I don't really recall the differences between when the FWC was enabled or disabled. I know it went through the ISA server fine, but only when the ports/protocols in that KB article were used, otherwise no connection at all. It just didn't re-direct everything like it should have; if that distant server hadn't been on a different sub-net, it might have worked.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, October 20, 2005 11:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco SSL VPN client

http://www.ISAserver.org

Hi Dan,

Good info nonetheless. Maybe no hamburger, but perhaps a fishwich.

Were you able to reach the remote network IDs when you disabled the Firewall client?

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> Sent: Thursday, October 20, 2005 10:39 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
>
> http://www.ISAserver.org
>
> I do recall running into a version like that not too long ago. Couldn't make it work quite right because of what Jim mentioned, it installed itself as an LSP, and the FWC was battling it out, and wouldn't allow the VPN client to connect quite right.
>
> It would connect, but it wouldn't redirect everything. I.e. the destination server was on a different subnet than the VPN server, and it couldn't reach it. Since I could reach servers on the VPN server subnet, it appeared that the VPN client wasn't redirecting all the traffic like it was supposed to, it was treating it as an additional subnet for the local computer, that was all. I considered setting up the workstation for routing, to redirect traffic appropriately, but they wouldn't give me any details about their network...
>
> I seem to remember posting about it on this mailing list, and Jim informed me about the dueling LSP problem. If I remember right, it's basically whatever LSP gets installed first that has first dibs. Since we didn't want to totally ruin that workstation just to get one program running, I worked around it. I uninstalled the client, figured out the protocols/ports the program needed to use, and created a specific set of rules.
>
> Sorry, that is probably not a heck of a lot of help...
>
> No free "hamburger" for me!
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, October 20, 2005 11:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
>
> http://www.ISAserver.org
>
> Hi Dan,
>
> This is the new SSL VPN client, not IPSec tunnel mode.
>
> If you have a pointer on any docs on how this thing works, I'll gladly pay you Tuesday for a hamburger today :)
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
> > Sent: Thursday, October 20, 2005 10:09 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Cisco SSL VPN client
> >
> > http://www.ISAserver.org
> >
> > I've had a Cisco VPN client running like that here for a few years now. I used the article at http://support.microsoft.com/default.aspx?scid=kb;en-us;812076 to get the right settings for ISA 2000, then just used those same ports to recreate a rule for ISA 2004 and it works fine.
> >
> > Although, we're using a slightly older VPN client, so maybe that makes a difference.
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Thursday, October 20, 2005 10:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Cisco SSL VPN client
> >
> > http://www.ISAserver.org
> >
> > I guess I should also add that the Cisco SSL VPN sludgeware also installs a local host proxy listener.
> >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Wednesday, October 19, 2005 8:52 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Cisco SSL VPN client
> > >
> > > http://www.ISAserver.org
> > >
> > > Hey folks,
> > >
> > > Anyone have any experience with the Cisco SSL VPN client connecting to a Cisco VPN server when the client is behind an ISA firewall and the Cisco SSL VPN server is behind god knows what?
> > >
> > > From the tests I've done so far:
> > >
> > > ===========================
> > > Web proxy client ONLY configuration does NOT work
> > >
> > > Firewall client ONLY configuration does NOT work
> > >
> > > Web proxy AND Firewall client configuration does NOT work
> > >
> > > Web proxy and SecureNAT configuration DOES work
> > >
> > > Firewall client and SecureNAT configuration DOES work
> > >
> > > Firewall client, Web proxy client and SecureNAT client configuration DOES work
> > > ===========================
> > >
> > > The Web proxy log file shows SSL connection failed with a 995 reported.
> > > The Firewall client doesn't even intercept the request, at least from what I see in the Sessions tab of the console
> > >
> > > An example of what happens with the Web proxy filter connection is the line below:
> > >
> > > Original Client IP Authenticated Client Service Server Name
> > > Referring Server Destination Host Name MIME Type Object Source
> > > Source Proxy Destination Proxy Bidirectional Client Host Name
> > > Network Interface Raw IP Header Raw Payload Source Port
> > > Processing Time Bytes Sent Bytes Received Cache Information
> > > Log Time Client IP Destination IP Transport Destination Port
> > > Protocol Action Rule Client Username URL Source Network
> > > Destination Network HTTP Method Filter Information
> > > Error Information Result Code Log Record Type Client Agent
> > > HTTP Status Code
> > >
> > > 0.0.0.0 No Proxy CELESTIX-H5L4CS webvpn.fsba.com Internet - - - - - -
> > > 0 0 105978 1464 0x0 10/19/2005 7:25:58 PM 192.168.1.71
> > > 216.226.999.999 TCP 443 SSL-tunnel Failed Connection Attempt
> > > All Open Servers anonymous webvpn.noneya.com:443 Internal External
> > > 0x9 Web Proxy Filter Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
> > > 5.1; SV1; .NET CLR 1.1.4322) 995
> > > ==============================
> > >
> > > Firewall policy is All Open from source to destination network.
> > > Web proxy filter is unbound from the HTTP protocol
> > >
> > > Hints, tips, tricks, guesses or anything appreciated.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org <http://www.isaserver.org/>
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > > MVP -- ISA Firewalls
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx