machines, or is there a better method to accomplish this?

You should consider the Spiceworks agent for computers that aren’t always on your network during the scan times.

https://community.spiceworks.com/how_to/116624-install-and-setup-the-spiceworks-agent-on-a-device

I have considered the agent for some of those machines, but to be honest most of the remote users leave the VPN connection on when they leave for the day, so the scan should still work.

Do your VPN and wireless users have access to the Spiceworks server/subnet? What do you mean by “Spiceworks can’t see” them?

We just implemented the agent for machines that are not on the network frequently. It’s been working great. We didn’t open it up to the outside world, just have them report when connected to the LAN or VPN.

Ok, so if I am outside and connect to the VPN, I can navigate to the SW server, but if I am on the office Wi-Fi (which is plugged directly into the cable modem), I can’t. When I run a scan for devices, it only picks up the devices on the inside of the network, even if there are some open VPN connections.

The WAPs were set up by our service provider, and as such I’m not sure I can connect them to the network inside the firewall (which I believe would allow SW to scan Wi-Fi devices).

VPN devices should be no problem then, but I still suggest using the agent.

If your Wi-Fi cannot access the Spiceworks server, then they will either need to use VPN or you will have to poke a hole in the firewall and use the Spiceworks agent. VPN being the more secure option of the 2.

Ok, and that hole in the firewall you mention, would that be opening up the WMI port and the others described in the article on configuring the Windows firewall?

If your Wi-Fi devices don’t have access to the Spiceworks server or VPN then you’d be at the Multi-Site, external routing option for the Spiceworks agent. https://community.spiceworks.com/support/inventory/docs/agent-best-practices

Looks like I’m going to have to look into relocating the WAPs to the other side of the SonicWall if I want to be able to scan for phones, tablets, etc. Cheers for all of the info and links :).

This is not a good idea, unless you 1. don’t care if your wireless devices can access any network resources, i.e. printers and local servers, or 2. you plan to have everyone on the wireless network VPN to access network resources.

Your wireless network won’t be protected by the firewall either, which would defeat the purpose of the SonicWall in the first place.

Users would either have to 1. VPN into the network and their individual computers will be exposed to malicious traffic or 2. you will have to poke a hole in the firewall to allow the wireless network traffic to access your network resources.

Edit: maybe I’m misreading all of this. If your WAPs are outside the firewall (now) and you are going to move them inside the firewall, that would be a good move. If the WAPs are behind the firewall currently and you are going to move them outside, that would be a bad move. I’m not clear on the topology of your network.

The SonicWall would still function as the firewall - it’s just that now the Shaw modem is doing that instead. There are quite a few office personnel here that have company provided devices (iPhones, tablets) that I’d like to inventory.

Current setup - Cable modem and WAP → SonicWall → internal network

What I’m thinking - Cable modem → SonicWall and WAP → internal network

Not sure how you are going to inventory iPhones and tablets unless you make the entries manually.

Modem>Sonicwall>Internal Network(WAP/Switches/Servers) is the ideal config. Nothing should connect directly to the modem besides your firewall. The WAPs being connected to the modem is what is preventing (visible) resources from being scanned.

As Rockn said, you will probably have to manually inventory phones and tablets and keep track of them by MAC address.

Check if your VPN clients get IP addresses outside the normal range for in-network machines. May need to tell Spiceworks to check an additional range to get VPN users. Our internal network is 10.0.10., but VPN comes in on 10.20.20.
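
An added example, not part of the thread: a small Python check for the range mismatch described in the last reply. It compares the scan ranges configured in the inventory tool against addresses seen in VPN or DHCP leases and lists the subnets that no scan range covers. The /24 masks, host names and the 192.168.0.x Wi-Fi address are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (assumed /24 masks; the thread gives only prefixes).
SCAN_RANGES = ["10.0.10.0/24"]          # what the scanner is told to sweep
OBSERVED = {                            # address -> name, e.g. from lease tables
    "10.0.10.21": "office-pc-01",
    "10.0.10.45": "printer-2f",
    "10.20.20.5": "vpn-laptop-a",
    "10.20.20.9": "vpn-laptop-b",
    "192.168.0.14": "wifi-tablet",      # hypothetical client on the modem's LAN
}

def coverage_gaps(scan_ranges, observed, prefix=24):
    """Return {subnet: [names]} for observed IPv4 hosts outside every scan range."""
    nets = [ipaddress.ip_network(r, strict=False) for r in scan_ranges]
    gaps = defaultdict(list)
    for addr, name in observed.items():
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in nets):
            continue  # already inside a configured scan range
        # Group uncovered hosts by their enclosing /prefix subnet.
        subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        gaps[str(subnet)].append(name)
    return dict(gaps)

def ranges_to_add(gaps):
    """Collapse the uncovered subnets into the fewest CIDR blocks, sorted."""
    merged = ipaddress.collapse_addresses(ipaddress.ip_network(k) for k in gaps)
    return [str(net) for net in merged]

if __name__ == "__main__":
    gaps = coverage_gaps(SCAN_RANGES, OBSERVED)
    for subnet, names in gaps.items():
        print(f"not scanned: {subnet} ({', '.join(names)})")
    print("candidate ranges:", ranges_to_add(gaps))
```

A subnet listed here is only unscanned; whether the scanner can route to it (as with WAPs plugged into the modem) is a separate question.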