[isalist] Re: Outgoing VPN...

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 22 Jan 2008 21:54:37 -0800

http://www.ISAserver.org
-------------------------------------------------------

Nope.  Can't authenticate GRE at all.
No FWC or web proxy, no auth.
FWC doesn't process GRE.
Web Proxy doesn't handle GRE.
Thus, no ISA auth for GRE.

You can authenticate the PPTP part of the communications, since this operates 
over TCP-1723.
The problem is that the PPTP filter understands that GRE from the same IP is 
associated with a prior PPTP session and is allowed/denied according to the 
previous rule.

Jim
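
An added illustration of the point Jim makes above, not code from anyone on this list: a small IPv4 packet classifier that shows what a firewall actually has to work with for each half of a PPTP connection. The control channel is TCP port 1723, so it has ports and (from a Firewall Client) can carry a user identity; the tunnel is IP protocol 47 (GRE), which has no ports and nothing identifying a user, so a rule can only match it by protocol number. The packets are constructed inline (checksums left at zero, RFC 1918 / TEST-NET addresses), and the `fwc_can_authenticate` field simply encodes the "FWC only handles TCP and UDP" rule from the thread; it is not an ISA API.

```python
"""
Classify raw IPv4 packets the way a firewall sees them, to show why the
two halves of a PPTP connection look different: the control channel is
TCP port 1723, while the tunnel itself is IP protocol 47 (GRE), which has
no ports and never carries user credentials.  All packets below are
constructed for illustration; they are not captured traffic.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B  # Ethertype for PPP carried in enhanced GRE (RFC 2637)


def parse_ipv4(packet: bytes):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a valid IPv4 header")
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return proto, src, dst, packet[ihl:]


def classify(packet: bytes) -> dict:
    """Describe a packet in firewall-policy terms.

    fwc_can_authenticate encodes the thread's point: the ISA Firewall
    Client only handles TCP and UDP, so only those can carry a user
    identity to the firewall.  Everything else (GRE included) can only be
    matched by IP protocol number.
    """
    proto, src, dst, payload = parse_ipv4(packet)
    info = {"src": src, "dst": dst, "ip_protocol": proto, "ports": None}

    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(payload) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack_from("!HH", payload, 0)
        info["ports"] = (sport, dport)
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            info["kind"] = "PPTP control"
        else:
            info["kind"] = "TCP" if proto == IPPROTO_TCP else "UDP"
        info["fwc_can_authenticate"] = True
        return info

    if proto == IPPROTO_GRE:
        if len(payload) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack_from("!HH", payload, 0)
        info["kind"] = "GRE"
        info["gre_version"] = flags & 0x7          # low 3 bits of first word
        info["gre_protocol_type"] = hex(ptype)
        info["carries_ppp"] = ptype == GRE_PROTO_PPP
        info["fwc_can_authenticate"] = False
        return info

    info["kind"] = f"IP protocol {proto}"
    info["fwc_can_authenticate"] = False
    return info


# --- constructed sample packets (not captured; checksums left at zero) ---

def _ipv4_header(proto: int, payload_len: int) -> bytes:
    src = bytes([10, 0, 0, 25])     # constructed internal client
    dst = bytes([198, 51, 100, 7])  # constructed remote VPN server (TEST-NET-2)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       64, proto, 0, src, dst)


def sample_pptp_control() -> bytes:
    """Minimal 20-byte TCP SYN from an ephemeral port to 1723."""
    tcp = struct.pack("!HHIIBBHHH", 49152, PPTP_CONTROL_PORT, 1, 0,
                      5 << 4, 0x02, 65535, 0, 0)
    return _ipv4_header(IPPROTO_TCP, len(tcp)) + tcp


def sample_pptp_gre() -> bytes:
    """Enhanced GRE per RFC 2637: K and S bits set, version 1, PPP inside."""
    ppp = bytes([0xFF, 0x03, 0xC0, 0x21])  # start of a PPP LCP frame
    gre = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(ppp), 7, 0) + ppp
    return _ipv4_header(IPPROTO_GRE, len(gre)) + gre


if __name__ == "__main__":
    for pkt in (sample_pptp_control(), sample_pptp_gre()):
        print(classify(pkt))
```

Running it prints one dictionary per packet: the TCP one has `ports == (49152, 1723)` and can carry an identity; the GRE one has `ports` of `None`, protocol type `0x880b` (PPP), and nothing a user-restricted rule could ever match on, which is why a rule scoped to a subset of users can pass the control channel and still leave the tunnel undeliverable.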


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Tuesday, January 22, 2008 8:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Outgoing VPN...


Well, you can authenticate if you have separate rules to carve out GRE,
right?

t

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, January 22, 2008 6:13 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Outgoing VPN...
>
>
> You can't authenticate outbound VPN because:
> 1. VPN traffic is not handled by the web proxy
> 2. the ISA FWC is required to authenticate non-web proxy traffic
> 3. the ISA FWC only handles TCP and UDP and that only for traffic
> processed by Winsock
> 4. PPTP includes IP-47 (GRE), which is neither TCP nor UDP
>
> Thus, you can't authenticate PPTP traffic.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> Sent: Tuesday, January 22, 2008 1:12 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Outgoing VPN...
>
> But why can you NOT specify a subset of users?
>
>
> ________________________________
>
>         From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>         Sent: Tuesday, January 22, 2008 3:57 PM
>         To: isalist@xxxxxxxxxxxxx
>         Subject: [isalist] Re: Outgoing VPN...
>
>
>
>         Tada :)
>
>
>
>         t
>
>
>
>         From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>         Sent: Tuesday, January 22, 2008 12:50 PM
>         To: isalist@xxxxxxxxxxxxx
>         Subject: [isalist] Re: Outgoing VPN...
>
>
>
>         I double checked the user list and I had a subset of users
> allowed for this rule (not All Users) - when I changed to ALL USERS, I
> am now connected to the remote VPN !
>
>
>
> ________________________________
>
>                 From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>                 Sent: Tuesday, January 22, 2008 3:06 PM
>                 To: isalist@xxxxxxxxxxxxx
>                 Subject: [isalist] Re: Outgoing VPN...
>
>                 Hey Tom - are you sure it's PPTP and not L2TP?  What
> does the log say when you attempt the connection?
>
>                 t
>
>
>
>                 From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
>                 Sent: Tuesday, January 22, 2008 11:55 AM
>                 To: isalist@xxxxxxxxxxxxx
>                 Subject: [isalist] Outgoing VPN...
>
>
>
>                 Trying to get an outgoing VPN connection to work
> through ISA 2006 on a W2K3 SP2 server. I have the outbound access rule
> setup as...
>
>
>
>                 VPN Outbound
>
>                 Allow
>
>                 PPTP
>
>                 GRE (VPN) - [User-Defined, IP-Level 47 Send Recv]
>
>                 From - Internal
>
>                 To - External
>
>                 All Users
>
>                 Always
>
>                 All Content Type.
>
>
>
>                 I have disabled the Firewall Client software, removed
> the ISA settings in IE Connections, and set my PC up as a SecureNAT
> Client. It now takes a lot longer to fail; before I made the PC a
> SecureNAT client, it would fail immediately.
>
>
>
>                 Currently I am getting an 800 Error.
>
>
>
>                 I bypassed the ISA 2006 server and was able to make the
> connection immediately with no issues.
>
>
>
>                 Any advice would be appreciated.
>
>
>
>                 TIA,
>
>
>
>                 -TRogers
>
>
>
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
