What MS uses internally is not anything even remotely like what you're describing.
As Tom said, if the traffic generated by these devices "plays nice" in the NAT-T space, ISA will allow it through the publishing rule.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
Sent: Thursday, October 13, 2005 08:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited

http://www.ISAserver.org

I thought I had mentioned IPSec NAT-T server and client. Should this config work across ISA 2004? Since Microsoft recently picked up this switch as their wireless solution, one would think that it would work through ISA -- providing Microsoft is using ISA throughout its infrastructure, and plans on using remote APs.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, October 13, 2005 10:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited

http://www.ISAserver.org

..and the use of the term "NAT-T" in the original posting.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, October 13, 2005 08:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited

http://www.ISAserver.org

Sounds like someone forgot about UDP 500.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
> Sent: Thursday, October 13, 2005 10:31 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
>
> http://www.ISAserver.org
>
> Jim,
>
> This is from the switch doc:
>
> The AP and secure switch communication uses the UDP 4500 port. When both
> the switch and the AP are behind NAT devices, the AP is configured to
> use the NAT device's public address as its master address. On the NAT
> device, it is necessary to enable NAT-T (UDP port 4500 only) and forward
> all packets to the public address of the NAT device on UDP port 4500 to
> the Aruba Mobility Controller to ensure that the Remote AP bootstraps
> successfully.
>
> The VPN server is published as IPSec NAT-T Server without an internal
> ISA server. The wireless switch connects to ISA via windows 2003/rras.
>
> TIA
>
> greg
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, October 13, 2005 9:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 - revisited
>
> http://www.ISAserver.org
>
> ISA External to ISA internal == NAT.
> IPSec + NAT == busted connection.
>
> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx]
> Sent: Thursday, October 13, 2005 5:22 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] non-windows VPN Server behind ISA 2004 - revisited
>
> http://www.ISAserver.org
>
> The VPN server is Aruba Networks wireless switch. The client, a remote
> wireless access point (RAP), connects to the switch via an ipsec/l2tp
> tunnel. The logs of the switch indicate the tunnel completed, however,
> ESP died in the process.
> The wireless client can attach to the switch across ISA internally --
> not from the Internet. ISA logs indicate the RAP connects to the switch
> on port/protocol 4500/udp (IPSec NAT-T Server). When the RAP connects
> internally, ISA logs indicate port/protocol (IPSec NAT-T Client).
>
> TIA
>
> greg
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
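
Added example, not written by anyone in the thread: a classifier for UDP 500/4500 payloads captured at the firewall, using the RFC 3947/3948 framing, to tell IKE, ESP-in-UDP and NAT keepalives apart when checking which part of a NAT-T exchange made it through. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# IKE header (28 bytes): SPIi, SPIr, next payload, version, exchange, flags, msg id, length
IKE_HDR = struct.Struct("!8s8sBBBBII")

def classify(port, payload):
    """Classify one UDP payload addressed to port 500 or 4500."""
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"      # single 0xFF byte keeps the NAT mapping alive
        if len(payload) < 4:
            return "malformed"
        if payload[:4] != b"\x00\x00\x00\x00":
            return "esp-in-udp"         # first 4 bytes are a non-zero ESP SPI
        payload = payload[4:]           # strip the non-ESP marker; IKE follows
    elif port != 500:
        return "other"
    if len(payload) < IKE_HDR.size:
        return "malformed"
    *_, version, _exch, _flags, _msgid, length = IKE_HDR.unpack_from(payload)
    if version >> 4 not in (1, 2) or length < IKE_HDR.size:
        return "malformed"
    return "ike-500" if port == 500 else "ike-4500"

def diagnose(packets):
    """Summarise (dst_port, payload) pairs seen on the firewall's external side."""
    seen = Counter(classify(port, data) for port, data in packets)
    findings = []
    if not seen["ike-500"]:
        findings.append("no IKE on UDP 500")
    if seen["ike-4500"] and not seen["esp-in-udp"]:
        findings.append("IKE reached UDP 4500 but no ESP-in-UDP followed")
    return findings

def sample_ike():
    """Constructed IKEv1 header with no payloads (not a captured packet)."""
    return IKE_HDR.pack(b"\x11" * 8, b"\x22" * 8, 1, 0x10, 2, 0, 0, IKE_HDR.size)

# Constructed capture: negotiation floats to 4500, a keepalive flows, no data packets.
SAMPLE = [(500, sample_ike()), (4500, b"\x00" * 4 + sample_ike()), (4500, b"\xff")]

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(port, classify(port, data))
    print(diagnose(SAMPLE))
```
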