Site-to-site VPN between two ISA 2006 acting strangely

  • Thursday, May 13, 2010 8:51 PM

    Hi All,

    I have two ISA 2006 servers running in different sites.  The sites are connected via IPSEC site-to-site VPN.  It works well and has been working well for almost a year now.  AD servers at the different sites can sync, I can ping from site to site, I can RDP from site to site, etc... What I cannot seem to do is web browse from our NJ site, to our TX site.  But from TX to NJ, web browsing works just fine.

    I've compared the IIS server settings of both sites as well as the ISA settings of both sites.  Pretty much identical, nothing stands out.  And I've added specific rules allowing port 80 without using http filtering which didn't help.

    The browser errors range from Error Code 10060: Connection timeout , to proxy chaining errors or looping errors.

    But again, I can ping, RDP, and if I publish to another port like 8008 for instance, it works.  Just not port 80, in one direction.  The other direction is fine.  Strange.

    Any insights or suggestions?

    Thanks!

All Replies

  • Friday, May 14, 2010 4:01 AM
     Proposed Answer

    Hi,

    try to use a new protocol definition called "HTTP without Webproxyfilter" or something else for port 80, without binding the webproxyfilter to this protocol definition. Use this protocol definition in your firewall rule for the site-to-site VPN instead of the builtin HTTP protocol.

    regards Marc - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
  • Friday, May 14, 2010 3:23 PM

    Hi Marc,

    Thanks for your reply.  I actually had created an "HTTP no proxy" custom protocol to try just what you suggest.  However this rule was still followed by my "All traffic" rule between the sites.

    Ah, but if I disable the "All traffic" rule, so that the only site-to-site rule is the "HTTP no proxy" then port 80 works!  But I cannot leave it that way. 

    Seems like I'm going to have to carve out rules for every network service individually.  Is there a better way to have the best of both worlds here?

    Thanks!

    Jim

  • Friday, May 14, 2010 3:25 PM
    And, why would I only have problems in one direction? 
  • Thursday, May 20, 2010 5:13 AM
    Moderator

    Hi Jim,

    Thank you for the post.

    Before going any further, I’d like to know the sequence of the access rules that you have created. Please make sure the “HTTP no proxy” rule is on top of the “All traffic” rule.

    Regards,


    Nick Gu - MSFT
  • Saturday, June 19, 2010 4:31 PM

    Hi jkuo,

    Web Proxy filter NATs the traffic for HTTP which is against IPSEC principles. So, the rule that you created for HTTP with no proxy, just keep that on the top. Should work.


    Regards, Amit Saxena
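Added example, not code from the thread or from ISA itself: a small Python model of ISA's top-down, first-match access-rule evaluation, showing why a custom "HTTP no proxy" rule placed below an "All traffic" rule never wins for port 80 (the built-in HTTP definition with the Web Proxy filter bound is applied instead) and how to flag rules that are shadowed by an earlier, broader rule. The network names, the built-in protocol table and the filter bindings are constructed sample data; the model covers rule ordering only, not the IPsec or NAT behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Protocol:
    """Protocol definition: TCP port and whether the Web Proxy filter is bound to it."""
    name: str
    port: int
    web_proxy_filter: bool

# Built-in definitions consulted when an "All traffic" rule matches (constructed sample).
BUILTIN = {80: Protocol("HTTP", 80, web_proxy_filter=True),
           3389: Protocol("RDP (Terminal Services)", 3389, web_proxy_filter=False)}

@dataclass(frozen=True)
class AccessRule:
    name: str
    sources: frozenset
    destinations: frozenset
    protocols: tuple = ()  # empty tuple = all traffic

    def matches(self, src, dst, port):
        if src not in self.sources or dst not in self.destinations:
            return False
        return not self.protocols or any(p.port == port for p in self.protocols)

    def protocol_for(self, port):
        for p in self.protocols:
            if p.port == port:
                return p
        return BUILTIN.get(port, Protocol(f"TCP {port}", port, False))

def first_match(rules, src, dst, port):
    """Top-down, first match wins. Returns (rule name, protocol name, filter bound?)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            proto = rule.protocol_for(port)
            return rule.name, proto.name, proto.web_proxy_filter
    return None, None, False  # nothing matched: implicit default deny

def shadowed_rules(rules):
    """Rules whose every explicit (src, dst, port) is already caught by an earlier rule."""
    shadowed = []
    for i, rule in enumerate(rules):
        flows = [(s, d, p.port) for s in rule.sources for d in rule.destinations for p in rule.protocols]
        if flows and all(any(r.matches(*f) for r in rules[:i]) for f in flows):
            shadowed.append(rule.name)
    return shadowed

# Constructed policy mirroring the thread: NJ and TX networks, two site-to-site rules.
NJ, TX = frozenset({"NJ"}), frozenset({"TX"})
HTTP_RULE = AccessRule("HTTP no proxy", NJ, TX, (Protocol("HTTP no proxy", 80, False),))
ALL_RULE = AccessRule("All traffic", NJ | TX, NJ | TX)
```

Run `first_match([ALL_RULE, HTTP_RULE], "NJ", "TX", 80)` and then with the two rules swapped to see which rule and filter binding each ordering selects; `shadowed_rules` reports the custom rule as unreachable in the first ordering.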