2 NICs + Site-to-Site VPN + Http proxy = problem

Discussion in 'Windows Networking' started by Guillaume Tamisier, Jul 29, 2004.

  1. Hi,

    I have a strange problem on one of the computers of my company. It is a
    Windows Server 2003 Domain Controller with 2 network cards (one public, which
    does NAT, and a private one). The network requires a proxy to access the
    web. This proxy is behind the public network interface. When I launch
    Internet Explorer, it asks for the login/password for the proxy and I can
    access the web without any problem.

    Yesterday, I configured a Site-to-Site VPN connection between this computer
    and another computer on the internet. When the VPN connection is connected,
    IE no longer uses the proxy and the computer has no access to the web!!! I
    used a sniffer to understand where the problem is, and I noticed that when
    the VPN is connected, IE no longer forwards HTTP requests to the proxy, but
    directly to the gateway of the public network card. If I disconnect the VPN
    connection, everything works fine again.

    I checked the routing table of the computer when the VPN connection is on,
    and the table is good. The gateway is still the gateway of the public
    network card, so it's not a route problem. I just don't understand why IE
    suddenly no longer forwards HTTP requests to the proxy.

    Any idea about this problem?
     
    Guillaume Tamisier, Jul 29, 2004
    #1

  2. The Proxy's LAT must contain the address range of the remote network LAN
    that is at the other end of the VPN just as it contains the address range of
    your local LAN.

    You indicated this server runs NAT,...in this case the NAT service would
    also have a LAT of some form somewhere and you need to include the remote
    address range in it the same way as the proxy.
     
    Phillip Windell, Jul 29, 2004
    #2

  3. Hi,

    Why must the proxy's LAT contain the address range of the remote
    network? When I launch IE, it should use the configured proxy, whether or
    not there is a VPN connection! I don't understand why IE stops using the
    proxy because a VPN connection is on.
     
    Guillaume Tamisier, Jul 30, 2004
    #3
  4. I've just made some tests on another computer and understood something. When
    a VPN connection is on, the proxy settings configured for IE are just
    ignored !!! How can I configure IE to ALWAYS use the proxy, whether or not a
    VPN connection is on ??
     
    Guillaume Tamisier, Jul 30, 2004
    #4
  5. Sorry for this third message, but I did some additional tests, and my
    conclusion is that the problem comes from IE, because other programs do
    use the proxy server even when the VPN connection is on. For example, MSN
    Messenger works without any problems (the proxy server is configured in the
    MSN settings).

    I hope somebody will have an idea about this odd and frustrating problem!
     
    Guillaume Tamisier, Jul 30, 2004
    #5
  6. Hi Guillaume,

    Thanks for your posting here.

    As for site to site VPN connection, it should be created by the ISA server
    not clients. So the network settings on clients will not be changed after
    VPN connection.

    Do you mean that the default gateway of client is the public network card
    of ISA? Please set it to point to the Internal Public card and try again.

    What is the result?

    Regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

    Get Secure! - www.microsoft.com/security

    ====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Bob Qin [MSFT], Jul 30, 2004
    #6
  7. Yes, the network settings on the client do not change after the VPN
    connection is established. However, IE no longer uses the proxy server when the
    VPN connection is on. Why???

    The default gateway of the client points to the internal public card (the
    VPN connection is not used for the gateway). So the problem seems to come
    from IE !!
     
    Guillaume Tamisier, Jul 30, 2004
    #7
  8. Because the remote networks connected by VPN are "logically" local to your
    system,...they are no different than having another subnet on your LAN in
    the same building. If the LAT doesn't contain their address range both the
    ISA and your Firewall will interfere with the VPN.

    As far as the proxy settings being ignored, they probably are not ignored.
    But your VPN implementation may cause the proxy to not be found if it isn't
    on the same subnet as the client that uses it. You haven't given enough
    information about the topology to determine that. At this point all I really
    know is that you implemented VPN, have ISA, and have a firewall, but I know
    absolutely nothing about how all of it is actually configured and what your topology
    design is like.

    If anything at all, you should double check the way that you configured the
    S2S VPN, and the LAT on both the Firewall and the ISA must be as I said.

    Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
    VPNs
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx
     
    Phillip Windell, Jul 30, 2004
    #8
  9. Also remember that in a W2k/XP client, the proxy settings are connection
    specific. To see the proxy from the client over the VPN connection, you must
    specify the proxy settings for that connection. From IE or Internet Options
    in Control Panel, go to the connections tab and select your VPN connection.
    Click settings and enter the proxy settings for the connection.
     
    Bill Grant, Jul 31, 2004
    #9
  10. Of course this doesn't relate to the site-to-site case. With a routed
    site-to-site link the clients are using the LAN NIC and normal proxy
    settings apply. Both sites are effectively "inside" the proxy, and both
    subnets must be in the proxy's LAT, as Phillip pointed out.

    But for a client-server "dialup" type connection, the proxy settings
    must be set in the properties of the "dialup" connection (RAS or VPN). There
    is a separate box to enter the proxy settings for the LAN NIC (if you have a
    local proxy server).
     
    Bill Grant, Aug 2, 2004
    #10
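
Added example (not part of the thread and not Microsoft's code): the connection-specific proxy settings Bill Grant describes are stored as one binary value per connection under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections`, so an audit can list the connections on which the browser would skip the proxy. The blob layout is the commonly observed, undocumented one and is an assumption here, as are the connection name `SiteVPN`, the proxy host and the helper names; the sample blobs are constructed.

```python
import struct

# Flag bits of the settings blob (undocumented layout, assumed here).
FLAG_PROXY, FLAG_PAC, FLAG_AUTODETECT = 0x02, 0x04, 0x08

def build_blob(flags, proxy="", bypass="", pac=""):
    """Build a constructed sample: version, counter, flags, 3 length-prefixed strings."""
    out = struct.pack("<III", 0x46, 1, flags)
    for text in (proxy, bypass, pac):
        raw = text.encode("ascii")
        out += struct.pack("<I", len(raw)) + raw
    return out

def parse_blob(blob):
    """Decode one per-connection value; raise ValueError if it is truncated."""
    if len(blob) < 12:
        raise ValueError("shorter than the fixed 12-byte header")
    _version, _counter, flags = struct.unpack_from("<III", blob, 0)
    pos, fields = 12, {}
    for name in ("proxy", "bypass", "pac"):
        if pos + 4 > len(blob):
            raise ValueError("truncated before %s length" % name)
        (size,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated inside %s" % name)
        fields[name] = blob[pos:pos + size].decode("ascii", "replace")
        pos += size
    fields["flags"] = flags
    return fields

def connections_without_proxy(values):
    """Names of connections on which the browser would go direct."""
    direct = []
    for name in sorted(values):
        s = parse_blob(values[name])
        manual = bool(s["flags"] & FLAG_PROXY) and s["proxy"] != ""
        auto = (bool(s["flags"] & FLAG_PAC) and s["pac"] != "") \
            or bool(s["flags"] & FLAG_AUTODETECT)
        if not (manual or auto):
            direct.append(name)
    return direct

# Constructed sample: the LAN entry has a proxy, the VPN entry was never configured.
SAMPLE = {
    "DefaultConnectionSettings": build_blob(0x03, "proxy.example.internal:8080", "<local>"),
    "SiteVPN": build_blob(0x01),
}

if __name__ == "__main__":
    print(connections_without_proxy(SAMPLE))
```

On a Windows host the same parser can be fed the raw values read from that registry key; any dial-up or VPN entry it reports is a path on which web traffic leaves without passing through the proxy.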
  11. Hi Guillaume,

    What is the result if you point the default gateway of the clients to
    the Internal network card of ISA?

    Best regards,
    Bob Qin
    Product Support Services
    Microsoft Corporation

     
    Bob Qin [MSFT], Aug 2, 2004
    #11