Re: Valid scenario for ISA 2004 Site to Site Deployment?
- From: "Gaylen Michael" <gaylen_nadaspam_michael@xxxxxxxxxxx>
- Date: Tue, 15 Aug 2006 22:23:34 -0500
Right - I understand your point regarding ping. I also got the ISA access
rule setup so the corpnet can talk to the hosted server w/o any problems.
So - back to the original question, would this be a valid scenario for ISA
2004 on the hosted server? As it stands right now this server is completely
exposed, given that once I enabled and configured RRAS it disables the
Windows Firewall / ICS service.
I thought I recalled reading somewhere that the ISA firewall doesn't work on
servers with a single NIC. I could install the loopback to work around this
I guess?
"Phillip Windell" <@.> wrote in message
news:u%23YQUVHwGHA.4512@xxxxxxxxxxxxxxxxxxxxxxx
"Gaylen Michael" <gaylen_nadaspam_michael@xxxxxxxxxxx> wrote in message
news:OukM9qCwGHA.4612@xxxxxxxxxxxxxxxxxxxxxxx
I got it working using RRAS on the hosted server by using a Demand Dial
connection back to the FQDN of the corpnet. I made this a persistent
connection like you described. In the Advanced TCP/IP properties for
that connection I set it to update Register this connection's address in
DNS which is working well. I think a big key was removing the DD
interface on the ISA / RRAS server which was creating too much confusion
for me. Maybe it can be done that way but this will work just fine.
This is exactly the way I was describing.
I can ping all machines on the corpnet from the hosted server while
connected, but I cannot ping the hosted server from any machine in the
LAN except from the ISA / RRAS server where the hosted server is
connected over VPN. I thought I'd do some further testing and come to
find out I can't ping any client that is VPN'd into the corpnet, except
again from that ISA / RRAS server.
Don't waste your time worrying about "ping". *Ping only tests for
ping*,....it does not test anything else but ping. Ping can be disallowed
and everything else allowed,...or,...ping can be allowed and everything
else disallowed,...so ping (or lack thereof) is meaningless.
ISA still uses Access Rules to control traffic between VPN "users" and the
LAN. Anyone (or anything) that connects via VPN becomes part of the "VPN
Users Network" in ISA. Access Rules have to be in place to allow traffic
to flow between the "VPN Users Network" and the "Internal Network". Also
allowing it in one direction does not mean it will work in the opposite
direction.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com