Yes, it makes sense. But then I've got something fundamentally wrong. I have two subnet rules that allow all traffic between the remote sites and the home office. (I've also defined all the actual subnet addresses as part of the internal network.) I get communication between the remote sites and the home office, but it's flaky. When I remove the subnet rules, my ISA server can ping hosts in the remote networks, but they can't ping the ISA server (or anything else using the ISA server as its gateway). As soon as I add the subnet rules back into the firewall policy, communication starts back up (though still flaky).

As for your second question, I have two all traffic allowed rules on the local ISA firewall (for access from/to both networks). The remote firewalls aren't ISA. They're IPCop Linux firewalls.

Thanks,
Rob

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, September 14, 2004 9:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

Hi Rob,

The subnet objects aren't required unless you want to perform access control on those subnets. Since all the subnets are part of the internal network, all those addresses are encompassed by the Internal Network "Network" object. Make sense?

What access rules did you create on the local ISA firewall VPN gateway and the remote ISA firewall VPN gateway?

Thanks!
Tom

-----Original Message-----
From: Rob Moore [mailto:RMoore@xxxxxxxx]
Sent: Monday, September 13, 2004 12:57 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

I think I've done that. In "1" I assume you mean the routing table for the ISA 2004 server, right? I've got that. I've also done "2". Clint Denham's article says I should also create Subnet Objects (in ISA 2004) for these subnets.
He says: "Once all of these address ranges are included in the Network, you should go into the Firewall Policy -> Toolbox -> Network Objects and create new "Subnets" for the .0, .10, .20 and .30 [his sample subnets] subnets and then create Firewall Policy Access Rules that apply to the Subnets instead of the "Network"."

I created one rule with the intent of allowing all traffic to pass between the remote subnets and the home network. Since I did that, things are working better, but still not perfectly. For example, DNS traffic seems to pass very slowly, and drive mappings don't pass through at all (e.g., when I RDP to a remote server, my local drive mappings don't connect, though I can ping from the remote server to the ISA 2004 box here in Philadelphia; this all worked just fine with my ISA 2000 box).

Tearing my hair out...

Rob

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 13, 2004 1:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

1 - make sure the ISA routing table understands that subnet "S" is reachable through interface "I".
2 - add subnet "S" to the network object that services interface "I" using the "addresses" tab in "Properties"

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Rob Moore" <RMoore@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 13, 2004 08:27
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

Hi Jim--

Can you tell me how to "associate Ipsets with existing network objects"? I think this is what I need to do--I have a bunch of non-local subnets that are VPN'd (through third-party site-to-site VPN appliances) into the home office network.
At this point I'm getting quirky connection between the home office network and the remote networks.

Thanks,
Rob

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 13, 2004 11:13 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

This is asking for trouble.

You can't create a network object for specific IPs; although you can associate IPsets with existing network objects (this is how you associate non-local subnets with network objects).

RIS operates with DHCP; if you have to combine boxes, combine those two, not ISA. You *can* combine IIS with ISA, but why? If you need all that and a bag-o'-chips, then buy SBS; it's built and designed to give you an all-in-one scenario.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: <vesterby@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 13, 2004 07:15
Subject: [isalist] Fw: ISA Server 2004 Issues Followup

http://www.ISAserver.org

I tried implementing the suggestions that both Jim and Tom made to resolve the Java app issue, but none of them worked. It seems the only way I'm going to resolve this is to give the java app users static IP addresses, create a separate network object with those IP addresses with authentication turned off, and then create a new access rule with the new network object. Any other suggestions on that?

I have another issue. My company wants me to implement Microsoft SUS and RIS on the same box as ISA Server 2004. I found out that SUS listens on port 80, is dependent on IIS, and can't be changed (according to Microsoft). Any problems with reconfiguring the ISA server listeners to listen on ports other than port 80 to avoid potential conflicts?

Thanks.
---------- Forwarded Message ----------

Recall that I mentioned we are currently using Proxy Server 2.0 and are going to get rid of it in favor of ISA Server 2004. When we addressed the java application issue for Proxy 2.0, we fixed the problem by installing the Proxy Client software on the client's workstations. This enabled the users to connect to the java application via Winsock and everything worked. The authentication issue didn't matter.

In order to fix this issue, isn't there a way to do something similar in ISA Server 2004? I did try installing the Firewall Client software on my workstation and attempted to access the java application with that, but it didn't work. Should I explore the option of using SecureNat?

I appreciate the help.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
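
Jim Harrison's two steps in the thread above (a route for subnet "S" through interface "I", and "S" listed in the address ranges of the network object that services "I") can be cross-checked against each other. The following is an added example, not part of the thread and not ISA Server's own tooling; the subnets, the interface name and the address ranges are constructed, and the routing table and network object ranges are assumed to have been copied out by hand.

```python
import ipaddress

# Constructed sample data (not from the thread): routing table entries as
# (subnet, interface) and each network object's address ranges per interface.
ROUTES = [("192.168.0.0/24", "internal"), ("192.168.10.0/24", "internal"),
          ("192.168.20.0/24", "internal"), ("192.168.30.0/24", "internal")]
NETWORK_RANGES = {"internal": [("192.168.0.0", "192.168.0.255"),
                               ("192.168.10.0", "192.168.10.255"),
                               ("192.168.20.0", "192.168.20.255"),
                               ("192.168.40.0", "192.168.40.255")]}


def to_span(first, last):
    """Address range as an inclusive pair of integers."""
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))


def covered(span, spans):
    """True if every address in span lies in the union of spans."""
    cursor, end = span
    for lo, hi in sorted(spans):
        if lo > cursor:          # gap: nothing covers the address at cursor
            break
        cursor = max(cursor, hi + 1)
    return cursor > end


def audit(routes, network_ranges):
    """Return (item, interface, problem) for every route/object mismatch."""
    findings = []
    for iface in sorted({i for _, i in routes} | set(network_ranges)):
        nets = [ipaddress.ip_network(c) for c, i in routes if i == iface]
        route_spans = [(int(n.network_address), int(n.broadcast_address))
                       for n in nets]
        ranges = network_ranges.get(iface, [])
        object_spans = [to_span(a, b) for a, b in ranges]
        for net, span in zip(nets, route_spans):
            if not covered(span, object_spans):   # step 1 done, step 2 missing
                findings.append((str(net), iface, "routed, not in network object"))
        for (a, b), span in zip(ranges, object_spans):
            if not covered(span, route_spans):    # step 2 done, step 1 missing
                findings.append((f"{a}-{b}", iface, "in network object, no route"))
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTES, NETWORK_RANGES):
        print(*finding, sep=" | ")
```

An empty result means every routed subnet is inside the network object for its interface and every listed range has a route behind it.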