Solved

HELP!!! I have a Windows 7 Home Premium laptop passing through my ISA 2004 firewall.

Posted on 2010-09-22
Last Modified: 2012-05-10
Hi, I need some assistance or pointing in the right direction.  I have a user's laptop that has Windows 7 Home Premium 64-bit that is passing through my ISA 2004 firewall that shouldn't be.  I require users to use a VPN client that I have created and downloadable from our website.  If the user doesn't have the VPN client connected or installed it will redirect them to the page to download it.

I have another user that has Windows 7 Home Premium 32-bit that does exactly what it is supposed to do.  So, unless I am missing something, is it possible the 64-bit version is able to bypass my ISA firewall protection?

Also, I thought maybe IPv6 is doing something and had them disable it, yet they are still able to pass through.

I only have Server 2003, no 2008, yet.

Let me know if I missed anything or you require further information to assist.

Thanks for your time.

Bob
Question by:rsnellman
15 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 33738726
You're not making any sense.   Please explain the situation more clearly and accurately.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33738755
BTW - There is really no such thing as "bypassing" a proxy.

You either use the proxy,....or you don't use the proxy,...that's it.

If you don't use the proxy,...then something else (independent of the proxy) has to get the user to the Internet,...which has nothing to do with your proxy itself.
0
 
LVL 10

Accepted Solution

by:simonlimon
simonlimon earned 2000 total points
ID: 33739020
Home Premium computers can't be domain members, you are probably allowing all Non-Authenticated HTTP traffic outside, but I'm just guessing..  

You can also monitor sessions of these users and compare the differences. You can do this in the ISA Server Console, Logs and Reporting -> Logging tab.

But as Pwindell said already, please explain your situation. Also, how do you redirect your users? Also, what does "pass through" mean exactly? Do you block HTTP traffic if not using the proxy? Do you mean that a user has access even though he shouldn't have? Why are you pushing a VPN to your users, just curious here :) ?

0

Author Comment

by:rsnellman
ID: 33745438
OK, sorry, I was in a bit of a rush.  

Let me try again.  

I have a Windows Server 2003 (32-bit) that is running DHCP Server services, Routing & Remote Access services & ISA 2004 standard.  It is what I am referring to as our beachhead for the wireless network.

Our wireless network is on a private network, 172.x.x.x that the DHCP server handles.

I have rules set in the ISA that require laptops (wireless devices) to run a pre-built VPN client created for Windows-based wireless devices using PPTP.

If they do not use the VPN client, then when they try to surf anywhere other than our main website page, it redirects them to the VPN client download page.

Well, some Windows 7 users are not being redirected to this VPN client download page.  In fact, they are able to surf the Internet without the VPN client.

I am not sure what else to check at this point.

Any ideas or suggestions or links will be greatly appreciated.

I hope this makes more sense.


Bob
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33747336
I have rules set in the ISA that require laptops(wireless devices) to run a pre-built VPN client created for Windows based wireless devices using PPTP.

If they do not use the VPN client than when they try to surf anywhere other than our main website page, it redirects them to the VPN client download page.

That is the part that doesn't make any sense.  VPN to what?
Our wireless network is on a private network, 172.x.x.x that the DHCP server handles.
Ok, so that is a private network,...what about the private network (Internal)?
ISA2004 only does two types of VPN:
1. Site-to-Site VPN (aka Router-to-router VPN)
2. Remote Access VPN.  Clients out on the Internet use VPN to connect inbound to the private protected LAN.
Nothing that you are doing seems to fit that.
0
 

Author Comment

by:rsnellman
ID: 33749238
Hmmm...maybe I am confused.

Without the VPN client they are denied access outside of the private 172.x.x.x wireless network.  So, they go nowhere and no ports are open for use without the VPN client.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 33749406
That isn't the way VPN works and ISA does not use VPN in that way.
You keep explaining what you are doing at the "10,000 foot level",....I need the explanation to be at the lower level where all the gory details are and all the "whys" and the "what for's" are answered.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33749421
Basically it sounds to me like you are doing it backwards,...you're trying to make internal users use VPN to get out (or to another internal LAN segment),....instead of making external users use VPN to get in.
0
 

Author Comment

by:rsnellman
ID: 33749458
Yes, that is what we are doing, we are using it backwards, but it works, or well, for most users it does.  I never set this up or was involved in the planning or deployment stages, but it was a way to allow wireless users access to the Internet through our network with as minimal a security risk or compromise as possible.

I am not sure what you are asking or looking for.  I guess this is more complex of a design than I thought it was initially.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 33754831
There is no benefit to using the VPN for that at all.  I have no idea what the people who set that up were thinking, but they were wrong.   ISA is not built to do it that way and I am completely shocked that it even worked at all to begin with.  On top of that you are gaining absolutely nothing by doing that,...it's just based on "superstition".
In the IT world there seems to be a lot of fables and superstitions swirling around security.  One of those is that wireless Hosts are somehow different and somehow less secure than wired.  That is not true at all.  Also keep in mind that there is no such thing as a true wireless network,...all networks are wired,...the only thing that wireless replaces on desktops and laptops is the patch cable,...that's it,...just the patch cable,...the cable between the Host and the first Switch.  Everything after that is wired.
So if your wireless hosts play the same Role and do the same Job on the LAN as wired desktops then they should be treated just like the desktop,...granted that you secure the Radio Signal of the WAP using one of the WPA encryption variations,...but beyond that they are just normal hosts on the LAN.
If the wireless hosts represent Guests on your LAN then you create a subnet just for guests and deal with it that way,...you'd do the same thing if Guests were using regular wired desktops,...the fact that they are wireless is irrelevant.
 
0
 
LVL 10

Expert Comment

by:simonlimon
ID: 33755619
Pwindell,

My thoughts exactly..

You then block or allow the wireless clients through the ISA for that wireless guest network.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33755721
Exactly.  
The first most straightforward way it can be done is to use a "wireless router" and put its WAN interface on the "outside" with a Public IP# if you have such resources to do that,....then none of it ever touches the LAN at all.
The second most straightforward way it can be done is:
1.  Add another NIC to the ISA/TMG (NICs are cheap).
2.  Create a new Network definition with a new address range in the ISA MMC that corresponds to the new NIC.  When creating that it would be of the Type "internal" or "perimeter" (not really any real difference between those two choices in this case).  When you give it a Name you can call it "Guest" for the sake of simplicity and being "self-documenting".
3.  Create Access Rules to allow traffic from Guest to External.  That lets them get to the Internet but gives no access to Internal at all and no access to the ISA/TMG (LocalHost) either.
4.  You then connect the WAP or "wireless router" to that NIC and "go with it".  Using a WAP is the cleanest and simplest (a WAP being just a glorified wireless Switch) but you would lack DHCP unless you set up the DHCP Relay Agent in RRAS on the ISA/TMG Machine and created a new Scope in the DHCP Server you are already using for the LAN.    If you used a "wireless router" it would be more complex and less flexible,..but the device would provide the DHCP for the guests for you easily by itself.
0
 

Author Comment

by:rsnellman
ID: 33885564
Umm...guess I forgot to explain further.  We use dual NICs.  One for the internal (wireless network) and the other for external (LAN network).  Then I use the DHCP server to assign IPs to wireless devices and, depending on whether they have VPN access via ISA rules, they can gain access to the Internet; if not, they are denied access to anywhere on our network.

Hope that makes more sense.

Thanks.
0
 
LVL 10

Assisted Solution

by:simonlimon
simonlimon earned 2000 total points
ID: 33885624
So it's basically a homegrown NAP :)

OK, if you monitor the traffic from that host with ISA console > Logs and Reports > Logging tab,

monitor all traffic coming from that IP and see why it allows this traffic.
0
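The log comparison simonlimon suggests here and in the accepted solution above, as an added example that is not part of the thread: it parses a W3C-style ISA log export by its `#Fields:` header and lists the action/rule/authentication triples seen for the laptop that gets out but never for the one that is redirected. The field names, client IPs and rule names are constructed samples, not a real ISA 2004 export.

```python
"""Compare ISA Server firewall-log records for two wireless clients.

Added example, not from the thread: it assumes a W3C-style log export with a
'#Fields:' header. The field names and the records are constructed samples,
not an exact ISA 2004 export.
"""
from collections import Counter

# Constructed sample: .50 (the redirected laptop) is denied by the redirect
# rule; .51 (the one that gets out) is allowed by a different rule.
SAMPLE_LOG = """\
#Fields: client-ip client-agent authenticated-client destination-host destination-port protocol action rule
172.16.10.50 Mozilla/5.0 anonymous www.example.com 80 http Denied VPN-Redirect
172.16.10.50 Mozilla/5.0 anonymous www.example.com 80 http Denied VPN-Redirect
172.16.10.51 Mozilla/5.0 anonymous www.example.com 80 http Allowed Allow-All-Wireless
172.16.10.51 Mozilla/5.0 anonymous update.example.net 443 https Allowed Allow-All-Wireless
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def summarize_client(records, client_ip):
    """Count (action, rule, authenticated-client) triples for one client IP."""
    return Counter(
        (r["action"], r["rule"], r["authenticated-client"])
        for r in records
        if r["client-ip"] == client_ip
    )


def diff_clients(text, good_ip, bad_ip):
    """Return the (action, rule, auth) triples seen only for bad_ip.

    A rule or authentication state that appears for the unredirected laptop
    but never for the redirected one is the rule to inspect in the ISA MMC.
    """
    records = list(parse_w3c(text))
    return sorted(set(summarize_client(records, bad_ip))
                  - set(summarize_client(records, good_ip)))


if __name__ == "__main__":
    for triple in diff_clients(SAMPLE_LOG, "172.16.10.50", "172.16.10.51"):
        print("seen only for the unredirected host:", triple)
```

Point it at a real export by replacing `SAMPLE_LOG` with the file contents; only the `#Fields:` names used in `summarize_client` need to match your log.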
 

Author Comment

by:rsnellman
ID: 33885720
Yep, that is the only way I could think of too.  Thanks.

Have a good day.

Bob
0
