Hi Tom,

I do not yet have a W2K3 server running. However, on a standard W2K server UDP ports 500 and 4500 seem to be occupied by the "lsass.exe" process. If I shut down the "IPSec Policy Agent" service, then those UDP ports seem to become available.

Cheers,
Stefaan

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday 30 June 2003 8:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RRAS and vpn

Hi Greg,

Nope. First hint: the packet filter log showed blocked packets for UDP 500, in spite of the fact that there was a valid Server Publishing Rule.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Greg Mulholland [mailto:greg_mul@xxxxxxxxxxxxxxx]
Sent: Monday, June 30, 2003 12:32 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RRAS and vpn

have to say either RRAS or ICS... prolly RRAS since it is the only one that would be going on a firewall you would hope....

Greg

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, 30 June 2003 1:42 PM
To: [ISAserver.org Discussion List]

Hi Stefaan,

I checked it out tonight, and you can publish the L2TP/IPSec VPN Server using Server Publishing rules with a back to back DMZ setup with ISA2000/Win2003 in the front and back.

HOWEVER -- there is one service that must be disabled on the upstream ISA2000/Win2003 server in order for this to work. I'll award you (or anyone else) 5 social credits for coming up with the name of that service in Win2003.

Thanks!
Tom

Thomas W Shinder

-----Original Message-----
From: Stefaan Pouseele [mailto:stefaan.pouseele@xxxxxxx]
Sent: Sunday, June 29, 2003 4:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RRAS and vpn

Hi Greg,

as far as I know you can't publish a Windows 2000 VPN server because PPTP and L2TP/IPSec use non-TCP/UDP based protocols (IP protocol 47 and 50 respectively). However, a Windows 2003 VPN server supports L2TP/IPSec with NAT Traversal and that feature encapsulates the ESP (IP protocol 50) packets in a UDP packet. Therefore, the ISA server will only see UDP traffic (UDP port 500 for the IKE and UDP port 4500 for the encapsulated ESP) and that can be published.

For more info about the IPSec NAT Traversal, check out my article http://www.isaserver.org/articles/IPSec_Passthrough.html.

HTH,
Stefaan

-----Original Message-----
From: Greg Mulholland [mailto:greg_mul@xxxxxxxxxxxxxxx]
Sent: Sunday 29 June 2003 13:43
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RRAS and vpn

I think I found the answer. ISA does not support GRE passing. Ironically it was in "GG" and most of the worthy posts I read were from one Thomas Shinder and one Jim Harrison. You guys rock!

Greg Mulholland
Tech Services Manager
Harvey Norman
+613 98019333
greg_mul@xxxxxxxxxxxxxxx
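
The NAT Traversal behaviour described in the thread (IKE on UDP 500, encapsulated ESP on UDP 4500), as an added example that is not part of the original messages: a Python classifier for the UDP payloads a publishing firewall would see, useful when reading packet captures next to the packet filter log. It assumes the RFC 3948 framing on UDP 4500 (four zero bytes before IKE, a single 0xFF byte as NAT keepalive); the function names and sample payloads are constructed for illustration.

```python
import struct

IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00" * 4             # RFC 3948: prefixes IKE on UDP 4500
IKE_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte ISAKMP/IKE header

def parse_ike(data):
    """Return basic IKE header fields, or None if the data is too short."""
    if len(data) < IKE_HDR.size:
        return None
    (icookie, _rcookie, _next, version,
     exchange, _flags, _msgid, length) = IKE_HDR.unpack_from(data)
    return {"kind": "ike", "initiator_cookie": icookie.hex(),
            "version": f"{version >> 4}.{version & 0x0F}",
            "exchange_type": exchange, "length": length}

def classify(server_port, payload):
    """Classify one UDP payload addressed to the VPN server's port."""
    if server_port == IKE_PORT:                  # plain IKE, no marker
        return parse_ike(payload) or {"kind": "malformed"}
    if server_port != NAT_T_PORT:
        return {"kind": "not-ipsec"}
    if payload == b"\xff":                       # one-byte NAT keepalive
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:            # IKE moved to UDP 4500
        return parse_ike(payload[4:]) or {"kind": "malformed"}
    if len(payload) >= 8:                        # ESP: SPI + sequence number
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp-in-udp", "spi": spi, "seq": seq}
    return {"kind": "malformed"}

# Constructed sample payloads (not captured traffic).
SAMPLE_IKE = IKE_HDR.pack(bytes(range(1, 9)), bytes(8), 1, 0x10, 2, 0, 0, 28)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16

if __name__ == "__main__":
    for port, data in [(500, SAMPLE_IKE), (4500, NON_ESP_MARKER + SAMPLE_IKE),
                       (4500, SAMPLE_ESP), (4500, b"\xff"), (4500, b"\x01")]:
        print(port, classify(port, data))
```

A zero SPI is reserved, which is why a UDP 4500 payload starting with four zero bytes can be treated as IKE rather than ESP.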