
Welcome to ISAserver.org


VPN out

VPN out - 20.Nov.2008 1:26:55 PM   
zevan4

 

Posts: 14
Joined: 16.Nov.2008
Status: offline
I did a rule to see remote VPN networks and it works (for now I did it ALL USERS).

Once connected I can see a remote PC in that network BUT I CANNOT RDP

Why?

_____________________________

Evan Camilleri
Holistic Malta
Post #: 1
RE: VPN out - 21.Nov.2008 11:14:15 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Is this a site to site VPN or a remote access client VPN connection?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to zevan4)
Post #: 2
RE: VPN out - 21.Nov.2008 4:12:38 PM   
zevan4

 

Posts: 14
Joined: 16.Nov.2008
Status: offline
My PC is behind ISA and I want to RDP to a server that is behind a VPN (outside my network).

_____________________________

Evan Camilleri
Holistic Malta

(in reply to tshinder)
Post #: 3
RE: VPN out - 22.Nov.2008 10:10:40 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

From what I understood, your PC is on your internal network and is trying to connect to a server on the internet. If so, you need to create an access rule allowing the access between those networks.

Regards,
Paulo Oliveira.

(in reply to zevan4)
Post #: 4
RE: VPN out - 23.Nov.2008 12:16:26 PM   
holistic

 

Posts: 6
Joined: 13.Jul.2006
Status: offline
That's what I did. In fact VPN works. I can ping the remote server. I cannot RDP even if RDP is allowed.

On the other hand I can RDP to remote servers which are NOT through a VPN.

_____________________________

Evan Camilleri

http://www.holistic.com.mt
http://www.dotnetmushroom.com
http://www.mobilesalesman.com
http://www.evancamilleri.com

(in reply to paulo.oliveira)
Post #: 5
RE: VPN out - 24.Nov.2008 10:39:25 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

Is your network relationship route or NAT?

Regards,
Paulo Oliveira.

(in reply to holistic)
Post #: 6
RE: VPN out - 25.Nov.2008 7:58:56 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Is the Firewall client installed on your computer?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to paulo.oliveira)
Post #: 7
RE: VPN out - 28.Nov.2008 3:35:58 PM   
zevan4

 

Posts: 14
Joined: 16.Nov.2008
Status: offline
Yes. Firewall client installed. (Even when I tried it on another ISA with no client still same rules)

In ISA monitor I can see that the RDP is trying to use 192.168.100.100, i.e. using the 'internal ip' and thus I assume that it does not try to pass through the VPN (?)

Funny thing is that this happens on XP PCs. Windows 2003 server all works perfect.

_____________________________

Evan Camilleri
Holistic Malta

(in reply to tshinder)
Post #: 8
RE: VPN out - 29.Nov.2008 9:35:44 AM   
zevan4

 

Posts: 14
Joined: 16.Nov.2008
Status: offline
Found a solution, section 4 of http://www.isaserver.org/articles/IPSec_Passthrough.html

If the client host is configured as a Firewall client, you must make sure that the destinations reachable through the VPN tunnel are not redirected to the Firewall service on ISA server. The simplest solution for that problem is to disable the Firewall client for the duration of the VPN session. If that isn't a workable solution in your environment, you will have to fine tune the Firewall client configuration. More precisely, you should put the network ID's reachable through the VPN tunnel in the LAT. Because only a very small number of internal hosts should be involved, I would make the Firewall client configuration changes only on the client host and not globally on the ISA server. Otherwise, you should not allow a client-to-gateway VPN scenario through ISA server, but go for a gateway-to-gateway VPN scenario with ISA server as the VPN endpoint.

To make the Firewall client configuration changes on the client host, use a text editor to create a custom client LAT file named Locallat.txt and place it into the Microsoft Firewall Client folder on the client computer. You can add there additional IP address ranges that the client recognizes as part of the internal network. The Firewall client uses both the Msplat.txt and Locallat.txt files to determine which IP addresses should not be redirected to the Firewall service on ISA server. For more info, check out the section Firewall Client components in the ISA help file.

_____________________________

Evan Camilleri
Holistic Malta

(in reply to zevan4)
Post #: 9
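
Added example (not part of any post in this thread or of the quoted article): a small checker that parses LAT-style text and reports whether the Firewall client would treat a destination as local or redirect it to the Firewall service on ISA. It assumes each line of Msplat.txt and Locallat.txt holds one address pair (start and end of a range, or the same address twice for a single host); the sample ranges are constructed, 192.168.100.100 is borrowed from post 8 as a sample destination, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample contents (not taken from any real client).
MSPLAT_SAMPLE = "10.0.0.0\t10.0.0.255\n"              # LAT downloaded from ISA
LOCALLAT_SAMPLE = "192.168.100.0\t192.168.100.255\n"  # per-client additions


def parse_lat(text):
    """Parse LAT text into (start, end) IPv4Address pairs.

    Raises ValueError for a line that is not exactly two IPv4 addresses
    or whose range is reversed, so a typo is caught before deployment.
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'start end', got {raw!r}")
        start, end = (ipaddress.IPv4Address(f) for f in fields)
        if start > end:
            raise ValueError(f"line {lineno}: range start is above range end")
        ranges.append((start, end))
    return ranges


def treated_as_local(dest, *lat_texts):
    """True if dest falls in any range of any supplied LAT file text."""
    addr = ipaddress.IPv4Address(dest)
    return any(start <= addr <= end
               for text in lat_texts
               for start, end in parse_lat(text))


def describe(dest, *lat_texts):
    """One-line verdict for a destination, worded as in the quoted article."""
    if treated_as_local(dest, *lat_texts):
        return f"{dest}: local, sent directly (can follow the VPN route)"
    return f"{dest}: not local, redirected to the Firewall service on ISA"


if __name__ == "__main__":
    print(describe("192.168.100.100", MSPLAT_SAMPLE))
    print(describe("192.168.100.100", MSPLAT_SAMPLE, LOCALLAT_SAMPLE))
```

Keeping the Locallat.txt ranges as narrow as the VPN-reachable networks require limits how much traffic bypasses the Firewall service and its per-user policy.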
RE: VPN out - 30.Nov.2008 10:11:28 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yep! That's why I asked about the Firewall client.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to zevan4)
Post #: 10
