RE: RES: IPSECPOL ???????

Hi Tiago,

Ha! That's right :)

IPSecPol tool
To create a remote site network that uses the IPSec protocol tunneling mode on 
a computer running Windows 2000, you must install the IPSecPol tool, available 
on the Microsoft website (http://www.microsoft.com/). The tool must be 
installed to the ISA Server installation folder.

When you create a remote site network that uses the IPSec tunneling protocol, 
the Microsoft Firewall service modifies the IPSec filters on the computer, when 
restarting the Firewall service. This process can take up to several minutes, 
depending on the number of subnets included in the address ranges for the 
network. To minimize the effect, we recommend that you define IP address ranges 
that are aligned in subnet boundaries.

PolicyAgent service
If you stop or restart the IPSec PolicyAgent service, all dynamic IPSec 
configuration information is lost, including ISA Server VPN site-to-site IPSec 
configuration settings, and the clients are disconnected. Furthermore, when the 
PolicyAgent service is stopped, and the IPSec policy is erased, all traffic 
from the clients is forwarded to the Internet, unencrypted. 

To restore settings, start the PolicyAgent service and restart the Firewall 
service. Alternatively, reboot the computer.

IPSec policy for domain members
Typically, the ISA Server computer is not a member of a domain. In this case, a 
local IPSec policy can be used. However, if ISA Server is a member of a domain 
that has IPSec policy applied to all its members, the local IPSec policies are 
overwritten by the domain IPSec policies. Work with the domain administrator to 
ensure that the domain IPSec policy does not conflict with the IPSec policy 
configured for the remote site network. To view the remote site network's IPSec 
policy:

1. In ISA Server Management, click Virtual Private Networks (VPN).
2. In the details pane, click the Remote Sites tab.
3. In the details pane, select the applicable remote network.
4. On the Tasks tab, click View IPSec Policy.

IPSec support for multiple IP addresses
For IPSec remote site networks, when using a non-primary IP address as the 
local endpoint, the following is not supported:

- A NAT relationship cannot be configured from any internal network to the
  remote site network (for traffic initiated from the internal networks to the
  remote site network).
- Web Proxy traffic is not supported from any internal network to the remote
  site network. You can allow HTTP traffic by defining a new protocol (e.g.,
  named HTTP1) that is not configured for the Web Proxy application filter. Use
  that protocol in a rule that allows HTTP traffic to the specific remote site
  network.

When connecting multiple IPSEC remote site networks to the same ISA Server 
computer running Windows Server 2003, we recommend that you define unique IP 
addresses for each remote site network's local endpoint. 

If multiple IPSec remote site networks require NAT/HTTP functionality (from the 
Internal network to the remote site network), we recommend that you use a 
dedicated network adapter for each remote site network (using the primary IP 
address on the network adapter as the local endpoint). To identify the primary 
IP address:

1. Select the relevant network adapter and then right-click Properties.
2. Click TCP-IP protocol and then click Properties.

Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
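
The recommendation above to align address ranges on subnet boundaries can be checked before a remote site network is defined. The following is an added example, not part of the original message or of the ISA Server documentation; it assumes the "number of subnets" in a range is the number of CIDR blocks needed to cover it exactly, and the sample ranges are constructed.

```python
import ipaddress

def subnets_for_range(first, last):
    """Minimal list of CIDR subnets that exactly covers first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid range {first}-{last}")
    return list(ipaddress.summarize_address_range(lo, hi))

def covering_subnet(first, last):
    """Smallest single subnet containing the whole range (may add addresses)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()
    return net

def audit(first, last):
    """Report how many subnets a range expands to and the cost of aligning it."""
    nets = subnets_for_range(first, last)
    cover = covering_subnet(first, last)
    size = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return {
        "subnets": len(nets),            # assumed driver of filter update time
        "aligned": len(nets) == 1,       # True when the range is one subnet
        "covering": str(cover),          # aligned alternative
        # Addresses the aligned alternative would add to the tunnel scope;
        # review these before widening the range.
        "extra_addresses": cover.num_addresses - size,
    }

# Constructed sample ranges, not taken from the thread.
SAMPLE_RANGES = [
    ("10.1.0.0", "10.1.255.255"),      # aligned: a single /16
    ("10.1.0.1", "10.1.255.254"),      # two addresses short of a /16
    ("192.168.1.0", "192.168.2.255"),  # two /24s that do not merge into a /23
]

if __name__ == "__main__":
    for first, last in SAMPLE_RANGES:
        print(f"{first}-{last}: {audit(first, last)}")
```
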



-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Monday, July 05, 2004 8:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: IPSECPOL ???????


You have to download IPSecPol from the Microsoft web site and install it to the 
c:\program files\Microsoft ISA Server folder so you can create these policies.

Tiago de Aviz

SoftSell

(41) 340-2363

www.softsell.com.br

 


-----Original Message-----
From: Andrea [mailto:andrea@xxxxxxxxx] 
Sent: Monday, July 5, 2004 05:35
To: [ISAserver.org Discussion List]
Subject: [isalist] IPSECPOL ???????

Hi all, 
situation:
siteA= w2000 srv and isa 2004B2
siteB= w2003 srv and isa 2004B2

I would create a vpn IPSEC presharedkey.
on 2003 srv in a wizard I create all ......( good ! )
on 2000 srv when I start wizard required for IPSEC VPN, IPSECPOL, I have
installed it and I have created 2 rules.
I retry wizard but stop again.
I restart srv but wizard stop again.
help me please, can I use a wizard for VPN in IPSEC in isa 2004B2 on
win2000 srv?

thx.

Andrea ITA

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tiago@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist


