RE: Cisco VPN Client

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 30 Mar 2005 12:33:51 -0800

Hi Dan,

This is normal for FWC apps.
A1 - both the FWC and the Cisco VPN client are Winsock Layered Service
Providers (herein referred to as 'LSP').  What LSPs do is accept traffic
passed to Winsock and "do their thing with it", each in their turn as
registered in the Winsock catalog.  In the case of FWC and CVC, they
redirect the traffic to the destination they deem appropriate *if they
get the traffic to begin with*.
Since the FWC:
1. is registered first in the Winsock catalog
2. the traffic is for a non-local subnet
3. has no policy stating otherwise

..it directs the SQL traffic to the ISA for further processing.
Thus, the CVC never sees the traffic.

A2 - use the ISA logs, Luke - query for SQL traffic from that client.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
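
The log check suggested in A2, as an added example (not part of the original message and not ISA Server tooling): traffic carried inside the VPN tunnel would reach the firewall only as UDP 500/4500, so TCP 1433 records sourced from the workstation itself show the SQL session went through ISA policy. The sample log is constructed; its column names, addresses and rule names are assumptions, and the parser takes its columns from whatever "#Fields:" header the real log carries.

```python
# Constructed sample in W3C extended style (tab-separated, "#Fields:" header).
# Column names, IP addresses and rule names are assumptions for illustration.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\taction\trule",
    "2005-03-30\t19:41:02\tUDP\t10.0.0.25:1047\t203.0.113.10:500\tEstablish\tCisco VPN clients",
    "2005-03-30\t19:41:03\tUDP\t10.0.0.25:1048\t203.0.113.10:4500\tEstablish\tCisco VPN clients",
    "2005-03-30\t19:43:17\tTCP\t10.0.0.25:1052\t198.51.100.7:1433\tEstablish\tSQL to vendor",
    "2005-03-30\t19:44:40\tTCP\t10.0.0.31:1100\t198.51.100.7:80\tEstablish\tWeb access",
    "2005-03-30\t19:52:09\tTCP\t10.0.0.25:1052\t198.51.100.7:1433\tTerminate\tSQL to vendor",
])


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def split_endpoint(value):
    """'10.0.0.25:1052' -> ('10.0.0.25', 1052); port is None when absent."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def sql_sessions(text, client_ip, port=1433, proto="TCP"):
    """Records in which client_ip itself opened proto/port through the firewall."""
    hits = []
    for rec in parse_w3c(text):
        src_ip, _ = split_endpoint(rec["source"])
        dst_ip, dst_port = split_endpoint(rec["destination"])
        if rec["IP protocol"] == proto and src_ip == client_ip and dst_port == port:
            hits.append((rec["date"], rec["time"], dst_ip, rec["action"], rec["rule"]))
    return hits


if __name__ == "__main__":
    for hit in sql_sessions(SAMPLE_LOG, "10.0.0.25"):
        print(*hit, sep="  ")
```

The rule name on each hit identifies which firewall policy rule passed the connection, which is the evidence to put in front of the remote tech.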
 

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, March 30, 2005 11:40
To: [ISAserver.org Discussion List]
Subject: [isalist] Cisco VPN Client

I have someone here trying to install a Cisco VPN client in order to run
a program that accesses a SQL server across the Internet through our ISA
2004 server (not my design, don't blame me!).

I had created a firewall policy a while back for Cisco VPN clients, which
allows TCP 3389 Outbound, UDP 4500 Send Receive, and UDP 500 Send
Receive.  I added this workstation to that group, and then the client
connected and seemed to run fine.  It wouldn't access their SQL server
though.

I then created another rule, allowing THAT workstation to connect to
THEIR server, allowing ONLY TCP 1433 outbound, and then the program
started to work.

It took me a while to convince the tech on the other end that it was
bypassing the VPN client, and using the ISA policies to pass through.  I
finally had to have the person here start up the VPN client, run the
program, and while they were using it I disconnected the client, and the
program continued to run.  They are still skeptical though...

So, I have two questions...
1. Why wouldn't the SQL calls pass through the Cisco VPN and use their
network?
2. What can I do to prove to these people that it isn't even using their
client?


