Outbound VPN through ISA 2004






ASHRID -> Outbound VPN through ISA 2004 (21.Apr.2007 6:56:32 AM)

I've just upgraded from ISA 2000 to 2004 and have encountered a small problem.

Previously I could PPTP VPN out through my ISA server, however since the upgrade this is no longer working.

I've created an outbound PPTP rule which allows the VPN to connect; unfortunately I don't appear to be getting any traffic across the link.




tshinder -> RE: Outbound VPN through ISA 2004 (7.May2007 8:53:42 AM)

Is this a name resolution problem?

Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (15.May2007 8:20:09 AM)

I have just been working with Microsoft on a similar problem.  Do you have a NAT ADSL or other broadband router providing your connection to the Internet?

If you do it may not be handling the PPTP Call ID properly and if so ISA will just drop the connection.  I am working on either replacing all my routers or getting the vendor to resolve it through firmware.




tshinder -> RE: Outbound VPN through ISA 2004 (16.May2007 10:41:43 AM)

Hi MP,

So the problem is that the PPTP NAT editor on the broadband NAT device is broken?

Thanks!
Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (16.May2007 10:47:43 AM)

That's the theory being put forward by Microsoft.  To confirm this I need to do some tracing for them which I will be doing soon.  I have also asked the supplier to comment.

The routers play happily with other routers and firewalls, just not ISA.  I also have other (non-PPTP) VPN issues with a user getting disconnections and errors about routing tables changing; not sure if it is related, as I currently am not using the NAT routers and PPTP works OK but the other VPN problem persists.




tshinder -> RE: Outbound VPN through ISA 2004 (16.May2007 9:07:09 PM)

Hi MP,

Well, keep us up to date on what you find out. It should be interesting!

Thanks!
Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (23.May2007 9:58:13 AM)

I have done the traces and am waiting for Microsoft to get back to me.

I have also contacted the manufacturer and supplier of the router and they are looking into it for me.  I found that this particular router can only support a single VPN pass-through connection at any one time, so this might limit my use of this model anyway.

There are other routers from SnapGear and Draytek that might be a better solution, guess I will have to persist and try them all.

Will update when I have news from Microsoft, etc.




tshinder -> RE: Outbound VPN through ISA 2004 (23.May2007 11:21:38 AM)

Hi MP,

Thanks for the update! I know that the Windows RRAS and ISA both support multiple outbound PPTP connections as I've tested that scenario. Maybe you can put a Windows RRAS NAT in front of the ISA Firewall :)

Thanks!
Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (24.May2007 9:31:53 PM)

It seems MS suspicions were correct... so now I need to try a firmware patch and then, if that doesn't work, buy a new router to test (any recommendations on good dual WAN routers with the ability to do failover as well as protocol binding?). This is the response I got from them:

Frame 1531, Local VPN client (192.168.x.y) tried to set the Caller ID to 512
Frame 1540, remote VPN server accepted the original Caller ID and initiated a new Caller ID 51136
Frame 1542, Local VPN client accepted the new Caller ID 51136 and tried to "set link info"
Frame 1580, remote VPN server responded with "set link info" and the original Caller ID is suddenly changed to 53380

From this frame, we clearly know that it is your router which changes the original Caller ID, so ISA rejects the session and drops the packet.

This is actually not an ISA defect but a security enhancement on ISA server.

The ISA server needs to map and translate these PPTP packets and pass them on to the inside network. For this we use the 'Call ID' and remote IP address as our NAT mapping key. However, the hardware router ignores the Caller ID sent by the remote VPN server and replaces it with its own Caller ID (according to the netmon traces), so the ISA server is unable to find the correct NAT mapping and the packet is dropped by the NAT/PPTP module.

Actually, in PPTP traffic, the Caller ID is important to identify the network host and transfer the data. Matching the correct Caller ID is important to ensure the security of PPTP traffic.

Furthermore, checking the Caller ID is a hard-coded security feature of ISA server; we cannot simply disable it by registry hack. So, the only solution currently for you is to change the hardware router.
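The Call ID bookkeeping the Microsoft response describes, as an added example (not ISA code and not from any poster in this thread): a model of a NAT/PPTP module that keys its mapping on (remote VPN server IP, Call ID) and replays the four frames above, once with the Call ID the server sent and once with the value rewritten by the router. The control-message layout follows RFC 2637; the server address is a constructed value and the class and function names are hypothetical.

```python
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = 0x1A2B3C4D                      # RFC 2637: present in every control message
OUT_CALL_REQUEST, OUT_CALL_REPLY, SET_LINK_INFO = 7, 8, 15

def build_ctrl(ctype: int, body: bytes) -> bytes:
    # Length, PPTP Message Type (1 = control), Magic Cookie, Control Message Type, Reserved0
    return struct.pack("!HHIHH", 12 + len(body), 1, MAGIC_COOKIE, ctype, 0) + body

def parse_ctrl(pkt: bytes) -> Tuple[int, bytes]:
    length, msg_type, magic, ctype, _ = struct.unpack("!HHIHH", pkt[:12])
    if msg_type != 1 or magic != MAGIC_COOKIE or length != len(pkt):
        raise ValueError("malformed PPTP control message")
    return ctype, pkt[12:]

class PptpNatMapper:
    """Hypothetical model of the NAT/PPTP module: key = (remote server IP, Call ID)."""
    def __init__(self) -> None:
        self.mappings: Dict[Tuple[str, int], str] = {}  # -> internal client address

    def outbound(self, client: str, server: str, pkt: bytes) -> str:
        ctype, body = parse_ctrl(pkt)
        if ctype == OUT_CALL_REQUEST:           # client proposes the Call ID the server must echo
            (call_id,) = struct.unpack("!H", body[:2])
            self.mappings[(server, call_id)] = client
        return "forward"

    def inbound(self, server: str, pkt: bytes) -> str:
        ctype, body = parse_ctrl(pkt)
        if ctype == OUT_CALL_REPLY:             # Call ID, Peer's Call ID, result, error, ...
            peer_call_id = struct.unpack("!HH", body[:4])[1]
        elif ctype == SET_LINK_INFO:            # Peer's Call ID, reserved, send/recv ACCM
            (peer_call_id,) = struct.unpack("!H", body[:2])
        else:
            return "forward"                    # control-connection messages carry no Call ID
        # Unknown Call ID: no internal host can be selected, so the packet is dropped
        return "forward" if (server, peer_call_id) in self.mappings else "drop"

def replay_trace(server_peer_call_id: int) -> List[str]:
    """Replays frames 1531/1540/1542/1580; packets are constructed, server IP is made up."""
    nat, client, server = PptpNatMapper(), "192.168.x.y", "203.0.113.10"
    frames = [
        ("out", build_ctrl(OUT_CALL_REQUEST, struct.pack("!HH", 512, 1) + b"\0" * 152)),
        ("in", build_ctrl(OUT_CALL_REPLY, struct.pack("!HH", 51136, 512) + b"\0" * 16)),
        ("out", build_ctrl(SET_LINK_INFO, struct.pack("!H", 51136) + b"\0" * 10)),
        ("in", build_ctrl(SET_LINK_INFO, struct.pack("!H", server_peer_call_id) + b"\0" * 10)),
    ]
    return [nat.outbound(client, server, p) if d == "out" else nat.inbound(server, p)
            for d, p in frames]
```

`replay_trace(512)` forwards every frame; `replay_trace(53380)` drops the last one, which is the behaviour the netmon trace in the post shows.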




justmee -> RE: Outbound VPN through ISA 2004 (25.May2007 4:35:23 AM)

Hi Money Penney,
I know that it is late now, but if you had posted the traces here (of course, if you could do this) we would have answered this for free with pretty much the same answer.
quote:

checking the Caller ID is hard code based security feature of ISA server, we cannot simply disable it by registry hack.

This would be plain stupid because it would break RFC2637.
It is an old wish of mine to explain bit by bit the operations of PPTP and L2TP/IPSec in the context of ISA and put it on the Internet, and actually I have written something on this. Maybe in a month I will be able to finish it.
Best Regards!




Money Penney -> RE: Outbound VPN through ISA 2004 (25.May2007 4:39:22 AM)

Thanks for that, luckily I don't have to pay for this type of support from Microsoft.  Also as there is a lot of information that can be gleaned from the trace logs (I did not have time to sterilise them or just filter the relevant bits) it was a safer bet to secure FTP them to Microsoft.

Would be keen to see that article, I have to admit VPN and WAN is not my strong point when I have to go outside of what I do day to day (but always keen to gain knowledge).

Cheers
Mark




tshinder -> RE: Outbound VPN through ISA 2004 (25.May2007 1:06:01 PM)

Hi Mark,

Thanks for the update!

Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (1.Jun.2007 11:07:45 PM)

A firmware update from the manufacturer to specifically solve this problem was sent to me and so far it is working well.  I have to say that they worked quickly to help me resolve this once I got their attention.  I have since learned that this router only supports a single VPN pass-through connection at a time (in either direction), so this creates another issue for me, even though this PPTP pass-through problem has been resolved.

So now I need to find an alternative that has similar functions.




tshinder -> RE: Outbound VPN through ISA 2004 (2.Jun.2007 1:04:17 PM)

Hi MP,

Thanks! I think this problem is more prevalent than most people think.

You can always use a Windows Server 2003 RRAS box, that allows unlimited inbound and outbound PPTP passthrough connections.

HTH,
Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (3.Jun.2007 1:53:40 AM)

Yes, but using a Windows 2003 RRAS box would be several orders of magnitude more expensive, require much more administration overhead and be more complex to manage, and I am not sure it would handle protocol binding as well as load balancing and failover and some of the other features that a more dedicated router would provide.

I have found some other devices that provide dual WAN and multiple VPN pass-through; however, they don't quite have the same feature set.

Cheers
Mark




tshinder -> RE: Outbound VPN through ISA 2004 (3.Jun.2007 10:24:09 AM)

Hi Mark,

I think you might be surprised. I have a couple of customers who decided to go with that decision when Win2k was in beta in 1999 and have been using it since then, along with NLB support. I never touch the boxes, they just update themselves and all is well. Same disk drives, same RAM, same everything for 8 years. And if I ever do need to change the drives, no problem -- it's a totally vanilla install, just reinstall Windows, update, configure RRAS and install the certificate and bam :)

Not something many people would want to do, but these customers swear by its reliability and performance.

Tom




Money Penney -> RE: Outbound VPN through ISA 2004 (3.Jun.2007 7:36:14 PM)

Still a big difference in initial cost, but it's definitely something to consider for the bigger SMB sites.

Cheers!



