Re: ISA/VPN difficulty
From: LJMcA (lmcaulif_at_scsiweb.com)
Date: 04/06/04
- Previous message: Sharoon Shetty K [MSFT]: "Re: VPN Client can't access internal network -- Help?!?!"
- In reply to: Manjari Bonam [MSFT]: "Re: ISA/VPN difficulty"
- Next in thread: Mitch James: "Re: ISA/VPN difficulty"
- Reply: Mitch James: "Re: ISA/VPN difficulty"
Date: Tue, 6 Apr 2004 09:07:01 -0400
Good morning,
We appreciate the reply. Eric & I are working on the same issue. I've an
earlier message in this forum also, on March 17th.
Essentially what we're doing is this: We're swapping out an existing
W2K/ISA/VPN server and replacing it.
The current one (production) works fine in terms of ISA and VPN
functionality. Traffic flows properly and VPN is fully functional. Note
that for us full VPN functionality simply means that the client (almost all
W2K) connects, authenticates, and successfully registers on the LAN. At
that point they may map drives and/or run pcAnywhere or VNC or whatever, to
connect to a specific workstation.
The new machine (test) does everything fine EXCEPT allow clients to do
anything at all once they're authenticated and registered. They cannot
access - by any route - any of our internal LAN resources. They can "ping"
the internal NIC on the test machine, but can't "ping" past it. They can't
map a drive or connect to their workstation by either pcAnywhere or VNC.
As far as we can tell, we've configured BOTH machines the same. Eric and I
have sat side by side and compared ISA & RRAS settings. We've done the same
thing with every registry setting we can think of. Everything appears to be
the same. We've created a "Web Users" group on both boxes that includes the
same group of NT Domain users, all of whom were granted dial-in access.
We've updated both machines to the same level, i.e., W2K Server is at SP3
with all applicable updates and ISA Server 2000 is at SP1 with all
applicable updates.
The only message in the event logs is the standard Warning about L2TP
missing the certificate server; we're not trying to use L2TP (at this
point) so that should be a non-event! And, we get it on both machines
anyway.
As far as we can tell the routing tables look correct on all the machines.
By that I mean "route print" looks correct for the server & client on both
the production and test box. The routes also look correct when the
production and test box routing tables are compared.
We don't use DHCP but instead have assigned a range of IP addresses to be
used by VPN clients. The full range of addresses is valid on our internal
network, but we've assigned two, non-overlapping sub-ranges, one to the
production box and the other to the test box - just in case.
We're lost! To us it MUST be something that's just so obvious we can't see
it - that's what prompted the question about multiple servers!! ;-)
Please, please, please ... tell us where to look - and thanks.
Larry
"Manjari Bonam [MSFT]" <manjarib@online.microsoft.com> wrote in message
news:OuYBkA9GEHA.4044@TK2MSFTNGP10.phx.gbl...
> There should not be any limitation as such. Let us know what is the error
> you are seeing when you try to connect.
> Any event logs will be helpful too.
>
> --
> - Manjari
> This posting is provided "AS IS" with no warranties, and confers no rights.
> "Larry" <lmcaulif@scsiweb.com> wrote in message
> news:518137d4.0404050812.3491ee8f@posting.google.com...
> > Hello,
> >
> > In a Windows NT 4.0 domain (no AD) how many Windows 2000 ISA/VPN
> > (stand-alone) servers are allowed to be active at the same time?
> >
> > Our production machine works, but the test machine fails. All
> > settings appear to be identical but test machine will not allow
> > clients to see the LAN.
> >
> > TIA
> > Larry
>
>