Welcome to ISAserver.org

ISA filtering VPN traffic (demand-dial PPTP)

ISA filtering VPN traffic (demand-dial PPTP) - 12.Jul.2004 7:51:00 AM   
KevinSawyer (Posts: 15, Joined: 26.May2004, From: Fairview Heights, IL, USA)
My ISA LAT contains 192.168.X.X. My main network is 192.168.1.X. I have networks at six remote offices with addresses 192.168.n.X where "n" is 2 through 7. RRAS is configured for demand-dial/persistent VPN to these remote networks (each remote network is connected to the Internet via a NAT router that is also a VPN gateway).

Everything was working until last weekend when I upgraded from SBS2000 to SBS2003 and applied all available service packs and hotfixes.

From any SNAT host in 192.168.1.X I am able to ping any host in the remote 192.168.n.X networks. Therefore, routing works fine. I am able to Remote Desktop (RDP) from hosts in 192.168.1.X to hosts in 192.168.n.X. Therefore, TCP packets are definitely being routed (not just ICMP). However, I have a UNIX-based SNAT client in 192.168.1.X that is not able to print to printer servers via RAW TCP/9100 in the 192.168.n.X networks. This traffic is being filtered by the Microsoft Firewall Service (if I stop the Microsoft Firewall Service, printing works flawlessly). Yes, all IP traffic is allowed for SNAT clients and there is a protocol definition for TCP/9100, but this should not be needed since all remote/VPN networks are in the LAT. I am also unable to TELNET or FTP to the printer servers in the remote networks unless I stop the Microsoft Firewall Service. Disabling packet filtering does not fix it.

KEEP IN MIND that this all worked fine under SBS2000 (except that RRAS routing would periodically choke -- the connections stayed up and I could ping the remote VPN endpoints but could not ping hosts beyond them until the connections were reset -- it did not happen on all VPN connections at the same time but was random). The demand-dial VPN connections seem much more solid now except for this damned filtering issue.

The Access Policies under ISA2000 did not change when I upgraded to SBS2003 (I did not re-run ISA setup as part of the SBS2003 Premium installation), nor did the Protocol Definitions. NAT is not enabled in RRAS. No filtering has been enabled on RRAS interfaces. There is nothing related in my firewall or packet filter logs.

I've scoured the 'net for hints over the past seven days to no avail. I'm no amateur...I feel I have a very good understanding and command usage of the underlying concepts involved. Nevertheless, this one is kicking my ass.

Any/all expert help would be appreciated.

--Kevin
Post #: 1
RE: ISA filtering VPN traffic (demand-dial PPTP) - 16.Jul.2004 5:26:00 AM   
KevinSawyer (Posts: 15, Joined: 26.May2004, From: Fairview Heights, IL, USA)
OK, I guess I have all of you completely baffled here. I've learned a bit more but I don't have enough to fix the problem yet...

I have a LAN printer server appliance on 192.168.3.50. It has an embedded telnet server for monitoring. Its default gateway is 192.168.3.1 which is the LAN interface on a VPN router at a branch office/warehouse. My SBS2003/ISA2000 server has a demand-dial PPTP interface that creates a VPN tunnel between 192.68.1.X and 192.168.3.X.

If I stop the Microsoft Firewall Service then start Routing and Remote Access Service, I am able to establish a telnet connection to the LAN printer server appliance (192.168.3.50) from the SBS/ISA server (192.168.1.20) and from any other SecureNAT Clients or Firewall Clients within the 192.168.1.X network). As soon as I start the Microsoft Firewall Service I am no longer able to establish a telnet connection to 192.168.3.50. However, I am still able to ping that IP address.

I enabled and started the Microsoft Telnet Service on a Windows XP Pro system with address 192.168.3.102 and I am able to establish a telnet connection to it with no problems. This means that telnet protocol connections in general are not being filtered by the Microsoft Firewall Service. So, I decided to take a closer look at the packets involved.

I used the Network Monitoring utility to capture packets traversing the demand-dial VPN/PPTP interface that creates the tunnel between the 192.168.1.X and 192.168.3.X networks. I learned that telnet packets are making it to the LAN printer server appliance at 192.168.3.50 and response packets are arriving but never being delivered to the application. The response packet from the LAN printer server appliance has the SYN, ACK and PSH TCP flags set. The response packet from the Microsoft Telnet Service under Windows XP Pro only has SYN and ACK TCP flags set.

I believe that the problem here lies within the Microsoft Packet Filter Extension Driver. For some reason it is dropping packets with the SYN, ACK, and PSH TCP flags enabled. However, this is never logged anywhere. I do not believe that this behavior is by design. I am starting to believe that it is probably a bug in MSPFLTEX.SYS that has yet to be identified and addressed. I can find no evidence that these TCP flags should not be used together. There is no reason to assume that it is some sort of SYN attack.

I'd really like a response from anyone out there that has any thoughts.

--Kevin

(in reply to KevinSawyer)
Post #: 2
RE: ISA filtering VPN traffic (demand-dial PPTP) - 9.Oct.2004 6:16:00 PM   
KevinSawyer (Posts: 15, Joined: 26.May2004, From: Fairview Heights, IL, USA)
Looks like I officially found a "bug" in ISA Server. Microsoft has issued me a Hotfix for this problem. It will allow you to set a registry value to disable TCP flag checking. So basically, ISA Server assumes that packets with the ACK, PSH, and SYN TCP flags all set at the same time must be some sort of attack (WRONG).

Cheers!

--Kevin

(in reply to KevinSawyer)
Post #: 3
RE: ISA filtering VPN traffic (demand-dial PPTP) - 10.Oct.2004 2:14:00 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium)
Hi Kevin,

waw... thanks for the excellent info!

Stefaan

(in reply to KevinSawyer)
Post #: 4
RE: ISA filtering VPN traffic (demand-dial PPTP) - 27.Oct.2004 2:03:00 AM   
Guest
Any chance of getting this Registry entry info... Calling in to M$ to go through their BS for a fix to try out is a pain...

(in reply to KevinSawyer)
  Post #: 5
RE: ISA filtering VPN traffic (demand-dial PPTP) - 3.Nov.2004 7:32:00 AM   
KevinSawyer (Posts: 15, Joined: 26.May2004, From: Fairview Heights, IL, USA)
It turns out that the "bug" isn't actually in ISA Server but is in IPNAT.SYS (kernel mode driver). This driver is used by RRAS in Windows Server 2003 and even Windows XP's Internet Connection Sharing (ICS). Microsoft will be releasing a new IPNAT.SYS that will allow you to change registry entries to toggle whether or not it does any TCP flag checking. Apparently the current IPNAT.SYS will filter packets with ACK+PSH+SYN TCP flags set. It seems that every print server appliance sets those flags on all raw TCP packets.

If you have an ISA Server or any other Microsoft-based IP NAT configured on Windows Server 2003 (including SBS 2003) or Windows XP and that machine also has a shared print queue that spools via raw TCP (port 9100, I believe) to an Ethernet/IP print server appliance, the packets will get dropped. I'm sure there are some frustrated SBS 2003 administrators who have a few printers on LinkSys or DLink print servers that are supposed to be accessible via a shared queue on the SBS 2003...

I'd post the registry entries but they are useless without the replacement IPNAT.SYS. Watch for a hotfix from Microsoft with instructions.

(in reply to KevinSawyer)
Post #: 6
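The flag check Kevin describes in posts #2 and #6, modelled as an added Python example (not from the thread and not Microsoft's driver code; the "strict" rule is an assumption of what the pre-hotfix filter did, and the sample segments are constructed from the captures he describes): it parses the TCP flag byte of a raw segment and shows that a filter treating SYN+ACK+PSH as an attack signature drops the print server appliance's legitimate handshake reply, while a filter restricted to combinations no conforming stack emits lets it through.

```python
import struct

# TCP flag bits in header byte 13 (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def make_segment(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte TCP header plus payload (constructed sample, checksum left 0)."""
    seq, ack, window, checksum, urg = 1000, 2000, 8192, 0, 0
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         5 << 4,        # data offset = 5 words, no options
                         flags, window, checksum, urg)
    return header + payload

def tcp_flags(segment: bytes) -> int:
    """Extract the flag byte from a raw TCP segment whose header starts at offset 0."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def strict_filter_drops(segment: bytes) -> bool:
    """Assumed model of the behaviour reported in the thread: SYN, ACK and PSH
    set together is treated as hostile and the segment is silently dropped."""
    f = tcp_flags(segment)
    return f & (SYN | ACK | PSH) == (SYN | ACK | PSH)

def sane_filter_drops(segment: bytes) -> bool:
    """Drop only combinations no legitimate stack emits: no flags at all,
    SYN with FIN, or SYN with RST. SYN+ACK, with or without PSH, is a normal
    handshake reply and passes."""
    f = tcp_flags(segment)
    if f == 0:
        return True
    return bool(f & SYN) and bool(f & (FIN | RST))

# Constructed samples modelled on the two replies captured in post #2
PRINTER_REPLY = make_segment(9100, 49152, SYN | ACK | PSH, b"\x00")  # print server appliance
XP_TELNET_REPLY = make_segment(23, 49153, SYN | ACK)                  # Windows XP telnet service
SYN_FIN_PROBE = make_segment(9100, 49154, SYN | FIN)                  # never legitimate

def classify(segment: bytes) -> dict:
    """Report the flag byte and what each filter model would do with the segment."""
    return {"flags": tcp_flags(segment),
            "strict_drops": strict_filter_drops(segment),
            "sane_drops": sane_filter_drops(segment)}

if __name__ == "__main__":
    for name, seg in [("printer", PRINTER_REPLY), ("xp_telnet", XP_TELNET_REPLY),
                      ("syn_fin", SYN_FIN_PROBE)]:
        print(name, classify(seg))
```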
RE: ISA filtering VPN traffic (demand-dial PPTP) - 4.Nov.2004 1:12:00 PM   
YeOldeStonecat (Posts: 45, Joined: 6.Jan.2003)
Hi Kevin, I'm experiencing an issue which your setup appears to have working...just curious if you did any steps specifically towards Remote Desktop once the VPN connection is established.

WinXPp machine behind a fresh install of SBS2K3, running ISA 2K with sp1, fp1, and sp2. All Windows updates, default ISA2K install. Firewall clients on all workstations, normal web and various other applications seem to be working fine.

SBS2K3 box running dual NICs, WAN NIC right to bridged DSL modem. Prior to this, was running SBS2K with single NIC, no ISA, all behind a Netopia NAT router.

On the WinXPp desktop, I had a native Windows VPN shortcut to my office, hitting a Cisco for VPN access. Office is 10.50.1.XXX. Used to connect to the VPN, then Remote Desktop to my workstation at the office through the VPN connection.

Well, since ISA went back in this weekend, I can still connect fine to the VPN, and I can ping the IP of my workstation, and get replies.

But...Remote Desktop cannot connect. Yet...I can connect with Remote Desktop out to someone else on the internet, I had a friend forward the ports on his router to their server, and I connected fine. Yet I can no longer connect to my office desktop.

I do have:
- IP routing enabled in the IP packet filter properties.
- PPTP passthrough enabled in the IP packet filter properties.

(in reply to KevinSawyer)
Post #: 7
RE: ISA filtering VPN traffic (demand-dial PPTP) - 4.Nov.2004 1:24:00 PM   
YeOldeStonecat (Posts: 45, Joined: 6.Jan.2003)
Disregard, found if I disable the firewall client in my systray, I can connect fine.

(in reply to KevinSawyer)
Post #: 8
