VPN with Back-to-Back ISA 2006 DMZ

VPN with Back-to-Back ISA 2006 DMZ (Full Version)

All Forums >> [ISA 2006 Firewall] >> VPN

Message

LitiaM -> VPN with Back-to-Back ISA 2006 DMZ (6.Sep.2007 3:32:37 AM)
I have a Back-to-Back ISA 2006 DMZ (authenticated). I now want to create a VPN to the Branch Office. 1. I want to know where I should terminate the tunnel whether at FE ISA or BE ISA. 2. How can I make the FE ISA (in the DMZ) to use the CSS in the default internal network of the BE ISA Litia

tshinder -> RE: VPN with Back-to-Back ISA 2006 DMZ (21.Sep.2007 8:14:35 AM)
It would be best to terminate the site to site VPN on the back end ISA Firewall. HTH, Tom

LitiaM -> RE: VPN with Back-to-Back ISA 2006 DMZ (28.Sep.2007 2:05:55 AM)
I have created a site to site vpn (using the creating a site to site vpn with isa200 firewall branch office connection wizard - 7 part series by Dr. Thomas Shinder). 1. My network has a back to back dmz (isa2006) with the back-end being a member of the domain while the front-end is member of the dmz workgroup. 2. I have created the vpn (L2TP/IPsec) rules on the back-end firewall (using branch office connection wazard). I have also created an answer file that I run on the Branch Office ISA Firewall. PROBLEM When I run the answer file on the Branch ISA Firewall, I 'm failing to connect to the Back-end Firewall at the Main Office. How do I configure the Front-end Firewall to allow communication between the Back-end ISA Firewall and the Branch ISA Firewall? Do I need to publish the Back-end ISA Firewall (and which protocols do I need to publish - L2TP or IKE or PPTP or IPsec NAT-T) Or do I need to create access rules to allow communication between the branch office and default internal network of the back-end ISA firewall. Thanking in advance Rgds, LitiaM

tshinder -> RE: VPN with Back-to-Back ISA 2006 DMZ (28.Sep.2007 8:29:49 AM)
Yes, you'll need to published the L2TP/IPSec and IKE and NAT-T protocols and the PPTP protocols. HTH, Tom

LitiaM -> RE: VPN with Back-to-Back ISA 2006 DMZ (3.Oct.2007 12:53:57 PM)
Depsite publishing IKE, L2TP, PPTP & PIsec NAT-T I still cannot cennect to the back-end server (which is the VPN svr). In addition I have created rules allow all outbound traffic from the back-end to the external. As well as publishing my internal DNS svr. What else should I do so that when I connect from the branch office machine and establish a connection?

justmee -> RE: VPN with Back-to-Back ISA 2006 DMZ (4.Oct.2007 8:45:17 AM)
Hi Litia, Why you have published L2TP and PPTP since you have a L2TP/IPsec site to site connection? You just need IKE Server and IPsec NAT-T server. It's very easy to see if you have published correctly your BE VPN server. Just "Enable VPN Clients Access" and check if you can connect with a VPN client. Don't forget the registry setting for NAT-T for a VPN server located behind a NAT device(the FE ISA) for your VPN client(either XP or Vista). Or you can take a Wireshark trace on the BE ISA's external interface and see if IKE packets are reaching it and if so how far negotiations go. So your scenario looks like: Branch ISA <----> Internet <---> FE ISA -----BE ISA(VPN Server) I know it's strange but the Branch ISA is acting like a VPN client(some sort of) to BE ISA when trying to initiate the tunnel. Even more strange, if my memory helps me, you need to add the registry entry for NAT-T on your Branch ISA(I suppose it's a Windows 2003 server) with a value of 1(the responder is behind a NAT device). I know there aren't any KB articles on Microsoft site related to Windows 2003, only to Windows XP SP2. But some time ago I remember I have run into a similar scenario(except it was for SE). The reg entry did the trick if I recall it correctly. But I might be wrong(do not blame me, blame my memory). Regards!

tshinder -> RE: VPN with Back-to-Back ISA 2006 DMZ (4.Oct.2007 9:15:52 AM)
Hi JM, Glood idea regarding the reghack for NAT-T. I wonder if that is required or will work with Win2003? Tom

justmee -> RE: VPN with Back-to-Back ISA 2006 DMZ (4.Oct.2007 9:32:44 AM)
Hi Tom I just tested in my VMware lab: Branch ISA 2006 SE Win2003 R2 Std SP2 <--> "Internet" <-> FE ISA 2006 Win2003 R2 Std SP2<-->BE ISA 2006 SE Win2003 R2 Std SP2 It's not working without the reg hack no matter who initiate the tunnel. So my memory appears to work(some sort of). Let's wait and see if Litia can confirm this with his/her real machines. Best, J

tshinder -> RE: VPN with Back-to-Back ISA 2006 DMZ (5.Oct.2007 8:41:09 AM)
Hi JM, Great! Thanks for following up on that. Tom

Page: [1]