Re: Outgoing VPN Error 619



No; ISA doesn't dynamically move anything between the VPN network and the
internal network address ranges.
This network address range is based on the setting you apply when you run
the VPN wizard.
As long as the VPN client is assigned an address from this predefined range,
all will be well.

The "dynamic motion" you allude to is the movement of the VPN client between
Quarantine and VPN networks; nothing else.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23Pr2SxJpIHA.548@xxxxxxxxxxxxxxxxxxxxxxx
"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D2EF7C2-BDCE-43CF-B29F-5BE8D75945DB@xxxxxxxxxxxxxxxx
I only beat you when you ask me to; it's part of our "special
relationship"... :-p

Fair enough :-)

"stealing" from the LAT for the VPN network
without actually changing the LAT network (includes actually changing that
network) creates an overlap

That's what I was thinking of and is what I do with my VPN Clients. I'm not
having any trouble in the sense that it "works." I had expected to get the
spoofing alerts although there is none listed at the moment related to VPN
Clients. So yes,..I just treated the alerts as "safe to ignore".

Ok, to make sure I understand the process...

So if I understand Tom's description of the VPN Clients Network near the
beginning of the article
(http://www.isaserver.org/tutorials/Enabling-Remote-Access-VPN-Clients-Access-Branch-Office-Site-to-Site-VPN.html)
correctly, ISA will dynamically move an IP# from the Internal into the VPN
Clients Network when a connection is made,..but during that brief amount of
time, before it completes, a spoofing alert is triggered. When the VPN
Client is done and disconnects the process is dynamically reversed.

Coupling that with what you are saying, if an admin makes sure that the IP#
a VPN Client receives is already not in the Internal Network definition (or
any other network def) then the ISA dynamically adds it to the VPN Clients
Network when needed and there is no spoofing alert generated.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
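
The two conditions discussed in this thread (the VPN address range should not overlap the Internal network or any other network definition, and a client must receive an address from the predefined VPN range) can be checked offline. The Python below is an added example, not part of the original posts and not ISA Server code; the network names and address ranges are constructed and would be copied by hand from the ISA network properties.

```python
import ipaddress

# Constructed sample data: network definitions as inclusive (first, last) ranges.
NETWORKS = {
    "Internal": [("192.168.1.0", "192.168.1.255")],
    "Perimeter": [("172.16.5.0", "172.16.5.255")],
}
STOLEN_POOL = ("192.168.1.200", "192.168.1.220")  # carved out of Internal
CLEAN_POOL = ("10.10.10.1", "10.10.10.50")        # outside every definition


def _parse(rng):
    """Turn a (first, last) pair of strings into comparable address objects."""
    first, last = (ipaddress.ip_address(a) for a in rng)
    if first > last:
        raise ValueError(f"range is reversed: {rng}")
    return first, last


def audit_pool(vpn_pool, networks):
    """Return (network name, first, last) for each span shared with the VPN pool."""
    v_first, v_last = _parse(vpn_pool)
    findings = []
    for name, ranges in networks.items():
        for rng in ranges:
            n_first, n_last = _parse(rng)
            lo, hi = max(v_first, n_first), min(v_last, n_last)
            if lo <= hi:  # inclusive ranges intersect
                findings.append((name, str(lo), str(hi)))
    return findings


def in_pool(client_ip, vpn_pool):
    """True when the address handed to a VPN client lies inside the predefined pool."""
    first, last = _parse(vpn_pool)
    return first <= ipaddress.ip_address(client_ip) <= last


if __name__ == "__main__":
    for label, pool in (("stolen", STOLEN_POOL), ("clean", CLEAN_POOL)):
        hits = audit_pool(pool, NETWORKS)
        print(label, "pool overlaps:", hits or "none")
    print("10.10.10.7 in clean pool:", in_pool("10.10.10.7", CLEAN_POOL))
```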

