Hi Rui,

Did you know that this entire scenario is already documented in the ISA Server VPN Deployment Kit?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
Sent: Friday, July 11, 2003 11:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

http://www.ISAserver.org

So I'll have to wait for that solution. I really don't like having to disable the firewall client in order to connect because other things stop working.

Like I said before, ISA and VPN don't play well with each other, unless you're using one of the well-known, well-behaved and well-documented scenarios. I just want to be able to use a VPN connection without affecting all my work.

I'm really, really, frustrated :-(

-----Original Message-----
From: John G. Lyon [mailto:jlyon@xxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 17:13
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

OK. Like I said, I wasn't sure. I do know that in order for my secure nat client to vpn out of my network to another I have to turn off my FW client on that machine. Hopefully there is a solution for this and Tom or someone will relay it.

Thanks.

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
Sent: Friday, July 11, 2003 11:58 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

Actually there's no problem if a client is configured to be of 3 different types (SecureNAT/Firewall/Web Proxy). I need to have the Firewall Client enabled because I require authentication and without the firewall client the ISA Server Firewall Service doesn't recognize the user credentials.

-----Original Message-----
From: John G. Lyon [mailto:jlyon@xxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 16:46
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

Did you say earlier that you are running the client as secure nat (DG set to ISA's internal IP) AND running firewall client? If so, turn the firewall client off. I run one or the other, not both. Now, I may be wrong, and someone else here can correct me, but that is my understanding to not run both.

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
Sent: Friday, July 11, 2003 11:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

Ok, I'll think about it. But now there's another thing happening. Although I can browse while connected to the VPN I can't do any Terminal services connection to a machine that belongs to the VPN. Unless I disable the firewall client...

So, I think that the firewall client is capturing the RDP protocol and it's sending it to the ISA server, not to the VPN. What if I made the VPN IPs as belonging to the LAT?

Comments?

-----Original Message-----
From: John G. Lyon [mailto:jlyon@xxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 16:34
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

I would not suggest UNCHECKING the "default gateway...." use. This opens the vpn'd client to be controlled externally. Ultimately that is up to you though.

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
Sent: Friday, July 11, 2003 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: Oh no! Not another VPN problem!

That's it!! I had already unchecked the "default gateway in remote network" but I hadn't configured the proxy settings for the VPN connection.

Txs guys

-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Friday, July 11, 2003 16:19
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: Oh no! Not another VPN problem!

When you open a VPN thru a Workstation, there's a proxy configuration for each dial-up connection you create. Set the proxy configuration for your ISA Server inside that connection on Explorer's Internet Properties.

Workaround: try unchecking the box "default gateway in remote network" on the advanced TCP/IP properties of the VPN connection. This won't mess up all routes on your workstation.

And one more thing (like Steve Jobs always says =)): disable the firewall client when you need to access resources on the VPN. When I connect to remote computers I must disable it in order to open the resources on the remote network.

Tiago de Aviz
SoftSell
(41) 340-2363
www.softsell.com.br

-----Original Message-----
From: Rui Silva [mailto:rui.silva@xxxxxxxxxxx]
Sent: Friday, July 11, 2003 12:02
To: [ISAserver.org Discussion List]
Subject: [isalist] Oh no! Not another VPN problem!

Yes, it's true (I'm beginning to think that ISA and VPN don't play well...). So, imagine this scenario:

ISA SERVER
----------
-SP1
-Integrated mode
-PPTP through ISA firewall allowed
-Site and Content Rule that requires authentications for all destinations
-The Web Proxy is not configured to ask for authentication

CLIENTS
-------
-Simultaneously SecureNAT/Firewall/Web Proxy
-IE 6.0 SP1

Everything works well when clients are browsing the net, BUT...

When a client makes a VPN connection, he (she) is still able to make Terminal Services connections to the outside, do DNS resolutions, etc (the protocol rules are OK, so I think there's nothing wrong with the Firewall Service). The problem is that browsing with IE is no longer allowed. The ISA Server comes up with this message:

The page cannot be displayed
[...]
403 Forbidden - The ISA Server denies the specified Uniform Resource Locator (URL). (12202)
Internet Security and Acceleration Server

I already tried to look at the logs and I can't see anything wrong. I even used a network sniffer, but with no results.

What is going wrong here?

Txs.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tiago@xxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
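The "default gateway on remote network" checkbox discussed in the thread is stored per connection as `IpPrioritizeRemote` in the Windows RAS phonebook file `rasphone.pbk`, so the split-tunnel state John cautions about can be audited from that file. The following is an added example, not part of the thread; the phonebook text, entry names and function names are constructed for illustration.

```python
# Added example: audit a Windows RAS phonebook (rasphone.pbk) for entries
# with "Use default gateway on remote network" unchecked (split tunnel).
# SAMPLE_PBK is constructed sample data; the entry names are made up.
SAMPLE_PBK = """\
[Office VPN]
IpPrioritizeRemote=0
DEVICE=vpn
PhoneNumber=vpn.example.test

[Branch VPN]
IpPrioritizeRemote=1
DEVICE=vpn
PhoneNumber=192.0.2.10

[Legacy VPN]
DEVICE=vpn
PhoneNumber=198.51.100.7
"""


def parse_phonebook(text):
    """Return {entry: {key: [values]}}; keys can repeat inside one entry."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return entries


def split_tunnel_entries(text):
    """List (entry, value) pairs where the remote gateway is not the default."""
    flagged = []
    for name, keys in parse_phonebook(text).items():
        # A missing key is reported too: the setting cannot be confirmed.
        value = keys.get("IpPrioritizeRemote", ["missing"])[-1]
        if value != "1":
            flagged.append((name, value))
    return flagged


if __name__ == "__main__":
    for name, value in split_tunnel_entries(SAMPLE_PBK):
        print(f"{name}: IpPrioritizeRemote={value} (review split tunnelling)")
```
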