RE: ISA 2004 flakey VPN access policy?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 5 Nov 2004 09:51:57 -0600

Hi Jeb,

Just for fun, make them members of the same global group and allow that
global group access.

HTH, 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] 
Sent: Friday, November 05, 2004 9:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 flakey VPN access policy?

http://www.ISAserver.org

Tom,

Both the members are members of a universal group. The ISA box is a
member of the domain hosting this group. Thanks!

Jeb 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, November 04, 2004 3:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 flakey VPN access policy?


Hi Jeb,

Are the users both members of the same global group and is the ISA
firewall a member of the domain hosting that global group? If not, give
it a try and see what happens.

HTH, 
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

________________________________

From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] 
Sent: Thursday, November 04, 2004 2:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 flakey VPN access policy?



Thanks for the reply Tom,
 
The rule is "Corporate VPN Users", Action: "Allow", Protocols: "All
Outbound", From: "VPN Clients", To: "Internal", Users: "VPN
Users" (Contains "Corporate VPN Users" universal group), Schedule:
"Always", Content: "All"
 
These are the log entries for user test1 and tomc: (Hope this doesn't
come through really ugly)
 
Field1 Field2 Field3 Field4 Field5 Field6 Field7 Field8 Field9 Field10 Field11 Field12 Field13 Field14 Field15 Field16 Field17 Field18 Field19 Field20 Field21 Field22 Field23 Field24 Field25
NTS3 2004-11-04 15:55:06 - 192.168.1.155 192.168.1.156 65.70.250.57 VPN Clients Local Host Successful Connection 0x0 - WAN Miniport (PPTP) 0 0 0 0 - - - NTS3 test1 VPN remote access 7355 0
NTS3 2004-11-04 15:55:17 ICMP 192.168.1.155:8 192.168.1.2 192.168.1.155 VPN Clients Internal Establish 0x0 Corporate VPN Users Ping 0 0 0 0 156 156 - - test1 - 7355 38209
NTS3 2004-11-04 15:55:24 ICMP 192.168.1.155:8 192.168.11.14 192.168.1.155 VPN Clients Internal Establish 0x0 Corporate VPN Users Ping 0 0 0 0 62 62 - - test1 - 7355 38238
NTS3 2004-11-04 15:55:39 - 192.168.1.155 192.168.1.156 65.70.250.57 VPN Clients Local Host Disconnection 0x0 - WAN Miniport (PPTP) 0 0 0 0 32953 32953 - NTS3 test1 VPN remote access 7355 0
NTS3 2004-11-04 15:56:00 - 192.168.1.154 192.168.1.156 65.70.250.57 VPN Clients Local Host Successful Connection 0x0 - WAN Miniport (PPTP) 0 0 0 0 - - - NTS3 tomc VPN remote access 7361 0
NTS3 2004-11-04 15:56:12 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 - - - - tomc - 7361 38421
NTS3 2004-11-04 15:56:13 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 16 16 - - tomc - 7361 38423
NTS3 2004-11-04 15:56:14 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 16 16 - - tomc - 7361 38424
NTS3 2004-11-04 15:56:15 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 16 16 - - tomc - 7361 38430
NTS3 2004-11-04 15:56:23 - 192.168.1.154 192.168.1.156 65.70.250.57 VPN Clients Local Host Disconnection 0x0 - WAN Miniport (PPTP) 0 0 0 0 22703 22703 - NTS3 tomc VPN remote access 7361 0
NTS3 2004-11-04 15:56:38 ICMP 192.168.1.155:8 192.168.11.14 192.168.1.155 VPN Clients Internal Terminate 0x80074e20 Corporate VPN Users Ping 240 240 180 180 73468 73406 - - test1 - 7355 38238
NTS3 2004-11-04 15:56:38 ICMP 192.168.1.155:8 192.168.1.2 192.168.1.155 VPN Clients Internal Terminate 0x80074e20 Corporate VPN Users Ping 240 240 240 240 81687 81531 - - test1 - 7355 38209
 
 

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, November 04, 2004 11:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2004 flakey VPN access policy?



Hi Jeb,
 
What are the EXACT details of the rules in question?
Also, the EXACT log file entries related to processing of those rules?
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

________________________________

From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] 
Sent: Thursday, November 04, 2004 10:33 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 flakey VPN access policy?



I have set up a policy to allow the group XXX VPN users access to
certain internal servers. I have 6 users in this group. The policy works
fine for 3 of the users. The other 3 cannot access the internal servers.
The strange part is when I look in the firewall logs, the same rule that
is allowing access for 3 of the users is also denying access to the
other three. I have deleted the policy and recreated it, but it didn't
help. Any ideas? Thanks!
 
Jeb
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx