Solved

HELP!!! I have a Windows 7 Home Premium laptop passing through my ISA 2004 firewall.

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi, I need some assistance or pointing in the right direction.  I have a user's laptop that has Windows 7 Home Premium 64-bit that is passing through my ISA 2004 firewall that shouldn't be.  I require users to use a VPN client that I have created and downloadable from our website.  If the user doesn't have the VPN client connected or installed it will redirect them to the page to download it.

I have another user that has Windows 7 Home Premium 32-bit that does exactly what it is supposed to do.  So, unless I am missing something, is it possible the 64-bit version is able to bypass my ISA firewall protection?

Also, I thought maybe IPv6 was doing something and had them disable it, yet they are still able to pass through.

I only have Server 2003, no 2008 yet.

Let me know if I missed anything or you require further information to assist.

Thanks for your time.

Bob
Question by:rsnellman
15 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 33738726
You're not making any sense.   Please explain the situation more clearly and accurately.
 
LVL 29

Expert Comment

by:pwindell
ID: 33738755
BTW - There is really no such thing as "bypassing" a proxy.

You either use the proxy,....or you don't use the proxy,...that's it.

If you don't use the proxy,...then something else (independent of the proxy) has to get the user to the Internet,...which has nothing to do with your proxy itself.
 
LVL 10

Accepted Solution

by:
simonlimon earned 500 total points
ID: 33739020
Home Premium computers can't be domain members; you are probably allowing all non-authenticated HTTP traffic outside, but I'm just guessing..

You can also monitor sessions of these users and compare the differences. You can do this in the ISA Server Console, Logs and Reporting -> Logging tab.

But as pwindell said already, please explain your situation. Also, how do you redirect your users? And what does "pass through" mean exactly? Do you block HTTP traffic if not using the proxy? Do you mean that a user has access even though he shouldn't have? Why are you pushing a VPN to your users, just curious here :) ?

 

Author Comment

by:rsnellman
ID: 33745438
OK, sorry, I was in a bit of a rush.  

Let me try again.  

I have a Windows Server 2003 (32-bit) that is running DHCP Server services, Routing & Remote Access services & ISA 2004 standard.  It is what I am referring to as our beachhead for the wireless network.

Our wireless network is on a private network, 172.x.x.x that the DHCP server handles.

I have rules set in the ISA that require laptops(wireless devices) to run a pre-built VPN client created for Windows based wireless devices using PPTP.

If they do not use the VPN client, then when they try to surf anywhere other than our main website page, it redirects them to the VPN client download page.

Well, some Windows 7 users are not being redirected to this VPN client download page.  In fact, they are able to surf the Internet without the VPN client.

I am not sure what else to check at this point.

Any ideas or suggestions or links will be greatly appreciated.

I hope this makes more sense.


Bob
 
LVL 29

Expert Comment

by:pwindell
ID: 33747336
"I have rules set in the ISA that require laptops(wireless devices) to run a pre-built VPN client created for Windows based wireless devices using PPTP.

If they do not use the VPN client than when they try to surf anywhere other than our main website page, it redirects them to the VPN client download page."

That is the part that doesn't make any sense.  VPN to what?
"Our wireless network is on a private network, 172.x.x.x that the DHCP server handles."
Ok, so that is a private network,...what about the private network (Internal)?
ISA2004 only does two types of VPN:
1. Site-to-Site VPN (aka Router-to-router VPN)
2. Remote Access VPN.  Clients out on the Internet use VPN to connect inbound to the private protected LAN
Nothing that you are doing seems to fit that.
 

Author Comment

by:rsnellman
ID: 33749238
Hmmm...maybe I am confused.

Without the VPN client they are denied access outside of the private 172.x.x.x wireless network.  So, they go nowhere and no ports are open for use without the VPN client.

 
LVL 29

Expert Comment

by:pwindell
ID: 33749406
That isn't the way VPN works and ISA does not use VPN in that way.
You keep explaining what you are doing at the "10,000 foot level",....I need the explanation to be at the lower level where all the gory details are and all the "whys" and the "what for's" are answered.
 
LVL 29

Expert Comment

by:pwindell
ID: 33749421
Basically it sounds to me like you are doing it backwards,...you're trying to make internal users use VPN to get out (or to another internal LAN segment),....instead of making external users use VPN to get in.
 

Author Comment

by:rsnellman
ID: 33749458
Yes, that is what we are doing, we are using it backwards, but it works, or well, for most users it does.  I never set this up or was involved in the planning or deployment stages, but it was a way to allow wireless users access to the Internet through our network with as minimal a security risk or compromise as possible.

I am not sure what you are asking or looking for.  I guess this is more complex of a design than I thought it was initially.

 
LVL 29

Expert Comment

by:pwindell
ID: 33754831
There is no benefit to using the VPN for that at all.  I have no idea what the people who set that up were thinking, but they were wrong.   ISA is not built to do it that way and I am completely shocked that it even worked at all to begin with.  On top of that you are gaining absolutely nothing by doing that,...it's just based on "superstition".
In the IT world there seems to be a lot of fables and superstitions swirling around security.  One of those is that wireless Hosts are somehow different and somehow less secure than wired.  That is not true at all.  Also keep in mind that there is no such thing as a true wireless network,...all networks are wired,...the only thing that wireless replaces on desktops and laptops is the patch cable,...that's it,...just the patch cable,...the cable between the Host and the first Switch.  Everything after that is wired.
So if your wireless hosts play the same Role and do the same Job on the LAN as wired desktops then they should be treated just like the desktop,...granted that you secure the Radio Signal of the WAP using one of the WPA encryption variations,...but beyond that they are just normal hosts on the LAN.
If the wireless hosts represent Guests on your LAN then you create a subnet just for guests and deal with it that way,...you'd do the same thing if Guests were using regular wired desktops,...the fact that they are wireless is irrelevant.
 
 
LVL 10

Expert Comment

by:simonlimon
ID: 33755619
Pwindell,

My thoughts exactly..

You then block or allow the wireless clients through the ISA for that wireless guest network.
 
LVL 29

Expert Comment

by:pwindell
ID: 33755721
Exactly.  
The first most straight forward way it can be done is to use a "wireless router" and put its WAN interface on the "outside" with a Public IP# if you have such resources to do that,....then none of it ever touches the LAN at all
The second most straight forward way it can be done is:
1.  Add another Nic to the ISA/TMG (nics are cheap).
2.  Create a new Network definition with a new address range in the ISA MMC that corresponds to the new Nic.  When creating that it would be of the Type "internal" or "perimeter" (not really any real difference between those two choices in this case).  When you give it a Name you can call it "Guest" for the sake of simplicity and being "self-documenting"
3. Create Access Rules to allow traffic from Guest to External.  That lets them get to the Internet but has no access to Internal at all and no access to the ISA/TMG (LocalHost) either.
4. You then connect the WAP or "wireless router" to that nic and "go with it".  Using a WAP is the cleanest and simplest (WAP being just a glorified wireless Switch) but you would lack DHCP unless you setup the DHCP Relay Agent in RRAS on the ISA/TMG Machine and created a new Scope in the DHCP Server you are already using for the LAN.    If you used a "wireless router" it would be more complex and less flexible,..but the device would provide the DHCP for the guests for you easily by itself
 

Author Comment

by:rsnellman
ID: 33885564
Umm...guess I forgot to explain further.  We use dual NICs.  One for the internal (wireless network) and the other for external (LAN network).  Then I use the DHCP server to assign IPs to wireless devices and, depending on whether they have VPN access via ISA rules, they can gain access to the Internet, or if not they are denied access to anywhere on our network.

Hope that makes more sense.

Thanks.
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 500 total points
ID: 33885624
So it's basically a homegrown NAP :)

Ok. If you monitor the traffic from that host with ISA console > Logs and Reports > Logging tab,

monitor all traffic coming from that IP and see why it allows this traffic.
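To follow simonlimon's advice of going through the log for that client, here is an added example (not from the thread, not ISA's own tooling): a small Python triage script over a constructed W3C-style log export that lists clients the proxy answered 2xx while they were not on the VPN Clients network, and names the rule that let them through. The #Fields layout, the network name "VPN-Clients", the rule names and the sample records are assumptions; map them to the #Fields line of your own export.

```python
"""Triage an ISA Server W3C-style log export: which non-VPN clients got
allowed (2xx) web access, and which rule granted it.
Added example, not from the thread; the field layout, network and rule
names are constructed (take them from the #Fields line of your own export)."""
from collections import defaultdict

# Constructed sample export. Values are space-separated and "-" means empty,
# so the constructed network and rule names use hyphens instead of spaces.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-network rule sc-status cs-uri
2010-09-22 09:01:12 172.16.5.23 - Internal Allow-Web-Access 200 http://example.com/
2010-09-22 09:01:15 172.16.5.41 - Internal Redirect-To-VPN-Page 302 http://example.org/
2010-09-22 09:01:18 172.16.5.23 - Internal Allow-Web-Access 200 http://example.net/
2010-09-22 09:02:01 172.16.5.77 bob VPN-Clients Allow-Web-Access 200 http://example.com/
2010-09-22 09:02:05 172.16.5.41 - Internal Allow-Web-Access 200 http://example.org/s
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the last #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names follow "#Fields:"
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def find_unexpected_allows(text, vpn_network="VPN-Clients"):
    """Return {client_ip: [(rule, username, status, uri), ...]} for requests the
    proxy answered 2xx although the client was NOT on the VPN network."""
    hits = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("cs-network") == vpn_network:
            continue                           # expected path: came in over PPTP
        if rec.get("sc-status", "").startswith("2"):   # 3xx redirects / denials skipped
            hits[rec["c-ip"]].append(
                (rec["rule"], rec["cs-username"], rec["sc-status"], rec["cs-uri"]))
    return dict(hits)


def rules_granting_access(hits):
    """Invert the result: which rule let non-VPN clients through, and to which IPs."""
    by_rule = defaultdict(set)
    for ip, entries in hits.items():
        for rule, _user, _status, _uri in entries:    # "-" user => unauthenticated allow
            by_rule[rule].add(ip)
    return {rule: sorted(ips) for rule, ips in by_rule.items()}
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; an anonymous ("-") username on the granting rule is the sign of the unauthenticated allow rule simonlimon suspected.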
 

Author Comment

by:rsnellman
ID: 33885720
Yep, that is the only way I could think of too.  Thanks.

Have a good day.

Bob