RE: IPSEC VPN connection from client in SBS 2003 premium

Dear Eric:
Thank you for posting here.

Technically speaking, the IPSec protocol cannot pass through ISA if the IPSec
implementation doesn't support NAT Traversal. So first we should make sure
NAT-T is supported.

The reason for this is that the IPSec protocols are not NAPT (Network
Address & Port Translation) compatible. The IPSec protocols are designed to
authenticate and/or encrypt information in the packet. When a NAPT device
(i.e. an ISA server) tries to change the information in the packet, it will
either cause the packet to be considered invalid by an IPSec protocol, or
it will be unable to perform the translation because information the NAPT
device needs to access is encrypted.

More information:
http://isaserver.org/articles/IPSec_Passthrough.htm

If NAT-T is supported, please help me confirm the following information:

1. Please make sure that the clients are running in SecureNAT mode. The VPN
pass-through would not work in firewall client method. If firewall client
is installed, please temporarily disable it.

2. To enable the deployment of the IPSec protocol in a client-to-gateway
VPN scenario, between the remote client and the VPN gateway, all VPN
clients must be using the IPSec NAT-T VPN client.

Note: An IPSec NAT-T client update is available, with improvements to IPSec
to better support VPN clients behind NAT devices. For computers running
Microsoft Windows XP Service Pack 1 (SP1) and Windows 2000, a download is
available from article:
818043 L2TP/IPSec NAT-T update for Windows XP and Windows 2000
http://support.microsoft.com/?id=818043

3. What VPN client do you use (Cisco, Checkpoint, or any other 3rd-party
VPN client)?

4. We may also need to disable IP Fragment Filtering on the ISA server
(right click IP Packet Filter and click Properties).

5. What VPN server does your vendor use?
IPSec NAT-T is not recommended for Windows Server 2003 computers that are
behind network address translators.
http://support.microsoft.com/Default.aspx?id=885348

To allow an IPSec VPN connection to pass through ISA 2000, we need to do the
following steps:
1. Create two new protocol definitions:
Open the ISA management console, navigate to Policy Elements\Protocol
Definitions, right click it and choose New->Definition, and then create the
following protocol definitions (if you use a 3rd-party VPN client, we may
need to open different ports):

Port number: 500
Protocol type: UDP
Direction: Send Receive
Secondary Connections: No

Port number: 4500
Protocol type: UDP
Direction: Send Receive
Secondary Connections: No

2. Then create a new protocol rule:
Navigate to Access Policy\Protocol Rules, right click it and select
New->Rule. Create the new protocol rule as follows:
Rule Action: Allow
Protocols: the two protocols created before
Apply the rule to: Any request

After doing that please restart the ISA Firewall Service.


Hope it helps. Please feel free to let me know if you have any questions or
concerns.
Have a nice day! :)

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
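
As an added illustration (not part of the thread) of the NAPT point made above and of why the UDP 4500 definition is needed: the Python model below uses a constructed key and a toy cipher to show an AH-style check failing once a NAPT rewrites the source address, a NAPT unable to read transport ports that ESP has encrypted, and ESP inside UDP 4500 (NAT-T) arriving intact because the translator only touches the outer header.

```python
import hashlib
import hmac
import struct

# Constructed demo key; real IPsec keys are negotiated by IKE (UDP 500/4500).
KEY = b"demo-ipsec-key"
ICV_LEN = 32

def ah_icv(src_ip: bytes, dst_ip: bytes, payload: bytes) -> bytes:
    """AH-style ICV: the IP source address is part of the authenticated data."""
    return hmac.new(KEY, src_ip + dst_ip + payload, hashlib.sha256).digest()

def ah_survives_napt(src_ip, dst_ip, payload, nat_ip) -> bool:
    """Sender computes the ICV, the NAPT rewrites the source, receiver verifies."""
    icv = ah_icv(src_ip, dst_ip, payload)
    return hmac.compare_digest(icv, ah_icv(nat_ip, dst_ip, payload))

def esp_encrypt(spi: int, seq: int, plaintext: bytes) -> bytes:
    """Toy ESP: XOR with a per-packet keystream, then an ICV over SPI, sequence
    number and ciphertext only. The outer IP/UDP header is not covered."""
    hdr = struct.pack("!II", spi, seq)
    stream = hashlib.sha256(KEY + hdr).digest()
    ct = bytes(p ^ stream[i % ICV_LEN] for i, p in enumerate(plaintext))
    return hdr + ct + hmac.new(KEY, hdr + ct, hashlib.sha256).digest()

def esp_verify(esp: bytes) -> bool:
    hdr, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(KEY, hdr + ct, hashlib.sha256).digest())

def napt_sees_inner_ports(esp: bytes, inner_ports: tuple) -> bool:
    """Port translation needs the inner transport ports; under ESP they are
    ciphertext, so the NAPT reads garbage where the port fields would be."""
    return struct.unpack("!HH", esp[8:12]) == inner_ports

def natt_survives_napt(src: tuple, nat: tuple, esp: bytes) -> bool:
    """NAT-T: ESP travels inside UDP/4500. The NAPT rewrites only the outer
    address and port, so the ESP body reaches the peer unchanged and its
    ICV still verifies."""
    outer = {"src_ip": src[0], "src_port": src[1], "dst_port": 4500, "esp": esp}
    translated = dict(outer, src_ip=nat[0], src_port=nat[1])  # NAPT rewrite
    return translated["esp"] == esp and esp_verify(translated["esp"])

# Constructed sample: inner TCP ports 49152 -> 443 from a client behind a NAPT.
INNER_PORTS = (49152, 443)
DEMO_ESP = esp_encrypt(0x1234, 1, struct.pack("!HH", *INNER_PORTS) + b"payload")
```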


--------------------
| From: "Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: IPSEC VPN connection from client in SBS 2003 premium
| Date: Tue, 23 Aug 2005 16:25:01 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| I have a client PC inside the SBS 2003 domain that needs to establish an
| IPSec VPN connection to one of their vendor's networks. The vendor suggested
| allowing any requests out to the IP address of their VPN server. I feel
| comfortable with this, but have not been able to configure the ISA 2000
| server to allow this. I also noticed that as the VPN connection starts to
| connect, the firewall client pops up as disabled. Any help to allow this
| connection through is greatly appreciated.
|
