RE: VPN to defined network

  • From: Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 07 Feb 2005 10:36:39 -0600

Microsoft Engineers think otherwise

---------- Quote from the Microsoft e-mail ----------

PROBLEM:
Normal "External" users work fine when connecting via PPTP.
However, if a user from an IP address in his custom external network
tries to connect, they get denied.
 
CAUSE:
Creating an external network that ISA is not a part of (or has a direct
route to) is not valid. To achieve what we're looking to achieve with
FTP/VPN, we need to be using an address range, not a custom external
network.

RESOLUTION:
Deleted the custom external networks and recreated all rules using
address ranges instead.
 
---------- End of quote ----------

On Sun, 2005-02-06 at 15:45 -0600, Thomas W Shinder wrote:

> http://www.ISAserver.org
> Hi Alex,
>  
> The Internet is reachable from the External interface, so no static
> route is required.
>  
> Tom
> www.isaserver.org/shinder
> Tom and Deb Shinder's Configuring ISA Server 2004
> http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>  
> 
> 
> ______________________________________________________________________
> From: Alex Litvak [mailto:alexl@xxxxxxxxxxxxxxxxxxx] 
> Sent: Sunday, February 06, 2005 3:17 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: VPN to defined network
> 
> 
> Hi Tom,
> 
> Thank you for your response.  I am a little bit confused here.  Does
> being reachable assume a static route in the case of an external network?
> Because, in general, the external interface could reach all of the public
> IP addresses.
> 
> Thanks,
> 
> On Fri, 2005-02-04 at 19:30 -0600, Thomas W Shinder wrote:
> 
> > Hi Alex,
> >  
> > No, it doesn't have to be a directly connected network, it just has
> > to be reachable from that interface.
> >  
> > HTH,
> > Tom
> > 
> > 
> > ____________________________________________________________________
> > 
> > From: Alex Litvak [mailto:alexl@xxxxxxxxxxxxxxxxxxx] 
> > Sent: Friday, February 04, 2005 6:04 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: VPN to defined network
> > 
> > 
> > My problem was incorrect usage of Network objects.  I was using
> > networks instead of external address ranges.  It seems that networks
> > need to be directly accessible via one of the ISA server interfaces.
> > Does it mean it has to be able to receive ARP, or just have a static
> > route?  I guess I am a little bit confused on terminology.
> > 
> > Thanks for your response.   
> > 
> > On Fri, 2005-02-04 at 06:10 -0800, Jim Harrison wrote:  
> > 
> > > Please describe your ISA configuration in better detail:
> > > Q1 - how many interfaces on the ISA
> > > Q2 - how many network objects are defined?
> > > 
> > > -----Original Message-----
> > > From: alexl@xxxxxxxxxxxxxxxxxxx [mailto:alexl@xxxxxxxxxxxxxxxxxxx] 
> > > Sent: Thursday, February 03, 2005 7:41 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] VPN to defined network
> > > 
> > > It seems that if a vpn client comes from the default External network,
> > > everything works fine on ISA2004.  When I define an external network X
> > > with some specific address subset, the firewall denies connection to port
> > > 1723 (pptp) even if I make sure that network X is checked on the list of
> > > allowed source networks.  If a vpn client is coming from X it gets denied
> > > right from connection to local host port 1723.  As soon as I remove this
> > > specific network and the client becomes part of the default External network,
> > > the VPN connection works like a champ.
> > > 
> > > Any ideas, please, I am at the end of the rope here.
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > > 
> > > 
> > 
> > -- 
> > Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx> 
> 
> -- 
> Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx> 

-- 
Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx>
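
An added example, not part of the original thread and not ISA Server code: a small Python model of the CAUSE/RESOLUTION in the quoted Microsoft e-mail. It flags custom networks that ISA is neither part of nor has a direct route to, and rewrites rule sources to address ranges. The adapter IPs, routes, object names and the choice to treat a default route as "not direct" are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration (hypothetical values, not from the thread).
ADAPTER_IPS = ["10.0.0.1", "192.0.2.10"]        # internal and external NIC
STATIC_ROUTES = ["0.0.0.0/0", "10.1.0.0/16"]    # default route plus one direct route
NETWORKS = {                                     # custom Network objects
    "Internal": ["10.0.0.0/24"],
    "Branch": ["10.1.0.0/16"],
    "PartnerX": ["198.51.100.0/24"],             # the "custom external network"
}
RULES = [{"name": "Allow PPTP", "port": 1723,
          "sources": [("network", "External"), ("network", "PartnerX")]}]

def network_is_valid(ranges, adapter_ips, static_routes):
    """Rule as stated in the quote: ISA is part of the network or has a
    direct route to it. Assumption: the default route does not count."""
    routes = [ipaddress.ip_network(s) for s in static_routes]
    for r in map(ipaddress.ip_network, ranges):
        part_of = any(ipaddress.ip_address(a) in r for a in adapter_ips)
        routed = any(rt.prefixlen > 0 and r.subnet_of(rt) for rt in routes)
        if not (part_of or routed):
            return False
    return True

def audit(rules, networks, adapter_ips, static_routes):
    """Return (findings, fixed_rules): invalid custom networks used as rule
    sources, and the same rules with those sources turned into address ranges."""
    findings, fixed = [], []
    for rule in rules:
        sources = []
        for kind, name in rule["sources"]:
            custom = kind == "network" and name in networks
            if custom and not network_is_valid(networks[name], adapter_ips, static_routes):
                findings.append((rule["name"], name))
                for r in map(ipaddress.ip_network, networks[name]):
                    sources.append(("range", f"{r[0]}-{r[-1]}"))
            else:
                sources.append((kind, name))  # built-in External stays as-is
        fixed.append({**rule, "sources": sources})
    return findings, fixed

if __name__ == "__main__":
    for item in audit(RULES, NETWORKS, ADAPTER_IPS, STATIC_ROUTES):
        print(item)
```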
