I still think there's a bit of confusion on how things are set up. Assume all clients are each at a different remote location, talking to the server from a home connection using the built-in XP PPTP / VPN client software. They may or may not have their own personal router between their XP machine and the server, but since the connection will be tunneled the router should not interfere.

Now in terms of this client, they will have a second NIC installed which will talk to an H.323 phone at their house. This phone needs to talk to the server, which is part of the Internal network behind the VPN Gateway / ISA 2004 Firewall.

1) I removed the default gateway on the "Phone" NIC as it looked like XP was taking precedence with this NIC connection over the "WAN" one anyways. I can ping the Phone server from my XP machine.

2) Yeah, I know H.323 is a worthless routing protocol, which I'm stuck working with. We're trying to implement SIP in the upcoming months, but in the meantime I need to figure this out. To explain, our H.323 gateway is properly configured AFAIK as it's been working for years. Up to recently, we had to move offices and until our new office is ready, we're stuck connecting from home.

I hope you understand my problems now. Would you say Bridging "WAN" and "Phone" is my best course of action and adding some custom persistent routes, or do you have any other ideas?

Jonathon J. Howey
MENSE Inc.
P 780.409.5620 F 780.409.5621 D 780.409.5628 C 780.965.8363
Jonathon@xxxxxxxx
Defining the Future of Industry
www.MENSE.ca <http://www.mense.ca/>

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: December 10, 2006 10:42 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ICS/Briding over VPN problems

Actually, that's much better, but still a Q or two.

Q1 - your XP machine has its own Internet connection via a separate router?
Q2 - if Q1 = yes, why?
You can make this connection through ISA..?

Problem #1: You have a default gateway for each interface. Because the LAN and VPN interfaces are auto-assigned, you have little control there (we'll discuss DHCP options later).
Solution #1: Remove the default gateway from the "phone" NIC. If you can successfully ping to the remote H.323 server (assuming it responds to ping), you did it right.

Problem #2: Something you need to bear in mind; H.323 doesn't tolerate IP changes along the path very well. If you're trying to provide IP telephony through that XP machine to a remote H.323 gateway, this process may fail.
Solution #2: This is the tough part; H.323 Gateways are not easy to come by (and less easy to configure).

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
Sent: Sunday, December 10, 2006 12:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ICS/Briding over VPN problems

I think I suck at explaining.

A. Okie, ICS stays off.

B. Yes, basically 3 interfaces, although to re-explain, I have 2 NICs / 1 VPN:
1) Connects to the Internet essentially (my personal router sits in front, but shouldn't be interfering) ("WAN")
2) Talks over a cross-over cable to my H.323 phone or even a laptop ("PHONE").
The VPN connection of course talks over the 1st (Internet) NIC ("VPN").

C. Essentially what I want is: H.323 phone through XP through VPN to H.323 server. There is an SBS server which the XP client talks to first. The H.323 phone server sits in the Internal network (192.168.100.90/95).

===

*For my router/Internet:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-11-63-2D-B8
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DHCP Server . . . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.2.1
        Lease Obtained. . . . . . . . . . : December 10, 2006 1:40:16 AM
        Lease Expires . . . . . . . . . . : December 11, 2006 1:40:16 AM

*For VPN:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.100.115
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 192.168.100.115
        DNS Servers . . . . . . . . . . . : 192.168.100.10
        Primary WINS Server . . . . . . . : 192.168.100.10

*For the "Phone" NIC, I'm still working through figuring out which IP to use. I can tell the H.323 phone to use DHCP or a static IP (static IP of 192.168.0.111 at the moment), but I can also give the NIC itself an IP ... so this is probably where I need the help as I've tried so many things with this NIC. Currently ICS/Bridging is off.

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : ADMtek ADM8511
        Physical Address. . . . . . . . . : 00-00-E8-00-F6-DE
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 11 63 2d b8 ...... Intel(R) PRO/100 VE Network Connection
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x20005 ...00 00 e8 00 f6 de ...... ADMtek ADM8511
===========================================================================
===========================================================================
Active Routes:
Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          192.168.0.1      192.168.0.1      20
0.0.0.0              0.0.0.0          192.168.2.1      192.168.2.100    21
0.0.0.0              0.0.0.0          192.168.100.115  192.168.100.115  1
66.51.121.2          255.255.255.255  192.168.2.1      192.168.2.100    20
127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.0.0          255.255.255.0    192.168.0.1      192.168.0.1      20
192.168.0.1          255.255.255.255  127.0.0.1        127.0.0.1        20
192.168.0.255        255.255.255.255  192.168.0.1      192.168.0.1      20
192.168.2.0          255.255.255.0    192.168.2.100    192.168.2.100    20
192.168.2.100        255.255.255.255  127.0.0.1        127.0.0.1        20
192.168.2.255        255.255.255.255  192.168.2.100    192.168.2.100    20
192.168.100.115      255.255.255.255  127.0.0.1        127.0.0.1        50
192.168.100.255      255.255.255.255  192.168.100.115  192.168.100.115  50
224.0.0.0            240.0.0.0        192.168.0.1      192.168.0.1      20
224.0.0.0            240.0.0.0        192.168.2.100    192.168.2.100    20
224.0.0.0            240.0.0.0        192.168.100.115  192.168.100.115  1
255.255.255.255      255.255.255.255  192.168.0.1      192.168.0.1      1
255.255.255.255      255.255.255.255  192.168.2.100    192.168.2.100    1
255.255.255.255      255.255.255.255  192.168.100.115  192.168.100.115  1
Default Gateway:     192.168.100.115
===========================================================================
Persistent Routes:
  None

66.51.121.2 is the public IP of the SBS server.

Thanks Jim and whoever else can help.

Jonathon J. Howey

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: December 9, 2006 7:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ICS/Briding over VPN problems

A - IPRouting should *not* be enabled if using ICS; they're conflicting configurations.
Since you only want to enable routing; ditch ICS; it also adds a DNS "proxy". Better that you use only IPRouting, since that's all you want.

B - it sounds as if XP has three interfaces; LAN, WAN, VPN?

C - what is the traffic path you want to create:
1. LAN through XP to H.323
2. LAN through XP through VPN to H.323
3. LAN through XP through WAN to H.323

What is the 'ipconfig/all' and 'netstat -r' from the XP client when it has a connection to the H.323 VPN server?

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jonathon J. Howey
Sent: Friday, December 08, 2006 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ICS/Briding over VPN problems

Hope I can explain my situation well enough, although I apologize as the solution may not even involve ISA 2004 (but I would appreciate anyone's networking advice).

I have on my client:
1 NIC hanging off to WAN -- "WAN"
1 NIC connected to H.323 IP Phone -- "Phone"
VPN Connection to the server H.323 will talk to; receives a 192.168.100.0/24 IP -- "VPN"

IPRouting is enabled on the XP SP2 desktop through registry change + reboot

------

Now in terms of ICS (remember that ICS has an internal DHCP server which hands out 192.168.0.0/24 by default):
1) When I set up "WAN" to share to "Phone", ISA logs the IP that the H.323 Phone received, so 192.168.0.X.
2) On the other hand, if "VPN" is set up to share to "Phone", ISA logs the VPN address as the client accessing the network, so 192.168.100.X.

My problem is that in ICS Scenario #1, ISA denies the connection as 192.168.0.X is of course not part of the Internal or VPN Clients network. In ICS Scenario #2, it works fine, but due to the routing problems, it can never find its way back to the H.323 phone as it knows the destination is only 192.168.100.X, and when I trace with Ethereal/Wireshark, the packets do not contain any references to the original client (and so once it hits the PPP interface on the client it doesn't know what to do with it).

I think that if I were to bridge "WAN" and "Phone" together, I would be dealing with a combination of the problems of #1 and #2, would I not? (Or does a bridge do something special with managing concurrent streams?) I know that if I bridge them together, "Phone" will get an IP from the same DHCP server as "WAN" did, but I run into routing issues.

------

Has anyone ever had to deal with this situation? What would be the ideal solution to Scenario #1 [this of course is why I posted here and not some networking newsgroup]? Any other ideas / am I misunderstanding the technical problem?

(In case you are wondering why I'm dealing with this problem, it is because due to upper management constraints on server locations while we move offices, all of our servers are in one location while we have users who need to use the phone server remotely and I know it's possible).

Jonathon J. Howey

All mail to and from this domain is GFI-scanned.
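As an added worked example, not part of the thread: a small Python model of the lookup the XP stack performs over the route table Jonathon posted (longest prefix match first, then lowest metric). Run over those rows it shows the three competing 0.0.0.0 entries, why the "Phone" NIC's metric-20 default beats the "WAN" NIC's metric-21 one once the tunnel is down (the precedence Jonathon noticed), and what clearing the Phone NIC's gateway per Jim's Solution #1 changes. The 203.0.113.5 destination is a constructed test address.

```python
import ipaddress

# Rows copied from the "Active Routes" table posted earlier in the thread
# (destination, netmask, gateway, interface, metric); only the rows the
# lookups below touch are kept.
ROUTE_TABLE = """\
0.0.0.0          0.0.0.0          192.168.0.1      192.168.0.1      20
0.0.0.0          0.0.0.0          192.168.2.1      192.168.2.100    21
0.0.0.0          0.0.0.0          192.168.100.115  192.168.100.115   1
66.51.121.2      255.255.255.255  192.168.2.1      192.168.2.100    20
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1         1
192.168.0.0      255.255.255.0    192.168.0.1      192.168.0.1      20
192.168.2.0      255.255.255.0    192.168.2.100    192.168.2.100    20
192.168.100.115  255.255.255.255  127.0.0.1        127.0.0.1        50
"""

def parse_routes(text):
    """Parse netstat -r rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Route XP would pick: longest prefix, then lowest metric -> (gateway, iface)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]

def drop_default_on(routes, iface):
    """Remove the 0.0.0.0/0 entry on one interface (Solution #1, or the tunnel dropping)."""
    return [r for r in routes if not (r[0].prefixlen == 0 and r[2] == iface)]

if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    print("phone server  ->", lookup(table, "192.168.100.90"))  # via the VPN, metric 1
    print("SBS public IP ->", lookup(table, "66.51.121.2"))     # /32 out the WAN NIC
    no_vpn = drop_default_on(table, "192.168.100.115")          # tunnel down
    fixed = drop_default_on(no_vpn, "192.168.0.1")              # Jim's Solution #1
    # 203.0.113.5 is constructed: Phone NIC (metric 20) before the fix, WAN NIC after.
    print("Internet      ->", lookup(no_vpn, "203.0.113.5"), lookup(fixed, "203.0.113.5"))
```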