VPN passthru using ISA Server 2004

From: John Davidson (JohnDavidson_at_discussions.microsoft.com)
Date: 01/24/05


Date: Sun, 23 Jan 2005 19:33:01 -0800

I have 2 ISA 2004 Firewalls. The front connects to the Internet and to the
Backend Firewall. The backend firewall connects to an internal network. The
backend firewall is part of the internal domain and runs a PPTP VPN server. I
have followed the instructions in the ISA VPN Deployment kit, but this
configuration does not allow the VPN client to connect from the Internet.

The VPN client is able to successfully connect when it is on the same subnet
as the network connecting the 2 firewalls. This validates that the VPN Client
configuration is correct. The IPSEC NAT-T upgrade has been installed on the
VPN Client.

When the VPN client initiates the connection from the Internet the Front
firewall shows the PPTP Server connection to the backend Firewall being
initiated. This is confirmed by viewing the 2-way traffic for the initial
PPTP handshake using network monitor. It breaks when the Client and VPN Server
agree on encryption and initiate the encrypted traffic. The Front
Firewall shows "Port 0 - Unidentified IP Traffic" from the client to the
local host of the Front Firewall. This traffic is denied.

Inspecting the Denied Traffic with Network Monitor shows that it is LCP
inside GRE. This traffic should be going directly to the Backend Firewall,
but is not, causing the connection to fail.

What have I missed? Many hours of searching have not turned up any answers.

John Davidson
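An added illustration, not part of the original post, of why the front firewall logs this flow as "Port 0": PPTP data travels as GRE (IP protocol 47), which has no ports, so a port-based classifier cannot name it. The parser below, using a constructed sample packet with made-up addresses, reads the enhanced-GRE header and the PPP protocol field to identify LCP inside GRE.

```python
import struct

GRE = 47                   # IP protocol number for GRE: no ports, hence "Port 0" in port-based logs
PPTP_GRE_TYPE = 0x880B     # protocol type for PPP carried in enhanced GRE (RFC 2637)
PPP_NAMES = {0xC021: "LCP", 0x80FD: "CCP", 0x8021: "IPCP", 0x0021: "IP"}


def classify_ipv4(pkt: bytes) -> dict:
    """Identify what a raw IPv4 packet carries; names PPP protocols inside PPTP GRE."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])), "proto": proto}
    body = pkt[ihl:]
    if proto in (6, 17):                              # only TCP/UDP carry ports
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        is_ctrl = proto == 6 and 1723 in (info["sport"], info["dport"])
        info["kind"] = "PPTP control" if is_ctrl else "tcp/udp"
        return info
    if proto != GRE:
        info["kind"] = "other"
        return info
    flags, gre_type = struct.unpack("!HH", body[:4])  # K=0x2000 S=0x1000 A=0x0080 Ver=low 3 bits
    off = 4
    if flags & 0x2000:                                # key: payload length + call ID
        _, info["call_id"] = struct.unpack("!HH", body[off:off + 4])
        off += 4
    off += 4 if flags & 0x1000 else 0                 # sequence number present
    off += 4 if flags & 0x0080 else 0                 # acknowledgement number present
    if (flags & 0x0007) != 1 or gre_type != PPTP_GRE_TYPE:
        info["kind"] = "gre (non-PPTP)"
        return info
    ppp = body[off:]
    if ppp[:2] == b"\xff\x03":                        # optional HDLC address/control bytes
        ppp = ppp[2:]
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    info["kind"] = "PPTP data"
    info["ppp"] = PPP_NAMES.get(ppp_proto, hex(ppp_proto))
    return info


def build_sample() -> bytes:
    """Constructed packet: IPv4 proto 47, enhanced GRE v1 (key+seq), PPP LCP Configure-Request."""
    ppp = b"\xc0\x21" + bytes([1, 1, 0, 4])           # LCP: code 1 (Configure-Request), id 1, len 4
    gre = struct.pack("!HHHHI", 0x3001, PPTP_GRE_TYPE, len(ppp), 1, 0) + ppp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, GRE, 0,
                     bytes([203, 0, 113, 5]), bytes([198, 51, 100, 1]))  # made-up addresses
    return ip + gre


if __name__ == "__main__":
    print(classify_ipv4(build_sample()))
```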


