Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

ISA VPN Server behind WinGate Server

Aug 04 11 10:14 pm

Dear WinGate System,
I have a project to understand the WinGate firewall and ISA. I have an ISA VPN Server which is protected behind the WinGate Server. Clients in the perimeter network can log in to the VPN server, but clients outside WinGate could not log in to the VPN server.
Example figure: Internet <--> WinGate Server <--> Perimeter <--> ISA Server (VPN Server) <-> Local Network.
I configured WinGate to forward port 1723 (PPTP) and 47 (GRE) to the ISA VPN Server, but it does not work well!
What do I need to do next? Please help me solve this problem.
Thanks very much!

Re: ISA VPN Server behind WinGate Server

Aug 04 11 10:50 pm

Hi

GRE is IP protocol 47, rather than UDP or TCP port 47.

However, if you forward port 1723, WinGate will also forward GRE to the same host. So PPTP should work just by forwarding (in Extended Networking) port 1723.

Do you even know if the redirect is working OK? Do you have "don't translate source IP" selected or unselected?

Also, is the WinGate computer the default gateway for the ISA computer? If not, you need to have "don't translate source IP" unselected.

Regards

Adrien

Re: ISA VPN Server behind WinGate Server

Aug 05 11 3:54 pm

I understand it, thank you very much!
Yes, I set up the ISA Server to run VPN behind the WinGate Server. WinGate is the default gateway of ISA. When the WinGate server forwards TCP port 1723 in ENS to the ISA server with "Don't translate IP source" checked, the PPTP connection from outside to ISA via the WinGate Server is successful and working well!
Thanks very much, Mr. Adrien!

Re: ISA VPN Server behind WinGate Server

Aug 05 11 4:33 pm

Continuing the practical work, I upgraded the ISA VPN Server for L2TP/IPSEC connections. The perimeter network can log in by VPN to the ISA VPN Server, but from outside WinGate I could not connect by VPN to the ISA Server.
Following your instructions above, I configured the WinGate Server to forward UDP port 500, port 4500 and TCP/UDP port 1701 with "Don't Translate Source IP" selected, as for the PPTP connection which is successful to the ISA VPN Server.
The VPN connection with L2TP/IPSEC is not successful!
Please let me know what to do next. Thanks, Mr. Adrien!

Re: ISA VPN Server behind WinGate Server

Aug 08 11 1:27 pm

Hi

L2TP and IPSEC are quite different to PPTP. In fact normal IPSEC doesn't allow address translation, as parts of the IP header are used in the checksum for encryption, so if addresses are re-written (as happens in NAT) then it breaks the packet.

For this reason, NAT-T was invented, which just uses UDP. I believe it requires configuration in the clients etc to get them to use it. There may be some setting in the VPN server you can adjust.

Adrien
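
One concrete way address rewriting conflicts with IPsec, as an added example that is not part of the original thread: L2TP runs over UDP 1701, and the UDP checksum covers a pseudo-header containing the source and destination IP addresses. The addresses and payload below are constructed sample values, and ESP encryption itself is not modelled (the segment is simply treated as opaque to the NAT).

```python
import socket
import struct

def udp_checksum(src, dst, segment):
    """UDP checksum over the pseudo-header (src, dst, 0, proto 17, length) + segment."""
    data = (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 17, len(segment)) + segment)
    data += b"\x00" * (len(data) % 2)          # pad to a whole 16-bit word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total & 0xFFFF) or 0xFFFF          # 0 is sent as 0xFFFF

def udp_segment(src, dst, sport, dport, payload):
    """Build a UDP segment whose checksum is valid for this address pair."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src, dst, seg)) + seg[8:]

def udp_valid(src, dst, segment):
    """Receiver check: recompute with the checksum field zeroed and compare."""
    stored = struct.unpack("!H", segment[6:8])[0]
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    return stored == udp_checksum(src, dst, zeroed)

def nat_plain_udp(new_src, dst, segment):
    """NAT on cleartext UDP: it can see the segment, so it repairs the checksum."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    fixed = struct.pack("!H", udp_checksum(new_src, dst, zeroed))
    return segment[:6] + fixed + segment[8:]

# Constructed sample addresses: private client, NAT public address, VPN server.
CLIENT, NAT_PUBLIC, SERVER = "192.168.1.10", "203.0.113.5", "198.51.100.20"

def demo():
    l2tp = udp_segment(CLIENT, SERVER, 1701, 1701, b"constructed L2TP payload")
    return {
        # No NAT: the receiver sees the original source address.
        "no_nat": udp_valid(CLIENT, SERVER, l2tp),
        # Cleartext UDP through NAT: checksum rewritten along with the address.
        "plain_udp_nat": udp_valid(NAT_PUBLIC, SERVER,
                                   nat_plain_udp(NAT_PUBLIC, SERVER, l2tp)),
        # ESP transport mode through NAT: the segment is encrypted, so NAT only
        # changes the outer source address; after decryption the untouched
        # checksum is verified against the translated address and fails.
        "esp_transport_nat": udp_valid(NAT_PUBLIC, SERVER, l2tp),
    }

if __name__ == "__main__":
    print(demo())
```
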

Re: ISA VPN Server behind WinGate Server

Aug 08 11 5:14 pm

Thanks Adrien,
Let me try to explore WinGate with all its functions for pass-through transmission, and the VPN server and client setting options about re-packing the IP header. Maybe I will configure the modem and WinGate to use NAT-Traversal.
Thanks again!
Hanh Nguyen