RE: non-windows VPN Server behind ISA 2004 - revisited

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Oct 2005 10:35:59 -0700

What MS uses internally is not anything even remotely like what you're
describing.
As Tom said, if the traffic generated by these devices "plays nice" in
the NAT-T space, ISA will allow it through the publishing rule.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
Sent: Thursday, October 13, 2005 08:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
revisited

http://www.ISAserver.org

I thought I had mention IPSec NAT-T server and client.

Should this config work across isa 2004?  Since Microsoft recently
picked up this switch as their wireless solution, one would think that
it would work through ISA -- providing Microsoft is using ISA throughout
its infrastructure, and plan on using remote ap's.  

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, October 13, 2005 10:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
revisited

http://www.ISAserver.org

..and the use of the term "NAT-T" in the original posting.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 13, 2005 08:37
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
revisited

http://www.ISAserver.org

Sounds like someone forgot about UDP 500.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
> Sent: Thursday, October 13, 2005 10:31 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 
> - revisited
> 
> http://www.ISAserver.org
> 
> Jim,
> 
> This is from the switch doc:
> 
> The AP and secure switch communication uses the UDP 4500 
> port. When both
> the switch and the AP are behind NAT devices, the AP is configured to
> use the NAT device's public address as its master address. On the NAT
> device, it is necessary to enable NAT-T (UDP port 4500 only) 
> and forward
> all packets to the public address of the NAT device on UDP 
> port 4500 to
> the Aruba Aruba
> Mobility Controller to ensure that the Remote AP bootstraps
> successfully.
> 
> 
> The VPN server is published as IPSec NAT-T Server without an internal
> ISA server.  The wireless switch connects to ISA via windows 
> 2003/rras.
> 
> TIA
> 
> greg
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, October 13, 2005 9:03 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: non-windows VPN Server behind ISA 2004 -
> revisited
> 
> http://www.ISAserver.org
> 
> ISA External to ISA internal == NAT.
> IPSec + NAT == busted connection.
> 
> -----Original Message-----
> From: Crockett, Gregory [mailto:Gregory.Crockett@xxxxxxxxx] 
> Sent: Thursday, October 13, 2005 5:22 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] non-windows VPN Server behind ISA 2004 - revisited
> 
> http://www.ISAserver.org
> 
> The VPN server is Aruba Networks wireless switch.  The 
> client, a remote
> wireless access point(RAP), connects to the switch via an ipsec/l2tp
> tunnel.  The logs of the switch indicate the tunnel 
> completed, however,
> ESP died in the process.  The wireless client can attach to the switch
> across ISA internally -- not from the Internet.  ISA logs indicate the
> RAP connects to the switch on port/protocol 4500/udp (IPSec NAT-T
> Server).  When the RAP connects internally, ISA logs indicates
> port/protocol (IpSec NAT-T Client).
> 
> TIA
> 
> greg
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gregory.crockett@xxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gregory.crockett@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.



Other related posts: