[isalist] Re: Outgoing VPN...

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 23 Jan 2008 07:44:59 -0800

http://www.ISAserver.org
-------------------------------------------------------

Right - but as you said, if you allow all for GRE in one rule, you can
authenticate TCP 1723 in a different one --
If the filter "allows GRE from the same IP based on the previous rule"
that would work.  Or did you mean that TCP 1723 would be allowed/denied
from the same rule?  That seems really shortsighted to me...

I could have sworn that I've done this before - I had to in a previous
life... I wonder what I did?
t



> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, January 22, 2008 9:55 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Outgoing VPN...
> 
> Nope.  Can't authenticate GRE at all.
> No FWC or web proxy, no auth.
> FWC doesn't process GRE.
> Web Proxy doesn't handle GRE.
> Thus, no ISA auth for GRE.
> 
> You can authenticate the PPTP part of the communications, since this
> operates over TCP-1723.
> The problem is that the PPTP filter understands that GRE from the same
> IP is associated with a prior PPTP session and is allowed/denied
> according to the previous rule.
> 
> Jim
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Tuesday, January 22, 2008 8:44 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Outgoing VPN...
> 
> Well, you can authenticate if you have separate rules to carve out GRE,
> right?
> 
> t
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, January 22, 2008 6:13 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > You can't authenticate outbound VPN because:
> > 1. VPN traffic is not handled by the web proxy
> > 2. the ISA FWC is required to authenticate non-web proxy traffic
> > 3. the ISA FWC only handles TCP and UDP and that only for traffic
> > processed by Winsock
> > 4. PPTP includes IP-47 (GRE), which is neither TCP nor UDP
> >
> > Thus, you can't authenticate PPTP traffic.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> > Sent: Tuesday, January 22, 2008 1:12 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > But why can you NOT specify a subset of users?
> >
> >
> > ________________________________
> >
> >         From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >         Sent: Tuesday, January 22, 2008 3:57 PM
> >         To: isalist@xxxxxxxxxxxxx
> >         Subject: [isalist] Re: Outgoing VPN...
> >
> >
> >
> >         Tada :)
> >
> >
> >
> >         t
> >
> >
> >
> >         From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> >         Sent: Tuesday, January 22, 2008 12:50 PM
> >         To: isalist@xxxxxxxxxxxxx
> >         Subject: [isalist] Re: Outgoing VPN...
> >
> >
> >
> >         I double checked the user list and I had a subset of users
> > allowed for this rule (not All Users) - when I changed to ALL USERS, I
> > am now connected to the remote VPN !
> >
> >
> >
> > ________________________________
> >
> >                 From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >                 Sent: Tuesday, January 22, 2008 3:06 PM
> >                 To: isalist@xxxxxxxxxxxxx
> >                 Subject: [isalist] Re: Outgoing VPN...
> >
> >                 Hey Tom - are you sure it's PPTP and not L2TP?  What
> > does the log say when you attempt the connection?
> >
> >                 t
> >
> >
> >
> >                 From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> > bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> >                 Sent: Tuesday, January 22, 2008 11:55 AM
> >                 To: isalist@xxxxxxxxxxxxx
> >                 Subject: [isalist] Outgoing VPN...
> >
> >
> >
> >                 Trying to get an outgoing VPN connection to work
> > through ISA 2006 on a W2K3 SP2 server. I have the outbound access rule
> > setup as...
> >
> >
> >
> >                 VPN Outbound
> >
> >                 Allow
> >
> >                 PPTP
> >
> >                 GRE (VPN) - [User-Defined, IP-Level 47 Send Recv]
> >
> >                 From - Internal
> >
> >                 To - External
> >
> >                 All Users
> >
> >                 Always
> >
> >                 All Content Type.
> >
> >
> >
> >                 I have disabled the Firewall Client software, removed
> > the ISA settings in IE Connections, and set my PC up as a SecureNAT
> > Client. It now takes a lot longer to fail; before I made the PC a
> > SecureNAT client, it would fail immediately.
> >
> >
> >
> >                 Currently I am getting an 800 Error.
> >
> >
> >
> >                 I bypassed the ISA 2006 server and was able to make the
> > connection immediately with no issues.
> >
> >
> >
> >                 Any advice would be appreciated.
> >
> >
> >
> >                 TIA,
> >
> >
> >
> >                 -TRogers
> >
> >
> >
> >
> >

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
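Jim's reasoning in this thread (the Firewall Client only presents a user for TCP/UDP traffic processed by Winsock, GRE is IP protocol 47 and so never gets one, and the PPTP filter decides GRE by the rule that handled the prior TCP 1723 session from the same IP), together with Tom's finding that "All Users" works where a user subset does not, written out as a small Python model. This is an added example, constructed for illustration and not ISA Server code or its API; Rule, Client, PptpFilter, toms_rule and pptp_attempt are invented names, and whether the RAS client's TCP 1723 traffic passes through Winsock is left as a parameter because the thread does not say.

```python
# Constructed model of the rule evaluation described in this thread; NOT ISA
# Server code. Rule, Client, PptpFilter and toms_rule are invented names.
from dataclasses import dataclass
ALL_USERS = None  # stands in for the "All Users" user set
@dataclass
class Rule:
    name: str
    protocols: frozenset           # e.g. {"TCP/1723", "IP/47"}
    users: frozenset = ALL_USERS   # None = All Users, else a set of user names

@dataclass
class Client:
    ip: str
    fwc: bool = False            # Firewall Client installed and enabled?
    via_winsock: bool = False    # is this flow processed by Winsock?
    user: str = None             # identity the FWC could present

def identity(client, proto):
    # FWC presents a user only for TCP/UDP processed by Winsock; a SecureNAT
    # client never presents one, and GRE (IP/47) is neither TCP nor UDP.
    if client.fwc and client.via_winsock and proto.startswith(("TCP/", "UDP/")):
        return client.user
    return None

def match_rule(rules, client, proto):
    # First rule that lists the protocol and whose user set admits the flow.
    for r in rules:
        if proto in r.protocols and (r.users is ALL_USERS or identity(client, proto) in r.users):
            return r
    return None

class PptpFilter:
    # GRE from an IP is allowed/denied according to the rule that handled
    # that IP's prior TCP/1723 session, as Jim describes.
    def __init__(self, rules):
        self.rules, self.prior = rules, {}  # prior: ip -> rule that allowed TCP/1723
    def decide(self, client, proto):
        if proto == "IP/47":
            return "allow" if self.prior.get(client.ip) else "deny"
        rule = match_rule(self.rules, client, proto)
        if proto == "TCP/1723":
            self.prior[client.ip] = rule
        return "allow" if rule else "deny"

def toms_rule(users=ALL_USERS):  # Tom's rule as posted: PPTP + GRE (IP 47)
    return [Rule("VPN Outbound", frozenset({"TCP/1723", "IP/47"}), users)]

def pptp_attempt(rules, client):  # control channel outcome, then GRE outcome
    f = PptpFilter(rules)
    return f.decide(client, "TCP/1723"), f.decide(client, "IP/47")
```

Running pptp_attempt with a SecureNAT client against the user-subset rule yields deny/deny, and against the All Users rule allow/allow, which is the behaviour change Tom reported.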
