
Bypass ISA with FWC installed

Bypass ISA with FWC installed - 19.Feb.2007 12:28:00 PM   
provtcnelson

 

Posts: 9
Joined: 12.Feb.2007
Status: offline
Hi,

Am new to this group (and ISA), so hopefully this is clear. We have ISA 2006 and recently deployed the FWC to our users. This breaks some user connections to a VPN via PIX. We have network routes (in router) in place to point the destination VPN nets directly to the PIX which worked OK before installing FWC. FWC appears to send this traffic to ISA as expected. However, I tried adding the VPN networks to the 'Internal' network properties Web browser 'direct access' section and the Addresses section to no avail. I also tried adding the addresses to the local host file on ISA and gave it an address1.testdomain.com entry. Then added this domain to the domains tab (as this is the only tab that refers to exceptions for the FWC instead of the browser). Still no good. ISA client logging still shows traffic being denied at ISA.

So bottom line ... is there a way to bypass ISA for certain network destinations for an XP user with the FWC installed?

Tom 
Post #: 1
RE: Bypass ISA with FWC installed - 19.Feb.2007 1:46:34 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

check out How to pass IPSec traffic through ISA Server, in particular section 4. Configuring ISA Clients.

HTH,
Stefaan

(in reply to provtcnelson)
Post #: 2
RE: Bypass ISA with FWC installed - 19.Feb.2007 2:21:36 PM   
provtcnelson

 

Posts: 9
Joined: 12.Feb.2007
Status: offline
Thanks Stefaan,

After a brief review that looks like where we would want to get to, but was looking for a quick fix around ISA. The PIX rule for the VPN is pointed to an interface not connected to ISA. So to implement via that article, I would need to engage the vendor at the other end of the VPN and interrupt our connection to work through it.
Was hoping for some setting to get ISA to ignore this traffic and let the router handle it internally like the Web Proxy allows for.

Tom

(in reply to spouseele)
Post #: 3
RE: Bypass ISA with FWC installed - 19.Feb.2007 3:04:13 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

quote:

So to implement via that article, I would need to engage the vendor at the other end of the VPN and interrupt our connection to work through it.

Where is that suggested?

If it works before installing the FWC then you need only configure those destinations for direct access, that means in the Web Proxy *and* the Firewall client.

HTH,
Stefaan

(in reply to provtcnelson)
Post #: 4
RE: Bypass ISA with FWC installed - 19.Feb.2007 6:45:49 PM   
provtcnelson

 

Posts: 9
Joined: 12.Feb.2007
Status: offline
Hi back,

This did work before installing the FWC, and does work if you disable it. I did try your suggestion as best I could find it. In the ISA mgmt tool under Configuration > Networks, I selected Internal > properties. On the Web Browser tab I added the addresses to the box under 'directly access these servers or domains'. The 'Firewall Client' tab does not have any place to add addresses. I found under the 'Domains' tab, it says 'Firewall Clients will not use ISA Server when connecting to these domains'.
It does not allow addresses, and the server IPs are not in external DNS. So I added entries in our DNS server (that ISA queries) as Server1.ourdomain.com and server2.ourdomain.com. In this 'Domains' tab we already had an entry for *.ourdomain.com so I was hoping this would work. When logging for my client IP, I still get a deny message for one of the server#.ourdomain.com IPs. I would expect this as I have no rule to allow it through, but my current goal was to avoid ISA altogether for the time being.

Tom

(in reply to spouseele)
Post #: 5
RE: Bypass ISA with FWC installed - 20.Feb.2007 3:28:53 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I suggest you re-read that section in my article very carefully!

For the Web Proxy client you have to configure direct access for the domains/IPs reachable through the VPN. You can do this centrally on the ISA server in the Web Browser tab.

For the Firewall client you have to configure direct access for the IPs reachable through the VPN. There are two ways you can do that. If it involves only a small number of workstations, I would use a 'locallat.txt' file on the workstation itself. However, if it involves all workstations you could tell ISA that those IPs belong to the internal network. The result is nearly the same.

BTW --- use the fwctool command to verify what the Firewall client considers as LAT.

HTH,
Stefaan

(in reply to provtcnelson)
Post #: 6
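
An added example, not part of Stefaan's post or of ISA Server itself: a Python check of which destinations a Firewall Client would reach directly, given the contents of a locallat.txt file. It assumes the file holds one start/end IPv4 address pair per line; the sample file contents and destination addresses are constructed.

```python
import ipaddress

# Constructed sample of a locallat.txt file: one "start end" IPv4 pair per line.
# The addresses are illustrative and do not come from the thread.
SAMPLE_LOCALLAT = """\
192.168.50.0    192.168.50.255
10.20.30.40     10.20.30.40
10.9.0.255      10.9.0.0
not-an-address  10.1.1.1
"""

def parse_locallat(text):
    """Return (ranges, problems): usable (start, end) pairs and rejected lines."""
    ranges, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            problems.append((lineno, "expected two addresses"))
            continue
        try:
            start, end = (ipaddress.IPv4Address(p) for p in parts)
        except ipaddress.AddressValueError:
            problems.append((lineno, "invalid IPv4 address"))
            continue
        if start > end:
            problems.append((lineno, "start is above end"))
            continue
        ranges.append((start, end))
    return ranges, problems

def is_direct(dest, ranges):
    """True if dest falls in a listed range, i.e. is treated as local (no ISA)."""
    addr = ipaddress.IPv4Address(dest)
    return any(start <= addr <= end for start, end in ranges)

if __name__ == "__main__":
    ranges, problems = parse_locallat(SAMPLE_LOCALLAT)
    for dest in ("192.168.50.17", "10.20.30.40", "10.9.0.12"):
        print(dest, "direct" if is_direct(dest, ranges) else "via ISA")
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
```

Every range listed this way is traffic the firewall never sees or logs, so keep the entries as narrow as the VPN destinations require.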
RE: Bypass ISA with FWC installed - 20.Feb.2007 7:10:55 PM   
provtcnelson

 

Posts: 9
Joined: 12.Feb.2007
Status: offline
Stefaan,

Thanks for the info on the fwctool. This really helped me. I had put the VPN networks in the 'addresses' tab for my Internal network. Using the fwctool, I found they were not making it to the client. After a little digging, I found an article that states after making such a change in ISA, the firewall client only updates itself on reboot, 6 hour interval, or a 'manual refresh is activated on the firewall client computer' (they did not elaborate on how to do this ... a disable/enable of the client didn't seem to do it).
So, I had the modification correct, but I did not know the update needed 'forcing' or wait 6 hours to become effective on the FWC computer.
This seems to have worked. Thanks again for your help, it has been very much appreciated.

Tom

(in reply to spouseele)
Post #: 7
RE: Bypass ISA with FWC installed - 21.Feb.2007 2:15:15 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

good to hear you have it working and thanks for the follow up!

Stefaan

(in reply to provtcnelson)
Post #: 8
