
HELP!! ***Nat / Route network relationship problem with ISA 2006 ENT ***

HELP!! ***Nat / Route network relationship problem with... - 23.Jul.2007 4:51:15 AM   
robcmk

 

Posts: 33
Joined: 21.Apr.2006
Status: offline
Hi all,

I have a bit of a tricky problem that I could really use some help with. In our current network scenario we have two layers of firewalling, as below:

int networks --- isa 2006 --- checkpoint --- internet
                                                    |
                                                    |
                                                DMZ

Our VPN clients terminate on the ISA server and until recently have been fine; however, we have started receiving reports that VPN users cannot view external websites that use SSL, and in addition they are unable to view SSL sites published on the ISA array.

The network relationship between our ISA and Checkpoint firewalls is set to route so that we can be more granular about who gets access to what resources on our DMZ etc.

Following a lot of pain we decided to call MS and their only resolution was as follows:

1) change network relationship to NAT 
2) change the vpn client login to not present their domain in the login

This has major implications for our network design and therefore I would really like some guidance and advice, firstly on how to properly resolve this problem and secondly whether there is a problem with having the external network relationship set to route when behind a further layer of firewalling.

Any and all help would be great.

Thanks

Rob.
Post #: 1
RE: HELP!! ***Nat / Route network relationship problem ... - 14.Aug.2007 4:22:33 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:


1) change network relationship to NAT 
2) change the vpn client login to not present their domain in the login


I don't know how #1 would even matter.
On #2 the Domain has to be the Domain that contains the accounts that the user is "using".

quote:

int networks --- isa 2006 --- checkpoint --- internet
                                                   |
                                                   |
                                               DMZ 


Your option #3,...get rid of the Checkpoint and put the Internal-to-External relationship back to NAT

int networks --- isa 2006 --- internet 
                               | 
                               | 
                           DMZ 

_____________________________

Phillip Windell

(in reply to robcmk)
Post #: 2
