VPN Behind isa Server
VPN Behind isa Server - 24.Aug.2006 2:23:36 PM
namal
Posts: 21
Joined: 5.Jul.2006
Hi, does anyone know what TCP/UDP ports should be enabled for a Check Point Safe@Office 5000 VPN client to work from behind an ISA firewall? I can only ping the ISA server; I can't ping the other LAN clients. Any help would be greatly appreciated. Thanks, Chanaka
_____________________________
Chanaka
RE: VPN Behind isa Server - 24.Aug.2006 4:25:18 PM
mrupright
Posts: 68
Joined: 18.Oct.2004
Hi Namal, what type of VPN are you wanting to connect to? IPsec, PPTP, L2TP, etc.? Happy to help. Mark
RE: VPN Behind isa Server - 25.Aug.2006 6:45:50 AM
namal
Posts: 21
Joined: 5.Jul.2006
Hi all, thanks for your answer. Actually my front-end firewall is a Check Point Safe@Office 500P and I'm using its built-in VPN server; on the back end I'm using ISA Server 2004. I can connect to the Safe@Office box and I can ping the ISA server too, but if I try to ping the internal root PDC or the Exchange server it shows "request timed out". The Check Point technical support team told me I have to enable the ISA port, but I don't know which port I have to enable. Attached herewith are the logs from after connecting to the Safe@Office VPN. If you can tell me which port I have to enable on the ISA (external to internal), I'm waiting for your answer. Thanks, Chanaka.
RE: VPN Behind isa Server - 25.Aug.2006 6:53:08 AM
namal
Posts: 21
Joined: 5.Jul.2006
Please tell me how I can attach the screenshot. My logs show:
    IKE Phase 1: completed successfully with VPN peer 203.143.14.38 (security: AES-256/SHA1, expire time 23 hours 59 minutes 54 seconds, NAT-T turned off)
    Successfully authenticated user abc connecting from IP 203.143.14.38
    IKE Phase 2: completed successfully with VPN peer 203.143.14.38 (my ranges 0.0.0.0-255.255.255.255, peer range 203.143.14.38-203.143.14.38, security: 3DES/SHA1, expire time 10 minutes, NAT-T turned off)
If you guys can, please provide me your email address so I can send the screenshot. Thanks, Chanaka.
RE: VPN Behind isa Server - 25.Aug.2006 11:17:22 AM
namal
Posts: 21
Joined: 5.Jul.2006
Mr. Stefaan, thanks for your mail. Please can I have your email address? Then I can forward you my diagram; there you can see everything. I hope you will help me. Regards, Chanaka.
RE: VPN Behind isa Server - 25.Aug.2006 12:26:00 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Chanaka, let's see if I got it right this time! It's a common back-to-back firewall configuration with a Checkpoint as outer and an ISA as inner firewall, and the setup can be summarized as follows:

    192.168.10.0/24
         vvv
    LAN ------ [ ISA ] ------ [ Checkpoint ] --- Internet
                                  ^^^
                                  DMZ
                            192.168.187.0/24

An external client can connect successfully with a VPN connection to the Checkpoint firewall. Because there is no NAT along the path, the IPsec tunnel is negotiated without NAT-T. So far so good. The problem now is that the external client can't access any resource behind the ISA server. Right?

OK, what's the network relationship between the ISA internal and external network? If it is NAT you'll have to publish the internal resources onto the ISA external interface. If it is ROUTE you'll have to create the necessary access rules.

BTW (1) --- you should fix your DNS configuration asap. First, *only* specify the internal DNS server(s) on the ISA internal interface and remove all other DNS servers from any other interface on the ISA server. Next, make sure the ISA internal interface is listed first in the adapter order. Last, configure the external DNS servers as forwarders on your internal DNS server and make sure you have the proper access rules so it can reach those external DNS servers.

BTW (2) --- why are you running an FTP server on the ISA itself? That's not recommended at all!

HTH, Stefaan
< Message edited by spouseele -- 25.Aug.2006 12:32:57 PM >
RE: VPN Behind isa Server - 25.Aug.2006 1:14:14 PM
namal
Posts: 21
Joined: 5.Jul.2006
Sir Stefaan, thanks for understanding my problem. The answer to your first question is yes, I want to access internal resources. The ISA network relationship is: internal IP (192.168.187.0), external IP (192.168.10.0) communicating between the Safe@Office box and the ISA firewall. Our root PDC server has the internal DNS server (192.168.187.1).

BTW (1): where do I have to create the rule for DNS? My ISA server internal interface has the internal DNS server IP address:
    Internal card: IP address 192.168.187.200, mask 255.255.255.0, gateway = none, DNS 192.168.187.1
    External card: IP address 192.168.10.2, mask 255.255.255.0, gateway 192.168.10.1, DNS (it's our ISA DNS) 203.143.29.1, 203.143.0.124
After I checked again to confirm, I opened Network Connections, Advanced Settings, Adapters and Bindings; the top one is LAN (internal), then WAN (external).

BTW (2) --- why are you running an FTP server on the ISA itself? That's not recommended at all! Yes, it's on the ISA. Why is that?

Sir, if you can, please give me the solution: now I can connect as a VPN client, but I cannot access the internal servers. I hope you can help me. I'm waiting for your answer. Thanks, Chanaka.
RE: VPN Behind isa Server - 25.Aug.2006 2:14:36 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Chanaka,
quote:
    The ISA network relationship is: internal IP (192.168.187.0), external IP (192.168.10.0) communicating between the Safe@Office box and the ISA firewall.
That's not what I'm looking for. To determine the configured network relationship, you'll have to go to the ISA MMC, select your ISA server, then Configuration and then Networks. In the Network Rules tab you will see the configured relationship, NAT or Route. Note that this relationship will determine what external clients can access on the internal network, and how. However, if your policy is that everything should be accessible, then I strongly suggest you make the ISA server the VPN gateway instead of the Checkpoint.
quote:
    BTW (1): where do I have to create the rule for DNS?
On the ISA server you should create an access rule that looks like: from Internal_DNS_Server (192.168.187.1) to External_DNS_Servers (203.143.29.1 & 203.143.0.124), allow the protocol DNS for all users. Of course, make sure that the Internal_DNS_Server is configured as a SecureNAT client and that you have configured the External_DNS_Servers (203.143.29.1 & 203.143.0.124) as forwarders on the Internal_DNS_Server. Once that's done and the Internal_DNS_Server can resolve external FQDNs (test it with the nslookup command), you can safely remove the DNS servers from the ISA external interface.
quote:
    BTW (2) --- why are you running an FTP server on the ISA itself? That's not recommended at all! Yes, it's on the ISA. Why is that?
ISA Server is supposed to be a firewall, *not* a general purpose server. So, never include ISA Server in your server consolidation plan. Also, do you install an FTP server on the Checkpoint too? I guess not... HTH, Stefaan
< Message edited by spouseele -- 25.Aug.2006 2:21:00 PM >
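The three interface rules Stefaan gives (internal DNS only on the internal NIC, no DNS servers on any other NIC, internal NIC first in the binding order) and the follow-up work on the internal DNS server (forwarders plus the ISA access rule) can be checked mechanically. The script below is an added example and is not from the original post or from Microsoft; the abridged ipconfig dump is constructed to mirror the settings Chanaka posted, and the adapter names LAN/WAN and the binding order are assumptions taken from his description. The `dnscmd /ResetForwarders` syntax is the real Windows DNS command-line tool.

```python
"""Lint an ISA server's NIC DNS settings against the three rules from the
thread and derive what the internal DNS server needs (forwarders, access rule).

Added example, not from the original post.  The ipconfig-style dump is
constructed to mirror Chanaka's posted settings; adapter names and the
binding order are assumptions taken from his description.
"""
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("192.168.187.0/24")

# constructed, abridged 'ipconfig /all' output matching the posted settings
IPCONFIG = """\
Ethernet adapter LAN:
   IP Address. . . . . . . . . . . . : 192.168.187.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.187.1

Ethernet adapter WAN:
   IP Address. . . . . . . . . . . . : 192.168.10.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 203.143.29.1
                                       203.143.0.124
"""
BINDING_ORDER = ["LAN", "WAN"]   # Advanced Settings > Adapters and Bindings, top first


def parse_ipconfig(text):
    """Return {adapter: {'ip': str|None, 'dns': [str, ...]}} from ipconfig /all text."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        head = re.match(r"^\S.*adapter (.+):$", line)
        if head:
            current = adapters.setdefault(head.group(1), {"ip": None, "dns": []})
            in_dns = False
            continue
        if current is None or not line.strip():
            continue
        kv = re.match(r"^\s+([A-Za-z][A-Za-z ]*?)[\s.]*:\s*(\S*)$", line)
        if kv:
            key, value = kv.group(1).strip().lower(), kv.group(2)
            in_dns = key.startswith("dns servers")
            if key.startswith("ip address"):
                current["ip"] = value
            elif in_dns and value:
                current["dns"].append(value)
        elif in_dns:                       # continuation line: extra DNS server
            current["dns"].append(line.strip())
    return adapters


def check_isa_dns(adapters, binding_order, internal_net=INTERNAL_NET):
    """Rules from the thread: only internal DNS server(s) on the internal NIC,
    no DNS servers on any other NIC, internal NIC first in the binding order."""
    findings = []
    internal = [n for n, a in adapters.items()
                if a["ip"] and ipaddress.ip_address(a["ip"]) in internal_net]
    if len(internal) != 1:
        return ["could not identify exactly one internal adapter"]
    internal = internal[0]
    for name, a in adapters.items():
        if name == internal:
            bad = [d for d in a["dns"] if ipaddress.ip_address(d) not in internal_net]
            if bad or not a["dns"]:
                findings.append(f"{name}: internal NIC must list only internal DNS servers, has {a['dns']}")
        elif a["dns"]:
            findings.append(f"{name}: remove DNS servers {a['dns']} from this NIC")
    if binding_order[0] != internal:
        findings.append(f"binding order: {internal} must be first, {binding_order[0]} is")
    return findings


def forwarder_setup(adapters, internal_net=INTERNAL_NET):
    """What the internal DNS server needs once the external NIC loses its DNS
    entries: the ISP resolvers as forwarders, plus an ISA access rule letting
    it reach them.  Returns (dnscmd command line, access rule description)."""
    internal_dns, forwarders = [], []
    for a in adapters.values():
        for d in a["dns"]:
            target = internal_dns if ipaddress.ip_address(d) in internal_net else forwarders
            if d not in target:
                target.append(d)
    cmd = f"dnscmd {internal_dns[0]} /ResetForwarders {' '.join(forwarders)}"
    rule = {"name": "Internal DNS to External", "action": "allow", "protocol": "DNS",
            "from": internal_dns, "to": forwarders, "users": "All Users"}
    return cmd, rule


if __name__ == "__main__":
    adapters = parse_ipconfig(IPCONFIG)
    for f in check_isa_dns(adapters, BINDING_ORDER):
        print("FIX:", f)
    cmd, rule = forwarder_setup(adapters)
    print("run on the internal DNS server:", cmd)
    print("ISA access rule:", rule)
```

Run against Chanaka's settings it flags only the WAN adapter's DNS entries; the LAN adapter and the binding order already comply. Apply the forwarders and the access rule first, confirm with nslookup from 192.168.187.1 that external names resolve, and only then clear the WAN entries, which is the order Stefaan gives.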
RE: VPN Behind isa Server - 25.Aug.2006 2:28:51 PM
namal
Posts: 21
Joined: 5.Jul.2006
Hi, thanks for your quick answer. Yes, the network rule relationship is NAT:
    Name               | Relation | Source network                        | Destination network
    1. Local host access | Route  | Local host                            | All networks
    2. VPN client        | Route  | VPN / QVPN client                     | Internal
    3. Internet access   | NAT    | Internal / VPN client / QVPN client   | External
I still haven't done BTW (1); after it's done I'll tell you. BTW (2): the answer to the question is no, I didn't install the FTP server on the Checkpoint. The ISA server has IIS installed, with both FTP and web server. If it's not a good idea, can I remove it? Do you recommend the web server? I'm waiting for your answer. Thanks, Chanaka.
RE: VPN Behind isa Server - 25.Aug.2006 2:49:56 PM
namal
Posts: 21
Joined: 5.Jul.2006
Hi Stefaan, thanks for your answer. I want to ping the client PCs and I want to access the file servers/OWA/network printers etc. If you have any more ideas, tell me. BTW (1) answer: I created new network objects (a Computer for the internal DNS server 192.168.187.1, and a Computer Set for the external DNS servers; the external DNS servers are not on our LAN, I don't know where the ISP provider keeps them; external IPs 203.143.29.1/203.143.0.124). After that I created a rule like this:
    Name: Internal DNS to External -> Allow -> DNS -> Internal DNS Server -> External DNS Server
Please tell me if that is OK. I'm waiting for your answer. Thanks, Chanaka.
RE: VPN Behind isa Server - 25.Aug.2006 3:07:04 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Chanaka,
quote:
    I want to ping the client PCs and I want to access the file servers/OWA/network printers etc. If you have any more ideas, tell me.
Hmm... in that case I would use the ISA Server as VPN gateway instead of the Checkpoint box, because ISA can then apply access rules to the authenticated VPN users. Is this an option for you? If so, check out the VPN Deployment Kit at http://www.microsoft.com/technet/prodtechnol/isa/2004/technologies/vpn.mspx. The DNS stuff looks good to me. If you can also nslookup different external FQDNs from the internal DNS server itself, then you can remove the DNS servers from the ISA external interface and leave those fields blank. HTH, Stefaan
RE: VPN Behind isa Server - 25.Aug.2006 5:02:50 PM
namal
Posts: 21
Joined: 5.Jul.2006
Hello Sir, I'm still downloading the VPN Kit; I want to access my internal resources. I still have no idea about that kit; if it's not clear, please help me. I hope you will see my drawings. Please advise me on how to solve my problem. Thanks, Chanaka.
RE: VPN Behind isa Server - 26.Aug.2006 12:44:18 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Chanaka, take your time to study the VPN Deployment Kit. Changing the VPN gateway from the Checkpoint to the ISA server is a fundamental change in your network setup. HTH, Stefaan
RE: VPN Behind isa Server - 26.Aug.2006 2:10:24 PM
namal
Posts: 21
Joined: 5.Jul.2006
Dear Stefaan, thanks for your answer. How can I change the VPN gateway from the Checkpoint to the ISA server? Why do you think my network setup is wrong? Can you please advise me? Regards, Chanaka.
RE: VPN Behind isa Server - 26.Aug.2006 6:36:10 PM
namal
Posts: 21
Joined: 5.Jul.2006
Hello Stefaan, thanks for your answers. After I change the DNS settings back to normal... now I'm at home; I hope to do it on Monday. Currently I'm using the Windows Remote Access VPN client with the PPTP protocol, and it's working without any problem; I can access internal resources such as file servers and OWA. On the ISA server machine I'm using Windows Remote Access Server and IIS for web and FTP too. I thought that with all my services running on the ISA server my PC would be slow; that's why I decided to use the Checkpoint Safe@Office box VPN server. I hope the Safe@Office box has low traffic. The sentence below is not clear to me; please tell me how to do that:
    You are better off making the ISA server the VPN gateway instead of the Checkpoint box
I can see in the Checkpoint box log file that my ping request to the internal network is accepted by the Checkpoint, but my client cannot ping. So you can better tell me which port I have to enable on the ISA server for the ping request; if ping is working, then I can decide which port I need. I tried to get support from Checkpoint; they said their part is OK, because the VPN client can connect to the Safe@Office box and even to the ISA server (the client can ping the ISA server). They told me to ask Microsoft what ports have to be enabled on the ISA server for the ping request from the Checkpoint VPN client. I learn a lot of things from you. If you can, please support me. Best regards, Chanaka.
RE: VPN Behind isa Server - 26.Aug.2006 11:42:18 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Hi Chanaka,
quote:
    Currently I'm using the Windows Remote Access VPN client with the PPTP protocol, and it's working without any problem; I can access internal resources such as file servers and OWA.
OK, that means you already have it running with the ISA server as the VPN gateway. That's good!
quote:
    On the ISA server machine I'm using Windows Remote Access Server and IIS for web and FTP too. I thought that with all my services running on the ISA server my PC would be slow; that's why I decided to use the Checkpoint Safe@Office box VPN server. I hope the Safe@Office box has low traffic.
In my opinion you should remove IIS from the ISA box and just use the ISA server as a firewall and VPN server!
quote:
    I can see in the Checkpoint box log file that my ping request to the internal network is accepted by the Checkpoint, but my client cannot ping. So you can better tell me which port I have to enable on the ISA server for the ping request; if ping is working, then I can decide which port I need.
As said in one of my previous posts, because the network relationship is NAT, any client that is external to the ISA server will only have access to those services you have published on the ISA external interface. Keep in mind that the services you can publish must be TCP/UDP based. For example, ping is ICMP based and can therefore *not* be published. In other words, external clients will not be able to ping internal hosts. In conclusion: let the VPN clients connect to the ISA server instead of to the Safe@Office box and your problems are solved. HTH, Stefaan
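The reasoning Stefaan applies across his replies (a NAT relationship exposes only services published on the ISA external interface; publishing is limited to TCP/UDP, so ping can never be published; a Route relationship, such as the default VPN Clients to Internal rule, is governed by access rules, which can allow ICMP) can be written down as a small policy model and run against Chanaka's network rules. The script below is an added example and is not code from the original post or from ISA Server itself. The network rule names and relationships are the ISA 2004 defaults Chanaka listed; the OWA publishing rule, the Exchange address 192.168.187.10 and the access rule for ISA's own VPN users are assumptions for the worked scenario.

```python
"""Model of how ISA 2004 network rules decide what an outside host can reach.

Added example, not from the original post.  Network rules follow the ISA
defaults Chanaka listed; the OWA publishing rule, the Exchange address and
the VPN access rule are assumptions for the worked scenario.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: frozenset         # ISA network names; "*" stands for All Networks
    destinations: frozenset
    relation: str              # "NAT" or "Route"

    def covers(self, src, dst):
        return ((src in self.sources or "*" in self.sources) and
                (dst in self.destinations or "*" in self.destinations))


@dataclass(frozen=True)
class PublishingRule:
    """Server publishing rule: ISA listens on an external IP and forwards to
    one internal host.  ISA can only publish TCP and UDP services."""
    name: str
    listener_ip: str
    protocol: str
    port: int
    internal_ip: str


@dataclass(frozen=True)
class AccessRule:
    name: str
    source: str
    destination: str
    protocols: frozenset       # e.g. {"ICMP", "TCP/445"}


@dataclass
class IsaPolicy:
    network_rules: list
    publishing_rules: list = field(default_factory=list)
    access_rules: list = field(default_factory=list)

    def can_reach(self, src_net, dst_net, dst_ip, protocol, port=None):
        """Can a host in src_net open protocol[/port] to dst_ip in dst_net?
        Returns (allowed, reason)."""
        for rule in self.network_rules:
            if rule.covers(src_net, dst_net):
                inbound_nat = False          # same direction as the rule
                break
            if rule.covers(dst_net, src_net):
                # traffic from the far side of the rule; across NAT the
                # rule's source side is hidden, so only published services exist
                inbound_nat = rule.relation == "NAT"
                break
        else:
            return False, "no network rule between the networks: dropped"
        if inbound_nat:
            if protocol not in ("TCP", "UDP"):
                return False, f"{protocol} cannot be published across a NAT relationship"
            for p in self.publishing_rules:
                if p.protocol == protocol and p.port == port and p.internal_ip == dst_ip:
                    return True, f"server publishing rule '{p.name}' on {p.listener_ip}:{p.port}"
            return False, "no server publishing rule for this service"
        key = protocol if port is None else f"{protocol}/{port}"
        for a in self.access_rules:
            if a.source == src_net and a.destination == dst_net and key in a.protocols:
                return True, f"access rule '{a.name}'"
        return False, "no access rule allows this protocol"


def chanaka_policy():
    """The three network rules Chanaka listed, plus an assumed OWA publishing
    rule and an assumed access rule for users of ISA's own VPN."""
    nat_sources = frozenset({"Internal", "VPN Clients", "Quarantined VPN Clients"})
    return IsaPolicy(
        network_rules=[
            NetworkRule("Local Host Access", frozenset({"Local Host"}), frozenset({"*"}), "Route"),
            NetworkRule("VPN Clients to Internal Network",
                        frozenset({"VPN Clients", "Quarantined VPN Clients"}),
                        frozenset({"Internal"}), "Route"),
            NetworkRule("Internet Access", nat_sources, frozenset({"External"}), "NAT"),
        ],
        publishing_rules=[   # assumption: OWA published on the ISA external IP
            PublishingRule("OWA", "192.168.10.2", "TCP", 443, "192.168.187.10"),
        ],
        access_rules=[       # assumption: what ISA's own VPN users may do
            AccessRule("VPN users to LAN", "VPN Clients", "Internal",
                       frozenset({"ICMP", "TCP/445", "TCP/443"})),
        ],
    )


if __name__ == "__main__":
    pol = chanaka_policy()
    # a Checkpoint VPN user arrives on ISA's External network; an ISA PPTP
    # user lands in the VPN Clients network, which has a Route relationship
    for args in [("External", "Internal", "192.168.187.1", "ICMP"),
                 ("External", "Internal", "192.168.187.10", "TCP", 443),
                 ("External", "Internal", "192.168.187.1", "TCP", 445),
                 ("VPN Clients", "Internal", "192.168.187.1", "ICMP"),
                 ("VPN Clients", "Internal", "192.168.187.1", "TCP", 445)]:
        print(args, "->", pol.can_reach(*args))
```

The model reproduces the symptom in the thread: from the Checkpoint tunnel the client sits on the ISA External network, so ping to the PDC is refused because ICMP has no publishing rule and cannot have one, while the published OWA listener is reachable and SMB is not. The same client coming in through ISA's own VPN is matched by the Route rule and the access rule, which is why Stefaan recommends moving the VPN endpoint rather than hunting for a port to open.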