ISA and VPN configuration

From: Sarah (Sarah_at_TT.com)
Date: Thu, 17 Jun 2004 16:59:57 +0100

Hi all.

A while ago I was working on a VPN project. I was pulled off to do something
else, but one month later I am back on it again.

To recap, I am having a problem getting a VPN server (RADIUS client) talking
through an ISA server to an IAS box. Everything works fine without the ISA
server in the middle.
Below is a message from Tristan about a 'good' config.
=========
As a rule, avoid multiple "default" gateways. In the simplest possible
layout, all machines should have one DG, and static routes for everything
else.

Packet filtering on the RADIUS box (if that's what you've got) isn't useful
at this point and might be what's breaking it. For now, use ISA Server to
protect internal servers (the VPN Server should have packet filtering or an
external firewall applied too).

Typically, I'd expect a layout like this to work:

Client (Internet).
 |
VPN Server
Ext Interface has DG (Internet) (IPSec/RRAS packet filters)
"Internal" network (probably more accurate to call it a DMZ network)
10.0.1.x doesn't actually need to route to the internal network (when server
publishing).
If the VPN server sits here, clients will end up in this network when
they're un-tunnelled.
 |
ISA Server
Ext Interface 10.0.1.x (has DG) (ISA packet filters)
Int Interface 172.x (internal network)
Server publish only RADIUS ports.
| (LAN)
RADIUS Server
172.x (DG is ISA)
|
DC
172.x (DG is ISA)

That's enough to get VPN clients to connect to the VPN server, get
authenticated, and then work in the DMZ network.

Now, the problem (if it's a problem at all - it might be what you want?)
with the above is that the clients *only* make it to the DMZ network, and so
will only be able to use published resources once they've connected - that's
not a problem now; right now the authentication's failing, which implies a
problem getting RADIUS chatter to/from the IAS box from the VPN server.

======

I am still experiencing the problem. I think my setup is pretty much as
above, but I am just double checking.
If all this works without the ISA server in the middle, I am now assuming
that my ISA server config must be incorrect somewhere. (This is going on the
assumption that I do not need any static routes anywhere in this config.)
Therefore I am confused as to what my DG on the ISA server external
interface should be. I have created packet filters for now that allow
everything through (I'll lock it all down when I get the basics up).

TIA
Sarah


