From: Oswaldo on
Crina,
Other question, what should I put on the preferred and alternate DNS server
on the properties of the LAN connection? Should I put the Internal IP of the
ISA server or the DNS from my ISP?
Thanks a lot
Oswaldo
--
Oswaldo Cortes


"Crina Li" wrote:

> Hi Oswaldo,
>
> Thanks for your updates.
>
> SecureNAT means you need to configure the internal IP of the ISA server as
> client's default gateway. For your issue, I also recommend you to involve
> the Cisco support. Some settings on the VPN client or the server could also
> affect the VPN connection through a firewall.
>
> Thanks for your time and I look forward to hearing from you.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | Subject: RE: ISA 2004 cisco SSL vpn client
> | Date: Thu, 6 Jul 2006 14:19:01 -0700
> |
> | Hi Crina,
> | I read all the articles and followed the instructions but I keep getting the
> | same error. One difference with the problems listed on some articles is that
> | they can get connected but I am unable to connect. After the Active X
> | installer starts I get a screen asking me for my proxy credentials I put the
> | correct User and Password and I get the screen telling me that The SSL VPN
> | Client was unable to successfully verify the IP forwarding table
> | modifications. If I put the wrong User/Pass or leave it blank I get other
> | screen telling me that Proxy authentication failed using the supplied
> | credentials.
> | I have the 3 protocols two, that were already there and the 10000 port that
> | I added, and I have the access rule to allow the traffic from Internal to
> | External. I checked that the CEICW has Virtual Private Networking (VPN)
> | selected in the Services Configuration page. And I know that VPN site is
> | using Cisco VPN 3030. The only thing that I don't know how to check is that
> | the clients are running in SecureNAT mode. Please could you tell me?
> | Also If you think that I need something else please let me know.
> | Thank you very much for all your time and consideration.
> | Regards,
> |
> | --
> | Oswaldo Cortes
> |
> |
> | "Crina Li" wrote:
> |
> | > Hi Oswaldo,
> | >
> | > Thank you for posting.
> | >
> | > Please refer to my reply for mugen.
> | >
> | > Thanks for your time.
> | >
> | > Best regards,
> | >
> | > Crina Li (MSFT)
> | >
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > Get Secure! - www.microsoft.com/security
From: "Crina Li" on
Hi Oswaldo,

Thanks for your update.

You do not need to stop using DHCP and assign a static IP to the machine.
You can configure as following:

1. Right click My Network Places and select Properties.
2. Right click Local Area Connection and select Properties.
3. Highlight TCP/IP and click Properties.
4. On General tab click Advanced button.
5. Add the internal NIC of ISA in Default gateways column in IP Settings
tab.

You also do not need to uninstall Firewall Client and can only stop it.

I also recommend you to involve the Cisco support. Some settings on the VPN
client or the server could also affect the VPN connection through a
firewall. And you may need to know which protocols and ports needed to be
used.

For another issue, for 2 NICs on SBS, you may need to configure your SBS
and client computer as following:

On SBS server:

External NIC:
IP: assigned by your ISP or your hardware router
Gateway: your ISP or your Hardware router IP
DNS: SBS INTERNAL NIC IP as the only entry

Internal NIC:
IP: Fixed IP
Gateway: None
DNS: SBS INTERNAL NIC IP as the only entry

In the DNS console (dnsmgmt.msc), right click your ServerName and click
properties. In the Forwarders tab, your ISP DNS server IP should be
inputted there.

On workstation inside your SBS local subnet

IP: Assigned by DHCP on SBS
Gateway: SBS internal NIC IP
DNS: SBS INTERNAL NIC IP as the only entry

I appreciate your time and look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

--------------------
| Subject: RE: ISA 2004 cisco SSL vpn client
| Date: Fri, 7 Jul 2006 07:47:01 -0700
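The gateway and DNS layout in Crina Li's reply above, turned into a check that can be run against adapter settings. This is an added example, not part of the original posts and not Microsoft tooling; the function name Test-SbsAdapterLayout, the address 192.168.16.2 and the sample adapters are constructed for illustration.

```powershell
# Added example (not from the original thread): compare adapter settings with
# the SBS two-NIC layout described above. All addresses below are constructed.

function Test-SbsAdapterLayout {
    param(
        [Parameter(Mandatory = $true)]
        $Adapter,   # needs DHCPEnabled, DefaultIPGateway, DNSServerSearchOrder
        [Parameter(Mandatory = $true)]
        [ValidateSet('SbsExternal', 'SbsInternal', 'Workstation')]
        [string] $Role,
        [Parameter(Mandatory = $true)]
        [string] $SbsInternalIp
    )

    # Normalise to arrays; WMI returns $null when a list is empty.
    $dns = @($Adapter.DNSServerSearchOrder | Where-Object { $_ })
    $gw  = @($Adapter.DefaultIPGateway     | Where-Object { $_ })
    $findings = @()

    # Every role in the layout: DNS is the SBS internal NIC IP as the only entry.
    if ($dns.Count -ne 1 -or $dns[0] -ne $SbsInternalIp) {
        $findings += "DNS must be $SbsInternalIp as the only entry (found: $($dns -join ', '))"
    }

    switch ($Role) {
        'SbsExternal' {
            if ($gw.Count -eq 0) {
                $findings += 'External NIC has no gateway (expected ISP or hardware router IP)'
            }
        }
        'SbsInternal' {
            if ($gw.Count -gt 0) {
                $findings += "Internal NIC must have no gateway (found: $($gw -join ', '))"
            }
            if ($Adapter.DHCPEnabled) {
                $findings += 'Internal NIC must use a fixed IP, but DHCP is enabled'
            }
        }
        'Workstation' {
            if ($gw -notcontains $SbsInternalIp) {
                $findings += "Gateway must be $SbsInternalIp (found: $($gw -join ', '))"
            }
            if (-not $Adapter.DHCPEnabled) {
                $findings += 'IP is static; the layout expects assignment by DHCP on SBS'
            }
        }
    }

    [pscustomobject]@{
        Role      = $Role
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed samples shaped like Win32_NetworkAdapterConfiguration objects.
$sbsIp = '192.168.16.2'
$samples = @(
    [pscustomobject]@{ Role = 'SbsInternal'; Adapter = [pscustomobject]@{
        DHCPEnabled = $false; DefaultIPGateway = $null
        DNSServerSearchOrder = @('192.168.16.2') } },
    [pscustomobject]@{ Role = 'SbsExternal'; Adapter = [pscustomobject]@{
        DHCPEnabled = $false; DefaultIPGateway = @('192.0.2.1')
        DNSServerSearchOrder = @('203.0.113.53') } },        # ISP DNS on the NIC
    [pscustomobject]@{ Role = 'Workstation'; Adapter = [pscustomobject]@{
        DHCPEnabled = $true; DefaultIPGateway = @('192.168.16.2')
        DNSServerSearchOrder = @('192.168.16.2', '203.0.113.53') } }  # ISP as alternate
)

foreach ($s in $samples) {
    Test-SbsAdapterLayout -Adapter $s.Adapter -Role $s.Role -SbsInternalIp $sbsIp
}

# Against a live machine, pass real adapters instead of the samples:
#   Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
```

With the constructed samples, the internal NIC passes, while the external NIC and the workstation are both flagged for listing an ISP DNS server instead of the SBS internal IP alone.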
From: Oswaldo on
Hi Crina,
I followed your instructions to add the default gateway and checked all the
settings on the Server and Client computers and they are correct, but I can't
make it work yet. When I disable the Firewall Client and clear the proxy
setting on IE, I can't connect to any website. I always get
Error Code: 403 Forbidden. The ISA Server denied the specified Uniform
Resource Locator (URL). (1220)
If I put the proxy information I can see the websites but I get the same
error on the VPN.
I think that my problem is that I have to create some access rules to allow
the access to the External Network but I already created a rule to allow the
protocols IKE Client port 500, IPsec port 4500 and Port 10000 from Internal
to External but it's not working do you have any ideas?
I contacted the IT department of the company that I am trying to connect with
the VPN and told me that they don't know much about ISA and that this:
We are setup for NAT-T, we are setup for Remote Access on the tunnel type.
I don't have a option for Transparent unless I'm doing a Lan-to-Lan tunnel.
This isn't a Lan-to-Lan.
So they aren't helping that much.
Thanks a lot for your help and I will be waiting for your comments.
Regards,

--
Oswaldo Cortes
From: "Jenny wu [MSFT]" on
Hi Oswaldo,

Thanks for your update! I am Jenny and I am the backup for Brandy, as she is
now taking sick leave. I will continue to work with you till she comes back. I
am really sorry for the inconvenience that brings to you.

Based on my experience, the problem may occur if authentication is required
in the access rule which allows traffic from Local Host to External.
Basically it's recommended that we enable proxy on not only the internal
clients but also the ISA firewall itself. It is for both performance and
flexibility consideration. If you don't want to enable proxy on the ISA
server itself, I suggest you try the following steps to solve the issue:

1. Please open the ISA management console, navigate to Firewall Policy,
right click "Firewall Policy" and click New->Access Rule, then create a new
access rule as following:

Rule name: Allow Local Host access Internet
Rule Action: Allow
Protocols: All Outbound Traffic
Sources: Local Host (The built-in network object)
Destination: External
User Sets: All Users

Then move this rule to the top and click Apply to save all the settings.

2. Then please open the ISA2004 Management Console, in the left panel,
expand to Configuration->Networks. Under "Networks panel", double click
"Internal". Switch to "Web Proxy" panel, click "Authentication" and then
uncheck the "Require all users to authenticate" option. Then click the
Apply button to save the changes.

After performing the above steps, please test the issue again, what is the
result?

Thanks for your time and cooperation. Please let me know if you have any
questions or concerns.

Have a nice day!

Sincerely,

Jenny Wu
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
--------------------
>Subject: RE: ISA 2004 cisco SSL vpn client
>Date: Mon, 10 Jul 2006 08:18:02 -0700
From: Oswaldo on
Hi Jenny,
After we tried all the suggestions that you gave us, the company that is
providing the VPN contacted Cisco and they told them that if we are using ISA
server on Proxy mode the SSL probably won't work. So they send me the client
software and I am making a direct connection to their system and seems to be
working fine.
Thank you very much for all your help.
Regards,

--
Oswaldo Cortes