Microsoft Engineers think otherwise ___________________________Quote from the Microsoft E- mail--------------------------------------- PROBLEM: Normal "External" users work fine when connecting via PPTP. However, if a user from an IP address in his custom external network tries to connect, they get denied. CAUSE: Creating an external network that ISA is not a part of (or has a direct route to) is not valid. To achieve what we're looking to achieve with FTP/VPN, we need to be using an address range, not a custom external network. RESOLUTION: Deleted the custom external networks and recreated all rules using address ranges instead. ---------------------------End of a Quote-------------------------------------------------- On Sun, 2005-02-06 at 15:45 -0600, Thomas W Shinder wrote: > http://www.ISAserver.org > Hi Alex, > > The Internet is reachable from the External interface, so no static > route is required. > > Tom > www.isaserver.org/shinder > Tom and Deb Shinder's Configuring ISA Server 2004 > http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > > > > ______________________________________________________________________ > From: Alex Litvak [mailto:alexl@xxxxxxxxxxxxxxxxxxx] > Sent: Sunday, February 06, 2005 3:17 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: VPN to defined network > > > http://www.ISAserver.org > Hi Tom, > > Thank you for your response. I am a little bit confused here. Does > being reachable assumes a static route in case of external network? > Because, in general, external interface could reach all of the public > IP addresses. > > Thanks, > > On Fri, 2005-02-04 at 19:30 -0600, Thomas W Shinder wrote: > > > http://www.ISAserver.org > > Hi Alex, > > > > No, it doesn't have to be a directly connected network, it just has > > to be reachable from that interface. > > > > HTH, > > Tom > > > > > > ____________________________________________________________________ > > > > From: Alex Litvak [mailto:alexl@xxxxxxxxxxxxxxxxxxx] > > Sent: Friday, February 04, 2005 6:04 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: VPN to defined network > > > > > > http://www.ISAserver.org > > My problem was incorrect usage of Network objects. I was using > > networks instead of external address ranges. It seems that networks > > need to be directly accessible via one of the ISA server interfaces. > > Does it mean it has to be able to receive arp? or just have a static > > route? I guess I am a little bit confused on terminology. > > > > Thanks for your response. > > > > On Fri, 2005-02-04 at 06:10 -0800, Jim Harrison wrote: > > > > > http://www.ISAserver.org > > > > > > Please describe your ISA configuration in better detail: > > > Q1 - how many interfaces on the ISA > > > Q2 - how many network objects are defined? > > > > > > -----Original Message----- > > > From: alexl@xxxxxxxxxxxxxxxxxxx [mailto:alexl@xxxxxxxxxxxxxxxxxxx] > > > Sent: Thursday, February 03, 2005 7:41 PM > > > To: [ISAserver.org Discussion List] > > > Subject: [isalist] VPN to defined network > > > > > > http://www.ISAserver.org > > > > > > It seems that if vpn client comes from default External network, > > > everything works fine on ISA2004. When I define an external network X > > > with some specific address subset, firewall denies connection to port > > > 1723 > > > (pptp) even if I make sure that network X is checked on the list of > > > allowed source networks. If vpn clined is coming from X it gets denied > > > right from connection to local host port 1723. As soon as I remove this > > > specific network and client becomes part of default External network, > > > VPN connection works like a champ. > > > > > > Any ideas, please, I am at the end of the rope here. > > > > > > ------------------------------------------------------ > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > > ------------------------------------------------------ > > > Other Internet Software Marketing Sites: > > > World of Windows Networking: http://www.windowsnetworking.com Leading > > > Network Software Directory: http://www.serverfiles.com > > > No.1 Exchange Server Resource Site: http://www.msexchange.org Windows > > > Security Resource Site: http://www.windowsecurity.com/ Network Security > > > Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: > > > http://www.ntfaxfaq.com > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List as: > > > jim@xxxxxxxxxxxx To unsubscribe visit > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > All mail to and from this domain is GFI-scanned. > > > > > > > > > ------------------------------------------------------ > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > > ------------------------------------------------------ > > > Other Internet Software Marketing Sites: > > > World of Windows Networking: http://www.windowsnetworking.com > > > Leading Network Software Directory: http://www.serverfiles.com > > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > > Windows Security Resource Site: http://www.windowsecurity.com/ > > > Network Security Library: http://www.secinf.net/ > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > > ------------------------------------------------------ > > > You are currently subscribed to this ISAserver.org Discussion List as: > > > alexl@xxxxxxxxxxxxxxxxxxx > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist > > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > -- > > Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx> > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Other Internet Software Marketing Sites: > > World of Windows Networking: http://www.windowsnetworking.com > > Leading Network Software Directory: http://www.serverfiles.com > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Network Security Library: http://www.secinf.net/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List > > as: tshinder@xxxxxxxxxxxxxxxxxx > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl? > > enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Other Internet Software Marketing Sites: > > World of Windows Networking: http://www.windowsnetworking.com > > Leading Network Software Directory: http://www.serverfiles.com > > No.1 Exchange Server Resource Site: http://www.msexchange.org > > Windows Security Resource Site: http://www.windowsecurity.com/ > > Network Security Library: http://www.secinf.net/ > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion List > > as: alexl@xxxxxxxxxxxxxxxxxxx > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl? > > enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > -- > Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx> > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl? > enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Other Internet Software Marketing Sites: > World of Windows Networking: http://www.windowsnetworking.com > Leading Network Software Directory: http://www.serverfiles.com > No.1 Exchange Server Resource Site: http://www.msexchange.org > Windows Security Resource Site: http://www.windowsecurity.com/ > Network Security Library: http://www.secinf.net/ > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > alexl@xxxxxxxxxxxxxxxxxxx > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl? > enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx -- Alex Litvak <alexl@xxxxxxxxxxxxxxxxxxx>