RRAS and ISA Firewall Configuration

If you’ve worked with the ISA firewall’s remote access VPN server and VPN gateway features, you might have run into issues with how the ISA firewall interacts with the Routing and Remote Access Service (RRAS). Here are some useful facts about ISA/RRAS interactions that will help you work with these issues:

  • ISA firewall settings will overwrite RRAS configuration
  • Demand dial interfaces you configure in the RRAS console will be deleted. Only those created in the ISA firewall console will remain in the configuration
  • ISA firewalls do not support persistent connections and any persistent connections you create in RRAS will be deleted. This means the link will not come up automatically when you start the server. Someone will need to generate a request to the remote site network to initiate the demand dial interface
  • You cannot use the ISA firewall to connect to a particular network using multiple VPN connections using different metrics. This rules out creating a mesh VPN networking configuration
  • You cannot enable or disable specific services or network configuration on a specific demand-dial interface
  • You cannot customize the number of redial attempts used by the demand-dial interface
  • ISA firewalls do not support modem-based demand-dial interfaces
  • The ISA firewall’s remote access policy is on top by default. You can configure an alternate remote access policy to be on top by stopping the ISACTRL service, moving the new remote access policy to the top, and then restarting the ISACRTL service.



Thomas W Shinder, M.D.

Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/

Book: http://tinyurl.com/3xqb7

MVP — ISA Firewalls

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top