RE: RES: Oh no! Not another VPN problem!

  • From: "Rui Silva" <rui.silva@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 11 Jul 2003 17:41:14 +0100

So I'll have to wait for that solution.
I really don't like having to disable the firewall client in order to
connect because other things stop working.
Like I said before, ISA and VPN don't play well with each other, unless
you're using one of the well-known, well-behaved and well-documented
scenarios.
I just want to be able to use a VPN connection without affecting all my
work.
I'm really, really, frustrated :-(

-----Original Message-----
From: John G. Lyon [mailto:jlyon@xxxxxxxxxxxxx] 
Sent: Friday, July 11, 2003 17:13
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!


http://www.ISAserver.org


OK. Like I said I wasn't sure. I do know that in order for my secure nat
client to vpn out of my network to another I have to turn off my FW
client on that machine. 
Hopefully there is a solution for this and Tom or someone will relay it.
Thanks.

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx] 
Sent: Friday, July 11, 2003 11:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!


Actually there's no problem if a client is configured to be of 3
different types (SecureNAT/Firewall/Web Proxy). I need to have the
Firewall Client enabled because I require authentication and without the
firewall client the ISA Server Firewall Service doesn't recognize the
user credentials.

-----Original Message-----
From: John G. Lyon [mailto:jlyon@xxxxxxxxxxxxx] 
Sent: Friday, July 11, 2003 16:46
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!



Did you say earlier that you are running the client as secure nat (DG
set to ISA's internal IP) AND running firewall client? If so, turn the
firewall client off. I run one or the other, not both. Now, I may be
wrong, and someone else here can correct me, but that is my
understanding to not run both.

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx] 
Sent: Friday, July 11, 2003 11:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!


Ok, I'll think about it.
But now there's another thing happening. Although I can browse while
connected to the VPN I can't do any Terminal services connection to a
machine that belongs to the VPN. Unless I disable the firewall client...
So, I think that the firewall client is capturing the RDP protocol and
it's sending it to the ISA server, not to the VPN. What if I made the
VPN IPs as belonging to the LAT?

Comments?

-----Original Message-----
From: John G. Lyon [mailto:jlyon@xxxxxxxxxxxxx] 
Sent: Friday, July 11, 2003 16:34
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!



I would not suggest UNCHECKING the "default gateway...." use. This opens
the vpn'd client to be controlled externally. Ultimately that is up to
you though.

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx] 
Sent: Friday, July 11, 2003 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!


That's it!!
I had already unchecked the "default gateway in remote network" but I
hadn't configured the proxy settings for the VPN connection.

Txs guys

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Friday, July 11, 2003 16:19
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: Oh no! Not another VPN problem!




When you open a VPN thru a Workstation, there's a proxy configuration
for each dial-up connection you create. Set the proxy configuration for
your ISA Server inside that connection on Explorer's Internet
Properties.

Workaround: try unchecking the box "default gateway in remote network"
on the advanced TCP/IP properties of the VPN connection. This won't mess
up all routes on your workstation.

And one more thing (like Steve Jobs always says =)): disable the
firewall client when you need to access resources on the VPN. When I
connect to remote computers I must disable it in order to open the
resources on the remote network.

Tiago de Aviz
SoftSell
(41) 340-2363
www.softsell.com.br
 

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
Sent: Friday, July 11, 2003 12:02
To: [ISAserver.org Discussion List]
Subject: [isalist] Oh no! Not another VPN problem!


Yes, it's true (I'm beginning to think that ISA and VPN don't play
well...). So, imagine this scenario:

ISA SERVER
----------
-SP1
-Integrated mode
-PPTP through ISA firewall allowed
-Site and Content Rule that requires authentications for all
destinations
-The Web Proxy is not configured to ask for authentication

CLIENTS
-------
-Simultaneously SecureNAT/Firewall/Web Proxy
-IE 6.0 SP1

Everything works well when clients are browsing the net, BUT... When a
client makes a VPN connection, he (she) is still able to make Terminal
Services connections to the outside, do DNS resolutions, etc (the
protocol rules are OK, so I think there's nothing wrong with the
Firewall Service). The problem is that browsing with IE is no longer
allowed. The ISA Server comes up with this message:

The page cannot be displayed 
[...]
403 Forbidden - The ISA Server denies the specified Uniform Resource
Locator (URL). (12202) Internet Security and Acceleration Server

I already tried to look at the logs and I can't see anything wrong. I
even used a network sniffer, but with no results.

What is going wrong here?

Txs. 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tiago@xxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
