HELP - guest machine needs to VPN out to his home site

Setup: SBS 2003 Premium, ISA 2003, two NICs with Linksys RV082 firewall.
Guest machine is not member of our domain. The user is working with the big
boss to work on data at the user's home site.
He can't get a VPN connection to his home server.
What ports do I need to open? Do I need to add his computer to our domain?
(That'll go over like a ton of bricks). Or can I just give him a guest
login?

 

Hi Axel -

The reason this is happening is that by default, ISA on SBS only allows
outbound access for members of the Internet Users security group. As a
result, in order for this to work with a default ISA configuration, this
user would have to have a login that is a member of that group, and would
have to be running the Firewall Client on their machine.

However, the easiest way to do this is to tweak your ISA configuration on
your SBS. First, configure a reservation for his machine in DHCP. Then,
create a new Client Address Set in ISA that includes the IP of his machine.
Next, create a new Protocol Rule that allows all IP traffic from the Client
Address Set you just created. Last, edit the HTTP Redirector Filter to
forward http requests from Secure NAT / Firewall clients directly to the
requested web server. Restart the ISA Server Control service and you should
be good to go (assuming he's using a standard PPTP VPN over TCP 1723). If
he's using a 3rd party VPN client (e.g. Cisco), then you'll need to create
additional Protocol Definitions within ISA . . .

--

Chad A. Gross - SBS MVP
SBS ROCKS!

www.msmvps.com/cgross
www.gosbs.org

 

Hi Axel,

Thank you for the post!

I understand that you want to establish VPN connection from the SBS domain
to an external server.

To achieve the goal, you can choose any suggestions below:

1. Make the client a SecureNAT client;

2. Make sure ALL Protocol Rules or Site and Content Rules are applied to
"Any Request". In other words, you should not restrict users in rules.

If you have any update, please feel free to post back.

Have a nice day!

Bill Peng
MCSE 2000, MCDBA
Microsoft Partner Support Professional

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

 

Have you been successful is getting the Cisco VPN client to work? I can
connect to a Cisco VPN concentator when sitting at a workstation behind SBS
but no traffic is routed thus my connection is meaningless for
functionality. I followed MSKB 812076 but still no go...

Rick

 

How do I make a client a SecureNAT client. I read several articles on this
but all I could find was "make the client gateway the internal ip address of
the ISA server". Is that it? That is the default setting for SBS 2003 dhcp.
Does this mean all the client machines are SecureNAT clients.

Or did I miss something entirely?

Sleepless in Sacramento

 

Hi Rick -

I have been able to get a Cisco VPN client working successfully behind ISA -
but it's been quite a while since I set it up, so I'll have to see if I can
find my notes . . .

--

Chad A. Gross - SBS MVP
SBS ROCKS!

www.msmvps.com/cgross
www.gosbs.org

 

Hi Axel -

Any device that has its default gateway set to the IP of the ISA server is a
SecureNAT client. ISA supports three different types of clients: firewall
client, secure nat client and web proxy client. Any device can be any
combination of these clients, and by default workstations in an SBS Premium
network are configured as all three types.

Smallbizserver.Net > SBS 2000 > ISA Server 2000 > ISA for Dummies:
http://www.smallbizserver.net/Default.aspx?tabid=91


--

Chad A. Gross - SBS MVP
SBS ROCKS!

www.msmvps.com/cgross
www.gosbs.org

 

Gosh, I sure would love to know.

 

Thank you, Chad. I really appreciate your detailed answers and the link to
additional info.

 

Glad to help :^)

 

Hi Rick - try this:

Create three new protocol definitions in ISA -

Cisco VPN 1: UDP 500 Send/Receive
Cisco VPN 2: UDP 4500 Send/Receive
Cisco VPN 3: UDP 10000 Send/Receive

Then create a new Protocol Rule in ISA that allows these three protocols for
Any Request.

Any PC that needs to use the Cisco VPN client cannot have the Firewall
Client running. As a result, you'll either need to reconfigure the HTTP
Redirector Filter in ISA to send web requests from SecureNAT clients
directly to the requested server instead of redirecting to the web proxy
service, and remove the proxy settings from the PCs that need to run the
Cisco VPN client, OR you'll need to reconfigure ISA so that it doesn't
require authentication for outbound web requests.

Restart the Microsoft ISA Server Control service and you should be good to
go . . .

 

Hi Chad,

Thank you for your support here!

Axel, sorry for the delay response since we're having Luna New Year in
China here.

Any update, let's get in touch!

Bill Peng
MCSE 2000, MCDBA
Microsoft Partner Support Professional

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------