I'm currently trying to establish an IPSec connection using Kerberos through an ISA server from a server in the LAN to a server in the DMZ

IP DMZ server : 10.10.15.10

IP1 ISA server : 10.10.15.1
IP2 ISA server : 10.10.1.1

IP LAN server : 10.10.1.2

Which filters/rules need to be set up to allow the IPSec communication ?

AH and Kerberos won't work through the NAT. So, this configuration cannot work with ISA Server with a client on the LAT.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/

Get It Here!

Under Access policy right click and go into the properties of IP Pakcet Filters. Then enable both Packet filtering AND IP routing with intrusion detection. Then hop over to the PPTP tab and select "PPTP through firewall". When you leave the screen the appropriate filter will be automatically created to allow PPTP. With that out of the way simply open up the nessisary Kerberos ports (good idea to lock down source and destination as oppossed to any/any) and your done.

On the servers on either side of the internal ISA, either set your default gateway to the ISA server or add a static route to it. Lastly, review any name resultion issues you might have and your done.

End result? PPTP connections through the internal ISA to a VPN server. A nice way to control who can manage boxes in your DMZ.