RE: Change IP Address of VPN

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 2 Jul 2003 02:57:01 -0500

Hi William,
 
I would not make that assumption because I have no idea how ISA decides what 
address to use for the source address for outbound communications. I once heard 
a pretty eloquent explanation from Jim regarding this, but I don't recall the 
details, and I wasn't smart enough at the time to fully appreciate what the 
issue was. However, I'm a bottom line kind of guy and I did appreciate the fact 
that you cannot control the source address for any particular outbound packet.
 
And that's what counts, right?
 
HTH,
Tom
 
 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
        Sent: Wednesday, July 02, 2003 2:54 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Change IP Address of VPN
        
        
        http://www.ISAserver.org
        
        

        Aaah Tom, you leave me with no hope.... :-(

         

        Do I at least have it correct that the VPN/RRAS connection appears to 
be restricting access to that External IP because that IP is now involved in 
some form of secure communications?

         

        Also, do you think I need to investigate this as an RRAS or an ISA 
issue?

         

        Thanks

        William R.

         

        -----Original Message-----
        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
        Sent: 02 July 2003 08:36 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Change IP Address of VPN

         


        Hi William,

         

        OK, I now understand your problem. However, I do not understand the 
solution :-)

         

        The conventional wisdom is that all outbound communications leave with a 
source address that is the primary address on the external interface of the ISA 
Server. However, as you've discovered, that is not true. The fact is, there is 
no documentation as to what causes the source address to change from the 
primary address to one of the secondary addresses. I suspect it's related to 
VPN, but since I really have no idea as to what's going on, it could be 
anything. 

         

        Since there is no way to bind a particular service to a particular port 
for outbound access, you can't depend on a particular address of the external 
interface to be used as an identifier by a remote host. You can provide the 
range, but forget about using a single address on the external interface as an 
authenticator.

         

        HTH,

        Tom

         

         

         

        Thomas W Shinder

        www.isaserver.org/shinder

        ISA Server and Beyond: http://tinyurl.com/1jq1

        Configuring ISA Server: http://tinyurl.com/1llp

         

                -----Original Message-----
                From: William Robertson 
[mailto:robertson.william@xxxxxxxxxxxxxx] 
                Sent: Wednesday, July 02, 2003 1:24 AM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: Change IP Address of VPN


                Hi Tom

                 

                Don't know if I understand. Are you asking whether a new 
resource record for my ISA's external IP is created in my DNS once a VPN client 
has connected? If so, I will check shortly...

                 

                As for the clients unable to connect, I mentioned earlier that 
the problem is that RRAS seems to secure the external IP Address upon which the 
VPN has been established (well, that's my naïve understanding so far) and this 
then prohibits any other non-VPN connection to then leave ISA on that same IP 
Address. So ISA then decides to route all other traffic (such as my SAP/R3 
traffic) through one of the other 2 IP Addresses, and the reason then why my 
connection fails is because the "receiving" firewall for my SAP/R3 connection 
doesn't permit that specific IP Address. It is configured to only allow the 
first address, and none others.

                 

                Now I know that I can fix this by telling my parent company to 
accept my full range of addresses, but I am concerned for future problems 
arising from a similar scenario.

                 

                That is why I wish to change the IP Address that VPN clients 
use to connect to my ISA Server (I wish to use the last of the 3 addresses and 
"dedicate" it to VPN connections only) so that all the other (normal) traffic 
goes through the first IP Address, as it currently does, and then all inbound 
VPN's are established on the last IP Address.

                 

                Your comments?

                 

        ------------------------------------------------------
        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 Exchange Server Resource Site: http://www.msexchange.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List as: 
robertson.william@xxxxxxxxxxxxxx
        To unsubscribe send a blank email to $subst('Email.Unsub') 



