One thing I would like to add is that the DHCP server has to be started and functioning BEFORE the Routing and Remote Access server starts; otherwise it will never discover that the DHCP server is alive and use the DHCP pool.
It will issue the 169.254.x.x addresses.
We discovered this the hard way when we lost a switch.
1. Full support for the Firewall client
2. Logging user names, application names, and site names in the ISA firewall logs
3. Full support for user certificate authentication
4. Avoidance of RADIUS authentication, which passes credentials using PAP
5. Centralized security administration via group policy
6. Full support for domain group policy for IPSec secured connections using Kerberos
7. And many more.
Does this granular access for VPN clients require the Firewall Client? I am assuming that the answer is yes because you are authenticating users for these protocols, but I've not had the opportunity to implement this scenario yet.
No! That's the beauty of the VPN client access control. The Firewall client is required to auth the users with the ISA firewall on the internal network.
But VPN users have to auth with the ISA firewall to *establish the VPN connection*. This means the ISA firewall has the user's identity and you can use the strong user/group based access control *without the Firewall client* for VPN users.
Great article. I hope you can shed some light on the following observations I have made whilst implementing some of the rules in your article. I am using global groups in my domain for the user groups. I have set up the DNS, Outlook MAPI and File Share rules.
1. For the Outlook MAPI access to work I have to add the RPC16 protocol to the access rule.
2. I am being asked for authentication to my Exchange mailbox when I open Outlook. Having given my credentials, it connects no problem.
3. If I attempt to browse the network I get an error message that I 'might not have permission to browse this network resource'.
To try and see where the problem lies I modified all rules so that they allow 'all outbound traffic' to the specified destinations.
I can then observe the following:
A. LDAP (UDP) calls that were being denied are now being allowed.
B. There are now Kerberos-Sec (UDP) and (TCP) calls that weren't present before.
C. Everything works fine (not a great surprise) and I don't have to give authentication information when I open Outlook.
I guess I could just allow these extra protocols, but I think I should at least understand why before I do this. Any help on this will be appreciated.
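The troubleshooting method above (relax a rule to "all outbound", then compare what the firewall log shows against the strict rule) and the earlier post about RRAS handing out 169.254.x.x addresses are both things you can check from the ISA firewall logs. The script below is an added example, not code from the article or from any poster: it parses a W3C-style log using the #Fields header, reports which protocols the relaxed rule allowed to the same hosts that the strict rule never allowed, and flags any client connecting from an APIPA address. The log lines, the rule names and the field layout are constructed for the example and are a simplified layout rather than ISA Server's exact log schema.

```python
"""Triage helper for ISA-style W3C firewall logs (added example, not from the thread).

Two checks for VPN client access-control troubleshooting:
1. Protocols the relaxed ("allow all outbound") rule allowed that the strict rule
   never allowed to the same destination hosts: the candidates to investigate.
2. VPN clients whose source address is 169.254.x.x (APIPA), the symptom of RRAS
   starting before the DHCP server was reachable.
"""
import csv
import ipaddress

# CONSTRUCTED sample log. Field set is a simplified W3C layout, not ISA's real schema.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username r-host protocol action rule
2006-03-01 09:00:01 10.10.10.5 DOMAIN\\alice dc1.example.local LDAP(UDP) Denied "Outlook MAPI"
2006-03-01 09:00:01 10.10.10.5 DOMAIN\\alice dc1.example.local LDAP Allowed "Outlook MAPI"
2006-03-01 09:00:02 10.10.10.5 DOMAIN\\alice exch1.example.local RPC Allowed "Outlook MAPI"
2006-03-01 09:00:03 169.254.77.3 DOMAIN\\bob exch1.example.local RPC Denied "Outlook MAPI"
2006-03-01 09:30:00 10.10.10.5 DOMAIN\\alice dc1.example.local LDAP(UDP) Allowed "All Outbound Test"
2006-03-01 09:30:00 10.10.10.5 DOMAIN\\alice dc1.example.local Kerberos-Sec(UDP) Allowed "All Outbound Test"
2006-03-01 09:30:01 10.10.10.5 DOMAIN\\alice dc1.example.local Kerberos-Sec(TCP) Allowed "All Outbound Test"
2006-03-01 09:30:02 10.10.10.5 DOMAIN\\alice fs1.example.local Microsoft_CIFS(TCP) Allowed "All Outbound Test"
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")


def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        # csv handles the quoted rule name; backslashes in DOMAIN\user stay literal.
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        records.append(dict(zip(fields, values)))
    return records


def missing_from_rule(records, strict_rule, relaxed_rule):
    """Protocols allowed by the relaxed rule, to hosts the strict rule covers,
    that the strict rule itself never allowed."""
    strict = [r for r in records if r["rule"] == strict_rule]
    hosts = {r["r-host"] for r in strict}
    allowed_strict = {r["protocol"] for r in strict if r["action"] == "Allowed"}
    allowed_relaxed = {
        r["protocol"] for r in records
        if r["rule"] == relaxed_rule and r["action"] == "Allowed" and r["r-host"] in hosts
    }
    return sorted(allowed_relaxed - allowed_strict)


def denied_under_rule(records, rule):
    """Protocols the rule explicitly denied (what the poster saw before relaxing it)."""
    return sorted({r["protocol"] for r in records if r["rule"] == rule and r["action"] == "Denied"})


def apipa_clients(records):
    """Users whose client address is in 169.254.0.0/16: no DHCP lease was handed out."""
    hits = {}
    for r in records:
        ip = ipaddress.ip_address(r["c-ip"])
        if ip in APIPA:
            hits.setdefault(r["cs-username"], set()).add(str(ip))
    return {user: sorted(addrs) for user, addrs in hits.items()}


def triage(log_text, strict_rule, relaxed_rule):
    """Run all three checks over one log and return the findings."""
    records = parse_w3c(log_text)
    return {
        "denied": denied_under_rule(records, strict_rule),
        "add_candidates": missing_from_rule(records, strict_rule, relaxed_rule),
        "apipa_clients": apipa_clients(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, "Outlook MAPI", "All Outbound Test").items():
        print(f"{key}: {value}")
```

Run against a real export, point `triage` at the log text and use the actual rule names; the `add_candidates` list is a starting point for deciding which protocols the strict rule genuinely needs, not a list to add blindly, and any entry in `apipa_clients` points at the RRAS/DHCP startup order rather than at the access rules.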
Why are the Active Directory domain users placed in these ISA firewall groups? And we don't need to create these groups on a domain controller, as these are ISA firewall groups, not Active Directory global groups? I was a bit confused about this. Could you please explain more? Thanks.
quote: Originally posted by jossebrice: I'm OK with the article, but I want to know how to allow only VPN clients with a specific public IP. In fact I don't want to allow all worldwide VPN clients. How can I do it?
This is a great article, as I didn't realize before, what can be done with ISA to grant access to Exchange, but not shares, etc.
I have implemented Tom's tutorial, besides the UNIX one. I have a couple of questions:
- Tom, do you have a schedule for the announced parts on CMAK and the logs in regards to the VPN?
- If I want to share a single network printer (actually the fax) only through the VPN, what are the different settings?
- Can the access on file sharing only be on a "server" basis, or also on single shares (usually there are many shares on file servers, which we control via the file system security)? It would be great for e.g. contractors to only see "their" single share.