Cannot SSH to server over PPTP from within ISA 2004 (SBS2k3) network using firewall client??

I am on an SBS 2003 Network using ISA 2004 and my machine is using the Firewall Client.  

I recently got a virtual server at softlayer and I can open a vpn connection to the softlayer network and ping my server however I cannot connect using SSH with PuTTY.  

I can disable the firewall client temporarily and SSH to the server and then re-enable the firewall client and my SSH connection will stay up.

Does anyone have any ideas about why the firewall client / ISA Server is not allowing the SSH connection?  

Also, the ISA logs do not show any blocked connections.

Thanks in advance,

David
dtsmith1984Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pwindellCommented:
It is not logging anything being block because it is not blocking it.  The problem is that this is a VPN and the IP Range on the Remote Network (SoftLayer) is not configured within ISA as being part of the Internal Network,...therefore the FWC interprets it as being a connection attempt to "External" and winging it out to the Internet where it fails.  So it isn't being denied,..it is being allowed,...it is just failing because it is being tossed down the wrong path.
Why does it work without the FWC?  Because without the FWC the local machine's regular "routing" takes over.  By the very nature of how VPN works,..the VPN is overriding the local machines Default Gateway with itself (the VPN becomes the new Default Gateway).  Since the target IP# is obviously not part of the local machine's local network the traffic gets "tossed" to the Default Gateway (which happens to be the VPN at the moment) and it works.
So....
Option #1
Find out the IP Range (or at least the one you are targeting) and add it to the Internal Network Definition.  This would be the IP Range inside the Tunnel,...not the outside of the Tunnel.  Then from a command prompt create a "blackhole" Static Route on the ISA machine for the same IP Range.  This route will never actually get used,...it is only there so that ISA has a route that corresponds to all the listed IP Ranges in the Internal Network Definition.  Without the Route it will probably whine and complain about it and give alerts that it sees address on the LAN that may be spoofed. In other words it will complain that is see addresses on the Internal Interface that have no corresponding route.
Option #2
Just disable/enable the FWC as needed as you are already doing and don't worry about it.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dtsmith1984Author Commented:
Thank you for the great explanation.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.