Welcome to ISAserver.org

ISA filtering VPN traffic (PPTP demand-dial)

ISA filtering VPN traffic (PPTP demand-dial) - 11.Jul.2004 11:38:00 PM   
KevinSawyer

 

My ISA LAT contains 192.168.X.X. My main network is 192.168.1.X. I have networks at six remote offices with addresses 192.168.n.X where "n" is 2 through 7. RRAS is configured for demand-dial/persistent VPN to these remote networks (each remote network is connected to the Internet via a NAT router that is also a VPN gateway).

Everything was working until last weekend when I upgraded from SBS2000 to SBS2003 and applied all available service packs and hotfixes.

From any SNAT host in 192.168.1.X I am able to ping any host in the remote 192.168.n.X networks. Therefore, routing works fine. I am able to Remote Desktop (RDP) from hosts in 192.168.1.X to hosts in 192.168.n.X. Therefore, TCP packets are definitely being routed (not just ICMP). However, I have a UNIX-based SNAT client in 192.168.1.X that is not able to print to printer servers via RAW TCP/9100 in the 192.168.n.X networks. This traffic is being filtered by the Microsoft Firewall Service (if I stop the Microsoft Firewall Service, printing works flawlessly). Yes, all IP traffic is allowed for SNAT clients and there is a protocol definition for TCP/9100, but this should not be needed since all remote/VPN networks are in the LAT. I am also unable to TELNET or FTP to the printer servers in the remote networks unless I stop the Microsoft Firewall Service. Disabling packet filtering does not fix it.

KEEP IN MIND that this all worked fine under SBS2000 (except that RRAS routing would periodically choke -- the connections stayed up and I could ping the remote VPN endpoints but could not ping hosts beyond them until the connections were reset -- it did not happen on all VPN connections at the same time but was random). The demand-dial VPN connections seem much more solid now except for this damned filtering issue.

The Access Policies under ISA2000 did not change when I upgraded to SBS2003 (I did not re-run ISA setup as part of the SBS2003 Premium installation), nor did the Protocol Definitions. NAT is not enabled in RRAS. No filtering has been enabled on RRAS interfaces. There is nothing related in my firewall or packet filter logs.

I've scoured the 'net for hints over the past seven days to no avail. I'm no amateur...I feel I have a very good understanding and command usage of the underlying concepts involved. Nevertheless, this one is kicking my ass.

Any/all expert help would be appreciated.

--Kevin

[ July 12, 2004, 07:02 AM: Message edited by: Kevin Sawyer ]