Hi Amy,

OK, if you're not getting the VPN gateway connection started, then the FTP connection to the remote site connection isn't going to work. If the remote site VPN gateway isn't receiving the IKE negotiation connection, then something else is going on. Is there a NAT device anywhere in the path? If so, do both sides support RFC IPSec NAT-T (ISA does, don't know if the Check Point server does).

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, February 27, 2006 2:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

http://www.ISAserver.org

Sorry wrong log file...

0.0.0.0 SBS2003 - TCP - No - 36319 21032 0 0 0x0 0x0 Firewall 198.133.250.19 Failed Connection Attempt GXS FTP out Rule 10.1.10.40 - Local Host FTP 21 GXS VPN - 2/27/2006 4:00:39 PM 0x80072751

I've got the book in hand and am following along but still no luck. I don't understand why he doesn't see an IKE connection but I do?

Amy

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, February 27, 2006 3:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

Hi Amy,

Those logs show that the connections are not using direct access. Also check our book on special issues re ipsec tunnel mode and web proxy.

Tom

Sent via ISA firewall protected Exchange 2003 Windows Mobile

-----Original Message-----
From: "Amy Babinchak"<amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
Sent: 2/27/06 2:07:26 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] RE: FTP over VPN

Tom,

When I try direct access I get unreachable host error and ISA logs a failed connection attempt. When I try to go through the proxy I get a message that it's not allowed because it's read-only.
I seem to be spinning my wheels here. When I try to make an FTP connection using direct access, which I've specified in the browser, I see in the ISA logs this:

10.1.10.40 SBS2003 - UDP - Yes - 500 0 0 0 0x0 0x0 Firewall 198.133.250.19 Initiated Connection Allow VPN site-to-site traffic from ISA Server 10.1.10.40 - Local Host IKE Client 500 GXS VPN - 2/27/2006 2:59:48 PM 0x0

I think that this looks good so far. Although the guy on the other end says he doesn't see a tunnel come up. He's on a Check Point firewall so I might be wrong.

Then I see the FTP attempt. It looks like this:

0.0.0.0 Microsoft(r) Windows(tm) FTP Folder No Proxy SBS2003 198.133.250.19 TCP Internet - - - - - - 0 21000 4250 112 10065 0x0 0x40 Web Proxy Filter 198.133.250.19 Failed Connection Attempt GXS FTP out Rule 192.168.16.2 anonymous ftp://198.133.250.19/ Local Host ftp 21 GXS VPN GET 2/27/2006 3:01:43 PM

0.0.0.0 SBS2003 - TCP - No - 35324 20953 0 0 0x0 0x0 Firewall 198.133.250.19 Failed Connection Attempt GXS FTP out Rule 10.1.10.40 - Local Host FTP 21 GXS VPN - 2/27/2006 3:00:07 PM 0x80072751

I think this means that it's first trying to use anonymous, which will fail, and then attempting to use the specified FTP username and password and also failing. Am I interpreting these log entries correctly?

Amy

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, February 27, 2006 1:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FTP over VPN

Hi Amy,

The remote site should be set for Direct Access. Otherwise, the Web proxy filter intercepts the request.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Monday, February 27, 2006 12:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FTP over VPN

I'm setting my first VPN gateway. The client needs to send FTP over the Gateway to another company. I'm getting an error message that the proxy is set for read-only. I've unchecked the read only box on the VPN rule. I'm still getting this message. Here's what the log says.

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received HTTP Status Code Cache Information Error Information Log Record Type Destination IP Action Rule Client IP Client Username URL Source Network Protocol Destination Port Destination Network HTTP Method Log Time Result Code

0.0.0.0 SBS2003 - TCP - No - 33544 20922 0 0 0x0 0x0 Firewall 198.133.250.19 Failed Connection Attempt GXS FTP out Rule 10.1.10.40 - Local Host FTP 21 GXS VPN - 2/27/2006 1:34:45 PM 0x8007274c

0.0.0.0 Microsoft(r) Windows(tm) FTP Folder No Proxy SBS2003 198.133.250.19 TCP Internet - - - - - - 0 21000 4496 112 10060 0x0 0x40 Web Proxy Filter 198.133.250.19 Failed Connection Attempt GXS FTP out Rule 192.168.16.2 anonymous ftp://198.133.250.19/ Local Host ftp 21 GXS VPN GET 2/27/2006 1:35:06 PM

What am I missing?
Thanks,
Amy

Harbor Computer Services
Small Business Computer Specialists
Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, February 16, 2006 10:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wireless Access and ISA 2004

Hi Tom,

That's a pretty interesting question. Have you enabled all RPC outbound to the user's Exchange Server? I'm assuming that you're talking about Outlook MAPI connections.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Tom Rogers [mailto:trogers@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, February 16, 2006 9:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Wireless Access and ISA 2004

I have a guest on my network, who says that any wireless network he connects to, at hotels for instance, can use Outlook to grab his email. I set up guest Internet access for him today, but the mail servers cannot be accessed through our ISA 2004 server. I tried to Telnet with no luck. Now with my desktop PC that is part of my domain, I have no trouble. I have the Firewall Client installed. I tried to install the FW Client on the guest PC, but it still did not work. If the guest is able to connect to the Internet, shouldn't we be able to telnet to the mail server? I just upgraded to ISA 2004 yesterday, so I'm sure something is not set right, but am not sure what it could be, because I am allowing all protocols access at this point. Any advice?
TIA,
-Tom Rogers
ISA 2004 Rookie

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
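
Added example, not part of the original messages: the Firewall log lines quoted in the FTP over VPN thread end in Result Code values 0x8007274c and 0x80072751, and the Web Proxy Filter lines carry 10060 and 10065 in the HTTP Status Code position. The Python below decodes them as Win32-facility HRESULTs wrapping Winsock errors; the function and variable names are this example's own.

```python
import re

# Winsock error numbers seen in this thread's log lines (values from winerror.h).
WINSOCK = {
    10060: ("WSAETIMEDOUT", "connection attempt timed out, no reply from the peer"),
    10065: ("WSAEHOSTUNREACH", "no route to the destination host"),
}
FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32/Winsock error

# Log lines copied from the messages in this thread.
FW_1334 = ("0.0.0.0 SBS2003 - TCP - No - 33544 20922 0 0 0x0 0x0 Firewall 198.133.250.19 "
           "Failed Connection Attempt GXS FTP out Rule 10.1.10.40 - Local Host FTP 21 "
           "GXS VPN - 2/27/2006 1:34:45 PM 0x8007274c")
FW_1500 = ("0.0.0.0 SBS2003 - TCP - No - 35324 20953 0 0 0x0 0x0 Firewall 198.133.250.19 "
           "Failed Connection Attempt GXS FTP out Rule 10.1.10.40 - Local Host FTP 21 "
           "GXS VPN - 2/27/2006 3:00:07 PM 0x80072751")
PROXY_1501 = ("0.0.0.0 Microsoft(r) Windows(tm) FTP Folder No Proxy SBS2003 198.133.250.19 "
              "TCP Internet - - - - - - 0 21000 4250 112 10065 0x0 0x40 Web Proxy Filter "
              "198.133.250.19 Failed Connection Attempt GXS FTP out Rule 192.168.16.2 "
              "anonymous ftp://198.133.250.19/ Local Host ftp 21 GXS VPN GET 2/27/2006 3:01:43 PM")
IKE_1459 = ("10.1.10.40 SBS2003 - UDP - Yes - 500 0 0 0 0x0 0x0 Firewall 198.133.250.19 "
            "Initiated Connection Allow VPN site-to-site traffic from ISA Server 10.1.10.40 "
            "- Local Host IKE Client 500 GXS VPN - 2/27/2006 2:59:48 PM 0x0")

def decode_hresult(code):
    """Split a 32-bit HRESULT into (failure bit, facility, low 16-bit code)."""
    return bool(code >> 31), (code >> 16) & 0x1FFF, code & 0xFFFF

def explain(line):
    """Return (winsock_number, name, meaning) for one log line, or None."""
    # Firewall-service lines end with the Result Code as an 8-digit HRESULT.
    m = re.search(r"\b0x([0-9a-fA-F]{8})\s*$", line)
    if m:
        failed, facility, low = decode_hresult(int(m.group(1), 16))
        if failed and facility == FACILITY_WIN32 and low in WINSOCK:
            return (low, *WINSOCK[low])
    # Web Proxy Filter lines carry the same Winsock number in decimal.
    if "Web Proxy Filter" in line:
        for tok in line.split():
            if tok.isdigit() and int(tok) in WINSOCK:
                return (int(tok), *WINSOCK[int(tok)])
    return None  # success (0x0) or a code outside this small table

if __name__ == "__main__":
    for entry in (IKE_1459, FW_1334, FW_1500, PROXY_1501):
        print(entry[-30:], "->", explain(entry))
```

Both decoded values are network-level failures (timeout, host unreachable) rather than FTP login failures, which fits a site-to-site tunnel that never came up.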