Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Cannot SSH to server over PPTP from within ISA 2004 (SBS2k3) network using firewall client??

Posted on 2009-06-30
2
Medium Priority
?
893 Views
Last Modified: 2012-05-07
I am on an SBS 2003 Network using ISA 2004 and my machine is using the Firewall Client.  

I recently got a virtual server at softlayer and I can open a vpn connection to the softlayer network and ping my server however I cannot connect using SSH with PuTTY.  

I can disable the firewall client temporarily and SSH to the server and then re-enable the firewall client and my SSH connection will stay up.

Does anyone have any ideas about why the firewall client / ISA Server is not allowing the SSH connection?  

Also, the ISA logs do not show any blocked connections.

Thanks in advance,

David
0
Comment
Question by:dtsmith1984
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 24749725
It is not logging anything being block because it is not blocking it.  The problem is that this is a VPN and the IP Range on the Remote Network (SoftLayer) is not configured within ISA as being part of the Internal Network,...therefore the FWC interprets it as being a connection attempt to "External" and winging it out to the Internet where it fails.  So it isn't being denied,..it is being allowed,...it is just failing because it is being tossed down the wrong path.
Why does it work without the FWC?  Because without the FWC the local machine's regular "routing" takes over.  By the very nature of how VPN works,..the VPN is overriding the local machines Default Gateway with itself (the VPN becomes the new Default Gateway).  Since the target IP# is obviously not part of the local machine's local network the traffic gets "tossed" to the Default Gateway (which happens to be the VPN at the moment) and it works.
So....
Option #1
Find out the IP Range (or at least the one you are targeting) and add it to the Internal Network Definition.  This would be the IP Range inside the Tunnel,...not the outside of the Tunnel.  Then from a command prompt create a "blackhole" Static Route on the ISA machine for the same IP Range.  This route will never actually get used,...it is only there so that ISA has a route that corresponds to all the listed IP Ranges in the Internal Network Definition.  Without the Route it will probably whine and complain about it and give alerts that it sees address on the LAN that may be spoofed. In other words it will complain that is see addresses on the Internal Interface that have no corresponding route.
Option #2
Just disable/enable the FWC as needed as you are already doing and don't worry about it.
0
 

Author Closing Comment

by:dtsmith1984
ID: 31598519
Thank you for the great explanation.  
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question