Cannot browse web over VPN

JW -> Cannot browse web over VPN (12.Feb.2008 11:08:49 AM)

I just set up a new ISA 2006 Std server running on Server 2003 Enterprise.  Everything is working well except for the ability to browse the web while connected to the VPN.  I've already been through the steps in http://www.isaserver.org/tutorials/Solving_the_Mystery_of_the_VPNRASWeb_Proxy_Client.html with no success.  I've set the proxy settings on both the VPN connection and the browser as well.  It appears to me to be a routing issue.  With my current configuration, I can see an HTTP Proxy/Initiated Connection entry in the ISA logs (closely followed by a Closed Connection entry) when I try to go to a web site, but the browser stops almost immediately and doesn't display anything.  Intranet pages work fine.  Client is getting correct DNS settings through DHCP when connecting.  Similar scenario works on our ISA 2000 server's RAS setup.  Any help would be appreciated; the 2000 box is on its last legs.  Thanks!




JW -> RE: Cannot browse web over VPN (13.Feb.2008 12:07:23 PM)

Additional info - web browsing over the VPN does work IF I turn off the proxy settings on the VPN connection.  The browser proxy settings have no effect at all.  I would expect the proxy settings on the connection to work the way they do on our 2000 box...




elmajdal -> RE: Cannot browse web over VPN (13.Feb.2008 3:09:36 PM)

Hi,

Read this: http://www.isaserver.org/tutorials/2004vpnclientnetaccess.html




JW -> RE: Cannot browse web over VPN (13.Feb.2008 3:33:53 PM)

Thank you, Tarek. That does work, although very slowly (the one thing I was missing from that was the network rule to NAT from the VPN clients to the web).  Just before I read this I came up with a rule structure that proxies the VPN user's web connection, regardless of how their browser or VPN connection is configured, and it is quite a bit faster (and also subject to my lists of allowed/denied sites).




elmajdal -> RE: Cannot browse web over VPN (13.Feb.2008 3:47:03 PM)

Hi,

Glad it worked and thanks for the follow up.

quote:

Just before I read this I came up with a rule structure that proxies the VPN user's web connection, regardless of how their browser or VPN connection is configured


Can you refer this to us?




wlazzell -> RE: Cannot browse web over VPN (20.Feb.2008 3:58:26 PM)

I am having the same issue. I have tried what was suggested in the linked article, but the VPN users STILL cannot access either internal or external web sites.
Does anyone have any other ideas to try?




JW -> RE: Cannot browse web over VPN (20.Feb.2008 4:07:36 PM)

Here's how I did mine.  With this setup, the client's proxy settings are irrelevant (if I set it on the VPN connection, it works but very slowly; the browser setting makes no difference).

Add a firewall rule as follows:
Action:  Allow
Protocols:  HTTP,HTTPS,FTP (and whatever else)
From:  VPN Clients
To:  External
Condition:  All (or whatever groups you want).

Put this after any rule that allows/denies specific sites.  In my setup it's one of the last rules.  If the requested site makes it past the allowed/denied site lists, then this rule passes it through.  This way, the client requests get processed through the firewall rule set as opposed to a proxy request (or at least that's how it seems to be working; I can't really articulate why it does what it does, all I can say is that it does what it does).

You may also need a rule like so, to fix the internal issue:

Action:  Allow
Protocols:  HTTP,HTTPS,FTP (and whatever else; mine is wide open but subject to authentication)
From:  VPN Clients
To:  Internal
Condition:  Authenticated Users (or whatever groups you want).
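
Added example, not part of JW's post and not ISA Server code: a simplified first-match model of an ordered firewall policy, showing why the broad VPN Clients to External allow rule belongs after the allowed/denied site rules. The rule names, the host `blocked.example` and the `evaluate` function are constructed for illustration; user conditions and network (NAT/route) rules are not modelled.

```python
from dataclasses import dataclass

# Assumption: rules are checked top-down, the first match decides,
# and anything unmatched hits an implicit default deny.

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "Allow" or "Deny"
    protocols: frozenset
    source: str                           # source network
    dest_network: str                     # destination network
    dest_hosts: frozenset = frozenset()   # empty set = any host in dest_network

    def matches(self, proto, source, dest_network, host):
        return (proto in self.protocols
                and source == self.source
                and dest_network == self.dest_network
                and (not self.dest_hosts or host in self.dest_hosts))

def evaluate(rules, proto, source, dest_network, host):
    """Return (action, rule name) of the first rule matching the request."""
    for rule in rules:
        if rule.matches(proto, source, dest_network, host):
            return rule.action, rule.name
    return "Deny", "Default rule"

WEB = frozenset({"HTTP", "HTTPS", "FTP"})

# Constructed rules mirroring the two rules in the post, plus one denied-site rule.
deny_sites = Rule("Denied sites", "Deny", WEB, "VPN Clients", "External",
                  frozenset({"blocked.example"}))
vpn_web = Rule("VPN web access", "Allow", WEB, "VPN Clients", "External")
vpn_internal = Rule("VPN internal access", "Allow", WEB, "VPN Clients", "Internal")

AS_POSTED = [deny_sites, vpn_web, vpn_internal]    # site list first, broad allow last
MISORDERED = [vpn_web, deny_sites, vpn_internal]   # broad allow shadows the site list

if __name__ == "__main__":
    for label, policy in (("as posted", AS_POSTED), ("misordered", MISORDERED)):
        for host in ("blocked.example", "www.example.org"):
            result = evaluate(policy, "HTTP", "VPN Clients", "External", host)
            print(f"{label:10} {host:16} -> {result}")
```
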




wlazzell -> RE: Cannot browse web over VPN (21.Feb.2008 2:45:14 PM)

Actually, I found the error. Apparently, when our "expert" installed ISA2006, he hard-coded the DNS server instead of pulling it from DHCP. The DNS server it was pointing to no longer exists on our network. Once I found this error and corrected it, everything works fine.



