Welcome to ISAserver.org
Problems with incoming traffic
Problems with incoming traffic - 12.Aug.2009 1:28:37 PM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
Been working on this issue for two days, but I think I've been barking up the wrong tree as I've been chasing what appeared to be an RDP issue. I've tried to describe the entire setup to try and give as full a picture as possible. I would be grateful for any response as this project is just about to fail!

Sorry about the length!

ISA server is configured as a back-to-back firewall.
Main firewall is a hardware firewall (BT Secure Services 2402) and the ISA server is located behind it (cable directly from ISA to the BT Secure Services box; there is no perimeter network).
ISA Server is a domain member, the internal NIC is pointing to the 10.0.0.0 network range.
The external NIC (2nd) is the connection between the hardware firewall and the ISA server; they are configured as follows..
ISA: 10.1.1.2/255.255.255.0
Hardware Firewall: 10.1.1.253/255.255.255.0
There is a static rule on the hardware firewall so all traffic for 10.0.0.0 is handed to 10.1.1.2.
We have a VPN connection to the hardware firewall, so our vpn users logon there and the idea is that RDP/HTTP traffic travels from the hardware firewall to the ISA server.
I have been trying for 2 days now to publish a terminal server connection to my ISA server but have been unable to; every time I see it hit the ISA firewall with an IP of 172.17.0.2 and the connection is denied. I'm obviously now tearing my hair out - as management are talking of abandoning the project unless we get somewhere close to resolving this issue in the next 24 hours.
Just before leaving the office I connected via 3G to the BT firewall over VPN and attempted to access an intranet page that previously worked over VPN - this time I saw the connection hit the firewall for the IP 172.17.0.2 over port 80/HTTP and was again denied. This now leads me to believe that the issue isn't RDP, it's something to do with the incoming traffic.
Although I don't think I need to allow anything such as IPSec or any other VPN type protocols, as there doesn't appear to me to be any evidence that it is required, but of course I'm new to this so may be wrong.
Is it possible that all traffic is being denied for 172.17.0.2 because the address range isn't recognised/trusted, seeing that even HTTP traffic is denied (I created a temporary rule to allow incoming HTTP requests to test)? If that is the case, what would I need to add so that anything incoming on 172.17.0.nnn is allowed access to the network as it is from VPN users?
I may be way off with this, but would be grateful for anyone's thoughts or help on this as I would hate to have to roll back.
Post #: 1
RE: Problems with incoming traffic - 12.Aug.2009 4:26:06 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I know how to make it work,...but you have to be willing to do it.

I see a couple things in your post:

quote:

Main firewall is a hardware firewall (BT Secure Services 2402) and the ISA server is located behind it (cable directly from ISA to the BT Secure Services box; there is no perimeter network).


Yes you have a perimeter network,...it just doesn't have any ports to plug anything else into it because it lacks a switch.  It is the IP Segment between the ISA and the BTSS box.

quote:

There is a static rule on the hardware firewall so all traffic for 10.0.0.0 is handed to 10.1.1.2.


That means the BTSS firewall has been "logically" eliminated,..it is doing nothing at all other than burning electricity and taking up space.

You would have this all working fine in a very short time by pulling out the BT box and just running the ISA by itself.  Configure the ISA to allow incoming Remote Access VPN Connections. 

Then create an Access Rule that allows:

From: VPN Users Network
To: <Computer Set containing any Terminal Servers they need to use>
Protocol: RDP  (not RDP Server)
User: <User Set containing the correct users or groups>

From that point the users just connect to the RDP boxes by their actual name or internal IP#.

_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 2
RE: Problems with incoming traffic - 12.Aug.2009 5:19:52 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Yep, I concur...

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to pwindell)
Post #: 3
RE: Problems with incoming traffic - 12.Aug.2009 7:08:21 PM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
Guys,

Thanks for the advice...

Losing the BTSS box would be great if management would allow this, but that's doubtful.

Am I right that the problem is that the VPN traffic is arriving on 172.17.0.2 for instance? If so, what would you recommend I do to remedy it - I read this http://articles.techrepublic.com.com/5100-22_11-6042192.html - now if I got the VPN addresses to be in the same subnet as the perimeter would that make it work - or once again am I way off?

(in reply to SteveMoffat)
Post #: 4
RE: Problems with incoming traffic - 13.Aug.2009 9:32:50 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You could try management beatings behind the building. If that doesn't work then you need to terminate the VPN at the ISA and not the BTSS box.  The setup you already have with passing "everything" back to the ISA almost does that,...but you need to see if the BTSS has some kind of VPN Pass-through functionality to enable,...usually just a typical ReverseNAT by itself won't do it.  Once the VPN is correctly terminating at the ISA then you can do the rest of what I said just as I described it.

I can't help much more than that.

_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 5
RE: Problems with incoming traffic - 13.Aug.2009 9:38:47 AM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
Tried the beatings, still didn't work - so I've asked BT to allow TCP port 1723 and IP Protocol 47 (Generic Route Encapsulation (GRE)) so that we can allow PPTP directly to the ISA.

Still having problems, but as BT sub this stuff out to Clearpath in LA I expected nothing less and it will take at least another half dozen calls to get the traffic through the firewall.

Hopefully before the end of the day I will get ISA VPN running.

Thanks for the advice!

(in reply to pwindell)
Post #: 6
RE: Problems with incoming traffic - 13.Aug.2009 10:09:31 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If none of that works.....

The last option I can think of is to stop doing the "let everything rip from outside to the ISA" on the BTSS box and run it the way you would normally run a firewall.  That means the goal is Security,...not "blindly-try-to-make-everything-work-no-matter-what".

Then change the Network Relationship on the ISA between the Internal and External Network to "routed".  You can still control/limit traffic with the ISA Rules but you are getting rid of the "NAT" aspect of it, which allows the BTSS box to directly access Hosts on the internal LAN after the ISA routes the traffic across it (assuming the ISA Rules allowed it).

I don't particularly like it that way,..but it is a valid way to handle it.

_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 7
RE: Problems with incoming traffic - 13.Aug.2009 10:27:04 AM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
Phillip,

Thanks for all the help and info so far, after 2.5 days and hardly any sleep I think I might be getting somewhere.

I can now see the traffic hit the firewall, I'm getting a failed connection but the information provided by ISA is...

Destination IP:10.0.0.253
Destination Port: 1723
Protocol: PPTP
Action: Failed Connection Attempt
Rule: [System] Allow VPN client traffic to ISA Server
Client IP:212.183.134.252
Source Network: External
Destination Network: Local Host

I've got a feeling its just something stupid that I've done in my tired state - any ideas on what I could try to turn this into a working connection?

Thanks again!

Damian

(in reply to pwindell)
Post #: 8
RE: Problems with incoming traffic - 13.Aug.2009 11:05:45 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I think it is time to call MS.


_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 9
RE: Problems with incoming traffic - 13.Aug.2009 1:40:55 PM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
No need for MS, it was nothing that a reboot didn't fix!

We've still got some issues, such as we can only use IP because the default gateway is being set to the same IP as the VPN client - but it basically works.

Thanks again for all your help, it is very much appreciated.

(in reply to pwindell)
Post #: 10
RE: Problems with incoming traffic - 13.Aug.2009 3:14:26 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
??  Having to only use an IP as the target has nothing to do with the Default Gateway used anywhere,...there is just no relationship between the two.  Having to only use an IP as the target  has everything to do with the DNS Scheme being correctly designed or not.

_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 11
RE: Problems with incoming traffic - 13.Aug.2009 3:22:28 PM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
Ok I'll look at the DNS, but when I did an IPCONFIG /All on the connected client the IP for the client and the default gateway were both the same (10.0.0.135), but the DNS was pointing back to the internal DNS servers 10.0.0.1, 10.0.0.2. At least at the moment users can RDP by IP address which is better than the nothing that they've had for the last three days.

(in reply to pwindell)
Post #: 12
RE: Problems with incoming traffic - 13.Aug.2009 3:30:35 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It is ok to do it by IP#. You can get by with that.

The client's DNS setting for their normal Nic is not going to change from whatever they are using,...and it is not supposed to.

The way that names resolve correctly for the Network that they are VPN'ing into is handled by the TCP/IP Specs they receive from the remote DHCP when the VPN goes active.  If all they get is the IP and Mask,...then names over the VPN will not resolve.  The DHCP needs to give them the IP#, Mask, DNS, and optionally WINS, which will be the DNS and WINS used on the LAN they are VPN'ing into.   The Default Gateway that the VPN Connection receives is going to look strange,..don't worry about it,..don't mess with that.

_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 13
RE: Problems with incoming traffic - 13.Aug.2009 4:01:23 PM   
DamianHill

 

Posts: 75
Joined: 20.Jul.2009
From: South Wales, UK
Status: offline
Thanks Phil - They've used IP since we've had VPN, to have them resolve by name would have been a bonus but not at all important.

One thing, if I may: I noticed this evening when connected from home to the office, I'm unable to surf the net on my local machine when connected over VPN - if I disconnect the VPN I can surf again. Anything I can do about that?

(in reply to pwindell)
Post #: 14
RE: Problems with incoming traffic - 13.Aug.2009 4:38:13 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
It is supposed to be that way.  Dialup VPN is supposed to be temporary,...connect,...do the job,...disconnect.  So theoretically you will not be doing "other things" while connected to the VPN.   This behavior dates back to the old dialup technology,..and VPN is a dialup technology.  The purpose is to protect the LAN you are connected into from "you". Besides the protection aspect,..it just simply has to be that way to work properly anyway.

You can get around it by disabling the behavior. This is called Split-Tunneling.  All it means is that you find the setting in your local dialup connectoid called "use default gateway on remote network" and disable that.   However there is a price to pay,...if the Corp LAN has more than one subnet the VPN user will cut themselves off from all Corp subnets except for the one subnet that they directly VPN'ed into.

_____________________________

Phillip Windell

(in reply to DamianHill)
Post #: 15
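The routing consequence Phillip describes in the last reply (full tunnel sends everything, Internet included, through the VPN; split tunnelling gets the Internet back but cuts the client off from every office subnet except the one it joined), worked through as an added example that is not from the thread. The subnets, the second office subnet and the home LAN are constructed assumptions; the rasphone.pbk key name mentioned in the comments is from general knowledge of Windows RAS, not from the post.

```python
import ipaddress

# Constructed topology for the thread's scenario (not values from the post):
# the VPN client lands in 10.0.0.0/24, the office also has 10.0.1.0/24,
# and the client's home LAN is 192.168.1.0/24.
VPN_SUBNET = ipaddress.ip_network("10.0.0.0/24")
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

DESTINATIONS = {
    "10.0.0.135": "RDP host on the subnet the VPN joined",
    "10.0.1.20": "host on a second office subnet",
    "198.51.100.10": "public web server (documentation range)",
}


def build_routes(use_remote_gateway: bool):
    """Routes a RAS client ends up with, as (network, interface) pairs.

    use_remote_gateway=True is the default "Use default gateway on remote
    network" setting (IpPrioritizeRemote=1 in rasphone.pbk); False is
    split tunnelling. RAS always adds a route for the joined subnet itself.
    """
    return [
        (HOME_LAN, "local"),
        (VPN_SUBNET, "vpn"),
        (DEFAULT, "vpn" if use_remote_gateway else "local"),
    ]


def egress(dest: str, routes) -> str:
    """Longest-prefix match, the way the client's IP stack picks a route."""
    addr = ipaddress.ip_address(dest)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def summarise(use_remote_gateway: bool) -> dict:
    """Which interface each test destination leaves through in the given mode."""
    routes = build_routes(use_remote_gateway)
    return {d: egress(d, routes) for d in DESTINATIONS}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"use default gateway on remote network = {mode}")
        for dest, why in DESTINATIONS.items():
            print(f"  {dest:14} ({why}) -> {summarise(mode)[dest]}")
```

With split tunnelling the 10.0.1.20 host goes out the home router and is simply unreachable, which is the price Phillip warns about; with the remote gateway enabled, web browsing goes through the office and only works if the ISA rules allow VPN clients out to the Internet.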
