How to allow outbound SecureClient connections thru ISA 2004

2006-05-26, 11:59
We are having problems allowing outbound SecureClient connections thru ISA 2004. I have been working on it for a few days, but to no avail.

Previously we were in a workgroup environment and the firewall was ISA 2000; during that time SecuRemote worked absolutely fine.

Recently we moved to Small Business Server, a domain environment, and ISA 2004, after which we are unable to connect to the VPN server thru SecuRemote / SecureClient connections.

I have opened the specific ports:

18234 TCP (Outbound)
264 TCP (Outbound)
259 UDP (Send Receive)
2746 UDP (Send Receive)
1213 UDP (Send Receive)
2746 TCP (Outbound)
500 UDP (IKE Client Send Receive)

Do I need to open any other ports, or is there anything else that needs to be done?

Would this domain environment impact SecureClient in any way?

I would really appreciate any help in resolving this matter.

Thanks in advance

2006-05-27, 16:27
Can you use visitor mode? If you can, all you'll need is port 443.

2006-05-28, 06:04
Attached is an extract from the VPN documentation explaining the ports required to be opened on the ISA server.

When you upgraded to ISA 2004, you might have changed the NATing environment or firewall rules.

The way to troubleshoot is to look at the log at the VPN-1 gateway end and compare the log with the SecureClient log.

Send me an email offline and I am happy to do some troubleshooting with you. I have worked on fixing this sort of problem for many years.

2006-05-28, 06:10
Sorry. The attachment was too large. If you search for the topic "How to work with non-Check Point Firewalls" in the VPN.pdf in the NG VPN-1 doc set, you will find the information.

2006-05-30, 09:33
Hi Aussie,

Thanks for your response.

As mentioned by you, I have opened the ports mentioned in the SecureClient doc, but no luck.

I had disabled IP packet filtering in ISA 2000, on which SecureClient works fine. In ISA 2004, I am able to create a site; however, while connecting back in connect mode it fails.

I even allowed access to all outbound traffic to the remote VPN site, still no luck.

Just another thought: the local network range is 192.168.0.x where the ISA 2000 is located and the local network range is 192.168.2.x where ISA 2004 is located. Would this network range have anything to do with the issue?

Or is the network range 192.168.2.x clashing with the network at the remote VPN site? If it is, how do we find out?

Tracert and Ping work fine. The error message when I try to connect thru SecureClient is "Gateway not responding, Connection failed".
The SecureClient diagnostics mention "See IKE Negotiation failure".

Access to logs at the VPN-1 gateway might not be possible immediately.

Any help in this regard would be of great help.

Thanks in advance


2006-05-30, 09:37
Try IKE over TCP, that should help.

2006-05-31, 00:48
I tried that too, but to no avail.

2006-06-01, 09:43
Go with visitor mode (IPSec over HTTP).

2006-06-02, 12:18
I have the same problem, but also no luck. I have NG FP3 and I didn't find this visitor mode. Is it in this version, NG FP3?
Thanks, David

2006-06-07, 04:47
Go with visitor mode (IPSec over HTTP).

My option is not highlighted.

2006-08-07, 11:46
Did anyone solve this issue?

I can successfully make the connection when the PC is behind a small SOHO router, but not when behind the ISA (2004 SP2).

Checking the log files on the ISA server, I can see that after the outbound IKE (500 UDP) and 2746 UDP I start getting UDP packets from the VPN server that are denied as unidentified IP traffic (the port they are received on varies over time).
I have tried to add 2nd protocols (UDP Port 1024-6000 Receive) to both the 500 and the 2746 rule, but packets still get discarded.

Microsoft has a KB entry related to lost UDP packets; can this be related? http://support.microsoft.com/?kbid=915461
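
Added example, not part of the thread and not Check Point or Microsoft code: one way to confirm the pattern described in the last post, where UDP packets from the VPN server are denied shortly after allowed outbound UDP 500/2746 traffic. The CSV layout, the addresses and the 60-second window are assumptions constructed for illustration; this is not the ISA 2004 log format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified CSV layout (NOT the ISA 2004 format).
# Addresses are documentation ranges; 203.0.113.10 stands in for the VPN gateway.
SAMPLE_LOG = """\
time,action,proto,src,sport,dst,dport
2006-08-07 11:40:01,allow,UDP,192.168.2.25,500,203.0.113.10,500
2006-08-07 11:40:02,allow,UDP,192.168.2.25,2746,203.0.113.10,2746
2006-08-07 11:40:03,deny,UDP,203.0.113.10,2746,198.51.100.7,1533
2006-08-07 11:40:05,deny,UDP,203.0.113.10,2746,198.51.100.7,4120
2006-08-07 11:40:09,deny,UDP,198.51.100.99,53,198.51.100.7,3301
2006-08-07 11:52:00,deny,UDP,203.0.113.10,2746,198.51.100.7,2210
"""

VPN_PORTS = {500, 2746}          # outbound UDP ports named in the thread
WINDOW = timedelta(seconds=60)   # assumed correlation window


def dropped_replies(log_text, window=WINDOW):
    """Map each VPN peer to the local ports on which its UDP packets were
    denied within `window` of an allowed outbound UDP 500/2746 packet."""
    last_out = {}                # peer address -> time of last allowed outbound
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"] != "UDP":
            continue
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if row["action"] == "allow" and int(row["dport"]) in VPN_PORTS:
            last_out[row["dst"]] = ts
        elif row["action"] == "deny" and row["src"] in last_out:
            # Only count denies that closely follow outbound VPN traffic.
            if ts - last_out[row["src"]] <= window:
                hits[row["src"]].append(int(row["dport"]))
    return dict(hits)


if __name__ == "__main__":
    for peer, ports in dropped_replies(SAMPLE_LOG).items():
        print(f"{peer}: {len(ports)} denied replies on local ports {ports}")
```

Denied packets that cluster on one peer right after the outbound negotiation, on local ports that change each time, point at return traffic the firewall is not matching to the outbound session rather than at a missing outbound rule.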