Welcome to ISAserver.org
IP Filter for VPN clients from IAS don't apply
IP Filter for VPN clients from IAS don't apply - 7.Dec.2006 6:30:45 AM
patos
Posts: 31
Joined: 13.Oct.2006
Hi! I've got a weird problem. I've set up two ISA 2006 in an array and am using it with NLB and everything. VPN connections work fine, as well as all publishing rules. I want to restrict IP access and be able to use Quarantine filters and have set this up on the authenticating IAS server. I can see in the IAS event viewer that the client authenticates and matches the correct policy. But the IP filters and the quarantine filters I set up don't apply to the clients. The clients get full access to my internal network. What did I miss? I never had this problem with standard RRAS or ISA 2004. Regards, Patric
RE: IP Filter for VPN clients from IAS don't apply - 8.Dec.2006 5:16:46 AM
patos
Posts: 31
Joined: 13.Oct.2006
Is this behaviour new in ISA 2006 then? I'm pretty sure it didn't work like that in 2004. Is there no way to make the IAS policy IP filter apply to the VPN client then? It feels like this limits the configuration possibilities that IAS policies offer.
RE: IP Filter for VPN clients from IAS don't apply - 8.Dec.2006 8:37:56 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Why in the world would you want to use IAS port rules???? ISA Firewall policy is much more granular and secure than the simpleton IAS port rules. Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: IP Filter for VPN clients from IAS don't apply - 11.Dec.2006 7:40:41 AM
patos
Posts: 31
Joined: 13.Oct.2006
Well, the situation is quite complex. We have about 150 IAS policies and 50 IAS proxy policies for a network containing about 30 different ADs and IP filter rules for each specific team of users, both external and internal, company PCs and non-company PCs. The quarantine feature is used as well as PPTP and L2TP (depending on access type, different IP filter). All in combination with each other make a quite complex environment where a central location for all these settings has been the only way to accomplish the task. In an ideal world, putting all in the ISA server seems like a good idea, and I agree with you. Rules for access to the network should be in the same location, not spread. But in this case, there would be about 2 weeks of work setting up these IP filter rules again, and I'm not even sure if the ISA can differentiate a PPTP connection from an L2TP connection and apply different IP filters accordingly (but I'll look into that). My humble and simple question is: CAN I use the IAS IP filters if VPN clients connect to an ISA 2006 (as you could in ISA 2004 if I'm not mistaken) if I want to, or has this behaviour changed? I can't get it to work, and I can't find any information about it. Regards, Patric
RE: IP Filter for VPN clients from IAS don't apply - 12.Dec.2006 6:52:29 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Patric, First, I should correct myself -- IAS port rules are ignored when using VPN-Q. They should still work when not using VPN-Q, IIRC, or at least they worked in ISA 2004. I haven't confirmed that they no longer work in ISA 2006 though. I'll have to run a side-by-side comparison to confirm. Tom
RE: IP Filter for VPN clients from IAS don't apply - 18.Dec.2006 3:49:35 AM
patos
Posts: 31
Joined: 13.Oct.2006
Hi! I too have noticed that normal IP filters don't work, and they never did (2004 or 2006). The quarantine filters seem to work though. What I'm basically trying to accomplish is to differentiate the PPTP VPN users from the L2TP VPN users and give them different access to the network. Let's say that I want to restrict the PPTP users to a more "public" part of my network where they could "poke around", and if they use the more secure L2TP IPSEC they could access their home folder. I have tried very briefly to make such a rule in the ISA server, but it seems I cannot be this precise. I can only make rules based on "VPN clients" or "Quarantined VPN clients". The only way seems to be to enable all quarantined clients to access my "public" area. But then I would never be able to make sure that users connecting to the secure area use L2TP. Any clever ideas?
RE: IP Filter for VPN clients from IAS don't apply - 18.Dec.2006 10:31:47 AM
patos
Posts: 31
Joined: 13.Oct.2006
Yeah, that could work, but most users need access to both. I.e. say that you would like to implement a certificate enroll feature in a PPTP connection, and that's all you want to allow them to do during a PPTP connection. The users should connect as themselves when retrieving the certificate (cmgetcer.dll), disconnect and then reconnect using L2TP, and then get the access I provide (home folder and so on). In that case I cannot use groups. =( Any ideas?
RE: IP Filter for VPN clients from IAS don't apply - 18.Dec.2006 10:36:28 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
The only thing I can think of is to use two different VPN servers -- a PPTP and an L2TP/IPSec. They connect first to the PPTP VPN server to get the cert and then, when they have that, they can connect to the L2TP/IPSec server. Any Win2k or Win2003 box can be the PPTP server. You could even publish it through the front-end ISA Firewall. HTH, Tom