well, my scenario is that I have a vendor's server that sits on one of my networks, that has to talk to a sensitive network that I run, and another vendor's network. I would like to hook all three up to ISA 2004 and setup a VPN from the one vendor server to reach the other two. Ideas? I can do this? tx. g. -----Original Message----- From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] Sent: Wed 7/21/2004 11:46 AM To: [ISAserver.org Discussion List] Cc: Subject: [isalist] RE: Globally set proxy in IE and 2004 VPN question( s) http://www.ISAserver.org I really don't have any plans, I have a bunch of servers at home that I have set up, and I have some spare VIA C3 systems that I let my friends use as web/ftp servers for whatever they want to do with the understanding that I'm not responsible if I need more space on my system and "borrow" the boot drive to store mpeg clips from my ReplayTV.... This sounds like an interesting way of letting them just VPN into their server on their own network and keep them off my research/practice/personal domain..... I'm guessing that's chapter 5 in your new 2004 book, which now I'll be forced to buy in addition to all the other ones..... Oh wait, I filled up that book self, I'll have to build another one.... Oh, wait, I put the fish tank there..... I'll have to move the tv then, but I don't have anywhere else in the room with that many plug in's and cat5 drops.... Damn you and your books! I'll have to build a new room onto the house to put them in.... =?) Troy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, July 21, 2004 10:29 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Globally set proxy in IE and 2004 VPN question( s) http://www.ISAserver.org Hi Troy, I've included some information in chapter 5 of the book and will include even more in the VPN chapter (chapter 8), but I don't think there's anything on the Microsoft site yet. There is also some info on RADIUS configure for VPN clients in the ISA 2004 VPN kit (www.msfirewall.org/isa2004kits.htm) but not specific for the tri-homed setup. What do you have in mind for your RADIUS plan? Thanks! Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Troy Radtke [mailto:TRadtke@xxxxxxxxxxxx] Sent: Wednesday, July 21, 2004 8:44 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Globally set proxy in IE and 2004 VPN question( s) http://www.ISAserver.org Is there a write up on this 3+ NIC config with RADIUS somewhere Tom? I've used RADIUS with Cisco stuff before, but not Windows based equipment. TIA Troy -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, July 21, 2004 8:40 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Globally set proxy in IE and 2004 VPN question(s) http://www.ISAserver.org Hi Greg, Yes, the update button will refresh the Web Proxy config for the other users. You definitely can VPN to different segments -- just create the appropriate access rules. Suppose you have 10 NICs install on the ISA firewall. You want VPN users to access networks attached to the other 9 NICs based on their user account and group membership. No problem! That's a no-brainer for the ISA firewall. Each NIC can host another organization and you can configure access policy to allow users to access the networks they need to without allowing them access to other networks. What cool is you can use RADIUS and a list of RADIUS servers to simplify this otherwise complex "federated" scenario. HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Greg Hess [mailto:gmh@xxxxxxxx] Sent: Wednesday, July 21, 2004 8:34 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Globally set proxy in IE and 2004 VPN question(s) http://www.ISAserver.org Tom, Thanks for the quick reply! Are you talking the 'update' button in the firewall client? Also, can I VPN onto two different segments on the ISA 2004 box? I've never tried that but have a need. Greg. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, July 21, 2004 9:32 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Globally set proxy in IE and 2004 VPN question(s) http://www.ISAserver.org Hi Greg, Subsequent users can use the Firewall client dialog box to set their browsers too. Just doesn't happen automatically (sort of like my 1040s don't get file automatically :-) There are two very good contenders for ISA firewall appliances: www.rimapp.com and www.networkengines.com So far, the Rimapp is more "appliancized" with a complete conversion to Web interface -- you never have to touch the MMC and can use the Web interface for total firewall management. HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Greg Hess [mailto:gmh@xxxxxxxx] Sent: Wednesday, July 21, 2004 8:27 AM To: [ISAserver.org Discussion List] Subject: [isalist] Globally set proxy in IE and 2004 VPN question(s) http://www.ISAserver.org Hey everybody! I noticed that installing the firewall client sets up the IE settings for proxy etc. However, if there is more than one profile on the PC, it does not set these IE settings for the other profiles. Is there any way (non-GPO) to do this? It would help a lot. I've looked at the registry settings, but have yet to find a way to set these settings globally. - Also - I would like to set up an isa 2004 appliance (are those ready yet?) between three networks such that one machine from one network can vpn in and connect to the other two, is this possible, or am I good looking? (I used to say crazy, but that was just asking for trouble) Tx! -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, July 21, 2004 9:25 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Hi Ricky, http://www.amazon.com/exec/obidos/ASIN/1928994296/ ;-) HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Chan Ricky-NYKSYPL [mailto:Chan-R@xxxxxxxxxxxxxxx] Sent: Wednesday, July 21, 2004 8:05 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Hi Tom, Sorry that I didn't response to your email yesterday because I left my office already. Answer your question, I didn't configured the dial-up entry in ISA interface. Can you tell me how to do it? Please let me know. Thanks alot. Ricky -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Tuesday, July 20, 2004 6:00 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Hi Ricky, Have you configured the dial-up entry yet in the ISA interface? HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Chan Ricky-NYKSYPL [mailto:Chan-R@xxxxxxxxxxxxxxx] Sent: Tuesday, July 20, 2004 4:22 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org COOL!!!! Now, I can ping my local server. But my client still not able to ping the public address.... Pleae help. Ricky -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Tuesday, July 20, 2004 5:17 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Hi Ricky, If you can ping the internal interface of the ISA 2000 firewall, it indicates your LAT might be messed up. What entries are in your LAT? Make sure they include only you internal network ID. HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Chan Ricky-NYKSYPL [mailto:Chan-R@xxxxxxxxxxxxxxx] Sent: Tuesday, July 20, 2004 3:52 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Tom, I'm using ISA server 2000 here. What is your suggestion to solve this problem? I'm sorry. I'm newbie in ISA server. Thanks Ricky -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Tuesday, July 20, 2004 4:50 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Hi Ricky, If this is an ISA Server 2000 firewall and the SecureNAT client on the internal network can't ping the internal interface of the firewall, there are some more pressing issues here. If you're using an ISA 2004 firewall, then this is normal. HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Chan Ricky-NYKSYPL [mailto:Chan-R@xxxxxxxxxxxxxxx] Sent: Tuesday, July 20, 2004 3:30 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Thanks Tom. However, I followed you article http://www.isaserver.org/articles/snatdns.html to setup ISA server, but my internal client still not able to ping the public address. Now, I can't even ping the server internal address. ISA server: LAN IP address: 2.2.2.2/24 WAN IP address: DHCP - obtain by DSL local client: IP address: 2.2.2.4/24 default gateway: 2.2.2.2 Now, my local client can't ping 2.2.2.2 at all. Would you tell me why? Thanks Ricky -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Tuesday, July 20, 2004 11:44 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Hi Ricky, If you have configured the clients as a SecureNAT client, and enabled IP Routing on the ISA 2000 firewall, then that's all you can do from the firewall's perspective. HTH, Tom www.isaserver.org/shinder Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Chan Ricky-NYKSYPL [mailto:Chan-R@xxxxxxxxxxxxxxx] Sent: Tuesday, July 20, 2004 9:33 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org I enabled IP routing, my internal client still not able to see/ping public address. Basically, we have a OWA 2003 server which is on the public address. I would like to configure isa server, so that it will allow our internal client to connect their outlook using "RPC OVER HTTP". Please advice. Thanks Ricky -----Original Message----- From: Tom Rogers [mailto:trogers@xxxxxxxxxxxxxxxxxx] Sent: Friday, July 16, 2004 11:12 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: question http://www.ISAserver.org Enable IP Routing - right click on IP Packet Filters under Access Policy. -TRR > -----Original Message----- > From: Chan Ricky-NYKSYPL [mailto:Chan-R@xxxxxxxxxxxxxxx] > Sent: Friday, July 16, 2004 11:00 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] question > >