Monday 8 February 2010

Routing issues on IAG

I was asked this evening by a friend and customer why he was unable to remotely access a Celestix WSA appliance via a VPN, but was able to access it via an RDP session from one of the servers on the LAN.

There is a site-to-site IPsec VPN between the two sites, and the remote site subnet had been added to the Remote Management trusted subnets.

The issue lies with the Microsoft ISA 2006 component within the Celestix WSA appliance, which is used to protect Microsoft IAG.

First of all, I would create a static route on the appliance. This can be done in one of three ways: from the command line by adding a persistent route, with the jog dial on the front of the Celestix WSA appliance, or in the Celestix Web UI (:10000) by selecting "Network", then "Routing" and then "Static Routes", where you can create a new static route.

Once this is done, I would start up Microsoft ISA Server on the appliance, expand "Configuration", select "Networks", go to the "Networks" tab, right-click the internal network and open its "Properties", select the "Addresses" tab, click the "Add Adapter" button, and tick the "LAN" checkbox.
This will apply all the routes that the LAN card can see, including the new static route(s). Once trusted, you will be able to access resources within the defined subnets, and ISA will be able to allow the defined traffic from the site-to-site VPN.
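
The command-line option from the first step, as an added example that is not from the original post: a batch file for the appliance's Windows command prompt that adds the persistent route and confirms it is in the routing table before you move on to the ISA "Add Adapter" step. The subnet, mask and gateway are constructed placeholders, and the script assumes the route needed is the one to the remote site's subnet via the LAN-side device that terminates the VPN.

```bat
@echo off
rem Added example, not from the original post.
rem All three values are constructed placeholders; substitute your own.
rem REMOTE_NET / REMOTE_MASK: the remote site's subnet (assumption).
rem VPN_GATEWAY: LAN-side next hop that forwards into the site-to-site VPN.
set REMOTE_NET=10.20.0.0
set REMOTE_MASK=255.255.255.0
set VPN_GATEWAY=192.168.1.254

rem Do not add a duplicate if a route to this destination already exists.
route print | findstr /L /C:"%REMOTE_NET%" >nul
if not errorlevel 1 (
    echo A route to %REMOTE_NET% is already present:
    goto verify
)

rem -p makes the route persistent, so it survives a reboot of the appliance.
route -p add %REMOTE_NET% mask %REMOTE_MASK% %VPN_GATEWAY%

:verify
rem Confirm the entry is in the routing table. ISA only picks the route up
rem through the LAN adapter if the operating system actually has it.
route print | findstr /L /C:"%REMOTE_NET%"
if errorlevel 1 (
    echo Route to %REMOTE_NET% not found. Run this from an administrative
    echo prompt and check that %VPN_GATEWAY% is on the LAN adapter's subnet.
    exit /b 1
)
echo Route is in place. Now add the LAN adapter to the ISA internal network.
```

Keep the routed destination as narrow as the remote site actually needs, since every subnet the LAN adapter can route to is applied to the internal network in the ISA step.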
