Re: Internet access with local PPP links


OK, I think I understand why I can't have the ISA client enabled when using
the local PPP link, but why does my point #2 occur?

For example, if I disable the ISA client but leave IE set up to use the proxy
server at port 8080 then the user can still surf the Internet fine. But, as
soon as they dial out the local PPP link (which works properly since the ISA
client is disabled), the user can no longer access the Internet. They get
this error for every external Internet access:
"Error Code: 403 Forbidden. The ISA Server denied the specified Uniform
Resource Locator (URL). (12202)"

As soon as they close down the PPP link the Internet begins working again.

I verified that the PPP link is not becoming the default gateway with
nslookup - it remains pointed at our server throughout this so I don't
understand why the Internet traffic stops.


--
Allan Williams



"Crina Li" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:tb268V16FHA.1240@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Williams,
>
> Thank you for posting in SBS newsgroup.
>
> From the situation you have described, can I assume that you are trying to
> connect to some specialized equipment from the client machine, and that the
> client machine has local modems attached to it? If so, you actually need
> to disable the ISA 2004 firewall client on the client computer. Because the
> firewall client will forward the client's requests to SBS first, you
> cannot use the dial-up connection successfully.
>
> As far as I know, the firewall client application identifies internal/external
> traffic according to the LAT and the routing table. When the traffic is
> identified as outgoing external traffic, it is picked up by the
> firewall client application and then sent to the ISA server. Since the
> remote VPN network is not in the local ISA server's LAT (for ISA 2004, it's
> the address range of internal network objects), the firewall client picks
> up the traffic and sends it to the ISA server. This caused the problem.
>
> However, as a workaround, you can do the following:
>
> 1. You can try to add the remote equipment address range into the local ISA
> server 'Internal' network address range. Go to the ISA server. Open the ISA
> Management console. Navigate to Configuration\Network. Open the properties
> of the Internal network object. Add the remote equipment address range into
> the object.
>
> 2. Add a route to the route table on the client computer. You can run the
> following command on the client computer:
>
> route add <IP of NIC which connects to modem> mask 255.255.255.0 <gateway> -p
>
> For example: route add 10.171.2.0 mask 255.255.255.0 10.171.1.254 -p
>
> You can also refer to the following document:
>
> http://www.isaserver.org/tutorials/Bypassing-Firewall-Client-using-Locallatext-Files.html
>
> Hope it helps and I look forward to hearing from you.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> --------------------
> | Reply-To: "Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx>
> | From: "Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx>
> | Subject: Internet access with local PPP links
> | Date: Wed, 16 Nov 2005 10:19:53 -0700
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | SBS2003 Premium SP1, all patches.
> |
> | Some of our support people need to dial out with PPP to some specialized
> | equipment we sell on local modems attached to their XP PCs. This all
> | worked fine with SBS 4.5 and the Proxy client. With the ISA 2003 client
> | things work fine (i.e. they can surf the Internet, etc.) UNTIL they dial
> | out their PPP link. Specifically:
> |
> | 1) If they dial out the local PPP link with the ISA client enabled the
> | PPP link does not work. From what we can see any data intended to go out
> | the PPP link is redirected to the ISA server and rejected. Why?
> |
> | 2) If they dial out the local PPP link with the ISA client disabled the
> | PPP link works properly. However, the users can no longer access the
> | internet while this PPP link (which is not set up as the default gateway)
> | is active. If they drop the PPP connection they can immediately access the
> | internet (which is manually configured for proxy on port 8080).
> |
> | This also seems to affect some of our engineers who have multiple NICs in
> | their PCs to access specialized equipment on a different network. The ISA
> | client seems to block that as well.
> |
> | Note that the Windows firewall client is turned off in all cases.
> |
> | Any ideas?
> |
> | --
> | Allan Williams
> |
>
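
The decision Crina Li describes, and what each of the two workaround steps changes, as an added example that is not part of the original thread: a simplified Python model, not ISA's actual implementation. Only 10.171.2.0/24 and the gateway 10.171.1.254 come from the thread; the function names, the LAN range and the sample hosts are assumptions.

```python
import ipaddress

def in_ranges(dest, ranges):
    """True if dest lies inside any inclusive (first, last) address range."""
    d = ipaddress.ip_address(dest)
    return any(ipaddress.ip_address(lo) <= d <= ipaddress.ip_address(hi)
               for lo, hi in ranges)

def pick_gateway(dest, routes):
    """Longest-prefix match over (network, gateway) rows of a route table."""
    d = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes
            if d in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def classify(dest, internal_ranges, routes):
    """Simplified model of the decision described in the reply: a destination
    inside the Internal ranges is sent directly (the route table picks the
    gateway); anything else is picked up and sent to the ISA server."""
    if in_ranges(dest, internal_ranges):
        return ("direct", pick_gateway(dest, routes))
    return ("isa", None)

# Constructed sample data. Only 10.171.2.0/24 and 10.171.1.254 come from the
# route example in the thread; the LAN range and hosts are assumptions.
INTERNAL = [("192.168.16.0", "192.168.16.255")]
EQUIPMENT_RANGE = ("10.171.2.0", "10.171.2.255")
ROUTES_BEFORE = [("0.0.0.0/0", "192.168.16.2"), ("192.168.16.0/24", "on-link")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.171.2.0/24", "10.171.1.254")]
EQUIPMENT_HOST = "10.171.2.15"
INTERNET_HOST = "203.0.113.10"

def walk_through():
    """Classify the equipment host before, between and after the two steps."""
    widened = INTERNAL + [EQUIPMENT_RANGE]
    return {
        "before": classify(EQUIPMENT_HOST, INTERNAL, ROUTES_BEFORE),
        "step1_only": classify(EQUIPMENT_HOST, widened, ROUTES_BEFORE),
        "both_steps": classify(EQUIPMENT_HOST, widened, ROUTES_AFTER),
        "internet": classify(INTERNET_HOST, widened, ROUTES_AFTER),
    }

if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case:11} -> {result}")
```

In this model, step 1 alone stops the redirect to ISA but still sends the equipment traffic to the LAN default gateway; the static route from step 2 is what points it at the modem-side gateway. Any range added to Internal is traffic the firewall client no longer hands to the ISA server, so keep it as narrow as the equipment needs.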

