RE: Cisco SSL VPN client

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Oct 2005 12:15:50 -0400

I don't really recall the differences between when the FWC was enabled
or disabled.  I know it went through the ISA server fine, but only when
the ports/protocols in that KB article were used, otherwise no
connection at all.  It just didn't re-direct everything like it should
have.  If that distant server hadn't been on a different sub-net, it
might have worked.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 20, 2005 11:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco SSL VPN client

http://www.ISAserver.org

Hi Dan,

Good info nonetheless. Maybe no hamburger, but perhaps a fishwich.

Were you able to reach the remote network IDs when you disabled the
Firewall client?

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> Sent: Thursday, October 20, 2005 10:39 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
> 
> I do recall running into a version like that not too long ago.  Couldn't
> make it work quite right because of what Jim mentioned, it installed
> itself as an LSP, and the FWC was battling it out, and wouldn't allow
> the VPN client to connect quite right.
> 
> It would connect, but it wouldn't redirect everything.  I.e. the
> destination server was on a different subnet than the VPN server, and it
> couldn't reach it.  Since I could reach servers on the VPN server
> subnet, it appeared that the VPN client wasn't redirecting all the
> traffic like it was supposed to, it was treating it as an additional
> subnet for the local computer, that was all.  I considered setting up
> the workstation for routing, to redirect traffic appropriately, but they
> wouldn't give me any details about their network...
> 
> I seem to remember posting about it on this mailing list, and Jim
> informed me about the dueling LSP problem.  If I remember right, it's
> basically whatever LSP gets installed first that has first dibs.  Since
> we didn't want to totally ruin that workstation just to get one program
> running I worked around it.  I uninstalled the client, figured out the
> protocols/ports the program needed to use, and created a specific set of
> rules.
> 
> Sorry, that is probably not a heck of a lot of help...
> 
> No free "hamburger" for me!
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, October 20, 2005 11:12 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
> 
> Hi Dan,
> 
> This is the new SSL VPN client, not IPSec tunnel mode.
> 
> If you have a pointer on any docs on how this thing works, I'll gladly
> pay you Tuesday for a hamburger today :)
> 
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
> > -----Original Message-----
> > From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
> > Sent: Thursday, October 20, 2005 10:09 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Cisco SSL VPN client
> > 
> > I've had a Cisco VPN client running like that here for a few years now.
> > I used the article at
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;812076 to get
> > the right settings for ISA 2000, then just used those same ports to
> > recreate a rule for ISA 2004 and it works fine.
> > 
> > Although, we're using a slightly older VPN client, so maybe that makes a
> > difference.
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Thursday, October 20, 2005 10:20 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Cisco SSL VPN client
> > 
> > I guess I should also add that the Cisco SSL VPN sludgeware also
> > installs a local host proxy listener. 
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > > Sent: Wednesday, October 19, 2005 8:52 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Cisco SSL VPN client
> > > 
> > > Hey folks,
> > > 
> > > Anyone have any experience with the Cisco SSL VPN client connecting to a
> > > Cisco VPN server when the client is behind an ISA firewall and the Cisco
> > > SSL VPN server is behind god knows what?
> > > 
> > > From the tests I've done so far:
> > > 
> > > ===========================
> > > Web proxy client ONLY configuration does NOT work 
> > > 
> > > Firewall client ONLY configuration does NOT work
> > > 
> > > Web proxy AND Firewall client configuration does NOT work
> > > 
> > > Web proxy and SecureNAT configuration DOES work
> > > 
> > > Firewall client and SecureNAT configuration DOES work
> > > 
> > > Firewall client, Web proxy client and SecureNAT client configuration
> > > DOES work
> > > ===========================
> > > 
> > > The Web proxy log file shows SSL connection failed with a 995 reported.
> > > The Firewall client doesn't even intercept the request, at least from
> > > what I see in the Sessions tab of the console
> > > 
> > > An example of what happens with the Web proxy filter connection is the
> > > line below:
> > > Original Client IP        Authenticated Client    Service    Server Name
> > > Referring Server  Destination Host Name   MIME Type       Object Source
> > > Source Proxy    Destination Proxy       Bidirectional     Client Host Name
> > > Network Interface       Raw IP Header   Raw Payload       Source Port
> > > Processing Time Bytes Sent      Bytes Received      Cache Information
> > > Log Time        Client IP       Destination IP  Transport
> > > Destination Port        Protocol        Action  Rule
> > > Client Username   URL     Source Network  Destination Network
> > > HTTP Method    Filter Information      Error Information       Result Code
> > > Log Record Type   Client Agent    HTTP Status Code
> > > 
> > > 0.0.0.0   No      Proxy   CELESTIX-H5L4CS         webvpn.fsba.com
> > > Internet  -       -               -       -       -       -
> > > 0 0       105978  1464    0x0     10/19/2005 7:25:58 PM
> > > 192.168.1.71      216.226.999.999 TCP     443     SSL-tunnel
> > > Failed Connection Attempt        All Open Servers        anonymous
> > > webvpn.noneya.com:443     Internal        External
> > > 0x9               Web Proxy Filter
> > > Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
> > > 995
> > > ==============================
> > > 
> > > Firewall policy is All Open from source to destination network.
> > > Web proxy filter is unbound from the HTTP protocol
> > > 
> > > Hints, tips, tricks, guesses or anything appreciated.
> > >  
> > > 
> > > 
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
