Re: VPN clients routing to other internal networks



Hi:
Thanks for your reply.

Yes, you are right. The VPN client is pointing to the PPP interface of the
VPN Server by default (and the option is also checked once we manually
configure the VPN connection).

If the option is unchecked, the VPN client will use its local gateway, which
doesn't know the way to the internal networks on the VPN server side. In this
case, we should add static routes one by one so that the VPN client will
determine when it should go through the default gateway and when it should
go through the PPP adapter.

Hope the above information helps.

Have a nice day! :)

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Newbievn" <khoa.le@xxxxxxxxxxxxxxxx>
| References: <DFBCDA6C-1DF6-44EA-B021-D5CE5995C613@xxxxxxxxxxxxx> <1MKeWDB5FHA.1172@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: VPN clients routing to other internal networks
| Date: Wed, 9 Nov 2005 14:25:13 +0700
| Lines: 181
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| Message-ID: <e$T1M5P5FHA.3880@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.isa
| NNTP-Posting-Host: TK2MSFTNGP12.phx.gbl 203.210.213.82
| Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: TK2MSFTNGXA02.phx.gbl microsoft.public.isa:60393
| X-Tomcat-NG: microsoft.public.isa
|
| Hi,
|
| One more question, VPN client is pointing to the PPP adapter of VPN server
| as default, right? And the option "Use default gateway on remote
| network..." must be checked, right? If this option is unchecked then we have
| to add a static route?
|
| Thanks,
|
| "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:1MKeWDB5FHA.1172@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi:
| > Thank you for posting here. Also many thanks for Virgil's inputs.
| >
| > From the description, I understand that you have configured the ISA 2004
| > as a VPN Server. There are several subnets which are connected to the W2k3
| > Server via a router. You want to give the remote VPN users access to these
| > subnets. If I have misunderstood your concern, please do let me know.
| >
| > Based on my experience, if the internal clients are in different subnets,
| > for example, the W2k3/ISA Server was in the 192.168.0.x subnet, and
| > 192.168.1.x for subnet A and 192.168.2.x for the internal subnet B, we may
| > need to do some additional configuration in ISA 2004 MMC. As in ISA 2000
| > scenario, we only need to add all the subnets to the LAT.
| >
| > 1. a. Open ISA management console, navigate to
| > Servername\Configuration\Networks, on the "Networks" pane, double click
| > Internal.
| > b. Go to the Addresses tab, remove the existing address range.
| >
| > 2. Add several static routes on the ISA 2004 Server.
| > Suppose the IP address of the router which is connected to the ISA Server
| > is 192.168.0.2, we should add the following static route from the command
| > prompt:
| > "route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.2 Metric 1"
| > (without the quotation mark)
| > "route add -p 192.168.2.0 mask 255.255.255.0 192.168.0.2 Metric 1"
| >
| > Then add the static routes one by one if you have a couple of subnets.
| >
| > 3. a. Open ISA management console, navigate to
| > Servername\Configuration\Networks, on the "Networks" pane, double click
| > Internal.
| > b. Go to the Addresses tab, Click "Add Adapter", and add the internal NIC
| > of your ISA Server. Then click Apply.
| > c. You will find all the internal subnets are included in the network
| > "Internal".
| >
| > For your information, I attached the network diagram as follows:
| > Internet---ISA(192.168.0.1)--(192.168.0.2)Router--(192.168.1.x)subnet A
| >                                             |____(192.168.2.x)subnet B
| >                                             |____(192.168.3.x)subnet C
| >                                             |____(192.168.4.x)subnet D
| >
| >
| > We call the network behind the router as Network Behind Another
| > Network(NBAN).
| >
| > After performing the above steps, we should create an access rule as
| > Virgil mentioned to allow VPN clients to access the internal subnets. You
| > can create this access rule as follows:
| >
| > Rule name: Allow VPN traffic
| > Rule Action: Allow
| > Protocols: ALL protocol
| > Sources: VPN clients
| > Destination: Internal and Local Host
| > User Sets: All Users
| >
| > In addition, we should make sure the default gateway of the VPN client is
| > pointing to the PPP adapter of the VPN Server. If not, we should add a
| > static route on the VPN client to route the traffic. (Tell the VPN client
| > that for traffic destined to 192.168.x.x subnets, it should go through the
| > PPP adapter of the VPN server.)
| >
| > There is an option called the "Use default gateway on remote network"
| > check box. If we check this option, the VPN client will use the VPN Server
| > as its default gateway. You can find the option at:
| >
| > 1). Double-click My Computer, and then click the Network and Dial-up
| > Connections link.
| > 2). Right-click the VPN connection that you want to change, and then
| > click Properties.
| > 3). Click the Networking tab, click Internet Protocol (TCP/IP) in the
| > 'Components checked are used by this connection' list, and then click
| > Properties.
| > 4). Click Advanced, and then you will find the Use default gateway on
| > remote network check box.
| >
| > Hope the above information helps. Please feel free to let me know if you
| > have any questions or concerns.
| >
| > Have a good day!
| >
| > Best Regards
| > Edward Tian(MSFT)
| > Microsoft CSS Online Newsgroup Support
| >
| >
| > --------------------
| > | Thread-Topic: VPN clients routing to other internal networks
| > | thread-index: AcXjk6EiB9g5x7hWTzO9oaGoYAda6g==
| > | X-WBNR-Posting-Host: 217.89.116.196
| > | From: =?Utf-8?B?TWFyY3Vz?= <wws@xxxxxxxxxxxxxxxx>
| > | Subject: VPN clients routing to other internal networks
| > | Date: Mon, 7 Nov 2005 04:06:05 -0800
| > | Lines: 12
| > | Message-ID: <DFBCDA6C-1DF6-44EA-B021-D5CE5995C613@xxxxxxxxxxxxx>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.isa
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.isa:14595
| > | X-Tomcat-NG: microsoft.public.isa
| > |
| > | Hi,
| > | I am running ISA 2004 on a W2K3 Server and want to use it as a VPN-Server.
| > | VPN clients can access the directly attached internal network. However I
| > | have other internal Networks being in another subnet connected with a router.
| > | I want to give the VPN-Users access to these networks too.
| > | How do I setup ISA to use the internal router to forward all requests with a
| > | specific IP-Subnet to this router? I tried to add a static route to RRAS but
| > | it won't work.
| > |
| > | Thanks
| > | br
| > | Marcus
| > |
| >
|
|
|
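
Added example, not part of the original thread: a small model of the VPN client's route selection (longest prefix first, then lowest metric) using the thread's 192.168.x.x subnets, showing which interface traffic leaves on with "Use default gateway on remote network" checked, unchecked, and unchecked with static routes. The client LAN 10.0.0.0/24, the PPP address 192.168.0.50, the metrics and all function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Route(NamedTuple):
    net: object   # ipaddress network object
    iface: str    # "lan" = client's local gateway, "ppp" = VPN adapter
    metric: int


def client_table(use_remote_gateway, static_subnets=()):
    """Build a simplified VPN-client routing table (all values constructed)."""
    table = [
        Route(ip_network("10.0.0.0/24"), "lan", 10),     # client's own LAN (assumed)
        Route(ip_network("0.0.0.0/0"), "lan", 20),       # local default gateway
        Route(ip_network("192.168.0.0/24"), "ppp", 1),   # subnet of the PPP address
    ]
    if use_remote_gateway:
        # "Use default gateway on remote network" checked: default route via PPP
        table.append(Route(ip_network("0.0.0.0/0"), "ppp", 1))
    # Static routes added one by one on the client for subnets behind the router
    table += [Route(ip_network(s), "ppp", 1) for s in static_subnets]
    return table


def egress(table, dest):
    """Interface chosen for dest: longest prefix wins, lowest metric breaks ties."""
    ip = ip_address(dest)
    matches = [r for r in table if ip in r.net]
    return max(matches, key=lambda r: (r.net.prefixlen, -r.metric)).iface


def client_route_commands(subnets, ppp_gateway):
    """Render the client-side 'route add' lines for the given subnets."""
    nets = [ip_network(s) for s in subnets]
    return [f"route add {n.network_address} mask {n.netmask} {ppp_gateway}"
            for n in nets]


if __name__ == "__main__":
    cases = {
        "checked": client_table(True),
        "unchecked": client_table(False),
        "unchecked + routes": client_table(False, ["192.168.1.0/24", "192.168.2.0/24"]),
    }
    for name, table in cases.items():
        for dest in ("192.168.0.10", "192.168.2.10", "192.168.3.10", "203.0.113.5"):
            print(f"{name:20} {dest:14} -> {egress(table, dest)}")
    print(*client_route_commands(["192.168.1.0/24"], "192.168.0.50"), sep="\n")
```

In the "unchecked + routes" case, 192.168.3.10 still leaves through the local gateway because no static route was added for subnet C, which is why the routes have to be added one by one.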
