Re: VPN clients routing to other internal networks

Thanks Edward, our VPN client can access other internal networks. But we
have a new problem: we have an intranet website www.abc.com pointing to
192.168.1.100 (private IP) and the VPN client can open this website by IP, but when
they use the domain name www.abc.com they are redirected to the external website
(public IP). Our VPN client has the rule to access the Internet through the VPN
server. It seems our DNS doesn't work properly for the VPN client. Please
note that our internal users can access this website with no problem. In the
past, the VPN client could not ping our internal servers by FQDN, and after I
configured WINS, they can! Maybe this is the problem? Please help.

Thanks,
Newbievn

"Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:pP14M3Q5FHA.3908@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi:
> Thanks for your reply.
>
> Yes, you are right. The VPN client is pointing to the PPP interface of the
> VPN Server by default. (and the option is also checked once we manually
> configure the VPN connection).
>
> If the option is unchecked, the VPN client will use its local gateway, which
> doesn't know the way to the internal networks on the VPN server side. In this
> case, we should add static routes one by one so that the VPN client will
> determine when it should go through the default gateway and when it should
> go through the PPP adapter.
>
> Hope the above information helps.
>
> Have a nice day! :)
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "Newbievn" <khoa.le@xxxxxxxxxxxxxxxx>
> | Subject: Re: VPN clients routing to other internal networks
> | Date: Wed, 9 Nov 2005 14:25:13 +0700
> |
> | Hi,
> |
> | One more question, VPN client is pointing to the PPP adapter of VPN server
> | as default, right? And the option "Use default gateway on remote
> | network..." must be checked, right? If this option is unchecked, then we have
> | to add a static route?
> |
> | Thanks,
> |
> | "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | news:1MKeWDB5FHA.1172@xxxxxxxxxxxxxxxxxxxxxxxx
> | > Hi:
> | > Thank you for posting here. Also many thanks for Virgil's inputs.
> | >
> | > From the description, I understand that you have configured the ISA 2004 as
> | > a VPN Server. There are several subnets which are connected to the W2k3
> | > Server via a router. You want to give the remote VPN users access to these
> | > subnets. If I have misunderstood your concern, please do let me know.
> | >
> | > Based on my experience, if the internal clients are in different subnets, for
> | > example, the W2k3/ISA Server was in the 192.168.0.x subnet, and 192.168.1.x
> | > for subnet A and 192.168.2.x for the internal subnet B, we may need to do
> | > some additional configuration in ISA 2004 MMC. As in ISA 2000 scenario, we
> | > only need to add all the subnets to the LAT.
> | >
> | > 1. a. Open ISA management console, navigate to
> | > Servername\Configuration\Networks, on the "Networks" pane, double click
> | > Internal.
> | > b. Go to the Addresses tab, remove the existing address range.
> | >
> | > 2. Add several static routes on the ISA 2004 Server.
> | > Suppose the IP address of the router which is connected to the ISA Server
> | > is 192.168.0.2, we should add the following static route from the command
> | > prompt:
> | > "route add -p 192.168.1.0 mask 255.255.255.0 192.168.0.2 Metric 1"
> | > (without the quotation mark)
> | > "route add -p 192.168.2.0 mask 255.255.255.0 192.168.0.2 Metric 1"
> | >
> | > Then add the static routes one by one if you have a couple of subnets.
> | >
> | > 3. a. Open ISA management console, navigate to
> | > Servername\Configuration\Networks, on the "Networks" pane, double click
> | > Internal.
> | > b. Go to the Addresses tab, Click "Add Adapter", and add the internal NIC
> | > of your ISA Server. Then click Apply.
> | > c. You will find all the internal subnets are included in the network
> | > "Internal".
> | >
> | > For your information, I attached the network diagram as follows:
> | >
> | > Internet---ISA(192.168.0.1)--(192.168.0.2)Router--(192.168.1.x)subnet A
> | >                                              |____(192.168.2.x)subnet B
> | >                                              |____(192.168.3.x)subnet C
> | >                                              |____(192.168.4.x)subnet D
> | >
> | > We call the network behind the router as Network Behind Another
> | > Network(NBAN).
> | >
> | > After performing the above steps, we should create an access rule as Virgil
> | > mentioned to allow VPN clients to access the internal subnets. You can
> | > create this access rule as follows:
> | >
> | > Rule name: Allow VPN traffic
> | > Rule Action: Allow
> | > Protocols: ALL protocol
> | > Sources: VPN clients
> | > Destination: Internal and Local Host
> | > User Sets: All Users
> | >
> | > In addition, we should make sure the default gateway of the VPN client is
> | > pointing to the PPP adapter of the VPN Server. If not, we should add a static
> | > route on the VPN client to route the traffic. (Tell the VPN client that for
> | > traffic destined to 192.168.x.x subnets, it should go through the PPP
> | > adapter of the VPN server)
> | >
> | > There is an option called "Use default gateway on remote network check
> | > box", if we check this option, the VPN client will use the VPN Server as
> | > its default gateway, you can find the option at:
> | >
> | > 1). Double-click My Computer, and then click the Network and Dial-up
> | > Connections link.
> | > 2). Right-click the VPN connection that you want to change, and then click
> | > Properties.
> | > 3). Click the Networking tab, click Internet Protocol (TCP/IP) in the
> | > 'Components checked are used by this connection' list, and then click
> | > Properties.
> | > 4). Click Advanced, and then you will find the Use default gateway on
> | > remote network check box.
> | >
> | > Hope the above information helps. Please feel free to let me know if you
> | > have any questions or concerns.
> | >
> | > Have a good day!
> | >
> | > Best Regards
> | > Edward Tian(MSFT)
> | > Microsoft CSS Online Newsgroup Support
> | >
> | >
> | > --------------------
> | > | From: Marcus <wws@xxxxxxxxxxxxxxxx>
> | > | Subject: VPN clients routing to other internal networks
> | > | Date: Mon, 7 Nov 2005 04:06:05 -0800
> | > |
> | > | Hi,
> | > | I am running ISA 2004 on a W2K3 Server and want to use it as a VPN-Server.
> | > | VPN clients can access the directly attached internal network. However I
> | > | have other internal Networks being in another subnet connected with a
> | > | router.
> | > | I want to give the VPN-Users access to these networks too.
> | > | How do I setup ISA to use the internal router to forward all requests
> | > | with a specific IP-Subnet to this router? I tried to add a static route to
> | > | RRAS but it won't work.
> | > |
> | > | Thanks
> | > | br
> | > | Marcus
> | > |
> | >
> |
> |
> |
>
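
The route selection discussed in the thread (the "Use default gateway on remote network" option versus per-subnet static routes on the VPN client) can be modelled as below. This is an added example, not code from any poster; the client's home LAN (10.0.0.0/24), the metrics, the test destination 203.0.113.10 and the assumption that an unchecked client only gets a route to the directly attached 192.168.0.0/24 network are all constructed for illustration.

```python
import ipaddress

PPP = "PPP adapter (VPN)"        # tunnel interface on the VPN client
LAN = "local default gateway"    # client's own LAN (assumed 10.0.0.0/24)

def build_table(use_remote_default_gateway, static_routes=()):
    """Model the VPN client's route table as (network, interface, metric)."""
    net = ipaddress.ip_network
    table = [
        (net("10.0.0.0/24"), LAN, 20),    # assumed home LAN, on-link
        (net("0.0.0.0/0"), LAN, 20),      # local default route
        (net("192.168.0.0/24"), PPP, 1),  # directly attached VPN network
    ]
    if use_remote_default_gateway:
        # Option checked: a lower-metric default route through the tunnel.
        table.append((net("0.0.0.0/0"), PPP, 1))
    # Option unchecked: the client needs one static route per remote subnet.
    table.extend((net(cidr), PPP, 1) for cidr in static_routes)
    return table

def select_interface(table, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in table if dest in r[0]]
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def audit(table, destinations):
    """Return {destination: interface} so tunnel bypasses are easy to spot."""
    return {d: select_interface(table, d) for d in destinations}

if __name__ == "__main__":
    targets = ["192.168.0.1", "192.168.1.100", "192.168.2.10", "203.0.113.10"]
    cases = {
        "option checked": build_table(True),
        "unchecked, no static routes": build_table(False),
        "unchecked, static routes": build_table(
            False, ["192.168.1.0/24", "192.168.2.0/24"]),
    }
    for name, table in cases.items():
        print(name)
        for dest, iface in audit(table, targets).items():
            print(f"  {dest:15} -> {iface}")
```

With the option unchecked and static routes in place, traffic to the internal subnets uses the tunnel while Internet traffic leaves through the client's local gateway, so it no longer passes through the firewall policy on the VPN server.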

