Should I Blame Vista or the ISA/TMG Firewall?

If you’re a desktop admin, you know the drill “ever since we got Vista nothing works!”. If you’re the firewall admin, you know your drill “ever since you put in that ISA firewall, nothing works!”.

But what if a problem comes up and you have both Vista clients and an ISA firewall? And what happens when the desktop admin and the ISA firewall admin are in the same room?

Desktop admin “it’s your ISA firewall that broke things!”, while the ISA firewall admin points a crooked finger at the desktop admins and says “it’s your fault for putting Windows ME R2 (Vista) on our network!”

I’m not saying that either the desktop admin or the ISA/TMG firewall admin is right here. While finger pointing makes for good finger exercises and keeps them loose and limber, it does nothing to solve the problem.

Case in point: a Vista client is trying to connect to an ISA or TMG firewall remote access VPN server. It’s been working fine until a Vista client tries to connect. Whose fault is it? The Vista client or the ISA/TMG remote access VPN server?

If you made a guess, then stop here! Leave guessing and finger pointing to the hardware firewall sales guys. Your job is to gather evidence and solve the problem.

For example, suppose the problem is a Vista VPN client connecting to an ISA firewall. The client is able to connect fine, authenticate and is assigned a valid IP address on the network. So far, so good. But then the client isn’t able to connect to any resources by name. With these facts, what would you surmise the problem to be?

If you guessed a name resolution problem, you’d be right. First, you’d test this hypothesis by seeing if you can ping an internal resource by IP address (assuming that there is an Access Rule that allows VPN clients ping access to resources on the default Internal Network). If that works, you have the problem defined: name resolution.

But what’s different about name resolution in this scenario? It works for your XP clients, what’s up with your Vista clients? As Yuri Diogenes points out in his blog post at http://blogs.technet.com/yuridiogenes/archive/2009/04/01/unable-to-access-network-resources-from-windows-vista-through-vpn-using-isa-server-2006-as-vpn-server.aspx the problem is most likely related to the fact that IPv6 is enabled by default on the Vista clients.
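The triage sequence above (connect, confirm reachability by IP, then test name resolution) and the IPv6 suspect from Yuri’s post can be scripted so the evidence is gathered the same way every time. The following PowerShell is an added example written for this page, not code from the original post, Microsoft, or Prowess Consulting. It assumes a PowerShell 2.0 client (Test-Connection -Quiet and Get-WmiObject are available there), that an Access Rule permits VPN clients to ping the Internal Network as the post notes, and the placeholder host values $InternalIp and $InternalName, which you replace with a real server on your default Internal Network.

```powershell
# Added example (not from the original post): triage a VPN client that connects,
# authenticates and gets an address, but cannot reach internal resources by name.
# Order follows the post: 1) reach a known host by IP, 2) resolve its name,
# 3) reach it by name. Then list IPv6 bindings, the post's suspect on Vista.
param(
    [string]$InternalIp   = "10.0.0.10",                 # assumption: a server VPN clients may ping
    [string]$InternalName = "fileserver.corp.example"    # assumption: that server's FQDN
)

function Test-VpnNameResolution {
    param([string]$Ip, [string]$Name)

    # Step 1: ICMP to the raw IP. Needs an Access Rule allowing VPN clients to ping
    # the Internal Network; without it this step is inconclusive, not a failure.
    $reachableByIp = [bool](Test-Connection -ComputerName $Ip -Count 2 -Quiet -ErrorAction SilentlyContinue)

    # Step 2: resolve the name with the client's currently configured resolvers.
    $nameResolves = $false
    $resolved = @()
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
        $nameResolves = ($addrs.Count -gt 0)
        $resolved = @($addrs | ForEach-Object { $_.IPAddressToString })
    } catch {
        $nameResolves = $false
    }

    # Step 3: ICMP by name, only meaningful if the name resolved at all.
    $reachableByName = $false
    if ($nameResolves) {
        $reachableByName = [bool](Test-Connection -ComputerName $Name -Count 2 -Quiet -ErrorAction SilentlyContinue)
    }

    # Classify the evidence the way the post does: define the problem before blaming anyone.
    if (-not $reachableByIp) {
        $diagnosis = "Not reachable by IP: routing or Access Rule problem, not name resolution."
    } elseif (-not $nameResolves) {
        $diagnosis = "Reachable by IP but the name does not resolve: name resolution problem."
    } elseif (-not $reachableByName) {
        $diagnosis = "Name resolves but host unreachable by name: check which address was returned (IPv6 vs IPv4)."
    } else {
        $diagnosis = "Name resolution and reachability both work."
    }

    New-Object PSObject -Property @{
        ReachableByIp     = $reachableByIp
        NameResolves      = $nameResolves
        ResolvedAddresses = $resolved
        ReachableByName   = $reachableByName
        Diagnosis         = $diagnosis
    }
}

# List IPv6 addresses bound on each IP-enabled adapter. On Vista and later the
# IPAddress property of Win32_NetworkAdapterConfiguration includes IPv6 entries.
function Get-IPv6Bindings {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            $v6 = @($_.IPAddress | Where-Object { $_ -like "*:*" })
            New-Object PSObject -Property @{
                Adapter       = $_.Description
                IPv6Addresses = $v6
            }
        }
}

Test-VpnNameResolution -Ip $InternalIp -Name $InternalName | Format-List
Get-IPv6Bindings | Format-Table -AutoSize
```

Run it from the Vista client while the VPN tunnel is up. A result of "reachable by IP, name does not resolve" is the case the post describes; the IPv6 listing then shows whether the VPN adapter carries IPv6 addresses, which is the condition Yuri’s post and the KB article address.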

A fix can be found here:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;929853

Moral of the story: get the facts, define the problem, and test hypotheses. If that doesn’t work, then start pointing fingers – it won’t solve the problem, but will make you feel better 🙂

HTH,

Tom

Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer

Prowess Consulting www.prowessconsulting.com

PROWESS CONSULTING | Microsoft Forefront Security Specialist
Email: [email protected]
MVP — Forefront Edge Security (ISA/TMG/IAG)
