Welcome to ISAserver.org


VPN client routing to remote sites

VPN client routing to remote sites - 13.Jul.2008 12:56:10 PM   
JeffVandervoort

 

ISA 2004 SE VPN Server at main office
ISA 2006 EE at branch offices
Site-to-site VPN connection between all offices

Each office on its own subnet, of course, and VPN also on its own subnet.

All offices have connectivity to each other, and VPN Clients have connectivity to MO (where the VPN server is). But VPN Clients do not have connectivity to the BOs.

MO ISA logs show VPN Client connections are permitted to BO destinations, but BO ISA logs show all connections from VPN Clients being denied with this Result Code: 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED.

I've created an (Internal) Enterprise Network named "Enterprise VPN Clients" consisting of the address range assigned to VPN Clients, and have added that Enterprise Network to the Enterprise Network Rules with a Route relationship to all MO/BO networks as both Source and Destination. A corresponding Network Rule is in place on ISA SE at the MO (the VPN Server).

An Enterprise Access Rule is also set up for VPN Clients to access the BOs, but is not being processed at this point, I gather because the packets are dropped as spoofed before they get far enough to have Access Rules applied.

How do I configure ISA at the BOs to not consider these packets as spoofed?

FWIW, 2 of the BOs' VPN Endpoints are RRAS instead of ISA. I added the VPN Client subnet as a Static Route and have connectivity from VPN Clients through ISA at the MO. So I'm fairly certain it's something I'm doing wrong configuring the Network definition at the ISA EE BOs.

Anticipating an objection: I realize it would be more efficient to set up each BO as a VPN Server and have users connect to all of them. And this problem would go away. But VPN Client access to remote sites is only a very occasional need, so I'd rather just route through the MO than set up 5 additional VPN Servers and reconfigure CMAK connections on all computers to add connections, and will live with the performance hit.

[Edited to better describe the system.]

< Message edited by JeffVandervoort -- 13.Jul.2008 6:42:35 PM >
Post #: 1
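The symptom in the post above can be reproduced with a simplified model of interface-bound source validation. This is an added example, not part of the original post and not ISA's own code. It assumes the branch firewall accepts a packet only when its source address lies in the address ranges of the network bound to the interface it arrived on; all network names and address ranges are constructed.

```python
import ipaddress

def spoof_check(networks, arriving_on, src_ip):
    """Return (verdict, owner). Accept only if src_ip lies in the address
    ranges of the network bound to the interface the packet arrived on."""
    src = ipaddress.ip_address(src_ip)
    owner = None
    for name, cidrs in networks.items():
        if any(src in ipaddress.ip_network(c) for c in cidrs):
            owner = name
            break
    verdict = "accept" if owner == arriving_on else "spoofed"
    return verdict, owner

# Constructed address plan (hypothetical, not taken from the post).
VPN_CLIENT = "10.9.0.15"  # address handed out from the main-office VPN pool
TUNNEL = "MainOffice-S2S"  # hypothetical name of the branch's remote site network

# Branch firewall as first described: the pool appears in no network.
BO_BEFORE = {
    "Internal": ["10.2.0.0/24"],
    TUNNEL: ["10.1.0.0/24"],
}
# Pool defined as its own network, separate from the tunnel's network.
BO_SEPARATE = dict(BO_BEFORE, **{"VPN-Clients-Pool": ["10.9.0.0/24"]})
# Pool added to the address ranges of the tunnel's remote site network.
BO_MERGED = {
    "Internal": ["10.2.0.0/24"],
    TUNNEL: ["10.1.0.0/24", "10.9.0.0/24"],
}

def run_cases():
    """Evaluate the same VPN client packet against each branch definition."""
    cases = [("before", BO_BEFORE), ("separate", BO_SEPARATE), ("merged", BO_MERGED)]
    return {label: spoof_check(nets, TUNNEL, VPN_CLIENT) for label, nets in cases}

if __name__ == "__main__":
    for label, (verdict, owner) in run_cases().items():
        print(f"{label:9} src={VPN_CLIENT} owner={owner} -> {verdict}")
```

In this model the packet is accepted only once the VPN client range belongs to the network tied to the tunnel it arrives through; defining the range as a separate network still fails the check.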
