Re: Internet Access through RAS or VPN

  • From: Joe Pochedley <JoePochedley@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Nov 2001 13:55:32 -0500

Inline means that the responses are imbedded within the quoted text of the
original message...  I have again attached the original set of messages to
the bottom of this mail, if you look closely in that mail, you will see
lines that begin with *'s...  These are Jim's comments and questions to
you.....

Regarding the VPN clients...  If you have the clients go through their VPN
DUN connectoids and uncheck the box labeled "Use Default gateway on remote
network" then the users will pass all internet traffic out to the internet
and not through the VPN...  This keeps them from using double bandwidth on
your Internet connection for their web surfing while connected to the VPN...
Of course, you can't log and control their web surfing this way though...
If you want to be able to log and control their surfing through the VPN and
ISA, then you will need to fill in the Proxy server settings on Internet
Explorer (or Netscape, whatever)...  In any case, you will need to do this
for your dial-in RAS clients if you want them to get out to the Internet
through your ISA server's connection...  Win98 works just fine when
requiring authentication with the Proxy settings filled in...   Remember
that the authentication will be in the form of Domain\Username (for NT4
style domains) or Username@xxxxxxxxxx (for Win2K domains)....

Not to be sarcastic, but sounds like a pretty poor setup if you can't
contact the remote users via email, corporate web page, etc with a set of
instructions that will help them and make their connection more usable /
user friendly?

HTH

JoeP

-----Original Message-----
From: jeff hooper [mailto:jeff.hooper@xxxxxxxxxx] 
Sent: Wednesday, November 14, 2001 12:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Internet Access through RAS or VPN


http://www.ISAserver.org


I don't understand what you mean by Inline?

I have clients that are going out as SecureNat on my other ISA servers, and
it's not possible for me to contact my remote users to tell them to put in
the web settings.  (Which I require authentication so the 98 don't usually
get out that way anyway.)

So how can I make my dial-in users go out through securenat on the same
box..



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Wednesday, November 14, 2001 11:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Internet Access through RAS or VPN




Inline...

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG


----- Original Message -----
From: "jeff hooper" <jeff.hooper@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 14, 2001 08:05
Subject: [isalist] Internet Access through RAS or VPN




Routing and Remote access is setup on a box with ISA server in firewall
mode.  The VPN and Modem pool work great.  I want the people that dial-in to
be able to get back out and surf.  Right now the only way I can get this to
work is with the Firewall client.  Here is the setup.

Internal interface has static routes to everything.

* if you're using RRAS, make your routes in there; not in the "route -p add"
command

External interface has default gateway on it.

RAS Users get private IP when they dial-in ie. 172.20.20.2-254

* is this subnet in the LAT?

I have tried both selecting the RRAS as router w/lan and demand-dial
routing, with remote access server always selected.

I have setup a client access group with the IP's of my dial-in users, to
allow all protocols, and all sites.  (This is what lets my Firewall client
users out, but doesn't let my RAS users be SNAT clients for some reason.)

*RRAS clients can't be SNAT because they use their own IP address as the
default gateway

another option is I have a different ISA server that is my default gateway
that the SNAT is working on, but if I remove my default gateway from the
external interface of course the external VPN can't get it because it won't
talk to the outside.. but Dial-in can get out through the other ISA server.

