2 NICs + Site-to-Site VPN + Http proxy = problem

 
 
Guillaume Tamisier
      07-29-2004, 07:58 PM
Hi,

I have a strange problem on one of the computers of my company. It is a
Windows Server 2003 Domain Controller with 2 network cards (one public, which
does NAT, and a private one). The network requires a proxy to access the
web. This proxy is behind the public network interface. When I launch
Internet Explorer, it asks for the login/password for the proxy and I can
access the web without any problem.

Yesterday, I configured a Site-to-Site VPN connection between this computer
and another computer on the internet. When the VPN connection is connected,
IE no longer uses the proxy and the computer has no access to the web!!! I
used a sniffer to understand where the problem is, and I noticed that when
the VPN is connected, IE no longer forwards HTTP requests to the proxy, but
directly to the gateway of the public network card. If I disconnect the VPN
connection, everything works fine again.

I checked the routing table of the computer when the VPN connection is on,
and the table is good. The gateway is still the gateway of the public
network card, so it's not a route problem. I just don't understand why IE
suddenly no longer forwards HTTP requests to the proxy.

Any idea about this problem?

--
Guillaume Tamisier
ALIANTIZ


 
Phillip Windell
      07-29-2004, 08:46 PM
The Proxy's LAT must contain the address range of the remote network LAN
that is at the other end of the VPN just as it contains the address range of
your local LAN.

You indicated this server runs NAT,...in this case the NAT service would
also have a LAT of some form somewhere and you need to include the remote
address range in it the same way as the proxy.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Guillaume Tamisier
      07-30-2004, 09:09 AM
Hi,

Why must the proxy's LAT contain the address range of the remote
network? When I launch IE, it should use the configured proxy, whether or
not there is a VPN connection! I don't understand why IE stops using the
proxy because a VPN connection is on.

--
Guillaume Tamisier
ALIANTIZ


 
Guillaume Tamisier
      07-30-2004, 09:15 AM
I've just made some tests on another computer and understood something. When
a VPN connection is on, the proxy settings configured for IE are just
ignored!!! How can I configure IE to ALWAYS use the proxy, whether or not a
VPN connection is on??

--
Guillaume Tamisier
ALIANTIZ


 
 
Guillaume Tamisier
      07-30-2004, 09:29 AM
Sorry for this third message, but I did some additional tests, and my
conclusion is that the problem comes from IE, because other programs do
use the proxy server even when the VPN connection is on. For example, MSN
Messenger works without any problems (the proxy server is configured in the
MSN settings).

I hope somebody will have an idea about this odd and frustrating problem!

--
Guillaume Tamisier


 
 
Bob Qin [MSFT]
      07-30-2004, 09:36 AM
Hi Guillaume,

Thanks for your posting here.

As for site to site VPN connection, it should be created by the ISA server
not clients. So the network settings on clients will not be changed after
VPN connection.

Do you mean that the default gateway of client is the public network card
of ISA? Please set it to point to the Internal Public card and try again.

What is the result?

Regards,
Bob Qin
Product Support Services
Microsoft Corporation

Get Secure! - www.microsoft.com/security

================================================== ==
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ==
This posting is provided "AS IS" with no warranties, and confers no rights.

 
 
Guillaume Tamisier
      07-30-2004, 10:08 AM
Yes, the network settings on the client do not change after the VPN
connection is established. However, IE no longer uses the proxy server when the
VPN connection is on. Why???

The default gateway of the client points to the internal public card (the
VPN connection is not used for the gateway). So the problem seems to come
from IE !!

--
Guillaume Tamisier
ALIANTIZ
 
Phillip Windell
      07-30-2004, 01:23 PM
"Guillaume Tamisier" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Why must the proxy's LAT contain the address range of the remote
> network ? When I launch IE, it should use the configured proxy, whether or


Because the remote networks connected by VPN are "logically" local to your
system,...they are no different than having another subnet on your LAN in
the same building. If the LAT doesn't contain their address range both the
ISA and your Firewall will interfere with the VPN.

As far as the proxy settings being ignored, they probably are not ignored.
But your VPN implementation may cause the proxy to not be found if it isn't
on the same subnet as the client that uses it. You haven't given enough
information about the topology to determine that. At this point all I really
know is that you implemented VPN, have ISA, and have a firewall, but I know
absolutely nothing about how all of it is actually configured and what your
topology design is like.

If anything at all, you should double check the way that you configured the
S2S VPN, and the LAT on both the Firewall and the ISA must be as I said.

Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
VPNs
http://www.microsoft.com/technet/pro.../vpndpls2.mspx

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


 
 
Bill Grant
      07-31-2004, 02:00 AM
Also remember that in a W2k/XP client, the proxy settings are connection
specific. To see the proxy from the client over the VPN connection, you must
specify the proxy settings for that connection. From IE or Internet Options
in Control Panel, go to the connections tab and select your VPN connection.
Click settings and enter the proxy settings for the connection.
 
Bill Grant
      08-01-2004, 11:21 PM
Of course this doesn't relate to the site-to-site case. With a routed
site-to-site link the clients are using the LAN NIC and normal proxy
settings apply. Both sites are effectively "inside" the proxy, and both
subnets must be in the proxy's LAT, as Phillip pointed out.

But for a client-server "dialup" type connection, the proxy settings
must be set in the properties of the "dialup" connection (RAS or VPN). There
is a separate box to enter the proxy settings for the LAN NIC (if you have a
local proxy server).
 
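Added example (not code from any poster in this thread): Bill Grant's point that the IE proxy settings are stored per connection, with a separate set for the LAN, can be checked by listing every stored profile for the current user and seeing which ones have no proxy configured. Assumptions not taken from the thread: the `Internet Settings\Connections` registry key, the `DefaultConnectionSettings` value holding the LAN settings, and the undocumented binary layout parsed below.

```powershell
# Added example, not from the thread. Lists the WinINET/IE proxy settings stored
# for the LAN and for each dial-up/VPN connection of the current user.
# Assumption: the blob layout below is the commonly observed, undocumented one.
$ConnKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'

function ConvertFrom-ConnectionBlob {
    param([string]$Name, [byte[]]$Blob)

    # Offset 0 = version, 4 = change counter, 8 = flags, 12 = first length field
    if ($null -eq $Blob -or $Blob.Length -lt 16) { return }
    $flags = [BitConverter]::ToInt32($Blob, 8)
    $pos   = 12

    # Three length-prefixed ASCII strings: proxy, bypass list, autoconfig URL
    $fields = @('', '', '')
    for ($i = 0; $i -lt 3 -and $pos + 4 -le $Blob.Length; $i++) {
        $len = [BitConverter]::ToInt32($Blob, $pos)
        $pos += 4
        if ($len -lt 0 -or $pos + $len -gt $Blob.Length) { break }   # truncated blob
        $fields[$i] = [Text.Encoding]::ASCII.GetString($Blob, $pos, $len)
        $pos += $len
    }

    [pscustomobject]@{
        Connection    = $Name                          # DefaultConnectionSettings = LAN
        ManualProxy   = [bool]($flags -band 0x02)      # "Use a proxy server" ticked
        ProxyServer   = $fields[0]
        BypassList    = $fields[1]
        AutoConfigUrl = $(if ($flags -band 0x04) { $fields[2] } else { '' })
        AutoDetect    = [bool]($flags -band 0x08)      # "Automatically detect settings"
    }
}

$key = Get-Item -LiteralPath $ConnKey -ErrorAction Stop
$report = foreach ($name in $key.GetValueNames()) {
    if ($name -eq 'SavedLegacySettings') { continue }  # skipped: not a connection profile
    $value = $key.GetValue($name)
    if ($value -is [byte[]]) { ConvertFrom-ConnectionBlob -Name $name -Blob $value }
}
$report | Format-Table -AutoSize

# Profiles with no manual proxy, no script and no auto-detect send requests direct
$report | Where-Object { -not ($_.ManualProxy -or $_.AutoConfigUrl -or $_.AutoDetect) } |
    ForEach-Object { "No proxy configured for connection '$($_.Connection)'" }
```

Run it as the affected user, since the key is per-user; a VPN connection listed without a proxy matches the behaviour described in the thread.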