Re: VPN from workstation behind ISA 2006



Ok, give me a little time to chew on this, I have a few things going on
around here. Of course if anyone has any ideas they are welcome to jump in
in the meantime.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:%23VnoBRK8HHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
How many subnets are part of the LAN and what are they specifically (ID &
Mask)?

The server itself is 10.0.100.x. I have added 10.0.0.x to the Internal
range, but that was an attempt to fix the problem. The problem exists
whether this subnet is in the Internal range or not. So I think the answer
to your question is zero subnets, 10.0.100.z/255.255.255.0.

What are the IP Ranges listed in the properties of the Internal Network
Definition?

10.0.100.0-10.0.100.255
10.0.0.0-10.255.255.255
10.255.255.255-10.255.255.255

If you have multiple LAN subnets, what is acting as the LAN Router and
what is the routing scheme (what uses what for gateways, etc.)? If there
is no LAN Router is the ISA acting as the LAN Router?

The ISA is acting as the LAN Router.

Although it looks like you are trying to have individual users make their
own independent outbound VPN connection, is the ISA itself also being
used for a VPN Server?

The ISA itself is a VPN server (I can VPN into it from home).

If yes,..is it a Site-to-Site VPN or a Remote Access VPN?

Remote Access.

What are the TCP/IP specs of the ISA machine?

I'm not sure what you're asking. The External NIC is set at
192.168.254.50, 255.255.255.0; Gateway is the hardware Router
(192.168.254.254). Static IP.

--

GaryK


"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:uf$b4fI8HHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Ok, we'll have to gather some details about the overall network and the
ISA,...the "big picture" that is.

How many subnets are part of the LAN and what are they specifically (ID &
Mask)?

What are the IP Ranges listed in the properties of the Internal Network
Definition?

If you have multiple LAN subnets, what is acting as the LAN Router and
what is the routing scheme (what uses what for gateways, etc.)? If there
is no LAN Router is the ISA acting as the LAN Router?

Although it looks like you are trying to have individual users make their
own independent outbound VPN connection, is the ISA itself also being
used for a VPN Server?

If yes,..is it a Site-to-Site VPN or a Remote Access VPN?

What are the TCP/IP specs of the ISA machine?


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:uFh2UWB8HHA.5316@xxxxxxxxxxxxxxxxxxxxxxx
I found this under Alerts:

"The routing table for the network adapter External includes IP address
ranges that are not defined in the array-level network External, to
which it is bound. As a result, packets arriving at the network adapter
from the IP address ranges listed below or sent to these IP address
ranges via this network adapter will be dropped as spoofed. To resolve
this issue, add the missing IP address ranges to the array network.

The following IP address ranges will be dropped as spoofed:
Internal: 10.0.0.0-10.0.0.99.255, 10.0.101.0-10.255.255.254"

Certainly the machine that can't get the VPN out (IP=10.0.100.61) is
included in the above problem range, but I can't find anywhere in ISA
Manager to edit the table referenced. The only External network I can
find mentioned is the External network object, and it's not editable. I
can't find anything called "array-level network."

--

GaryK


"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:OVWIr3$7HHA.1444@xxxxxxxxxxxxxxxxxxxxxxx
"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:eTxvFu97HHA.2476@xxxxxxxxxxxxxxxxxxxxxxx
You should be fine if they are doing it with the VPN abilities of the
Windows Dialup Networking. If you are running a third-party client,
then you may be screwed.

When initiated, the VPN connectoid immediately fails with a "can't
reach the server error" (769).

Go to the live Monitoring Log, set the Filter to show only traffic from
the "Client IP" of the workstation you are testing from. Let it run and
see what it shows during an attempt. Even if the Client is using DHCP
the IP should stay the same long enough for the testing, in fact they
rarely actually change.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or
Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server
2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
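
Added example (not part of the original thread, and not ISA Server code): a simplified model of the consistency check the quoted alert describes, comparing the Internal network definition posted above with the ranges actually routed through the internal adapter. The adapter route 10.0.100.0-10.0.100.255 is an assumption taken from the 10.0.100.x/255.255.255.0 addressing given in the thread; this model reports the top address as 10.255.255.255 where the alert prints 10.255.255.254.

```python
from ipaddress import IPv4Address as IP

# Internal Network Definition exactly as posted in the thread.
INTERNAL_DEFINITION = [
    "10.0.100.0-10.0.100.255",
    "10.0.0.0-10.255.255.255",
    "10.255.255.255-10.255.255.255",
]
# Assumption: the internal NIC only has its connected /24 route.
INTERNAL_NIC_ROUTES = ["10.0.100.0-10.0.100.255"]

def parse(text):
    """'a.b.c.d-e.f.g.h' -> inclusive (low, high) integer pair."""
    lo, hi = text.split("-")
    return int(IP(lo)), int(IP(hi))

def merge(ranges):
    """Sort ranges and merge overlapping or adjacent ones."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def subtract(defined, routed):
    """Parts of `defined` not covered by `routed` (both already merged)."""
    result = []
    for lo, hi in defined:
        cur = lo
        for rlo, rhi in routed:
            if rhi < cur or rlo > hi:
                continue
            if rlo > cur:
                result.append((cur, rlo - 1))
            cur = max(cur, rhi + 1)
        if cur <= hi:
            result.append((cur, hi))
    return result

def mismatched_ranges(definition, nic_routes):
    """Ranges defined for a network but not routed via its adapter."""
    gaps = subtract(merge(map(parse, definition)), merge(map(parse, nic_routes)))
    return [f"{IP(lo)}-{IP(hi)}" for lo, hi in gaps]

if __name__ == "__main__":
    for r in mismatched_ranges(INTERNAL_DEFINITION, INTERNAL_NIC_ROUTES):
        print("defined as Internal but not routed via internal NIC:", r)
```
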