Solved

pptp vpn clients are not able to open shared network drives on ISA server

Posted on 2009-05-04
Last Modified: 2012-05-06
Hi, we have the following:
LAN---ISA SERVER---LINKSYS RV042---INTERNET
We connect using PPTP VPN to the LINKSYS RV042 and from there we would like to run some SQL applications and also see some shared network drives on that ISA server. We created a rule on the ISA to allow access from the VPN clients into it; the rule was defined to treat the VPN client network as a trusted network, so all IP protocols (TCP and UDP) come in and go out from and to the VPN clients. However, we can run any application on any port except for the networking shared drives. Is there anything we can configure on that ISA so we can go to Run and type \\172.16.1.1 (actual IP address of the ISA SERVER WAN interface) and then see the shared drives? By default ISA does not allow Windows networking on its WAN unless you define the source IP as trusted, is what we thought, but it is still not working. Topology change suggestions are welcome; however, we were unable to find a way to forward the ESP protocol to an inbound host on this Linksys RV042. Thanks
Question by:wirlan
LVL 35

Expert Comment

by:Bembi
If you use the router in front of ISA to establish VPN connections, ISA is not aware of the fact that this should be an internal user.

I would recommend using ISA as the VPN server. You can arrange that by setting your router to VPN pass-through (or by opening the associated ports, if there is no such setting). In that case, your VPN client is handled by ISA and therefore handled by the VPN client rules. As the client is on the internal network in that case, you can get full access to any internal resources.



Author Comment

by:wirlan
I understand the suggestion; however, I couldn't find a way to port forward the 1753 port and the ESP protocol. Linksys only allows port forwarding on TCP and UDP ports; it won't do forwarding for the ESP protocol itself, so that is why the PPTP VPNs are connecting to the router... We want to keep the router in front of the ISA server for security purposes. Thanks for the reply!

Author Comment

by:wirlan
Correction: I meant the GRE protocol, NOT ESP. Thanks
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ISA is a fully featured firewall solution. There is no reason to protect ISA itself (if set up correctly). Most routers have a (simple) firewall included. Your RV042 is not the cheapest one, so I would assume that it provides what is needed.

Most routers (also the cheap ones) provide a setting called VPN pass-through. This opens all ports (mostly for PPP or IPsec / L2TP). You can of course also do this by hand. Whether this also includes ESP depends on the router itself.

ESP is IP protocol number 50.
So you may have a look at where you can enable this within your router. As this is on the IP level, not on the TCP level, it has nothing to do with port forwarding (which is on the TCP level). Port forwarding for TCP ports is protocol type 6.

You may either find some direct configuration options for IP-based protocols, or you may have to change the default firewall filters. Most routers are preset to allow everything outgoing and nothing incoming. And this may also block all kinds of protocol types, with the exception of the basic TCP / UDP protocol types, which are controlled by port forwarding.

Have a look here at what I found about Linksys:
http://www.astaro.org/astaro-gateway-products/vpn-site-site-remote-access/3497-open-port-ike-phase-2-a.html

The advantage of passing VPN through the router is that you have better control over your VPN clients using ISA; otherwise you would have to drill some holes into the ISA. ISA directly supports all kinds of VPN clients and authentication types, including certificates and so on. Your client is inside the network. If the VPN connection ends at your router, you have to explicitly open all needed services one by one through ISA, as your client is outside the network.
LVL 35

Assisted Solution

by:Bembi
Bembi earned 500 total points
OK, GRE is usually a Cisco issue. Mostly in combination with Cisco firmware and MS VPN clients as well as servers.

GRE is protocol type 47.

Have a look here to see if this helps:
http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=112185
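The distinction the answers draw between IP protocol numbers and TCP/UDP ports, as an added example that is not part of the original thread: a small Python parser that reads the protocol field of an IPv4 header and shows that GRE (47) and ESP (50) packets carry no port for a port-forwarding rule to match. The helper names, the sample packets and the source address 192.0.2.10 are constructed for illustration.

```python
import struct

# IANA IP protocol numbers; 50, 47 and 6 are the values quoted in the answers.
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
PORT_BASED = {"TCP", "UDP"}


def classify(packet: bytes) -> dict:
    """Parse an IPv4 packet and report what a router can match on to pass it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                       # 'protocol' field of the IP header
    name = IP_PROTOCOLS.get(proto, f"protocol {proto}")
    info = {"protocol": proto, "name": name, "dst_port": None,
            "port_forwardable": name in PORT_BASED}
    if name in PORT_BASED:
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        # TCP and UDP headers both begin with source port, destination port.
        _, info["dst_port"] = struct.unpack_from("!HH", packet, ihl)
    return info


def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 10]), bytes([172, 16, 1, 1]))
    return header + payload


# Constructed samples: a file-sharing connection (TCP/445), a GRE and an ESP packet.
SAMPLES = {
    "smb": ipv4(6, struct.pack("!HH", 49152, 445) + bytes(16)),
    "gre": ipv4(47, bytes(8)),
    "esp": ipv4(50, bytes(8)),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, classify(pkt))
```

Only the TCP sample yields a destination port; the GRE and ESP samples have to be allowed by protocol number in the router's firewall or pass-through settings.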
 

Author Closing Comment

by:wirlan
Thank you guys