Hi Jeb, Just for fun, make them members of the same global group and allow that global group access. HTH, Tom www.isaserver.org/shinder Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 MVP -- ISA Firewalls -----Original Message----- From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] Sent: Friday, November 05, 2004 9:33 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004 flakey VPN access policy? http://www.ISAserver.org Tom, Both the members are members of a universal group. The ISA box is a member of the domain hosting this group. Thanks! Jeb -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Thursday, November 04, 2004 3:09 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004 flakey VPN access policy? http://www.ISAserver.org Hi Jeb, Are the users both members of the same global group and is the ISA firewall a member of the domain hosting that global group? If not, give it a try and see what happens. HTH, Tom www.isaserver.org/shinder <http://www.isaserver.org/shinder> Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] Sent: Thursday, November 04, 2004 2:11 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004 flakey VPN access policy? http://www.ISAserver.org Thanks for the reply Tom, The rule is "Corporate VPN Users", Action: "Allow", Protocols: "All Outbound", From: "VPN Clients", To: "Internal", Users: "VPN Users"(Contains "Corporate VPN Users" universal group), Schedule: "Always", Content: "All" These are the log entries for user test1 and tomc: (Hope this doesn't come through really ugly) Field1 Field2 Field3 Field4 Field5 Field6 Field7 Field8 Field9 Field10 Field11 Field12 Field13 Field14 Field15 Field16 Field17 Field18 Field19 Field20 Field21 Field22 Field23 Field24 Field25 NTS3 2004-11-04 15:55:06 - 192.168.1.155 192.168.1.156 65.70.250.57 VPN Clients Local Host Successful Connection 0x0 - WAN Miniport (PPTP) 0 0 0 0 - - - NTS3 test1 VPN remote access 7355 0 NTS3 2004-11-04 15:55:17 ICMP 192.168.1.155:8 192.168.1.2 192.168.1.155 VPN Clients Internal Establish 0x0 Corporate VPN Users Ping 0 0 0 0 156 156 - - test1 - 7355 38209 NTS3 2004-11-04 15:55:24 ICMP 192.168.1.155:8 192.168.11.14 192.168.1.155 VPN Clients Internal Establish 0x0 Corporate VPN Users Ping 0 0 0 0 62 62 - - test1 - 7355 38238 NTS3 2004-11-04 15:55:39 - 192.168.1.155 192.168.1.156 65.70.250.57 VPN Clients Local Host Disconnection 0x0 - WAN Miniport (PPTP) 0 0 0 0 32953 32953 - NTS3 test1 VPN remote access 7355 0 NTS3 2004-11-04 15:56:00 - 192.168.1.154 192.168.1.156 65.70.250.57 VPN Clients Local Host Successful Connection 0x0 - WAN Miniport (PPTP) 0 0 0 0 - - - NTS3 tomc VPN remote access 7361 0 NTS3 2004-11-04 15:56:12 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 - - - - tomc - 7361 38421 NTS3 2004-11-04 15:56:13 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 16 16 - - tomc - 7361 38423 NTS3 2004-11-04 15:56:14 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 16 16 - - tomc - 7361 38424 NTS3 2004-11-04 15:56:15 ICMP 192.168.1.154 192.168.1.2 192.168.1.154 VPN Clients Internal Denied 0xc004000d Corporate VPN Users Ping 0 0 0 0 16 16 - - tomc - 7361 38430 NTS3 2004-11-04 15:56:23 - 192.168.1.154 192.168.1.156 65.70.250.57 VPN Clients Local Host Disconnection 0x0 - WAN Miniport (PPTP) 0 0 0 0 22703 22703 - NTS3 tomc VPN remote access 7361 0 NTS3 2004-11-04 15:56:38 ICMP 192.168.1.155:8 192.168.11.14 192.168.1.155 VPN Clients Internal Terminate 0x80074e20 Corporate VPN Users Ping 240 240 180 180 73468 73406 - - test1 - 7355 38238 NTS3 2004-11-04 15:56:38 ICMP 192.168.1.155:8 192.168.1.2 192.168.1.155 VPN Clients Internal Terminate 0x80074e20 Corporate VPN Users Ping 240 240 240 240 81687 81531 - - test1 - 7355 38209 ________________________________ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Thursday, November 04, 2004 11:03 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: ISA 2004 flakey VPN access policy? http://www.ISAserver.org Hi Jeb, What are the EXACT details of the rules in question? Also, the EXACT log file entries related to processing of those rules? Tom www.isaserver.org/shinder <http://www.isaserver.org/shinder> Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: Watts, Jeb [mailto:Jwatts@xxxxxxxxxxx] Sent: Thursday, November 04, 2004 10:33 AM To: [ISAserver.org Discussion List] Subject: [isalist] ISA 2004 flakey VPN access policy? http://www.ISAserver.org I have set up a policy to allow the group XXX VPN users access to certain internal servers. I have 6 users in this group. The policy works fine for 3 of the users. The other 3 cannot access the internal servers. The strange part is when I look in the firewall logs, the same rule that is allowing access for 3 of the users is also denying access to the other three. I have deleted the policy and recreated it, but it didn't help. Any ideas? Thanks! Jeb ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jwatts@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jwatts@xxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx