Hi Dan,

This is normal for FWC apps.

A1 - both the FWC and the Cisco VPN client are Winsock Layered Service Providers (herein referred to as 'LSP'). What LSPs do is accept traffic passed to Winsock and "do their thing with it", each in their turn as registered in the Winsock catalog. In the case of FWC and CVC, they redirect the traffic to the destination they deem appropriate *if they get the traffic to begin with*. Since the FWC:
1. is registered first in the Winsock catalog
2. the traffic is for a non-local subnet
3. has no policy stating otherwise
..it directs the SQL traffic to the ISA for further processing. Thus, the CVC never sees the traffic.

A2 - use the ISA logs, Luke - query for SQL traffic from that client.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, March 30, 2005 11:40
To: [ISAserver.org Discussion List]
Subject: [isalist] Cisco VPN Client

I have someone here trying to install a Cisco VPN client in order to run a program that accesses a SQL server across the Internet through our ISA 2004 server (not my design, don't blame me!).

I had created a firewall policy awhile back for Cisco VPN clients, which allows TCP 3389 Outbound, UDP 4500 Send Receive, and UDP 500 Send Receive. I added this workstation to that group, and then the client connected and seemed to run fine. It wouldn't access their SQL server though. I then created another rule, allowing THAT workstation to connect to THEIR server, allowing ONLY TCP 1433 outbound, and then the program started to work.

It took me awhile to convince the tech on the other end that it was bypassing the VPN client, and using the ISA policies to pass through.
I finally had to have the person here start up the VPN client, run the program, and while they were using it I disconnected the client, and the program continued to run. They are still skeptical though...

So, I have two questions...
1. Why wouldn't the SQL calls pass through the Cisco VPN and use their network?
2. What can I do to prove to these people that it isn't even using their client?
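
An added example, not part of either message above: one way to run the log check suggested in A2. If the SQL session were inside the VPN tunnel, the firewall would only record the UDP 500 / UDP 4500 flows from the workstation, so any TCP 1433 record from that workstation to the SQL server shows the traffic went through ISA outside the tunnel. The log layout, field names, addresses and rule names are constructed assumptions, not a real ISA 2004 export.

```python
# Constructed, tab-delimited sample in W3C extended style. Field names,
# addresses and rule names are assumptions, not taken from a real ISA log.
SAMPLE_LOG = (
    "#Fields: date\ttime\tprotocol\tsrc\tdst\taction\trule\n"
    "2005-03-30\t11:02:10\tUDP\t10.0.0.25:1045\t192.0.2.10:500\tInitiated\tVPN-Clients\n"
    "2005-03-30\t11:02:11\tUDP\t10.0.0.25:1046\t192.0.2.10:4500\tInitiated\tVPN-Clients\n"
    "2005-03-30\t11:05:42\tTCP\t10.0.0.25:1050\t192.0.2.20:1433\tInitiated\tSQL-Outbound\n"
    "2005-03-30\t11:05:43\tTCP\t10.0.0.31:1051\t192.0.2.20:80\tInitiated\tWeb\n"
    "2005-03-30\t11:20:07\tTCP\t10.0.0.25:1060\t192.0.2.20:1433\tInitiated\tSQL-Outbound\n"
)

def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def endpoint(value):
    """Split 'ip:port' into (ip, port)."""
    host, _, port = value.rpartition(":")
    return host, int(port)

def classify(records, client_ip, sql_ip, sql_port=1433):
    """Separate the client's direct SQL flows from its IKE/NAT-T flows."""
    direct, ipsec = [], []
    for rec in records:
        src_ip, _ = endpoint(rec["src"])
        dst_ip, dst_port = endpoint(rec["dst"])
        if src_ip != client_ip:
            continue
        if rec["protocol"] == "TCP" and (dst_ip, dst_port) == (sql_ip, sql_port):
            direct.append(rec)  # SQL visible to the firewall in the clear
        elif rec["protocol"] == "UDP" and dst_port in (500, 4500):
            ipsec.append(rec)   # what a tunneled session would look like
    return {"direct_sql": direct, "ipsec": ipsec, "bypasses_tunnel": bool(direct)}

if __name__ == "__main__":
    result = classify(parse_w3c(SAMPLE_LOG), "10.0.0.25", "192.0.2.20")
    for rec in result["direct_sql"]:
        print(rec["date"], rec["time"], rec["src"], "->", rec["dst"], rec["rule"])
    print("bypasses tunnel:", result["bypasses_tunnel"])
```

The rule name on each direct record also shows which firewall policy allowed the connection, which ties the flow to the TCP 1433 rule rather than the VPN client rule.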