5 Replies Latest reply on Jun 21, 2012 10:20 AM by readysetgo

    Trying to figure out how VPN traffic is passed through our Sidewinders

      An admin before me set up a Cisco VPN appliance that currently works as such:

      Public Internet > SSL VPN appliance - WAN port > SSL VPN appliance - LAN port > Sidewinder firewall > ISA server in our DMZ > RSA server in our internal network for authentication > Once authenticated, the VPN users then have access to our corp subnet

      The ISA server is being decommissioned and I want the SSL VPN appliance to bypass the ISA server and authenticate directly against the Radius server without having to pass through the ISA server (which is just acting as an additional firewall anyway). However, I can't seem to find anything in the firewall that passes authentication to the ISA server in our DMZ.

      I'm able to find a rule that allows traffic to pass from the ISA server (DMZ) to the RSA server (Internal), however, I can't find where it is redirected to the ISA server.

      In the VPN appliance, it has the IP for the RSA server listed (which is in our internal network) and says nothing about the ISA server in the DMZ, so there must be something in the DMZ directing it there.

      Does anybody have any ideas?

        • 1. Re: Trying to figure out how VPN traffic is passed through our Sidewinders
          sliedl

          Make a rule that redirects traffic TO the ISA server IP to instead redirect to the RSA server.  I don't believe you can just do this and this will work though, as I expect the ISA plays some important role wherein you cannot just remove it.  Who knows for sure though, maybe a redirect will just work.

          What you really want to do is edit the SSL VPN settings to point to the MFE instead of the ISA for these clients.  Then this unencrypted traffic (since it's coming out of the SSL VPN device unencrypted) will go to the MFE and then you make rules with authentication in them and the firewall will ask your RSA server (via RADIUS) for authentication for that service (and you can make a Passport then for this user's IP from the SSL VPN device and they only have to auth. once).

          • 2. Re: Trying to figure out how VPN traffic is passed through our Sidewinders

            sliedl wrote:

            Make a rule that redirects traffic TO the ISA server IP to instead redirect to the RSA server.  I don't believe you can just do this and this will work though, as I expect the ISA plays some important role wherein you cannot just remove it.  Who knows for sure though, maybe a redirect will just work.

            That's just it though. I can't seem to locate a rule that redirects the traffic to the ISA server. Obviously it has to be redirected there somewhere, but I can't find the rule that does that. All I can find are rules that direct traffic from the ISA server to the RSA server. None that direct traffic from the SSL VPN to the ISA server.

            Within the SSL VPN, it shows the IP for the RSA server and nothing ever points to the ISA server, so I'm fairly certain that isn't the problem.

            If I authenticate via a user built into the SSL VPN, I can still connect to the VPN even with the ISA server shut down, so it seems the only function the ISA server serves is to pass through the authentication; everything else for the VPN is controlled on the firewalls.

            Thanks for your assistance.

            • 3. Re: Trying to figure out how VPN traffic is passed through our Sidewinders

              This can go ahead and be closed. The reason I couldn't find a rule that redirected to that server was because it didn't redirect to that server.

              I went through all the rules that were supposedly in use on the ISA server one by one and compared them with the rules in our MFEs. It appears that the server was taken out of production by a predecessor who never bothered to document that, bring the server down, etc. Not sure if he still thought it was doing other things because he was only changing things one rule at a time or not.

              In any case, it seems that server was a red herring and can be ignored.

              Thanks for your attempted assistance!
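The rule-by-rule comparison described in the last reply (does any firewall rule actually redirect traffic to the ISA, and which of the ISA's rules are already permitted on the MFE?) is the kind of check worth scripting before decommissioning a box that nobody documented. The following is an added example, not code from the thread or from McAfee; the colon-separated rule syntax is a constructed, simplified format rather than Sidewinder/Firewall Enterprise syntax, every address is made up, and first-match rule evaluation is assumed.

```python
"""Audit a firewall rule set for a host that is being decommissioned.

Constructed rule syntax: rule_name:action:src:dst:service[:redirect_target]
(not Sidewinder syntax).  All addresses are made up; first-match is assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Rule:
    name: str
    action: str                        # "allow", "deny" or "redirect"
    src: str                           # CIDR or "any"
    dst: str                           # CIDR or "any"
    service: str                       # service name or "any"
    redirect_to: Optional[str] = None  # target host for "redirect" rules


def parse_rules(text: str) -> List[Rule]:
    """Parse colon-separated rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) not in (5, 6):
            raise ValueError("malformed rule: %r" % line)
        rules.append(Rule(*parts))
    return rules


def _contains(field: str, ip: str) -> bool:
    """True if a rule field ("any" or a CIDR) covers the given IP address."""
    if field == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def rules_referencing(rules: List[Rule], host: str) -> List[str]:
    """Names of rules whose src, dst or redirect target explicitly covers host."""
    hits = []
    for r in rules:
        fields = [r.src, r.dst] + ([r.redirect_to] if r.redirect_to else [])
        if any(f != "any" and _contains(f, host) for f in fields):
            hits.append(r.name)
    return hits


def redirects_to(rules: List[Rule], host: str) -> List[str]:
    """Names of redirect rules that send traffic to host (the rule the poster could not find)."""
    return [r.name for r in rules
            if r.action == "redirect" and r.redirect_to and _contains(r.redirect_to, host)]


def first_match(rules: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """First rule (in order) matching a flow; None if nothing matches."""
    for r in rules:
        if _contains(r.src, src) and _contains(r.dst, dst) and r.service in ("any", service):
            return r
    return None


def _probe_ip(field: str) -> str:
    # Representative address for a rule field: 0.0.0.0 for "any" (so only an
    # "any" field on the other side will cover it), else the network address.
    return "0.0.0.0" if field == "any" else str(
        ipaddress.ip_network(field, strict=False).network_address)


def isa_rules_already_covered(isa_rules: List[Rule],
                              mfe_rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Split the ISA's allow rules into those the MFE already permits and those it does not."""
    covered, uncovered = [], []
    for r in isa_rules:
        if r.action != "allow":
            continue
        hit = first_match(mfe_rules, _probe_ip(r.src), _probe_ip(r.dst), r.service)
        (covered if hit is not None and hit.action == "allow" else uncovered).append(r.name)
    return covered, uncovered


# Constructed rule sets.  10.20.0.5 = SSL VPN LAN port, 10.30.0.8 = ISA (DMZ),
# 10.10.0.15 = RSA/RADIUS server (internal), 10.10.0.0/16 = corp subnet.
MFE_RULES = parse_rules("""
sslvpn_radius:allow:10.20.0.5/32:10.10.0.15/32:radius
isa_to_rsa:allow:10.30.0.8/32:10.10.0.15/32:radius
sslvpn_to_corp:allow:10.20.0.0/24:10.10.0.0/16:any
deny_all:deny:any:any:any
""")
ISA_RULES = parse_rules("""
vpn_radius_pass:allow:10.20.0.5/32:10.10.0.15/32:radius
web_publish:allow:any:10.30.0.9/32:https
""")

if __name__ == "__main__":
    isa = "10.30.0.8"
    print("MFE rules mentioning the ISA:", rules_referencing(MFE_RULES, isa))
    print("MFE redirects to the ISA:", redirects_to(MFE_RULES, isa))
    path = first_match(MFE_RULES, "10.20.0.5", "10.10.0.15", "radius")
    print("SSL VPN -> RSA (radius) first match:", path.name if path else None)
    print("ISA allow rules (covered, uncovered):", isa_rules_already_covered(ISA_RULES, MFE_RULES))
```

With the constructed data the audit reproduces the thread's conclusion: the only MFE rule mentioning the ISA is the DMZ-to-RSA allow, no rule redirects anything to it, and the SSL VPN's RADIUS flow already matches a direct allow rule, so the ISA is not in the authentication path. The one ISA rule the MFE does not cover (the constructed `web_publish`) is the kind of finding that stops a decommission from silently dropping something the old box really was doing.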