HELP - guest machine needs to VPN out to his home site

Discussion in 'Windows Small Business Server' started by Axel, Feb 8, 2005.

  1. Axel

    Axel Guest

    Setup: SBS 2003 Premium, ISA 2003, two NICs with Linksys RV082 firewall.
    Guest machine is not member of our domain. The user is working with the big
    boss to work on data at the user's home site.
    He can't get a VPN connection to his home server.
    What ports do I need to open? Do I need to add his computer to our domain?
    (That'll go over like a ton of bricks). Or can I just give him a guest
    login?
     
    Axel, Feb 8, 2005
    #1

  2. Hi Axel -

    The reason this is happening is that by default, ISA on SBS only allows
    outbound access for members of the Internet Users security group. As a
    result, in order for this to work with a default ISA configuration, this
    user would have to have a login that is a member of that group, and would
    have to be running the Firewall Client on their machine.

    However, the easiest way to do this is to tweak your ISA configuration on
    your SBS. First, configure a reservation for his machine in DHCP. Then,
    create a new Client Address Set in ISA that includes the IP of his machine.
    Next, create a new Protocol Rule that allows all IP traffic from the Client
    Address Set you just created. Last, edit the HTTP Redirector Filter to
    forward http requests from Secure NAT / Firewall clients directly to the
    requested web server. Restart the ISA Server Control service and you should
    be good to go (assuming he's using a standard PPTP VPN over TCP 1723). If
    he's using a 3rd party VPN client (e.g. Cisco), then you'll need to create
    additional Protocol Definitions within ISA . . .

    --

    Chad A. Gross - SBS MVP
    SBS ROCKS!

    www.msmvps.com/cgross
    www.gosbs.org
     
    Chad A. Gross [SBS MVP], Feb 8, 2005
    #2

  3. Hi Axel,

    Thank you for the post!

    I understand that you want to establish VPN connection from the SBS domain
    to an external server.

    To achieve the goal, you can choose any suggestions below:

    1. Make the client a SecureNAT client;

    2. Make sure ALL Protocol Rules or Site and Content Rules are applied to
    "Any Request". In other words, you should not restrict users in rules.

    If you have any update, please feel free to post back.

    Have a nice day!

    Bill Peng
    MCSE 2000, MCDBA
    Microsoft Partner Support Professional

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
     
    Bill Peng [MSFT], Feb 8, 2005
    #3
  4. Rick F

    Rick F Guest

    Have you been successful in getting the Cisco VPN client to work? I can
    connect to a Cisco VPN concentrator when sitting at a workstation behind SBS
    but no traffic is routed, thus my connection is meaningless for
    functionality. I followed MSKB 812076 but still no go...

    Rick
     
    Rick F, Feb 8, 2005
    #4
  5. Axel

    Axel Guest

    How do I make a client a SecureNAT client? I read several articles on this
    but all I could find was "make the client gateway the internal IP address of
    the ISA server". Is that it? That is the default setting for SBS 2003 DHCP.
    Does this mean all the client machines are SecureNAT clients?

    Or did I miss something entirely?

    Sleepless in Sacramento
     
    Axel, Feb 8, 2005
    #5
  6. Hi Rick -

    I have been able to get a Cisco VPN client working successfully behind ISA -
    but it's been quite a while since I set it up, so I'll have to see if I can
    find my notes . . .

    --

    Chad A. Gross - SBS MVP
    SBS ROCKS!

    www.msmvps.com/cgross
    www.gosbs.org
     
    Chad A. Gross [SBS MVP], Feb 8, 2005
    #6
  7. Hi Axel -

    Any device that has its default gateway set to the IP of the ISA server is a
    SecureNAT client. ISA supports three different types of clients: firewall
    client, secure nat client and web proxy client. Any device can be any
    combination of these clients, and by default workstations in an SBS Premium
    network are configured as all three types.

    Smallbizserver.Net > SBS 2000 > ISA Server 2000 > ISA for Dummies:
    http://www.smallbizserver.net/Default.aspx?tabid=91


    --

    Chad A. Gross - SBS MVP
    SBS ROCKS!

    www.msmvps.com/cgross
    www.gosbs.org
     
    Chad A. Gross [SBS MVP], Feb 8, 2005
    #7
  8. Rick F

    Rick F Guest

    Gosh, I sure would love to know. :)

     
    Rick F, Feb 9, 2005
    #8
  9. Axel

    Axel Guest

    Thank you, Chad. I really appreciate your detailed answers and the link to
    additional info.
     
    Axel, Feb 9, 2005
    #9
  10. Glad to help :^)
     
    Chad A Gross [SBS-MVP], Feb 9, 2005
    #10
  11. Hi Rick - try this:

    Create three new protocol definitions in ISA -

    Cisco VPN 1: UDP 500 Send/Receive
    Cisco VPN 2: UDP 4500 Send/Receive
    Cisco VPN 3: UDP 10000 Send/Receive

    Then create a new Protocol Rule in ISA that allows these three protocols for
    Any Request.

    Any PC that needs to use the Cisco VPN client cannot have the Firewall
    Client running. As a result, you'll either need to reconfigure the HTTP
    Redirector Filter in ISA to send web requests from SecureNAT clients
    directly to the requested server instead of redirecting to the web proxy
    service, and remove the proxy settings from the PCs that need to run the
    Cisco VPN client, OR you'll need to reconfigure ISA so that it doesn't
    require authentication for outbound web requests.

    Restart the Microsoft ISA Server Control service and you should be good to
    go . . .
     
    Chad A Gross [SBS-MVP], Feb 9, 2005
    #11
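The two configurations described in posts #2 and #11 above (a Client Address Set holding the guest's DHCP-reserved IP with a Protocol Rule allowing all its traffic, and three UDP protocol definitions for the Cisco client allowed for Any Request) modelled as a small policy checker. This is an added example, not code from the thread or from ISA Server: the rule classes, the key=value firewall log format and the addresses are constructed for the example. The port numbers are the ones given in the thread; that PPTP also needs GRE (IP protocol 47) and that native IPsec without NAT traversal uses ESP (IP protocol 50) are standard protocol facts the thread does not state. The checker reports which protocol definitions a client still lacks for a given VPN type, and scans denied log entries for blocked VPN setup attempts, which is what to look at when a guest reports that the VPN "just doesn't connect".

```python
"""Model of the outbound ISA policy discussed in the thread (added example).

Ports from the thread: PPTP over TCP 1723, Cisco client over UDP 500/4500/10000.
GRE (IP proto 47) for PPTP and ESP (IP proto 50) for native IPsec are standard
facts, not from the thread.  Rule classes, log format and IPs are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ProtocolDefinition:
    transport: str  # "tcp", "udp", or "ip" for a raw IP protocol (GRE, ESP)
    number: int     # TCP/UDP destination port, or IP protocol number for "ip"


# "Protocol Definitions" in ISA terms.
PROTOCOLS = {
    "PPTP": ProtocolDefinition("tcp", 1723),
    "GRE": ProtocolDefinition("ip", 47),
    "Cisco VPN 1": ProtocolDefinition("udp", 500),    # IKE
    "Cisco VPN 2": ProtocolDefinition("udp", 4500),   # IKE/ESP NAT traversal
    "Cisco VPN 3": ProtocolDefinition("udp", 10000),  # Cisco IPsec-over-UDP
    "ESP": ProtocolDefinition("ip", 50),
}

# Everything a VPN type must get through the firewall before it carries traffic.
VPN_REQUIREMENTS = {
    "pptp": ("PPTP", "GRE"),
    "cisco-ipsec-nat-t": ("Cisco VPN 1", "Cisco VPN 2", "Cisco VPN 3"),
    "ipsec-native": ("Cisco VPN 1", "ESP"),
}


@dataclass
class ProtocolRule:
    """ISA-style Protocol Rule: allow `protocols` (empty = all IP traffic)
    from `clients` (a Client Address Set; empty = Any Request)."""
    name: str
    clients: list = field(default_factory=list)
    protocols: set = field(default_factory=set)

    def permits(self, src, transport, number):
        if self.clients and not any(ip_address(src) in net for net in self.clients):
            return False
        if not self.protocols:
            return True
        wanted = ProtocolDefinition(transport, number)
        return any(PROTOCOLS[p] == wanted for p in self.protocols)


def default_sbs_policy():
    """Default SBS stance from the thread: outbound access only for authenticated
    Internet Users via the Firewall Client, so a SecureNAT guest matches nothing."""
    return []


def guest_policy(guest_ip):
    """Post #2: Client Address Set with the guest's reserved IP, all IP traffic allowed."""
    return [ProtocolRule("Guest laptop - all IP", clients=[ip_network(f"{guest_ip}/32")])]


def cisco_policy():
    """Post #11: the three UDP protocol definitions allowed for Any Request."""
    return [ProtocolRule("Cisco VPN client",
                         protocols={"Cisco VPN 1", "Cisco VPN 2", "Cisco VPN 3"})]


def is_permitted(rules, src, transport, number):
    return any(rule.permits(src, transport, number) for rule in rules)


def missing_for_vpn(rules, src, vpn_type):
    """Protocol definitions `src` still lacks before `vpn_type` can work."""
    return [name for name in VPN_REQUIREMENTS[vpn_type]
            if not is_permitted(rules, src, PROTOCOLS[name].transport, PROTOCOLS[name].number)]


def denied_vpn_attempts(log_lines):
    """Group DENIED flows by source where the target matches a VPN protocol definition.
    Log layout (key=value, proto=tcp|udp|<ip number>) is constructed, not ISA's."""
    lookup = {defn: name for name, defn in PROTOCOLS.items()}
    hits = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("action") != "DENIED":
            continue
        proto = fields["proto"].lower()
        key = (ProtocolDefinition(proto, int(fields["dport"])) if proto in ("tcp", "udp")
               else ProtocolDefinition("ip", int(proto)))
        if key in lookup:
            hits.setdefault(fields["src"], set()).add(lookup[key])
    return {src: sorted(names) for src, names in hits.items()}


# Constructed sample deny log (RFC 5737 documentation addresses for the far end).
SAMPLE_LOG = [
    "ts=2005-02-08T09:14:02 src=192.168.16.50 dst=203.0.113.10 proto=tcp dport=1723 action=DENIED",
    "ts=2005-02-08T09:14:03 src=192.168.16.50 dst=203.0.113.10 proto=47 action=DENIED",
    "ts=2005-02-08T09:15:11 src=192.168.16.77 dst=198.51.100.5 proto=udp dport=500 action=DENIED",
    "ts=2005-02-08T09:15:11 src=192.168.16.77 dst=198.51.100.5 proto=udp dport=4500 action=DENIED",
    "ts=2005-02-08T09:16:40 src=192.168.16.20 dst=198.51.100.9 proto=tcp dport=80 action=ALLOWED",
]

if __name__ == "__main__":
    guest = "192.168.16.50"
    print("default policy, PPTP:", missing_for_vpn(default_sbs_policy(), guest, "pptp"))
    print("guest policy, PPTP:", missing_for_vpn(guest_policy(guest), guest, "pptp"))
    print("denied VPN attempts:", denied_vpn_attempts(SAMPLE_LOG))
```

Running it shows the two failure modes the thread circles around: under the default policy the guest is missing both PPTP and GRE, and the post #11 rules let the Cisco client through for every host but still block a PPTP user or a native-IPsec client (ESP) unless those definitions are added too. The log scan is the defender's side of the same table: a source repeatedly denied on 1723/47 or 500/4500 is a client trying to bring up a tunnel the policy does not cover.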
  12. Hi Chad,

    Thank you for your support here!

    Axel, sorry for the delayed response since we're having Lunar New Year in
    China here.

    Any update, let's get in touch!

    Bill Peng
    MCSE 2000, MCDBA
    Microsoft Partner Support Professional

    Get Secure! - www.microsoft.com/security
    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
     
    Bill Peng [MSFT], Feb 10, 2005
    #12