http://www.ISAserver.org
-------------------------------------------------------

Right - but as you said, if you allow all for GRE in one rule, you can authenticate TCP 1723 in a different one -- If the filter "allows GRE from the same IP based on the previous rule" that would work. Or did you mean that TCP 1723 would be allowed/denied from the same rule? That seems really shortsighted to me...

I could have sworn that I've done this before - I had to in a previous life... I wonder what I did?

t

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, January 22, 2008 9:55 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Outgoing VPN...
>
> Nope. Can't authenticate GRE at all.
> No FWC or web proxy, no auth.
> FWC doesn't process GRE.
> Web Proxy doesn't handle GRE.
> Thus, no ISA auth for GRE.
>
> You can authenticate the PPTP part of the communications, since this
> operates over TCP-1723.
> The problem is that the PPTP filter understands that GRE from the same
> IP is associated with a prior PPTP session and is allowed/denied
> according to the previous rule.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Tuesday, January 22, 2008 8:44 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Outgoing VPN...
>
> Well, you can authenticate if you have separate rules to carve out GRE,
> right?
>
> t
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, January 22, 2008 6:13 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > You can't authenticate outbound VPN because:
> > 1. VPN traffic is not handled by the web proxy
> > 2. the ISA FWC is required to authenticate non-web proxy traffic
> > 3. the ISA FWC only handles TCP and UDP and that only for traffic processed by Winsock
> > 4. PPTP includes IP-47 (GRE), which is neither TCP nor UDP
> >
> > Thus, you can't authenticate PPTP traffic.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> > Sent: Tuesday, January 22, 2008 1:12 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > But why can you NOT specify a subset of users?
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Tuesday, January 22, 2008 3:57 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > Tada :)
> >
> > t
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> > Sent: Tuesday, January 22, 2008 12:50 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > I double checked the user list and I had a subset of users allowed for this rule (not All Users) - when I changed to ALL USERS, I am now connected to the remote VPN!
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> > Sent: Tuesday, January 22, 2008 3:06 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Outgoing VPN...
> >
> > Hey Tom - are you sure it's PPTP and not L2TP? What does the log say when you attempt the connection?
> >
> > t
> >
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Tom Rogers
> > Sent: Tuesday, January 22, 2008 11:55 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Outgoing VPN...
> >
> > Trying to get an outgoing VPN connection to work through ISA 2006 on a W2K3 SP2 server. I have the outbound access rule set up as...
> >
> > VPN Outbound
> > Allow
> > PPTP
> > GRE (VPN) - [User-Defined, IP-Level 47 Send Recv]
> > From - Internal
> > To - External
> > All Users
> > Always
> > All Content Type.
> >
> > I have disabled the Firewall Client software, removed the ISA settings in IE Connections, and set my PC up as a SecureNAT Client. It now takes a lot longer to fail; before I made the PC a SecureNAT client, it would fail immediately.
> >
> > Currently I am getting an 800 Error.
> >
> > I bypassed the ISA 2006 server and was able to make the connection immediately with no issues.
> >
> > Any advice would be appreciated.
> >
> > TIA,
> >
> > -TRogers
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
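The behaviour described in this thread, as an added example that is not part of the original messages and is not ISA Server's own logic: a simplified Python model in which only TCP/UDP traffic can carry a user identity, and PPTP GRE follows the decision made for the TCP 1723 control connection from the same source IP. `RuleModel`, `connect`, the user name `vpn-user` and the sample packets are constructed for illustration.

```python
import struct

TCP, UDP, GRE = 6, 17, 47            # IP protocol numbers; PPTP data rides on 47
PPTP_PORT = 1723                     # PPTP control channel (TCP)

def ipv4(proto, payload, src=b"\x0a\x00\x00\x05", dst=b"\xcb\x00\x71\x09"):
    """Constructed sample packet: minimal IPv4 header (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + src + dst + payload

def classify(pkt):
    """Return (label, source address, could a Firewall Client attach a user)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, body = pkt[9], pkt[12:16], pkt[ihl:]
    if proto == TCP:
        dport = struct.unpack("!H", body[2:4])[0]
        return ("pptp-control" if dport == PPTP_PORT else "tcp"), src, True
    if proto == UDP:
        return "udp", src, True
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        is_pptp = (flags & 0x7) == 1 and ptype == 0x880B   # enhanced GRE v1 carrying PPP
        return ("pptp-gre" if is_pptp else "gre"), src, False
    return "other", src, False

class RuleModel:
    """Hypothetical model of one allow rule, following the thread's description."""
    def __init__(self, users):
        self.users = users               # "All Users" or a set of user names
        self.pptp_sessions = {}          # source IP -> decision made for TCP 1723

    def allows(self, pkt, user=None):    # user=None models a SecureNAT client
        label, src, can_auth = classify(pkt)
        if label == "pptp-gre":          # GRE follows the earlier PPTP decision
            return self.pptp_sessions.get(src, False)
        ok = self.users == "All Users" or (can_auth and user in self.users)
        if label == "pptp-control":
            self.pptp_sessions[src] = ok
        return ok

# Constructed samples: a TCP SYN to port 1723 and a PPTP enhanced-GRE data packet.
SYN_1723 = ipv4(TCP, struct.pack("!HHIIBBHHH", 49152, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
GRE_DATA = ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0))

def connect(users, user=None):
    """Replay control then data through a fresh rule; return both decisions."""
    rule = RuleModel(users)
    return rule.allows(SYN_1723, user), rule.allows(GRE_DATA, user)
```

`connect({"vpn-user"})` reproduces the failing SecureNAT case from the original post, and `connect("All Users")` the working one.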