RE: Cisco SSL VPN client

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 20 Oct 2005 08:44:30 -0700

Let's do this one offline and respond with a "howto" or "forgetit"
article or KB; whichever suits...

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, October 20, 2005 08:39
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cisco SSL VPN client

http://www.ISAserver.org

Hey Jim,

Yep, the Crisco installs a LSP.

It appears that it can't use the ISA Web proxy filter as the next hop.
This is the problem. I have a couple of pretty with it enterprise
Microsoft networking guys who swear it works with using squirm and Sun
Web proxies as the next hop. However, I haven't actually seen evidence
that this is actually the case, or just what they think.

The IP address is just a poor attempt at obfuscation on my part. My bad.
The destination endpoint is the actual IP address on the Syphco SSL VPN
gateway.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, October 20, 2005 10:11 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
> 
> From your fail/pass table, it appears that unless your client can use
> ISA as the next hop, you're SOL.  Are you trying to test through the
> tunnel or around it?
> IIRC, the Shitsco VPN Crap installs as an LSP.
> 
> What kind of IP is "216.226.999.999"?  Is this Crapsco's idea of
> "specialicity" in IP tunnels?
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, October 20, 2005 07:20
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cisco SSL VPN client
> 
> I guess I should also add that the Cisco SSL VPN sludgeware also
> installs a local host proxy listener. 
> 
>  
> 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Wednesday, October 19, 2005 8:52 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Cisco SSL VPN client
> > 
> > Hey folks,
> > 
> > Anyone have any experience with the Cisco SSL VPN client connecting to a
> > Cisco VPN server when the client is behind an ISA firewall and the Cisco
> > SSL VPN server is behind god knows what?
> > 
> > From the tests I've done so far:
> > 
> > ===========================
> > Web proxy client ONLY configuration does NOT work 
> > 
> > Firewall client ONLY configuration does NOT work
> > 
> > Web proxy AND Firewall client configuration does NOT work
> > 
> > Web proxy and SecureNAT configuration DOES work
> > 
> > Firewall client and SecureNAT configuration DOES work
> > 
> > Firewall client, Web proxy client and SecureNAT client configuration
> > DOES work
> > ===========================
> > 
> > The Web proxy log file shows SSL connection failed with a 995 reported.
> > The Firewall client doesn't even intercept the request, at least from
> > what I see in the Sessions tab of the console
> > 
> > An example of what happens with the Web proxy filter connection is the
> > line below:
> > Original Client IP  Authenticated Client    Service Server Name
> > Referring Server    Destination Host Name   MIME Type       Object
> > Source      Source Proxy    Destination Proxy       
> > Bidirectional       Client
> > Host Name   Network Interface       Raw IP Header   Raw Payload
> > Source Port Processing Time Bytes Sent      Bytes Received  Cache
> > Information Log Time        Client IP       Destination IP
> > Transport   Destination Port        Protocol        Action  Rule
> > Client Username     URL     Source Network  Destination 
> > Network     HTTP
> > Method      Filter Information      Error Information       
> > Result Code
> > Log Record Type     Client Agent    HTTP Status Code
> > 0.0.0.0     No      Proxy   CELESTIX-H5L4CS         webvpn.fsba.com
> > Internet    -       -               -       -       -       -
> > 0   0       105978  1464    0x0     10/19/2005 7:25:58 PM
> > 192.168.1.71        216.226.999.999 TCP     443     SSL-tunnel    Failed
> > Connection Attempt  All Open Servers        anonymous
> > webvpn.noneya.com:443       Internal        External
> > 0x9         Web Proxy Filter        Mozilla/4.0 (compatible; MSIE
> > 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)        995 
> > ==============================
> > 
> > Firewall policy is All Open from source to destination network.
> > Web proxy filter is unbound from the HTTP protocol
> > 
> > Hints, tips, tricks, guesses or anything appreciated.
> >  
> > 
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > 
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion 
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
