Welcome to ISAserver.org
Site to Site VPN with SBS ISA
Site to Site VPN with SBS ISA - 16.Aug.2007 1:11:48 PM
DCoglianese
Posts: 2
Joined: 26.Nov.2003
From: Pittsburgh
Status: offline
I've been working on creating a Site to Site VPN between an SBS 2003 Premium and Watchguard Edge. After much fiddling and help from Microsoft, we have the tunnel up with one exception. Clients at the remote site (where the Watchguard Edge is) are unable to access any resources located on the SBS Server (which of course is where ISA is). They can however access other workstations at the main site. The explanation is that the Watchguard is not able to access any services located on the endpoint, only beyond. Microsoft says that there are firewalls that can handle this so it should not be an issue, but Watchguard has been unable to come up with a solution. Has anyone had this experience and is there a way around it? Are other VPN Firewall solutions able to allow access to the SBS services? Any suggestions would be greatly appreciated. Thanks in advance for your assistance.
_____________________________
Dennis J Coglianese
RE: Site to Site VPN with SBS ISA - 16.Aug.2007 3:06:59 PM
sneeze24
Posts: 2
Joined: 16.Aug.2007
Status: offline
I am one step behind you. I have spent the last day trying to get the tunnel up and running between a Watchguard Edge and ISA 2004 Std on SBS 2003. Once I do that I will be in the same boat you are. Can you give me some insight into what you had to do to get the tunnel up and then at least we can have two heads working on the issue you have? As far as I can see the IPsec settings are the exact same on ISA and the Edge. I have a network rule and access rules set up on ISA. I cannot, however, get the tunnel to come up.
_____________________________
Andrew Alaniz System Engineer, MCP, MCNPS CTS, Inc.
RE: Site to Site VPN with SBS ISA - 17.Aug.2007 1:47:01 PM
DCoglianese
Posts: 2
Joined: 26.Nov.2003
From: Pittsburgh
Status: offline
I had to use a support incident with Microsoft to get this far. In the Watchguard documentation and everything else I read, the concept was to make sure you use the same settings on both devices for Phase I and Phase II. It seems that ISA has a different opinion. You have to use the following on both sides:

Phase I
3DES
Sha1
Group 2
Authenticate and Regenerate Key 28800 Seconds

Phase II
3DES
Sha1
Generate new key - 20480 bytes, 28800 seconds
PFS Group 2

It seems that if you don't use these values, ISA will anyway. We found that out by digging through the logs. The other thing we found is that you should include the external interface of the Edge in the network of the remote node. The opposite is not true on the Edge. Unfortunately, once this tunnel is up, it can only communicate with beyond the endpoints. One other odd behavior: if the remote users try to access OWA or a PPTP VPN that is located on the same IP address as the IPsec tunnel endpoint, they won't succeed. You have to remove the external address of the Watchguard from the ISA configuration for the remote node. This drove me crazy for more time than I would like to admit. Microsoft claims to have workarounds for doing this with Linksys, Sonicwall, PIX and CheckPoint devices, but I have not tried these or proven that they can communicate with SBS services. Let me know if I can help you more. I'm still hoping for some help with my original question. Good Luck!
_____________________________
Dennis J Coglianese
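Added illustration (not code from the thread or from either vendor): a small Python model of the two diagnostics Dennis describes above. The first compares the Phase I / Phase II parameter sets configured on the two peers and reports the fields that differ, which is what the log digging amounts to when the tunnel will not come up. The second checks whether the peer's external (tunnel endpoint) address falls inside the ranges defined for the remote-site network, the overlap behind the OWA/PPTP symptom. The proposal values are the ones quoted in the post; all IP addresses are constructed placeholders from documentation ranges, and the matching is a strict parameter comparison, not an IKE implementation.

```python
# Added example: models the two checks from the reply above. Proposal values
# are those quoted in the post; IP addresses are constructed placeholders.
from dataclasses import dataclass, asdict
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str                       # e.g. "3DES"
    integrity: str                        # e.g. "SHA1"
    dh_group: int                         # Phase I: DH group; Phase II: PFS group
    lifetime_seconds: int                 # rekey after this many seconds
    rekey_after_data: Optional[int] = None  # Phase II only; post quotes 20480 (bytes)


# Parameter sets the post says ISA 2004 on SBS 2003 insists on.
ISA_PHASE1 = Proposal("3DES", "SHA1", dh_group=2, lifetime_seconds=28800)
ISA_PHASE2 = Proposal("3DES", "SHA1", dh_group=2, lifetime_seconds=28800,
                      rekey_after_data=20480)


def negotiate(initiator: List[Proposal],
              responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also lists, or None
    when nothing matches (no SA, tunnel never comes up). Modelled as an exact
    parameter match, which is how the post describes ISA behaving."""
    accepted = set(responder)
    for proposal in initiator:
        if proposal in accepted:
            return proposal
    return None


def differences(local: Proposal, remote: Proposal) -> dict:
    """Fields that differ between two proposals as {field: (local, remote)}.
    These are the values to look for in the IKE log when negotiation fails."""
    l, r = asdict(local), asdict(remote)
    return {k: (l[k], r[k]) for k in l if l[k] != r[k]}


def endpoint_in_remote_network(remote_network_cidrs: List[str],
                               peer_external_ip: str) -> List[str]:
    """Return the configured remote-site ranges that contain the peer's own
    external (tunnel endpoint) address. ISA classifies a host by the network
    whose address range it falls in, so a non-empty result means traffic to or
    from that address outside the tunnel is attributed to the remote-site
    network rather than to External, which is the clash the post describes
    for OWA and PPTP."""
    addr = ip_address(peer_external_ip)
    return [str(net) for net in map(ip_network, remote_network_cidrs)
            if addr in net]


if __name__ == "__main__":
    # Constructed peer configuration: AES instead of 3DES in Phase I.
    edge_phase1 = Proposal("AES256", "SHA1", dh_group=2, lifetime_seconds=28800)
    print("Phase I match:", negotiate([edge_phase1], [ISA_PHASE1]))
    print("Phase I differences:", differences(ISA_PHASE1, edge_phase1))

    # Constructed remote-site definition that also lists the Edge's external IP.
    remote_site = ["192.168.50.0/24", "203.0.113.10/32"]
    print("Endpoint inside remote network:",
          endpoint_in_remote_network(remote_site, "203.0.113.10"))
```

Run it as a script to see a failed Phase I match with the offending field listed, and the endpoint overlap reported for the constructed remote-site definition; drop the /32 from the list to see the overlap disappear.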
RE: Site to Site VPN with SBS ISA - 20.Aug.2007 5:40:12 PM
sneeze24
Posts: 2
Joined: 16.Aug.2007
Status: offline
Thanks, I will give these settings a try. We have decided that it is more beneficial for our client at this point to purchase another Watchguard firewall as opposed to spending time troubleshooting this issue. We do however have someone else continuing to address the issue and I will keep you updated if we discover any fixes.