zeheb

asked on

ISA block VPN packet

I've been searching forever on this one. Your help would be greatly appreciated.

We've got an ISA server in front of our organization.
I configured my system so that local users on my LAN can connect to our firewall server through a VPN connection. This part is working perfectly.
I now need to configure the ISA server to allow remote users to gain access to our network through the internet.
I can monitor our router and see that port 1723 traffic is indeed routed to our ISA server machine; however, our ISA machine is not responding back to the client and an "Error 678: There was no answer" message appears.

Here is what I did so far, with no luck:

1) In the "IP Packet Filter" section I created two additional rules that allow port 1723 and port 47 to be routed.
   Also in that section I right-clicked "IP Packet Filter", selected "Properties", then selected "Enable packet filtering", "Enable IP routing" and "Enable intrusion detection" from the General tab.
I also selected "PPTP through ISA firewall" from the PPTP tab.

2) I opened port 1723 and port 47 in the "Protocol Rules" section.

3) I repeated step 2 for the "Access Policy" and "Server Publishing Rules" sections.

Network structure (not sure if relevant)
----------------------------------------

* In front of our organization there is a router which redirects all relevant protocol traffic from the internet to the ISA server machine.

* Our ISA server machine has its own segment and is working in workgroup mode outside our domain.

* Our ISA server has two network adapters: one for the in/out Internet-to-LAN connection and the other just for internal LAN traffic.

Les Moore

>and port 47
It is not TCP port 47, it is PROTOCOL 47 (GRE) that you must permit.
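The distinction Les Moore makes is easy to get wrong in a filter rule, so here is an added illustration (not code from the thread and not ISA's own filter format): a tiny packet classifier run over two constructed packets, the PPTP control connection on TCP/1723 and a GRE data packet (IP protocol 47). A rule written as "TCP port 47" never matches the GRE packet, because GRE sits directly on IP and carries no port number at all.

```python
import struct

def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero); constructed for this example."""
    src_b = bytes(map(int, src.split(".")))
    dst_b = bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (ip_protocol, dst_port). dst_port is None unless the payload is TCP(6) or UDP(17)."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]                     # IP protocol number field
    l4 = pkt[ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        return proto, struct.unpack("!HH", l4[:4])[1]
    return proto, None                 # GRE, ESP, ICMP, ... have no ports

def rule_matches(rule, proto, dport):
    """A rule names an IP protocol and, for TCP/UDP only, an optional destination port."""
    if rule["ip_proto"] != proto:
        return False
    return rule.get("port") is None or rule["port"] == dport

def allowed(rules, pkt):
    proto, dport = parse_ipv4(pkt)
    return any(rule_matches(r, proto, dport) for r in rules)

# Constructed traffic from a remote client (203.0.113.10) to the VPN server (198.51.100.1).
TCP_SYN_1723 = struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
PPTP_CONTROL = build_ipv4(6, "203.0.113.10", "198.51.100.1", TCP_SYN_1723)
# GRE header for PPTP (version 1, K+S set, protocol 0x880B = PPP) plus a few payload bytes.
GRE_DATA = build_ipv4(47, "203.0.113.10", "198.51.100.1", bytes([0x30, 0x01, 0x88, 0x0B]) + b"\x00" * 8)

# The asker's reading of "port 47": a second TCP port.
MISTAKEN_RULES = [{"ip_proto": 6, "port": 1723}, {"ip_proto": 6, "port": 47}]
# The correct pair: TCP/1723 for the control channel, IP protocol 47 for the data channel.
CORRECT_RULES = [{"ip_proto": 6, "port": 1723}, {"ip_proto": 47}]

if __name__ == "__main__":
    for name, rules in (("mistaken", MISTAKEN_RULES), ("correct", CORRECT_RULES)):
        print(name, "control:", allowed(rules, PPTP_CONTROL), "GRE:", allowed(rules, GRE_DATA))
```

With the mistaken rules the control channel comes up but every GRE packet is dropped, which is exactly the symptom of a tunnel that negotiates and then never passes data.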
zeheb

ASKER

>> It is not TCP port 47, it is PROTOCOL 47, GRE that you must permit

Do you know what port I must open that corresponds to the above protocol? How do I configure it?
ISA will not allow PPTP to connect inbound through the ISA. That would require the ISA server to be able to publish GRE. It cannot. The only thing you can do is allow ISA to terminate the VPN; you cannot pass it through.

ASKER

You mean to tell me there is no way I can allow my remote users to use VPN to gain access to my network?
>> I also selected "PPTP through ISA firewall" from the PPTP tab.

Then what does it mean?

How do other organizations allow VPN?
ASKER CERTIFIED SOLUTION
geoffryn
Geoffryn is correct. Terminate your VPN connection at the ISA server itself.

geoffryn.

Check out ISAserver.org; it has a large number of VPN-related step-by-step guidelines.

There are too many of them to list here; however, they are extremely easy to find.

This site is a must-have for any ISA configs.

ASKER

>> Other orgs terminate the VPN on the ISA....

O.K.: How do I configure that?
I'm new to this field.
Run the Local VPN wizard in ISA Management.

ASKER

Sorry for the delay.
I can't seem to find this wizard.
Where can I find it?
How can I trigger it?
I'm new to this field, so take it easy please.

ASKER

I heard that ISA can work in a "client server" configuration.
This means, so I heard, that ISA should be installed on both the server and workstation side (i.e. on the "win2k pro" and "win2k server" OS) in this configuration. Could it be that the ISA "Local VPN wizard" can be found only in the above configuration? I did some reading, and every tutorial I read insists that the "Local VPN wizard" should be triggered by right-clicking the "Network Configuration" node and choosing that wizard from the menu that appears.

I triple-checked it, however, and I'm positive that there is no such option in that menu in my case. Could it be because I'm not working with the "client server" configuration and the referred tutorials just assume that I am? If so, how can I change that configuration?

Thank you

zeheb :-)
In ISA Management, click Home, Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN.

ASKER

>>In ISA Management, click Home, Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN

But there is no such option in my case.
I don't know why. You can look at my ISA screenshot at:
http://www.bluebird-optical-mems.com/ISAScreenshot/ISAScreenshot.jpg
Lower right hand corner of the screen.  Click Home,  Configure Servers and Arrays, Configure Network Connection, then click the configure Local VPN.


ASKER

I appreciate very much your time and effort to help me.
I'm sorry for the long period of waiting time.

I'm afraid I have no "Configure Network Connection" section in my ISA. I don't know why; I just don't have it as shown in the site above. Is it O.K. with you if I just erase this question, since no one has been able to resolve this issue?
If so, how shall I do it? I couldn't find the link for this as well.