Stefaan,

Do you have any URLs on this? It seems unlike a strange idea. Why would you want to compromise security to implement a security feature?

I was working for a client once when an HP engineer asked to set up an IPSec connection like this. I told him that it didn't make sense. He swore that HP was using it on its client sites through France but he couldn't tell me how. Now, I'm starting to see how they did it.

It seems like a stupid idea. Imagine installing something like Reverse WWW Shell that would use this mechanism.

A+,
Gary

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Tuesday, January 08, 2002 12:18
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: IPSEC

http://www.ISAserver.org

Hi Vald,

the answer is yes and no ;-) It depends on the IPSEC implementation. The big vpn vendors (Checkpoint, Cisco, Redcreek, Netscreen, ...) have a solution to UDP encapsulate IPSEC traffic to get through NAPT devices. This should work because the traffic ISA sees is UDP traffic. From what I was told, the Microsoft IPSEC client will support UDP encapsulation for L2TP/IPSEC from .NET release onwards.

More info at www.isaserver.org in the message boards. Some time ago there were some interesting discussions about it (Secure Remote from Checkpoint and Cisco VPN3000).

Hope this helps,
Stefaan

-----Original Message-----
From: Vald [mailto:vald@xxxxxxxxxxxxxxxx]
Sent: Tuesday 8 January 2002 11:40
To: [ISAserver.org Discussion List]
Subject: [isalist] IPSEC

Is it possible to initiate an IPSEC VPN connection to an external endpoint from a client internal to an ISA Server, assuming 50 and 51 are open and IP fragments aren't being blocked?

I think the answer is no for the following reasons:

1. NAT - IPSEC isn't going to like the packet being modified en route
2. It would be undesirable from a security standpoint bearing in mind the contents of the packet could not be checked and all manner of viruses etc could be being passed through to the internal network.

I haven't got the right equipment to be able to test this to get the definitive answer. Can anyone help?

Vald

----- Original Message -----
From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 08, 2002 9:03 AM
Subject: [isalist] RE: PPTP VPN

> Hi Brad,
>
> to my knowledge, you can't publish an 'internal' VPN server. Server
> publishing works only for TCP/UDP protocols, not PPTP (IP 47 GRE) or IPSEC
> (IP 50 and IP 51).
>
> Why not make the ISA server the VPN server? That's a supported
> configuration...
>
> Hope this helps,
> Stefaan
>
> -----Original Message-----
> From: Brad Slaughter [mailto:brads@xxxxxxxxx]
> Sent: Tuesday 8 January 2002 1:03
> To: [ISAserver.org Discussion List]
> Subject: [isalist] PPTP VPN
>
> ISA has again perplexed me, and I'm afraid that I could really use some
> help. I want to create a VPN server using RRAS, but not on the same
> server as ISA. Can I create a protocol definition for VPN and then
> publish it using the external interface of the ISA server and the external
> interface of the VPN server? This doesn't seem to be working, and I
> cannot for the life of me discern what it is that I am doing wrong. Path
> from internet to VPN is as follows.
>
> <--65.X.X.X~Router~192.168.0.X--> <--192.168.0.X(65.X.X.X VIP's)~ISA~172.16.1.X--> switch <--172.16.1.X~VPN~192.168.1.X--> <--internal lan-->