VPN Server behind TMG, With TMG running VPN as well

    Question

  • Hi,

    Hopefully someone can help.

     

    I have TMG MBE which is sat on a range of public addresses. This is running PPTP & L2TP/IPsec and this is working fine.

    There is another VPN server sat behind TMG which serves IPsec. I have added a rule to the firewall publishing this server on one of the public addresses and the correct ports. But when looking at the logs, TMG is matching the traffic to the system rule and not mine, thus the VPN clients won't authenticate as they are connecting to the wrong server.

    Is there any way of omitting the one public IP from the system rule (I have tried editing it but it seems read only)?

     

    thanks

    Monday, August 09, 2010 2:29 PM

Answers

  • 1. It's not a flaw in the software.  It is a design choice.
     
    2. MS follows industry standards in the ISA's design... in fact they follow standards more closely than anyone else... that is why ISA is so "picky".  CERN-compliant Web Proxy Services and the Winsock Proxy Service are only supposed to do TCP and UDP, so it is not possible for them to cover VPN.  The SecureNAT Service might do what you want under the proper conditions with the proper correct desired functionality... but it is a pointless exercise since the VPN Router you have should already be designed to function as I described... and it would be the more "correct" approach to begin with than what you were attempting.  The whole VPN thing is fading away anyway in the advancement of various Application Virtualization technologies.  It won't replace VPN entirely, but will probably cut the use in half and eliminate VPN in many places.
     
    3. There is no such thing as Port Forwarding.  That is "home-user" terminology that some Marketing Department made popular to sell cheap retail NAT firewalls to "home users".  I believe Linksys started it... along with butchering other terms as well, such as DMZ.   They use the term to mean Reverse NAT (aka Static NAT), which are the real terms for what is really happening.  Reverse NAT is performed by ISA (Server Publishing) but only does half of what you are wanting because it only covers the inbound side.  The outbound-initiated side must be done with Access Rules, with the VPN Device acting as a SecureNAT Client.  It isn't worth all the trouble to make an overly (and needlessly) complicated solution work.  Just put them side-by-side.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "JmieR" wrote in message news:03bff99c-d23e-496a-b6b3-40394bfb554c...

    Hi Phillip,

     

    Thanks for that; that was my contingency if it was not achievable by TMG.

    In my view that is a major flaw in this software: what is the point of having TMG protecting your network when you can't do something as simple as port forwarding on a particular IP!

     

    thanks

    Tuesday, August 10, 2010 2:50 PM
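    The behaviour described in this thread (the log shows the system policy rule, not the publishing rule, matching the IPsec traffic) is a rule-shadowing problem: system policy is evaluated first and listens on every external address, so a later publishing rule for one public IP can never be reached. The script below is an added example, not code from the thread or from TMG; it models first-match evaluation and reports any rule whose entire match set is already covered by earlier rules. The rule names, the 203.0.113.10 address and the port list are constructed for illustration (the real TMG system policy rule name and protocol set are not given on this page).

```python
"""Rule-shadowing check modelled on the TMG behaviour described in the thread.

Assumption (from the poster's log observation): system policy rules are evaluated
before firewall policy, and the system VPN rule listens on all external addresses.
The rule set at the bottom is constructed for this example, not exported from TMG.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_EXTERNAL = ip_network("0.0.0.0/0")   # stands in for "all external addresses"


@dataclass(frozen=True)
class Rule:
    name: str
    origin: str              # "system" (read-only system policy) or "firewall"
    protocols: frozenset     # e.g. {"udp/500", "udp/4500", "ip/50"}
    dest_nets: tuple         # destination networks the rule listens on

    def matches(self, proto, dst):
        if proto not in self.protocols:
            return False
        addr = ip_address(dst)
        return any(addr in net for net in self.dest_nets)


def ordered(rules):
    """System policy is evaluated before firewall policy; order within a group is kept."""
    return ([r for r in rules if r.origin == "system"]
            + [r for r in rules if r.origin != "system"])


def first_match(rules, proto, dst):
    """Return the rule that would actually handle a packet (first match wins)."""
    for r in ordered(rules):
        if r.matches(proto, dst):
            return r
    return None


def shadowed_rules(rules):
    """Map rule name -> sorted names of earlier rules that together cover every
    (protocol, destination network) pair the rule could match, i.e. rules that
    will never see traffic no matter how they are written."""
    result = {}
    seq = ordered(rules)
    for i, target in enumerate(seq):
        earlier = seq[:i]
        if not earlier or not target.protocols:
            continue
        covering, fully_covered = set(), True
        for proto in target.protocols:
            for net in target.dest_nets:
                cover = [e for e in earlier
                         if proto in e.protocols
                         and any(net.subnet_of(en) for en in e.dest_nets)]
                if not cover:
                    fully_covered = False
                    break
                covering.update(e.name for e in cover)
            if not fully_covered:
                break
        if fully_covered:
            result[target.name] = sorted(covering)
    return result


# Constructed rule set mirroring the thread: TMG's own VPN listener on all external
# addresses, the poster's publishing rule for the second IPsec server on one public
# address, and a control rule that system policy does not contest.
RULES = [
    Rule("System: allow VPN client traffic to TMG (constructed name)", "system",
         frozenset({"udp/500", "udp/4500", "ip/50", "tcp/1723", "ip/47"}),
         (ANY_EXTERNAL,)),
    Rule("Publish internal IPsec VPN server", "firewall",
         frozenset({"udp/500", "udp/4500", "ip/50"}),
         (ip_network("203.0.113.10/32"),)),
    Rule("Publish HTTPS on 203.0.113.10", "firewall",
         frozenset({"tcp/443"}),
         (ip_network("203.0.113.10/32"),)),
]


if __name__ == "__main__":
    hit = first_match(RULES, "udp/500", "203.0.113.10")
    print(f"IKE to 203.0.113.10 is handled by: {hit.name} [{hit.origin}]")
    for name, by in shadowed_rules(RULES).items():
        print(f"SHADOWED: '{name}' can never match; already covered by {by}")
```

    Running it reports the IPsec publishing rule as shadowed by the system rule while the HTTPS publishing rule on the same address is reachable, which is the distinction Phillip's answer makes: reverse NAT via Server Publishing works for ordinary TCP/UDP services, but not for the VPN protocols TMG's own listener claims first.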

All replies

  • The other VPN Server must be beside the ISA so that they run independently of each other.
     
    Use this diagram as an example.  The "other firewall" in the diagram would be your VPN Device.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "JmieR" wrote in message news:a45d632c-c957-4fce-be39-0336b51e98bb...

    Hi,

    Hopefully someone can help.

     

    I have TMG MBE which is sat on a range of public addresses. This is running PPTP & L2TP/IPsec and this is working fine.

    There is another VPN server sat behind TMG which serves IPsec. I have added a rule to the firewall publishing this server on one of the public addresses and the correct ports. But when looking at the logs, TMG is matching the traffic to the system rule and not mine, thus the VPN clients won't authenticate as they are connecting to the wrong server.

    Is there any way of omitting the one public IP from the system rule (I have tried editing it but it seems read only)?

     

    thanks

    Monday, August 09, 2010 3:56 PM
  • Hi Phillip,

     

    Thanks for that; that was my contingency if it was not achievable by TMG.

    In my view that is a major flaw in this software: what is the point of having TMG protecting your network when you can't do something as simple as port forwarding on a particular IP!

     

    thanks

    Monday, August 09, 2010 4:41 PM
  • In my view that is a major flaw in this software: what is the point of having TMG protecting your network when you can't do something as simple as port forwarding on a particular IP!


    Hi,

    Please explain the port forwarding that you are trying to do.

    Regards


    Shijaz Abdulla | Microsoft Qatar | http://www.microsoftnow.com
    Tuesday, August 10, 2010 12:18 PM