If I have a client that is set up as both a Web Proxy and a SNAT client, and I want to block a protocol or a web site for this client, should I do this by username or by IP address? Also, does a rule allowing Anonymous apply first to these clients before any deny rules? I'm running AD, and all clients are SNAT clients and Web Proxy clients, running WinXP.
Yes, the reason I don't install the Firewall client is because all the client machines need to VPN into a Cisco 3000 VPN server that uses IPSec. So I was wondering if I could still take advantage of the web cache by setting the clients up as both SNAT & Web proxy.
Hmm... I see. If all clients are Web proxy clients, then for the protocols HTTP, HTTPS and FTP download you can control access by username. If the Cisco VPN client requires a SecureNAT client (although it is UDP encapsulated or NAT traversal compatible), you can only control other protocols by IP address. This is hardly a workable solution in a DHCP environment.
However, it is my understanding that the Cisco VPN3000 concentrator also supports PPTP. Is that an option, or must you use IPSec? If PPTP is an option, I believe PPTP passthrough is also supported by ISA with the Firewall client installed.
Have you already tested the Cisco VPN client on a SecureNAT client? If that works OK, have you also tried it on a Firewall client? However, I'm not sure it *can* work on a Firewall client.
I regret I couldn't test it myself, but I think it all depends on which level in the protocol stack the IPSec client is implemented at. Will the Firewall client redirect the request before the IPSec client can do its work?
So, if you can do the tests and report back, you'll help a lot of people with the same problem.
But I still have no good technical explanation why it can't work with the Firewall client, only some thoughts. Moreover, why does PPTP work with the Firewall client? Is there some special support for it in the Firewall client?
Nice diagram. I can't figure out why it doesn't work with the Firewall client as well. I'm thinking it might be an authentication issue, because it should work with the Firewall client. If you find out why some day, let us know; I will too.
I'd like to know why it doesn't work with the Firewall client too.
I know that the "enable PPTP through the firewall" feature actually invokes some kind of application filter (which isn't documented). I'd do a trace of the connection and see what shows up. Until then, install the Firewall client and then disable it when you need to, and make the client a SecureNAT client.
Hey spousee, I followed your post about how to get ISA to sync to an external time server, and it worked with no problems. Now I'm trying to do the same thing at a client's network, but I can't get it to work. I can get the ISA to sync just fine, but when I try to get the AD machine to sync with ISA, it keeps saying that the requested port is already in use. Any thoughts on this one?
From the limited testing I have done, it seems that the Firewall client does some screwy things with the Winsock files. I would guess that the Firewall client replaces the local machine Winsock with a redirector that forwards the requests to the ISA Server. I know that Cisco is attempting to have direct control over the TCP/IP stack, since none of the MS routing or ipconfig commands seem to indicate anything about the status of the Cisco VPN tunnel. So maybe the issue is the removal/modification of the Winsock?