Let's do this one offline and respond with a "howto" or "forgetit" article or KB; whichever suits...

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thursday, October 20, 2005 08:39
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco SSL VPN client

http://www.ISAserver.org

Hey Jim,

Yep, the Crisco installs an LSP. It appears that it can't use the ISA Web proxy filter as the next hop. This is the problem. I have a couple of pretty with it enterprise Microsoft networking guys who swear it works with using squirm and Sun Web proxies as the next hop. However, I haven't actually seen evidence that this is actually the case, or just what they think.

The IP address is just a poor attempt at obfuscation on my part. My bad. The destination endpoint is the actual IP address on the Syphco SSL VPN gateway.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, October 20, 2005 10:11 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
>
> http://www.ISAserver.org
>
> From your fail/pass table, it appears that unless your client can use
> ISA as the next hop, you're SOL. Are you trying to test through the
> tunnel or around it?
> IIRC, the Shitsco VPN Crap installs as an LSP.
>
> What kind of IP is "216.226.999.999"? Is this Crapsco's idea of
> "specialicity" in IP tunnels?
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, October 20, 2005 07:20
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
>
> http://www.ISAserver.org
>
> I guess I should also add that the Cisco SSL VPN sludgeware also
> installs a local host proxy listener.
>
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Wednesday, October 19, 2005 8:52 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Cisco SSL VPN client
> >
> > http://www.ISAserver.org
> >
> > Hey folks,
> >
> > Anyone have any experience with the Cisco SSL VPN client connecting to a
> > Cisco VPN server when the client is behind an ISA firewall and the Cisco
> > SSL VPN server is behind god knows what?
> >
> > From the tests I've done so far:
> >
> > ===========================
> > Web proxy client ONLY configuration does NOT work
> >
> > Firewall client ONLY configuration does NOT work
> >
> > Web proxy AND Firewall client configuration does NOT work
> >
> > Web proxy and SecureNAT configuration DOES work
> >
> > Firewall client and SecureNAT configuration DOES work
> >
> > Firewall client, Web proxy client and SecureNAT client configuration
> > DOES work
> > ===========================
> >
> > The Web proxy log file shows SSL connection failed with a 995 reported.
> > The Firewall client doesn't even intercept the request, at least from
> > what I see in the Sessions tab of the console
> >
> > An example of what happens with the Web proxy filter connection is the
> > line below:
> >
> > Original Client IP Authenticated Client Service Server Name
> > Referring Server Destination Host Name MIME Type Object Source
> > Source Proxy Destination Proxy Bidirectional Client Host Name
> > Network Interface Raw IP Header Raw Payload Source Port
> > Processing Time Bytes Sent Bytes Received Cache Information
> > Log Time Client IP Destination IP Transport Destination Port
> > Protocol Action Rule Client Username URL Source Network
> > Destination Network HTTP Method Filter Information
> > Error Information Result Code Log Record Type Client Agent
> > HTTP Status Code
> >
> > 0.0.0.0 No Proxy CELESTIX-H5L4CS webvpn.fsba.com Internet - - - - - -
> > 0 0 105978 1464 0x0 10/19/2005 7:25:58 PM 192.168.1.71
> > 216.226.999.999 TCP 443 SSL-tunnel Failed Connection Attempt
> > All Open Servers anonymous webvpn.noneya.com:443 Internal External
> > 0x9 Web Proxy Filter Mozilla/4.0 (compatible; MSIE 6.0;
> > Windows NT 5.1; SV1; .NET CLR 1.1.4322) 995
> > ==============================
> >
> > Firewall policy is All Open from source to destination network.
> > Web proxy filter is unbound from the HTTP protocol
> >
> > Hints, tips, tricks, guesses or anything appreciated.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org <http://www.isaserver.org/>
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> > MVP -- ISA Firewalls
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.