Welcome to ISAserver.org


RE: MS KB951748 - Causing Issue with VPN for FW Client Users?

RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 29.Jul.2008 11:48:15 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hi Tom,
 
Since you're an IT Guy that's a good guess that I'm already extremely busy :)  My life in IT is yes, BUSY, but providing assistance with problems like these to Microsoft or the IT community is something I feel compelled to do.  Especially since there are many others in the community that are great about sharing solutions to troublesome problems which helps us all out.
 
Do you have a magic wand that you could wave that would solve all of IT's problems?  Oh wait, then there would be no need for IT folks :)  Never mind that thought.
 
Thanks!
 
Mike Driest

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to tshinder)
Post #: 21
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 30.Jul.2008 10:41:33 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

I lost my wand, but I'm working on something better. As you know, our IT infrastructure depends on the "smoke" inside the devices. When the smoke is released, they stop working correctly.

So, I'm working on a device that will put the "smoke" back in. So far it looks promising. My first formal test will be on "hardware" firewall admins.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 22
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 30.Jul.2008 12:33:30 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hi Tom,
 
Haha that's too funny!
 
We have a set of PIX Firewalls on the Front End and they're good for blocking your standard garbage attacks, but our Production ISA Firewalls are the Back End brains of the operation so I consider myself an ISA Firewall Admin NOT a Hardware Firewall Admin.
 
I never like placing all of my eggs in one basket.  Back to Back ISA is ugly as it doesn't permit two way NAT with multiple IP Addresses; maybe MS will fix that someday.
 
Mike Driest

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to tshinder)
Post #: 23
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 5.Aug.2008 9:07:39 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
That's the point. Use the right tools to get the desired results. The "hardware" v. "software" debate is over -- all devices use both.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 24
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 5.Aug.2008 2:58:53 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
I would hope that the "hardware" vs. "software" debate is over because you're exactly right - all devices use both.
 
I'd consider the Cisco PIX or ASA to be an appliance because it uses hardware and software.
 
Now our ISA Servers I don't consider an appliance since they're servers from an OEM running Microsoft Windows Server 2003 and finally ISA Server 2006 Enterprise (we sourced, installed and configured ourselves).  It is good to see though that ISA Servers are being sold as appliances.
 
Have you had experience with ISA appliances?

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to tshinder)
Post #: 25
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 7.Aug.2008 7:11:52 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

I've used a few different ISA appliances and really like the Celestix offerings. The nice thing about appliances is that you have a one stop shop for hardware and software support. So, I don't have to call MS for ISA and Windows assistance and another vendor to get a replacement unit if the one I have fails. Celestix also has a nice bare metal recovery system so you can get back up to speed pretty quick if you want to crater the box (or if the box has been cratered for you) and start over.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 26
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 7.Aug.2008 7:28:14 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Another thumbs up for Celestix from me...

Not all customers like the appliance approach, but some do and Celestix provide a great product with very good technical support.

Cheers

JJ

< Message edited by Jason Jones -- 7.Aug.2008 9:38:19 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 27
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 7.Aug.2008 9:34:41 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Good to hear in regards to Celestix.  About 3 years ago I stumbled across them but we've decided to stick with our server vendor and layer ISA on top of that.
 
Do the Celestix appliances have any sort of lights-out remote management capability like HP's Integrated Lights-Out (iLO) or Dell's Remote Access Controller (RAC)?
 
Thanks!

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to tshinder)
Post #: 28
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 11.Aug.2008 12:45:17 PM   
celestix_rhicks

 

Posts: 3
Joined: 22.May.2008
Status: offline
Hi Mike,
 
None of our Celestix appliances include any sort of 'lights out' management such as HP's ILO.  We have not had many customers request this feature, and honestly with an appliance such as ours it really isn't a requirement.  Our appliances are designed to be operated 'headless', and as such you can configure the system from the front panel using the jog dial.  If there are catastrophic issues, you can restore the unit from either a 'last good version' (an image that you create of your fully configured appliance), or the factory default image.
 

_____________________________

Richard Hicks
Celestix Networks, Inc.
http://www.celestix.com/

(in reply to mdriest)
Post #: 29
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 11.Aug.2008 1:15:56 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
Hello Richard,
 
The reason I ask about the lights out feature is because if you run into a hard server crash (blue screen of death) or other crash where the server isn't pingable or able to be managed using conventional methods.  With Dell's RAC they provide a dedicated NIC (completely separate from OS) where you could start or restart the server remotely along with the ability to interact with the server using a virtual console.
 
I will say that this feature is rarely ever used with our Production ISA Servers but it is used with other Production Servers.  Having the option is great peace of mind knowing I could try to resolve an issue remotely without the requirement to physically be at the server which would involve driving into the office after hours or on a weekend.
 
It's good that the appliances are designed to be "headless" and configuration from the Front Panel is definitely a benefit.
 
Thanks for the information!
 
Mike Driest

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to celestix_rhicks)
Post #: 30
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 11.Aug.2008 8:11:53 PM   
celestix_rhicks

 

Posts: 3
Joined: 22.May.2008
Status: offline
Hi Mike,

As a veteran of many years as a systems engineer for a large financial services company, I have supported thousands of servers at various remote locations and definitely know the value of ILO.  I'll suggest this feature to our product management team, and if enough people ask for it, it will be a feature eventually.  : )


Thanks!


_____________________________

Richard Hicks
Celestix Networks, Inc.
http://www.celestix.com/

(in reply to mdriest)
Post #: 31
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 12.Aug.2008 9:10:33 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Richard,

Another thing to consider is Intel vPro. A lot of servers have this feature but the admins don't turn it on. vPro can give you that kind of "lights out" support too.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to celestix_rhicks)
Post #: 32
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 12.Aug.2008 9:18:14 AM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
I hadn't heard back from MS/ISA Product Team on this so I sent a quick follow up email today.

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to tshinder)
Post #: 33
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 13.Aug.2008 12:47:45 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: celestix_rhicks

Hi Mike,

As a veteran of many years as a systems engineer for a large financial services company, I have supported thousands of servers at various remote locations and definitely know the value of ILO.  I'll suggest this feature to our product management team, and if enough people ask for it, it will be a feature eventually.  : )


Thanks!



Hi Richard,

I think it would be a good addition to the feature set.

As an alternative, how about connecting an existing server which does have ILO to the console connection on the Celestix appliance - would this work?

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to celestix_rhicks)
Post #: 34
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 15.Aug.2008 8:53:29 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Have you guys checked into the Intel vPro feature set? I think that vPro might give us a lot more "lights out" functionality than what HP has to offer. It's *very* cool and something I've been studying lately.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jason Jones)
Post #: 35
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 15.Aug.2008 2:21:14 PM   
mdriest

 

Posts: 70
Joined: 18.Dec.2003
Status: offline
I've heard about Intel vPRO and that it's supposed to offer new cool remote management options but I've had no spare time to read about it.
 
I'll add this to my ideas list for cool new things to look into.  Thanks Tom!

_____________________________

Mike Driest
Network/Systems Administrator
MCSA + Security

Industrial Control Repair
www.industrialcontrolrepair.com

(in reply to tshinder)
Post #: 36
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 16.Aug.2008 9:38:36 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Mike,

You bet. The best paper to introduce you to vPro is at:

http://download.intel.com/products/vpro/whitepaper/crossclient.pdf

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mdriest)
Post #: 37
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 8.Feb.2010 2:47:52 AM   
kas

 

Posts: 9
Joined: 19.Mar.2005
Status: offline
we are experiencing this identical issue with vpn clients of our isa 2006 ee array.

a. if the vpn client workstation has the isa firewall client installed and enabled, dns requests from the vpn client workstation to our internal dns servers will be denied with the WSA_RWS_ERROR_ACCESS_DENIED error

b. if the vpn client workstation disables the isa firewall client service, dns requests from the vpn client workstation to our internal dns servers will work successfully - (of course without making any isa rule changes)

the issue occurs regardless if the vpn client is pptp or l2tp

this is a pretty old post, so i am hoping that this issue has by now been identified and resolved, and that someone would be able and willing to update this post with that solution.

thank you in advance for your assistance




(in reply to tshinder)
Post #: 38
RE: MS KB951748 - Causing Issue with VPN for FW Client ... - 16.Feb.2010 4:44:12 PM   
JeffVandervoort

 

Posts: 142
Joined: 20.Nov.2004
Status: offline
Kas, I just stumbled on to this problem too. Not sure whether it's the same scenario, though.

Here, the VPN client connection is being made from computers on the internal network (behind ISA) to a business partner's system. We've tried Cisco AnyConnect client to ASA to the partner's system, and Windows PPTP client to my company's RRAS, both with the same DNS problem that seems to be described here: DNS packets destined for the remote system's DNS servers go to our ISA (2004 SE in this case) and are dropped, instead of routing to the remote system.

Disable FWC and DNS works. (Assuming I've hacked the DNS search order.)

OTOH, when I uninstall KB951748 from the VPN client, nothing changes.

Would also love to know if there's an answer but it's been awfully quiet on this thread since it veered wildly off-topic.

< Message edited by JeffVandervoort -- 16.Feb.2010 4:52:43 PM >

(in reply to kas)
Post #: 39
