Welcome to ISAserver.org


Site to Site VPN with ISA 2006 article discussion

Site to Site VPN with ISA 2006 article discussion - 8.Aug.2006 5:32:30 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the site to site VPN article for ISA 2006 over at http://www.isaserver.org/tutorials/Creating-VPN-ISA-Server-2006-Firewalls-Main-Branch-Office-Part1html.html

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Site to Site VPN with ISA 2006 article discussion - 18.Aug.2006 12:28:05 PM   
EMademlis

 

Posts: 6
Joined: 1.Mar.2004
Status: offline
Hello Tom,
 
Very good article. It helped me clarify many options and make the right decisions.
I still have a question that other ISA firewall administrators might have as well.
 
It's about the VPN gateway Dial-in Account;
Does it have to be a "LOCAL" account or can it be a "DOMAIN" account?
 
I'm asking this because in my case the ISA boxes are AD domain member servers.
 
Thanks in advance for any information provided.
 
All the best.
 
EM.

(in reply to tshinder)
Post #: 2
RE: Site to Site VPN with ISA 2006 article discussion - 18.Aug.2006 2:50:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi E,

At the local ISA firewall, you can make the demand-dial interface account a domain account.

In a scenario where the branch office ISA firewall is a domain member, you can also make it a domain account, but you should also have a domain controller at the branch office to support this.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to EMademlis)
Post #: 3
RE: Site to Site VPN with ISA 2006 article discussion - 23.Jan.2008 2:35:37 PM   
cpalmer

 

Posts: 1
Joined: 23.Jan.2008
Status: offline
Hello Tom!

First I would like to say THANK YOU for the vast amount of knowledge you are sharing with the rest of us! Although this is my first forum post, I have used your site as the one stop shop for anything "how-to" with ISA. Again, thanks!!

With regards to setting up the branch office connection between ISA 2006 EE servers: I am trying to do L2TP/IPsec using local user accounts on both sides versus domain accounts, but one side is an NLB array. What would you put for the domain field in the user authentication for the VPN connection?

Chuck

(in reply to tshinder)
Post #: 4
RE: Site to Site VPN with ISA 2006 article discussion - 24.Jan.2008 12:13:34 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chuck

Try using the account on the connection owner.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cpalmer)
Post #: 5
RE: Site to Site VPN with ISA 2006 article discussion - 13.May2008 3:40:35 PM   
jfrench

 

Posts: 3
Joined: 14.Aug.2007
Status: offline
When following the article I get to step 8: Remote Authentication page and I cannot enter the full domain name. The ISA 2006 server at the branch site is also a domain controller so I must use a domain account. The domain name box will only allow me to enter 15 characters. Is there a way around this?

(in reply to tshinder)
Post #: 6
RE: Site to Site VPN with ISA 2006 article discussion - 14.May2008 12:27:27 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Correct. That is the NetBIOS name of the domain, which is always limited to 15 characters.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jfrench)
Post #: 7
RE: Site to Site VPN with ISA 2006 article discussion - 14.May2008 1:04:48 PM   
jfrench

 

Posts: 3
Joined: 14.Aug.2007
Status: offline
DOH! Of course it's the NetBIOS name, not the FQDN! Thanks for your help Tom. Without your articles and forum posts I would not have a working ISA config at all.

-Jeff

(in reply to tshinder)
Post #: 8
RE: Site to Site VPN with ISA 2006 article discussion - 15.May2008 6:22:54 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jeff,

No problem!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jfrench)
Post #: 9
RE: Site to Site VPN with ISA 2006 article discussion - 2.Sep.2008 8:49:54 PM   
rogerp

 

Posts: 2
Joined: 2.Sep.2008
Status: offline
Hi,
Is split tunneling an issue in the site to site scenario?

i.e. Should the branch office's default route go via the VPN, as a single remote client's needs to?

If not (as seems to be often configured), why not please...

TIA
Roger

(in reply to tshinder)
Post #: 10
RE: Site to Site VPN with ISA 2006 article discussion - 4.Sep.2008 8:52:55 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Roger,

Split tunneling isn't really an issue like it is with a remote access VPN client configuration. Clients must access both the Internet and the main office through the ISA firewall at the branch office.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rogerp)
Post #: 11
RE: Site to Site VPN with ISA 2006 article discussion - 8.Sep.2008 8:43:41 PM   
rogerp

 

Posts: 2
Joined: 2.Sep.2008
Status: offline
Thanks

Regards
Roger

(in reply to tshinder)
Post #: 12
Site to Site VPN with ISA 2006 static ip pool problem - 30.Mar.2010 7:12:24 AM   
RoadRunner2

 

Posts: 1
Joined: 30.Mar.2010
Status: offline
Hello Thomas. (achtung, extremely bad English) I am trying to use a static IP pool in HQ and branch, and every time the Alerts tab on both sides shows:

Description: ISA Server detected routes through the network adapter hq that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.0.2-10.0.0.2,10.1.1.3-10.1.1.3;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

hq lan - 192.168.0.0/24
hq vpn pool - 10.0.0.0/24
isp
branch lan - 192.168.1.0/24
branch vpn pool - 10.1.1.0/24

In the article you said:

quote:

If you use a static address pool, you might want to consider using off-subnet IP addresses. There is no problem with this, but you must make your routing infrastructure aware that in order to reach the network ID used for the VPN clients network that they must forward those connections to the ISA firewall interface from which the connection was received. In a simple dual NIC configuration, this would be the Internal interface.


Can you explain what that means?

It seems like I have to do something with my routing tables on every ISA server, but what, I can't understand.

< Message edited by RoadRunner2 -- 30.Mar.2010 7:15:18 AM >

(in reply to rogerp)
Post #: 13
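A simplified model of the consistency check behind that alert, added here as an example (it is not code from the article, the forum, or ISA Server itself). It uses constructed addresses taken from this post (HQ LAN 192.168.0.0/24, off-subnet pool 10.0.0.0/24, adapter name "hq") and shows how adding the route the quoted paragraph asks for, pointing the pool at the Internal interface, makes the finding disappear.

```python
import ipaddress

# Constructed example modelled on the poster's HQ side: the Internal network is
# the LAN plus an off-subnet static VPN pool, reached through the adapter "hq".
INTERNAL = {
    "adapters": ["hq"],
    "ranges": ["192.168.0.0/24", "10.0.0.0/24"],
}

# Routing tables as (destination prefix, adapter) pairs. The first has no route
# for the pool via the Internal adapter, which is the situation the alert
# describes; the second adds the route the quoted article paragraph asks for.
ROUTES_BEFORE = [("192.168.0.0/24", "hq"), ("0.0.0.0/0", "isp")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.0.0.0/24", "hq")]

def uncovered(prefix, covering):
    """Return the parts of `prefix` that no prefix in `covering` reaches."""
    remaining = [prefix]
    for cov in covering:
        nxt = []
        for part in remaining:
            if cov.supernet_of(part):          # fully covered (or equal)
                continue
            if part.supernet_of(cov):          # carve the covered piece out
                nxt.extend(part.address_exclude(cov))
            else:
                nxt.append(part)               # disjoint, keep as is
        remaining = nxt
    return sorted(remaining)

def unroutable_ranges(network, routes):
    """Model of the check behind the alert: every range in the network must be
    routable through one of the network's own adapters. Returns the gaps in
    the alert's 'first-last' notation."""
    via_own = [ipaddress.ip_network(dst) for dst, nic in routes
               if nic in network["adapters"]]
    gaps = []
    for rng in network["ranges"]:
        for gap in uncovered(ipaddress.ip_network(rng), via_own):
            gaps.append(f"{gap[0]}-{gap[-1]}")
    return gaps

def foreign_routes(network, routes):
    """The opposite mismatch: routes via the network's adapters whose
    destination is not inside any of the network's address ranges."""
    ranges = [ipaddress.ip_network(r) for r in network["ranges"]]
    return [dst for dst, nic in routes if nic in network["adapters"]
            and not any(ipaddress.ip_network(dst).subnet_of(r) for r in ranges)]
```

Running `unroutable_ranges(INTERNAL, ROUTES_BEFORE)` flags the whole pool, while the same call with `ROUTES_AFTER` returns nothing; `foreign_routes` catches the reverse case, where a prefix is routed through the Internal adapter but left out of the network definition.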
