Welcome to ISAserver.org
Outbound VPN through ISA 2004
Outbound VPN through ISA 2004 - 21.Apr.2007 6:56:32 AM   
ASHRID

 

Posts: 68
Joined: 6.Nov.2001
From: Southampton, Hampshire, UK
Status: offline
I've just upgraded from ISA 2000 to 2004 and have encountered a small problem.

Previously I could PPTP VPN out through my ISA server, however since the upgrade this is no longer working.

I've created an outbound PPTP rule which allows the VPN to connect; unfortunately I don't appear to be getting any traffic across the link.
Post #: 1
RE: Outbound VPN through ISA 2004 - 7.May2007 8:53:42 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Is this a name resolution problem?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ASHRID)
Post #: 2
RE: Outbound VPN through ISA 2004 - 15.May2007 8:20:09 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
I have just been working with Microsoft on a similar problem.  Do you have a NAT ADSL or other broadband router providing your connection to the Internet?

If you do it may not be handling the PPTP Call ID properly and if so ISA will just drop the connection.  I am working on either replacing all my routers or getting the vendor to resolve it through firmware.

(in reply to tshinder)
Post #: 3
RE: Outbound VPN through ISA 2004 - 16.May2007 10:41:43 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MP,

So the problem is that the PPTP NAT editor on the broadband NAT device is broken?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 4
RE: Outbound VPN through ISA 2004 - 16.May2007 10:47:43 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
That's the theory being put forward by Microsoft.  To confirm this I need to do some tracing for them which I will be doing soon.  I have also asked the supplier to comment.

The routers play happily with other routers and firewalls, just not ISA. I also have other (non-PPTP) VPN issues with a user getting disconnections and errors about routing tables changing; not sure if it is related, as I currently am not using the NAT routers and PPTP works OK but the other VPN problem persists.

(in reply to tshinder)
Post #: 5
RE: Outbound VPN through ISA 2004 - 16.May2007 9:07:09 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MP,

Well, keep us up to date on what you find out. It should be interesting!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 6
RE: Outbound VPN through ISA 2004 - 23.May2007 9:58:13 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
I have done the traces and am waiting for Microsoft to get back to me.

I have also contacted the manufacturer and supplier of the router and they are looking into it for me.  I found that this particular router can only support a single VPN pass through connection at any one time, so this might limit my use of this model anyway.

There are other routers from SnapGear and Draytek that might be a better solution, guess I will have to persist and try them all.

Will update when I have news from Microsoft, etc.

(in reply to tshinder)
Post #: 7
RE: Outbound VPN through ISA 2004 - 23.May2007 11:21:38 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MP,

Thanks for the update! I know that the Windows RRAS and ISA both support multiple outbound PPTP connections as I've tested that scenario. Maybe you can put a Windows RRAS NAT in front of the ISA Firewall :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 8
RE: Outbound VPN through ISA 2004 - 24.May2007 9:31:53 PM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
It seems MS's suspicions were correct... so now I need to try a firmware patch and then, if that doesn't work, buy a new router to test (any recommendations on good dual-WAN routers with the ability to do failover as well as protocol binding?). This is the response I got from them:

Frame 1531: Local VPN client (192.168.x.y) tried to set the Caller ID to 512.
Frame 1540: Remote VPN server accepted the original Caller ID and initiated a new Caller ID, 51136.
Frame 1542: Local VPN client accepted the new Caller ID 51136 and tried to "set link info".
Frame 1580: Remote VPN server responded with "set link info" and the original Caller ID is suddenly changed to 53380.

From this frame, we clearly know that it is your router which changes the original Caller ID, so ISA rejects the session and drops the packet.

This is actually not an ISA defect but a security enhancement on ISA Server.

The ISA server needs to map and translate these PPTP packets and pass them on to the inside network. For this we use the 'Call ID' and remote IP address as our NAT mapping key. However, the hardware router ignores the Caller ID sent by the remote VPN server and replaces it with its own Caller ID (according to the netmon traces), so the ISA server is unable to find the correct NAT mapping and the packet is dropped by the NAT/PPTP module.

Actually, in PPTP traffic, the Caller ID is important to identify the network host and transfer the data. Matching the correct Caller ID is important to ensure the security of PPTP traffic.

Furthermore, checking the Caller ID is a hard-coded security feature of ISA Server; we cannot simply disable it by a registry hack. So the only solution currently for you is to change the hardware router.

(in reply to tshinder)
Post #: 9
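To show why the drop the Microsoft engineer describes happens, here is an added example (not code from the thread, from ISA Server, or from the router vendor): a minimal PPTP control-message parser using the RFC 2637 field layout, and a simplified NAT table keyed on (remote IP, Call ID) in the spirit of the quoted explanation, replayed over the four frames the trace lists. The IP addresses and message bodies are constructed, the model does not rewrite Call IDs, and it assumes the field the router altered was the Peer's Call ID in the inbound Set-Link-Info message.

```python
import struct
# RFC 2637: magic cookie, the control message types seen in the trace, and the
# 12-byte control header (Length, Message Type 1 = control, Magic, Control Type, Reserved0).
MAGIC, HDR = 0x1A2B3C4D, "!HHIHH"
OUT_CALL_REQUEST, OUT_CALL_REPLY, SET_LINK_INFO = 7, 8, 15

def build(ctrl_type, body):
    """Prefix a message body with the PPTP control header."""
    return struct.pack(HDR, 12 + len(body), 1, MAGIC, ctrl_type, 0) + body

def parse(pkt):
    """Return (control type, Call ID, Peer's Call ID); a field the type lacks is None."""
    length, msg_type, magic, ctrl_type, _ = struct.unpack_from(HDR, pkt)
    if magic != MAGIC or msg_type != 1 or length != len(pkt):
        raise ValueError("not a well-formed PPTP control message")
    if ctrl_type == OUT_CALL_REQUEST:  # caller chooses its Call ID
        return ctrl_type, struct.unpack_from("!H", pkt, 12)[0], None
    if ctrl_type == OUT_CALL_REPLY:    # callee's Call ID, then the caller's echoed back
        return (ctrl_type,) + struct.unpack_from("!HH", pkt, 12)
    if ctrl_type == SET_LINK_INFO:     # carries only the Peer's Call ID
        return ctrl_type, None, struct.unpack_from("!H", pkt, 12)[0]
    return ctrl_type, None, None

class PptpNat:
    """Simplified PPTP NAT table: inbound control traffic is mapped to the inside host
    by (remote server IP, Call ID naming that host). Call IDs are assumed unique."""
    def __init__(self):
        self.calls = {}  # (server_ip, inside_call_id) -> client_ip

    def outbound(self, client_ip, server_ip, pkt):
        ctrl, call_id, _ = parse(pkt)
        if ctrl == OUT_CALL_REQUEST:
            self.calls[(server_ip, call_id)] = client_ip
        return "forward"

    def inbound(self, server_ip, pkt):
        ctrl, _, peer = parse(pkt)
        if ctrl in (OUT_CALL_REPLY, SET_LINK_INFO) and (server_ip, peer) not in self.calls:
            return "drop"  # Peer's Call ID names no call this firewall set up
        return "forward"

def replay_trace(inbound_peer_id=53380):
    """Frames 1531/1540/1542/1580 as the thread describes them; default = router rewrote 512 to 53380."""
    nat, client, server = PptpNat(), "192.168.0.10", "203.0.113.5"  # constructed addresses
    req = build(OUT_CALL_REQUEST, struct.pack("!HH", 512, 1) + bytes(152))
    reply = build(OUT_CALL_REPLY, struct.pack("!HHBBHIHHI", 51136, 512, 1, 0, 0, 0, 64, 0, 0))
    sli_out = build(SET_LINK_INFO, struct.pack("!HHII", 51136, 0, 0, 0))
    sli_in = build(SET_LINK_INFO, struct.pack("!HHII", inbound_peer_id, 0, 0, 0))
    return [nat.outbound(client, server, req), nat.inbound(server, reply),
            nat.outbound(client, server, sli_out), nat.inbound(server, sli_in)]
```

Calling replay_trace() with the default yields three forwards and a final drop on frame 1580; passing 512 (the untouched Peer's Call ID) forwards all four, which is the behaviour the firmware fix later restored.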
RE: Outbound VPN through ISA 2004 - 25.May2007 4:35:23 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
Hi Money Penney,
I know that it is late now, but if you had posted the traces here (of course, if you could do this) we would have answered this for free with pretty much the same answer.
quote:

checking the Caller ID is a hard-coded security feature of ISA Server; we cannot simply disable it by a registry hack.

This would be plain stupid because it will break RFC 2637.
It is an old wish of mine to explain bit by bit the operations of PPTP and L2TP/IPSec in the context of ISA and put it on the Internet, and actually I have written something on this. Maybe in a month I will be able to finish it.
Best Regards!

(in reply to Money Penney)
Post #: 10
RE: Outbound VPN through ISA 2004 - 25.May2007 4:39:22 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Thanks for that, luckily I don't have to pay for this type of support from Microsoft.  Also as there is a lot of information that can be gleaned from the trace logs (I did not have time to sterilise them or just filter the relevant bits) it was a safer bet to secure FTP them to Microsoft.

Would be keen to see that article, I have to admit VPN and WAN is not my strong point when I have to go outside of what I do day to day (but always keen to gain knowledge).

Cheers
Mark

(in reply to justmee)
Post #: 11
RE: Outbound VPN through ISA 2004 - 25.May2007 1:06:01 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

Thanks for the update!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 12
RE: Outbound VPN through ISA 2004 - 1.Jun.2007 11:07:45 PM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
A firmware update from the manufacturer to specifically solve this problem was sent to me and so far it is working well.  I have to say that they worked quickly to help me resolve this once I got their attention.  I since learned that this router only supports a single VPN pass through connection at a time (in either direction) so this creates another issue for me, even though this PPTP pass through problem has been resolved.

So now I need to find an alternative that has similar functions.

(in reply to tshinder)
Post #: 13
RE: Outbound VPN through ISA 2004 - 2.Jun.2007 1:04:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi MP,

Thanks! I think this problem is more prevalent than most people think.

You can always use a Windows Server 2003 RRAS box, that allows unlimited inbound and outbound PPTP passthrough connections.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 14
RE: Outbound VPN through ISA 2004 - 3.Jun.2007 1:53:40 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Yes, but using a Windows 2003 RRAS box would be several orders of magnitude more expensive, require much more administration overhead, be more complex to manage, and I am not sure it would handle protocol binding as well as load balancing and failover and some of the other features that a more dedicated router would provide.

I have found some other devices that provide dual WAN and multiple VPN pass through, however they don't quite have the same feature set.

Cheers
Mark

(in reply to tshinder)
Post #: 15
RE: Outbound VPN through ISA 2004 - 3.Jun.2007 10:24:09 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mark,

I think you might be surprised. I have a couple of customers who decided to go with that decision when Win2k was in beta in 1999 and have been using it since then, along with NLB support. I never touch the boxes, they just update themselves and all is well. Same disk drives, same RAM, same everything for 8 years. And if I ever do need to change the drives, no problem -- it's a totally vanilla install, just reinstall Windows, update, configure RRAS and install the certificate and bam :)

Not something many people would want to do, but these customers swear by its reliability and performance.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Money Penney)
Post #: 16
RE: Outbound VPN through ISA 2004 - 3.Jun.2007 7:36:14 PM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Still a big difference in initial cost, but it's definitely something to consider for the bigger SMB sites.

Cheers!

(in reply to tshinder)
Post #: 17
