Our set-up: SBS 2003 Server R2 with ISA2004 Firewall; all latest patches and service packs installed.
I have a laptop in my network that is on a separate Domain for a different company. This system is also connected with our Exchange e-mail via IMAP. This all works perfectly most of the time. He can connect to his IMAP account when he's at this other company's office, or on the road, and while in our office NOT on the VPN.
When he's in our office, this computer sometimes connects to the "other domain" via SonicWall VPN. The issue I'm running into is this: Once he's connected to the VPN, he can't connect to OWA, RWW, or his IMAP e-mail on our server. All other websites work and his IMAP AOL account works, so it's not an internet connectivity issue. But, the above 3 items give an error saying the server can't be found. However, while on the VPN, he CAN access our local network drive and ping the server.
My hunch is the issue is with our ISA Firewall, but I'm stumped on how to solve it. It seems the firewall doesn't like something about the VPN connection, but again I don't know what to do about it.
I did notice a couple of interesting things in the ISA firewall log when Sending/Receiving mail for IMAP, but I'm not sure they're relevant. When doing a Send/Receive in his IMAP account, I get the following: Protocol IMAPS Destination Port 993 Source: Internal [Internal IP of Laptop] Destination: External [External IP of our Server] Result Code: 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN Status: A connection was abortively closed after one of the peers sent a RST segment
Also, when I try to go to the OWA website, it has an interesting entry: Source: External Destination: Local Host. Client IP: External IP of the server. Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
You did not mention how the VPN connection is being made, but if the client is connecting using the SW IPSec client then it's probably due to a split tunneling issue?
So how are you connecting to the VPN?
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
Well, the system is using SonicWall VPN NetExtender to connect to the other server. I am not privy to that organization's set-up, so I don't know how the VPN is configured. That's the best I can tell you at this point.
Reading through the documentation, you will find that you need to configure the client software for routing on the local host network, especially if the client is configured in “Route all tunnel mode”. Possibly, you also have a network ID conflict?
ISA is dropping the traffic because the remote network is not defined.
If you have a SLA with SonicWall, I suggest you give them a call.
HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
Also, have you consulted with the IT staff from the other Company? I would think that they do not want their client split-tunneling between two networks.
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
I have informed them of what I'm trying to do, so I don't think they have a problem with it.
It looks like I need to get with this other company's IT department to change the configuration of the SonicWall VPN. I don't have access to the admin panel in that PDF, so I can't make those changes. But, this gives me an idea of the direction I need to go so thanks for your assistance.
ORIGINAL: Rotorblade Reading through the documentation, you will find that you need to configure the client software for routing on the local host network, especially if the client is configured in “Route all tunnel mode”. Possibly, you also have a network ID conflict?
ISA is dropping the traffic because the remote network is not defined.
Rotorblade, 2 quick questions. Assuming the client software is set for routing on the local host network (I suspect it is), is there anything I can do on my end to get this to work? Anything I can do about the remote network not being defined? I have a request in with their IT Dept. related to the VPN, but I'm curious if there's anything I can do on the ISA.
From your description it sounds like a routing issue. Check the routing tables of the client (VPN connected) to see what the default GW’s are. You might try adding the remote network ID to the ISA’s Internal network IP definition. Internal requests also should be configured to bypass.
HTH
RB
_____________________________
David Melvin Ohio MCSE: Security 2003, MCSA:Security 2003
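The routing-table check Rotorblade suggests, as an added example that is not part of the thread: given a "route print" style table from the VPN-connected laptop, it works out which gateway and interface would carry traffic to the server and flags the two conditions raised above (the tunnel capturing the default route, and a network ID conflict). The route table, addresses and interface names are constructed sample values, not the poster's real configuration.

```python
import ipaddress

# Constructed "route print" style table from a VPN-connected laptop:
# (network destination, netmask, gateway, interface, metric)
SAMPLE_ROUTES = [
    ("0.0.0.0",      "0.0.0.0",       "192.168.16.1",  "192.168.16.50", 20),  # LAN default gateway
    ("0.0.0.0",      "0.0.0.0",       "10.200.0.1",    "10.200.0.7",     1),  # VPN default (route-all)
    ("192.168.16.0", "255.255.255.0", "192.168.16.50", "192.168.16.50", 20),  # local office LAN
    ("10.200.0.0",   "255.255.0.0",   "10.200.0.7",    "10.200.0.7",     1),  # remote VPN network
]


def select_route(routes, dest):
    """Longest-prefix match, lowest metric on ties: the (gateway, interface)
    Windows would use to reach dest, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ip in network:
            key = (network.prefixlen, -metric)   # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return (best[1], best[2]) if best else None


def network_conflict(local_net, remote_net):
    """True when the remote VPN subnet overlaps the local LAN (a network ID conflict)."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))


def diagnose(routes, target_ip, vpn_iface, local_net, remote_net):
    """Summarise where traffic to target_ip would go and whether the subnets collide."""
    gw, iface = select_route(routes, target_ip)
    return {
        "gateway": gw,
        "interface": iface,
        "leaves_via_vpn": iface == vpn_iface,          # tunnel has captured this path
        "network_id_conflict": network_conflict(local_net, remote_net),
    }


if __name__ == "__main__":
    # Internal server address stays on the LAN; a public address follows the lower-metric VPN default.
    for target in ("192.168.16.10", "203.0.113.10"):
        print(target, diagnose(SAMPLE_ROUTES, target, "10.200.0.7", "192.168.16.0/24", "10.200.0.0/16"))
```

In the constructed table the server's LAN address still routes locally (which is why file shares and ping keep working) while anything reached by its public address is sent into the tunnel; with split tunneling the VPN default route would be absent and the public address would stay on the LAN gateway.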
I'd like to resurrect this post as I've learned something new about the issue that seems to point in a different direction for a solution.
I believe the problem lies with the SSL Certificate. On my SBS box, external users access the mail.mydomain.com cert, but I've noticed internal users access the publishing.mydomain.local SSL cert. All this is set to the defaults as per the CEICW wizard.
Now, here's what I noticed about this laptop. When in our network and disconnected from the VPN, that system uses the publishing.mydomain.local cert, which is fine. BUT, after he connects to the VPN, he STILL uses the publishing.mydomain.local cert. This seems to break everything and make it no longer able to access the server.
Any ideas of something I can do about this? Is there any way I can have all users, including internal users, use the mail.mydomain.com cert in all cases? I imagine that would solve my VPN issue.
By the way, this VPN connection is using split tunneling, don't know how that affects things.