Cannot Access HTTP port 80 over Site-to-Site VPN

Cannot Access HTTP port 80 over Site-to-Site VPN - 17.Aug.2009 5:10:07 PM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Well, it's been a while since I posted, but I got one that's greatly puzzling me, and I know this is the place to come for the sharpest ISA minds!

Ok, the problem is simple: we have site-to-site VPNs set up between our main site and remote sites, allowing ALL traffic for ALL users, but cannot communicate on port 80 (HTTP). Monitoring the traffic doesn't turn up much at all besides this:





Failed Connection Attempt
REMOTE ISA SERVER 8/17/2009 4:51:40 PM

Log type: Web Proxy (Forward)

Status: 10065 A socket operation was attempted to an unreachable host.

Rule: REMOTE / MAIN SITE

Source: Internal (X.X.X.X)

Destination: REMOTE / MAIN SITE (webserver.ourdomain.local X.X.X.X:80)

Request: GET http://X.X.X.X/somewhere.aspx

Filter information: Req ID: 0da01d91; Compression: client=No, server=No, compress rate=0% decompress rate=0%

Protocol: http

User: anonymous

Very unhelpful, especially as host is reachable and can be accessed remotely, just not when trying to access it on port 80 (http). I would have thought that this was some other issue, but our WSUS management servers will not sync up with each other through the site-to-site VPN either because they talk over port 80 (http). That traffic gets the same unhelpful errors.

Is there some extra configuring that I need to do on a Site-to-Site VPN in order to allow intra-site http browsing? One note I should make: on the "Remote Site" object in the VPN settings on the ISA servers, on the Addresses tab for the Remote site, I removed the external IP address of the remote site from the "IP address ranges included in this network:" box. I did this because that address still shows up on the Connection tab as the remote gateway, and if I have that address in that tab, then remote users are unable to log into our published SharePoint intranet via its external address...They are unable to log in successfully to the FBA login page at the remote ISA server for the SP intranet. Once I removed that gateway external IP from the Address Range tab on both ends of the site-to-site tunnel, the remote users could log in through the FBA page with no problem.

As I said, all other traffic seems to be passing through the VPN just fine. Any help or suggestions would be GREATLY appreciated! Looking forward to the feedback...

v/r

Josh Blalock
Post #: 1
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 19.Aug.2009 10:35:22 AM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

One note I should make: on the "Remote Site" object in the VPN settings on the ISA servers, on the Addresses tab for the Remote site, I removed the external IP address of the remote site from the "IP address ranges included in this network:" box.


The Network Definitions are simple and straightforward.  The full address range of the IP Segment goes in the Addresses Tab.   Anything else does not.  There are no "tricks",...you do anything beyond that, then you are doing it wrong.  If doing it "right" causes problems then the Network Definition is "revealing" the problem,...not "causing" it.

quote:

I did this because that address still shows up on the Connection tab as the remote gateway, and if I have that address in that tab, then remote users are unable to log into our published SharePoint intranet via its external address...


You are never supposed to do that.  Published sites should never be accessed with the Public External Address by the LAN users.  The LAN Users should always resolve the FQDN to the actual specific internal LAN IP# of the Site,...users should never "make a u-turn" through the ISA.   Anytime a web site from the LAN is published to the public Internet you need to setup Split-DNS so that everything resolves correctly to the proper IP# for the particular situation.

These two things are probably the root of your problem.  But even if it turns out to not be,...solve the problems that you know you have first,...then solve the problems you discover that remain after the obvious problems are corrected, but many times the obscure problems vanish after the obvious ones are corrected.

_____________________________

Phillip Windell

(in reply to ren_freak)
Post #: 2
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 19.Aug.2009 10:48:30 AM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Thanks for the reply!

Trust me, I am 100% with you on setting up split DNS in our environment. I have run it by IT management several times, stressing the need, the reasons, and the fact that everybody on this forum tells me we should have split DNS set up. I am sure you know where this is going: They always say no and have me work around it.

Anyway, back to my problem. When a user at the remote site accesses the internal URL (http://servername/virtualdirectory.aspx), DNS at the remote site's DC resolves the servername with its correct LAN IP. The traffic is then sent over the Site-to-Site VPN, and is handled by the rule for the site-to-site VPN. However, the ISA server at the remote location where the HTTP request is coming from returns the error I posted in my initial post. It says the attempt is being made to "an unreachable host". I don't know why it is coming up this way across the Site-to-Site VPN connection, but it is this way for http (port 80) traffic between internal addresses over the VPN setup, no matter which site or server is being accessed. This problem does not happen when someone at the main site attempts to hit the exact same Internal URL. And people at the remote site can hit the published URL just fine.

Not sure if I clarified myself a bit more, or if I just didn't understand where you were going with your reply very well, but if ALL other traffic is communicated and flowing between the Site-to-Site VPN just fine, then I see no reason why HTTP traffic should be any different between server names and IPs that are on the same domain, just different sites connected with the site-to-site VPN. There must be something I am missing, and from other posts out there, I am definitely not the first one to encounter this. Unfortunately, there isn't much out there that I have seen in terms of fixes or solutions. I would greatly appreciate your continued help and troubleshooting on this issue...

Thanks!

Josh

(in reply to pwindell)
Post #: 3
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 19.Aug.2009 12:00:51 PM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Trust me, I am 100% with you on setting up split DNS in our environment. I have run it by IT management several times, stressing the need, the reasons, and the fact that everybody on this forum tells me we should have split DNS set up. I am sure you know where this is going:


Yea,...I have no patience for those kind of people,...don't get me started.  Hmm,..well too late,...but I'll save it till the end.

quote:

When a user at the remote site accesses the internal URL (http://servername/virtualdirectory.aspx), DNS at the remote site's DC resolves the servername with its correct LAN IP. The traffic is then sent over the Site-to-Site VPN, and is handled by the rule for the site-to-site VPN. However, the ISA server at the remote location where the HTTP request is coming from returns the error I posted in my initial post. It says the attempt is being made to "an unreachable host".


I don't know for sure. All I can think of is:

1.  Double check the address ranges for the involved network definitions, don't take anything for granted.

2. Make sure there are no unexpected Static Routes on the ISA machines that either shouldn't be there or are incorrect.

For the problematic IT Management,...buy a small pair of children's scissors,..the kind with the rounded tips so no one puts an eye out.  Tell them that the General Manager wants them to go outside and mow the yard around the building,...slap the scissors down on their desk and say,..."The lawn mower isn't running,...here's your work-around.",...and you only have an hour to get it mowed.   If they ever figure that one out tell them that is what they are doing to you with not setting up the Split-DNS.    You could also tell them that any real IT Team that is not incompetent or just lazy already has their Split-DNS setup,..but that one might not go over so well.

_____________________________

Phillip Windell

(in reply to ren_freak)
Post #: 4
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 19.Aug.2009 12:04:37 PM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Thanks for the feedback, and I will go and triple-check the settings to make sure everything is in place correctly.

In the meantime, is there anyone else out there with any ideas? As I mentioned in the last post, I know there are other people out there who have run into this exact issue, so if any of you have found fixes, I would immensely appreciate it if you shared!

v/r

Josh

(in reply to pwindell)
Post #: 5
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 20.Aug.2009 1:54:53 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
It's not an issue, it may be an (expected) consequence of the combination of a web proxy and a VPN gateway.
You need to tell IPsec how to handle this traffic or to tell to the web proxy not to proxy this traffic.

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to ren_freak)
Post #: 6
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 20.Aug.2009 2:17:02 PM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Ok, I understand, as this is how ISA works. You tell it which traffic goes where through a series of rules and settings. The problem is, is that as far as I can see, I have specified everything to the best of my knowledge as to what traffic should be flowing between this site-to-site VPN, and for some reason everything else is flowing fine, except HTTP. Now naturally I would go and check the rules and protocols being allowed between the two VPN connected sites, but the rules state EVERYTHING. HTTP is not being excluded.

So, I agree with you, something must be missing or out of place, but obviously I do not know what that is, or where else to look for it. It doesn't help that the logging gives me no more than what is posted above. All this to say, given the information that you see above, what settings could I begin to look for that would cause the above described problem? What else might need to be in place, IPSEC-wise or other, that I am not seeing in these rules and VPN settings, to allow HTTP to flow through this VPN site-to-site setup like every other protocol. I need specific suggestions of things to check for, as I have pored over all the mundane details more than once on this already.

Thanks!

v/r

Josh

(in reply to adimcev)
Post #: 7
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 20.Aug.2009 4:21:35 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
You didn't say, is that an IPsec tunnel mode s2s ?
If so, when a host behind ISA tries to access a web server, the HTTP traffic will be proxied. The source IP address will be replaced with the IP address from ISA's external interface.
Next ISA will attempt to send this traffic over the VPN tunnel. Because IPsec tunnel mode depends on proxy ids, you need to have proxy ids for ISA's external interface and the remote subnet. On local ISA this should not be a problem, but on the remote VPN gateway(which as I understand is another ISA), you should have configured on the remote site address range the remote ISA's external IP address. Or else IKE QM will fail and web traffic won't be sent over the VPN tunnel because you don't have IPsec SAs for that.

If you don't want to proxy the s2s web traffic(and keep the clients' original IP address), you can configure the needed destination addresses for direct access for web proxy clients(using autoconfig script) and unbind the Web proxy filter from the HTTP protocol, so that secureNAT clients' s2s web traffic is not proxied.
Or create a custom protocol using TCP port 80(without the web filter bound to it), and create a top access rule(not necessarily top, just make sure this traffic isn't being "caught" by another rule) allowing this custom protocol for the needed sources and destinations, and right below it a rule denying the regular HTTP traffic for same sources and destinations.

Thanks,
Adrian


(in reply to ren_freak)
Post #: 8
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 20.Aug.2009 5:40:24 PM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If it is an ISA on each end then it should be done with L2TP, not IPsec.  Not that it can't be done,..but MS designed ISA's VPN with the idea that IPsec would be used when it is operating with a third-party product on the opposite end,...but use PPTP or L2TP (preferably L2TP) when it is a pair of ISAs.

The web site being accessed is on the private network but just on another segment on the other side of the VPN. So it should not be proxied at all and it should be a routed relationship instead of NATed.  The user should be able to go directly to the web site just as they would if the site was right on their own segment in the same room with them.

_____________________________

Phillip Windell

(in reply to adimcev)
Post #: 9
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 8:41:29 AM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
I agree. That should be exactly the way that it works! Now, with you saying "segments", let me clarify. Is it ok that both sites are same domain, but that the IP segments are different ranges? Actually, I guess they would have to be, because I don't think ISA would let you create another network with IP segments that already exist in another network...

(in reply to pwindell)
Post #: 10
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 9:17:29 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
That's a VPN s2s definition from the stone age and a silly generalization.
Even if the remote site belongs to the same company, it does not mean it shares the same security zone with the HQ, and I mean security from all points of view, physical security, users level of education, employees selection process, management, admins level of education, reaction time, etc.
If you just make the remote site(a branch office) a "segment" of the network and you pretty much allow everything without much inspection between it and HQ, if this branch office is not at the same level in terms of security with HQ, it will be enough to attack the weakest link, meaning the branch office and then simply get access to HQ through the branch office. Or have a worm to propagate from a branch office to HQ over the VPN s2s with no major problems.
Some vendors allow you to turn off completely the firewall for VPN s2s.
But this does not mean this is how it should be done.
It's all about one's needs(assuming it understands what it does, sheesh). One may need separation, limited access, level of protocol compliance, etc. for the certain resources, and there's nothing wrong with this. One may need a simple, fast path between sites, and again there is nothing wrong with that.
In the same way, these days, a VPN gateway is not anymore just a VPN gateway, a VPN server just a VPN server, a firewall just a firewall or a router just a router. Simply said, this is stone age thinking.

Thanks,
Adrian


(in reply to ren_freak)
Post #: 11
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 9:28:26 AM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

I agree. That should be exactly the way that it works! Now, with you saying "segments", let me clarify. Is it ok that both sites are same domain, but that the IP segments are different ranges? Actually, I guess they would have to be, because I don't think ISA would let you create another network with IP segments that already exist in another network...


Yes,..exactly correct.  But it is not simply that the IP#s are already in the same "ISA Network" although that is an element of it,...it is about Layer3 -vs- Layer2.  ISA will not do a Layer2 VPN,..so each end of the VPN must be a different Layer3 Segment.

A domain is an "Administrative Boundary",..not a network boundary,...so domains are totally irrelevant to any of this as far as creating the VPN is concerned.

adimcev:
I don't know what you're trying to get at.  No one is telling him that he can't use additional access controls based on protocols, sources, destinations, user accounts, etc.  No one is telling him to run it "wide open".  And we all know that security goes well beyond the concepts of Layer3 and Layer4,...but the setting up of the VPN with ISA does not concern all those things,..those are done afterwards and independent of the VPN connection itself.

_____________________________

Phillip Windell

(in reply to ren_freak)
Post #: 12
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 9:50:38 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
quote:

No one is telling him that he can't use additional access controls based on protocols, sources, destinations, user accounts, etc. No one is telling him to run it "wide open".

Hmmm...
quote:

The web site being accessed is on the private network but just on another segment on the other side of the VPN. So it should not be proxied at all and it should be a routed relationship instead of NATed. The user should be able to go directly to the web site just as they would if the site was right on their own segment in the same room with them.

quote:

And we all know that security goes well beyond the concepts of Layer3 and Layer4,...but the setting up of the VPN with ISA does not concern all those things,..those are done afterwards and independent of the VPN connection itself.

Actually if he plans to use IPsec tunnel mode and use the web proxy(for various reasons, HTTP filtering, HTTP protocol compliance, user auth, etc.), this config is part of the s2s config, that's why it does not work for him... If you look on my web site, I may have probably mentioned this aspect(HTTP traffic being proxied) within almost every IPsec tunnel mode s2s with a third-party VPN gateway config example I did.

Thanks,
Adrian


(in reply to pwindell)
Post #: 13
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 9:57:16 AM   
pwindell

 

Posts: 2243
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

If you look on my web site, I may have probably mentioned this aspect(HTTP traffic being proxied) within almost every IPsec tunnel mode s2s with a third-party VPN gateway config example I did.


Ok.
Do you have a direct link to that? I'll go check it out a little later when I get some time.


_____________________________

Phillip Windell

(in reply to adimcev)
Post #: 14
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 10:15:46 AM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Ok, when looking at the s2s VPN connection between our main site and our branch site, how would I go about setting that up as L2TP or PPTP? On the Connection tab of the s2s VPN, there is an IPsec Settings button, but nowhere to say "Don't use IPsec, but instead use L2TP or PPTP." Not sure where to configure the connection in the way you suggest. Also, where all the networks are defined, under the Network Rules tab, the Relation listed for our Branch Office network in regards to our Main site is a "Route", and not a NAT. So that is already taken care of...

quote:

 
Because IPsec tunnel mode depends on proxy ids, you need to have proxy ids for ISA's external interface and the remote subnet. On local ISA this should not be a problem, but on the remote VPN gateway(which as I understand is another ISA), you should have configured on the remote site address range the remote ISA's external IP address.


The problem with that is that if I put the ISA server external IP into the address range for our main site on the remote ISA connection definition, for some reason the remote site cannot access our SharePoint intranet via its external URL. Crazy...Makes my head spin. That is why I was hoping that by having this s2s VPN opened up for all traffic between the two, that HTTP would flow as well...Apparently, from what both of you are saying, this isn't so easy with IPsec, so how can I use L2TP or PPTP for our s2s VPN? Thanks for both inputs!

v/r

Josh

(in reply to pwindell)
Post #: 15
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 10:16:24 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Sure. For example, from this one I've quoted myself in some of my above posts:
http://www.carbonwind.net/ISA/CheckPointVPNs2s/CheckPointVPNs2s.htm#toCfgISA
quote:

On the Network Addresses window enter the VPN remote subnet, in my case 192.168.10.0/24, see Figure8. Note that the remote VPN gateway's IP address was automatically added by the wizard, this is useful when you want to ping directly from the remote VPN gateway, or the VPN traffic(from subnet 192.168.10.0/24) might be NAT-ed(sourced with the remote VPN gateway's IP address) or the remote VPN gateway also acts as a web proxy(say another ISA Server 2006 firewall).

http://www.carbonwind.net/ISA/CheckPointVPNs2s/CheckPointVPNs2s.htm#toCfgCP
quote:

Also note that I've added a third security rule, allow VPN traffic from ISA itself to the subnet behind the Check Point VPN gateway. This rule is needed to allow the web proxied traffic by ISA. Since ISA acts as a proxy, the web traffic(including the HTTP one of SecureNAT clients) from the host behind ISA to hosts behind the Check Point, will be sourced with ISA's external IP address. To avoid this see Tom Shinder's Quick Review - Configure Sites for Direct Access, or if you have only SecureNAT clients behind ISA, you can create a custom HTTP protocol with the Web Proxy unbound from this protocol, and then create, in this order, an allow rule for this custom protocol and a deny rule for the "normal" HTTP protocol for HTTP traffic between the hosts behind ISA to hosts behind the Check Point. You may consider twice before excluding the HTTP traffic between the hosts behind ISA to hosts behind the Check Point from ISA's HTTP application filter's inspection, as it may decrease your level of security.
As you can note, this third rule also allows echo-requests too, just in case you want to test from ISA itself, although this is pretty meaningless, because, due to IPsec tunnel mode, testing from ISA itself, you will end up with a SA for the 192.168.22.240 and 192.168.10.0/24 proxy ids, and to actually allow the traffic between the hosts behind ISA to hosts behind the Check Point and vice-versa you need SAs for the 192.168.40.0/24 and 192.168.10.0/24 proxy ids.


Thanks,
Adrian


(in reply to pwindell)
Post #: 16
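
The proxy-ID dependency described in posts #8 and #16, as a simplified model added here (it is not part of any post and is not ISA's own logic). It uses the addresses from the configuration example quoted in post #16 and assumes the responder accepts only an exact mirror of the proposed selector pair; the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Addresses taken from the configuration example quoted in post #16.
ISA_INTERNAL = "192.168.40.0/24"     # hosts behind ISA
ISA_EXTERNAL_IP = "192.168.22.240"   # ISA's external interface
REMOTE_SUBNET = "192.168.10.0/24"    # hosts behind the remote VPN gateway


def proxy_ids(local_ranges, remote_ranges):
    """Every (local, remote) selector pair a gateway is willing to negotiate."""
    return {(ip_network(l), ip_network(r))
            for l, r in product(local_ranges, remote_ranges)}


def egress_source(client_ip, web_proxied):
    """Source address of the packet as it leaves ISA toward the tunnel.

    Web-proxied HTTP is re-originated by ISA, so it carries ISA's external
    address; routed traffic keeps the client's own address.
    """
    return ip_address(ISA_EXTERNAL_IP if web_proxied else client_ip)


def quick_mode(initiator_ids, responder_ids, src, dst):
    """Return the agreed selector pair for src -> dst, or None if no SA can exist.

    Assumption of this model: the responder only accepts the exact mirror
    of the pair the initiator proposes.
    """
    for local, remote in sorted(initiator_ids, key=str):
        if src in local and dst in remote and (remote, local) in responder_ids:
            return (str(local), str(remote))
    return None


def trace(client_ip, server_ip, web_proxied, peer_view_of_isa_site):
    """Follow one connection from a host behind ISA to a host behind the peer.

    peer_view_of_isa_site: the address ranges the remote gateway has
    configured for the ISA site (its "remote site" definition).
    """
    isa_ids = proxy_ids([ISA_INTERNAL, ISA_EXTERNAL_IP + "/32"], [REMOTE_SUBNET])
    peer_ids = proxy_ids([REMOTE_SUBNET], peer_view_of_isa_site)
    src = egress_source(client_ip, web_proxied)
    return quick_mode(isa_ids, peer_ids, src, ip_address(server_ip))


if __name__ == "__main__":
    # Constructed sample hosts inside the two subnets.
    client, server = "192.168.40.10", "192.168.10.20"
    subnet_only = [ISA_INTERNAL]
    subnet_plus_gw = [ISA_INTERNAL, ISA_EXTERNAL_IP + "/32"]

    cases = [
        ("routed traffic, peer lists subnet only", False, subnet_only),
        ("proxied HTTP,   peer lists subnet only", True, subnet_only),
        ("proxied HTTP,   peer also lists ISA external IP", True, subnet_plus_gw),
        ("unproxied HTTP (direct access / custom protocol)", False, subnet_only),
    ]
    for label, proxied, peer_ranges in cases:
        sa = trace(client, server, proxied, peer_ranges)
        print(f"{label}: {'SA ' + ' <-> '.join(sa) if sa else 'no SA, traffic dropped'}")
```

The second case reproduces the symptom from post #1: every routed protocol gets a security association while web-proxied HTTP has no matching selector pair.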
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 10:26:48 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Just delete the IPsec tunnel mode s2s, and recreate it using L2TP/IPsec for example if you don't want IPsec tunnel mode any more. You can switch from PPTP to L2TP/IPsec, but not from IPsec tunnel mode to L2TP/IPsec.

Maybe this will help(applies to ISA 2004):
http://download.microsoft.com/download/c/3/c/c3c121ad-2c3f-49b8-ad47-aacecc174d6e/Creating%20a%20Site%20to%20Site%20L2TP-IP%20with%20Pre-shared%20key%20-%20MDW.doc
With ISA Server 2006 compared to ISA 2004 the initial config is easier due to the VPN s2s wizard.
Additionally you may take something -if any- from here(applies to ISA 2006):
http://www.carbonwind.net/ISA/ISAVPNPartialMesh/ISAVPNPartialMesh.htm
http://www.carbonwind.net/ISA/ISAVPNHubAndSpoke/ISAVPNHubAndSpoke.htm

Thanks,
Adrian

< Message edited by adimcev -- 21.Aug.2009 10:29:51 AM >



(in reply to adimcev)
Post #: 17
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 10:31:24 AM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Ah!! So that's how you create that. From scratch. Cool. Well I may have to test this out after hours, as I don't want to disturb the connection between the two sites right now. But perhaps I should change to L2TP. Would this allow the HTTP traffic to just flow normally back and forth like the rest of the traffic, instead of having to factor in all these proxy configs? Thanks for sticking with me on this!

(in reply to adimcev)
Post #: 18
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 10:48:53 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
If you want to experiment with ISA, the simplest and convenient way is to use a virtual lab, VMware Server, Workstation, VMware ESXi, Hyper-V, VirtualBox, etc. That's one of ISA's features, and an advantage over some "hardware" firewalls which you cannot virtualize. So you can mess all day long, test the configs prior to deployment, break the VMs. It does not matter, no one cares, just take a snapshot on each clean VM, and you will be back to a clean lab in minutes, and do more tests.

Aaa, and about the sharepoint thing, if you add the remote VPN gateway's IP address to the remote site definition on the other ISA, on this ISA, if you use on the hosts behind the remote ISA the "public URL", such traffic will be sourced with the remote ISA's external IP address(and this IP address should not belong now to the External Net) and will be destined to the public IP address on this ISA. I'm not sure if your web server publishing rule was configured like so, or if it is any point in doing that.
It would have been advised to avoid the .local TLD("webserver.ourdomain.local"), and have the split DNS properly implemented. In this way, for users there won't be any local and public URLs, just one URL, and things will happen in the background, a pleasant experience for users.

Thanks,
Adrian

< Message edited by adimcev -- 21.Aug.2009 10:56:59 AM >



(in reply to ren_freak)
Post #: 19
RE: Cannot Access HTTP port 80 over Site-to-Site VPN - 21.Aug.2009 11:05:01 AM   
ren_freak

 

Posts: 82
Joined: 12.Jan.2009
Status: offline
Hmmm...So, are you saying that if I add the Remote Site Gateway IP to the list of IP ranges that define the Remote site (doing all this on the ISA server for the Main site), then HTTP traffic coming from the remote site in the form of the public URL for our SharePoint site will be looked at like it is coming from the Remote Site network (because of the external URL being included in the ranges)? And if that is the case, and our Listener for our SharePoint site publishing rule is listening on the External network, then of course those requests would not be heard on the ISA firewall. So I would need to add the Remote Site network to the Listener being used by our SharePoint site publishing rule?? Am I following you correctly?

v/r

Josh

(in reply to adimcev)
Post #: 20
