I have a Secureguard Appliance with Microsoft Forefront UAG and Microsoft TMG. I have successfully configured SSTP VPN Access in the TMG Management and it works. After this I defined a couple of rule sets to restrict the VPN access to and from the VPN clients. From the VPN clients to the internal LAN I can do everything I want, for example: ping, SMB and so on (I have restricted the access to a few protocols). But from the internal LAN I cannot ping the VPN clients, although from the VPN clients to the LAN it works. In the TMG Logs & Reports section I can see the ping packets, and TMG reports that they are blocked:
Log type: Firewall service
Status: The action cannot be performed because the session is not authenticated.
Rule: intern 2 VPN
Source: Internal
Destination: VPN Clients
Protocol: PING
Additional information is empty.
I did a lot of Google searches but with no result. Do you have any idea? I cannot understand why it blocks the ping packets, because a ping cannot be authenticated. But it also blocks SMB and DNS traffic, for example. I restricted the rule to the same user for which I allowed VPN access. Thanks a lot.
Yes, I have defined a FW policy "Internal 2 VPN" and one "VPN 2 Internal". Both rules include the same protocols (ping, ICMP, SMB .....), and of course different directions. And these rules apply to the user group in which the VPN users are, and to the System and Network Service. As I said before, from VPN 2 Internal I can ping and everything, but from Internal 2 VPN it does not work.
And today I rebooted the server and my Static Address Pool range was gone. I configured it again and rebooted, and it vanished again....
< Message edited by Benny89 -- 26.Jan.2011 5:31:35 AM >
Hi People, my company runs ISA 2006 SP1 on a Windows Server 2003 SP2 box. The configuration is a simple Edge Firewall configuration. Our ISP used routers to configure our WAN, so our ISA NATs traffic to the router, which pushes traffic to the internet. Recently, my CEO asked us to implement a separate network that our guests can utilize without them having access to our internal network. We configured a separate network and added a sub-interface on our router.