Re: Outgoing VPN Error 619



Inbound VPN problem:
You cannot use the same subnet as the LAT.
You MUST use a separate subnet.
There is no option.

Outbound VPN problem:
Q1 - is the test client configured as SecureNET? In other words, is the ISA
a hop on the path to the Internet? If no, outbound VPN will fail.
Q2 - what do you find in the ISA logs for your tests?
Q3 - have you tried gathering a network capture of the failing process?

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html
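The "separate subnet" requirement Jim states above is easy to violate by accident when the VPN address pool comes from the same DHCP scope that serves the LAN. The script below is an added example, not code from the thread or from ISA Server: it takes the internal (LAT) ranges and a proposed VPN client pool and reports any overlap, which is the condition behind the "IP spoofing" alerts the poster saw. All address values are constructed to mirror the thread's 10.2.x.x internal network.

```python
"""Check a proposed VPN client address pool against ISA's internal network ranges.

Added example: not ISA Server code and not from the newsgroup thread. ISA
requires the VPN clients network and the internal network (the LAT) to be
separate subnets; handing VPN clients addresses from the internal DHCP scope
breaks that and surfaces as "IP spoofing" alerts. All address values below are
constructed to mirror the thread (internal network 10.2.x.x).
"""
import ipaddress
from typing import Iterable, List, Tuple


def parse_range(spec: str) -> List[ipaddress.IPv4Network]:
    """Accept CIDR ("10.2.0.0/16") or a start-end range ("10.2.0.0-10.2.255.255")."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def overlapping_internal_ranges(internal: Iterable[str], pool: str) -> List[str]:
    """Return the internal ranges that overlap the VPN pool (empty list means disjoint)."""
    pool_nets = parse_range(pool)
    clashes = []
    for spec in internal:
        for net in parse_range(spec):
            if any(net.overlaps(p) for p in pool_nets):
                clashes.append(str(net))
    return clashes


def check_vpn_pool(internal: Iterable[str], pool: str) -> Tuple[bool, str]:
    """True if the pool is usable, i.e. disjoint from every internal range."""
    clashes = overlapping_internal_ranges(internal, pool)
    if clashes:
        return False, (f"VPN pool {pool} overlaps internal range(s) "
                       f"{', '.join(clashes)}; use a separate subnet")
    return True, f"VPN pool {pool} is disjoint from the internal network"


# Constructed to match the thread: the internal network covers 10.2.0.0 - 10.2.255.255.
INTERNAL = ["10.2.0.0-10.2.255.255"]
CANDIDATE_POOLS = {
    "internal DHCP scope": "10.2.0.100-10.2.0.199",   # addresses handed out by the LAN DHCP server
    "same /16, different /24": "10.2.3.0/24",         # still inside the LAT
    "separate subnet": "10.1.0.0/24",                 # a genuinely separate subnet
}

if __name__ == "__main__":
    for label, pool in CANDIDATE_POOLS.items():
        ok, msg = check_vpn_pool(INTERNAL, pool)
        print(f"{'OK ' if ok else 'BAD'} {label}: {msg}")
```

Run it as a script to see each candidate pool classified; only the pool outside 10.2.0.0/16 passes. The check is deliberately strict about any overlap rather than exact equality, because a pool carved out of the middle of the LAT is just as much "the same subnet" from ISA's point of view.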



"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:%23V0afBHpIHA.2292@xxxxxxxxxxxxxxxxxxxxxxx
Just a follow up on what I have tried with getting inbound VPNs working.

1. DHCP assigned (not working, comes up as spoofs)
2. Static assigned on a different subnet, i.e. 10.1.255.255 (not working)
3. Static assigned on the same subnet, i.e. 10.2.3.255, with the LAT table
edited to only cover 10.2.2.255 (not working, throws misconfiguration alerts
in ISA management)

I've checked in local network rules and I do have a rule called VPN clients
to Internal Network which is a Route of Quarantined and VPN clients to the
Internal network.

Any ideas on this, plus my outgoing PPTP VPN problem? I'm getting desperate.

Cheers

Damon


"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:ON6Rh%23BpIHA.3804@xxxxxxxxxxxxxxxxxxxxxxx

With the outgoing PPTP VPNs I have that allow-all rule, but they are still
not working. Any ideas on this?

With the incoming VPN's yes I do have the user address be allocated from
the same DHCP that serves the internal network.

If I'm doing a static assignment, will these need to be IP addresses which
are within the range allocated via the LAT table, or will they need to be
outside of that?

Currently the internal network is 10.2.255.255

Cheers

Damon


"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23e0uvLApIHA.3556@xxxxxxxxxxxxxxxxxxxxxxx
You can do outbound PPTP, but as Phil stated, this is only possible if the
PPTP clients are configured to use ISA as a hop to the Internet (SecureNET
clients). Neither a web (CERN) proxy client nor a Firewall client host can
send the GRE traffic that is critical to PPTP functionality through ISA.

Since the VPN client is also a SecureNET client, the rule allowing outbound
PPTP must be anonymous because SecureNET traffic is, by nature, anonymous.
Your first "allow everything for all users" is sufficient for this task, but
it's dangerously wide. Limit this to "PPTP" and you'll have the necessary
rule. Make sure you don't also include "all authenticated users" in the same
rule - this will force authentication and cause the PPTP request to fail.

Regarding the incoming VPN users, the "IP spoofing" error is most often
related to assigning VPN users addresses from the same DHCP server that
serves the internal network. You cannot satisfy the ISA requirement for
separate subnets on each network by doing this. Try using static
assignments instead.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:eG5USd$oIHA.2188@xxxxxxxxxxxxxxxxxxxxxxx

Hi Guys,

I have a development team, some members of which need to be able to connect
to customers' sites to do development. If we were not to do outbound PPTP
VPNs for them, what other option would be better?

You mention that the clients need to be SecureNat. I have the gateways on
all of the machines on the network set to use the ISA server internal NIC.
Isn't that what makes them a SecureNat client?

If by anonymous you mean 'All Users', then my first rule allows everything
outbound and applies to the user set 'All Users'.

Any ideas how I can get this working?

On a side note, I've now discovered that my inbound VPNs now do not work. If
I connect externally in to ISA my VPN will connect, but I cannot ping any
resources. If I have a look in the ISA logs I see IP Spoofing alerts.

Cheers

Damon

"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:eqpHmJ%23oIHA.3556@xxxxxxxxxxxxxxxxxxxxxxx
"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:FF998E9E-3AB4-4CA5-B61D-5A706B1D2E13@xxxxxxxxxxxxxxxx
"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23xC3H17oIHA.4912@xxxxxxxxxxxxxxxxxxxxxxx
1. Outbound VPN is not "supposed" to ever be allowed.

Jim - This is a business case decision. Some folks do and some don't. This
is not an "always" or "never" decision.

I may over-emphasize sometimes,..but Tom makes almost as strong a statement
about the same thing in some of the stuff he wrote. Yes, I know it is a
business decision, but are you saying that the development team never
encourages or discourages certain usages by how they design the product?
Considering the difficulty of balancing out the usage of this with
SecureNAT Clients while still trying to have Web and Firewall Client
functionality at the same time,...maybe it should be listed as one of the
many "unsupported configurations" (if it isn't already). The "ISA on a
DC" didn't get added to the list till later; this could be the same way.
Although I suppose with TMG, ISA 2006 is probably already a fading
priority.

2. The Web Proxy and Winsock Proxying services only "proxy" TCP or UDP based
traffic. They will not, and will never do, GRE/PPTP.

Jim - there is no such thing as a "winsock proxy" or "web proxy" service in
ISA 2006. There is one service; the firewall service. There were firewall
and web proxy services in ISA 2000, but there has not been a "winsock proxy"
service since Proxy 2. That said, the firewall logs and possibly a network
capture will help determine the problems that may be occurring with outbound
PPTP.

Now Jim, when I was out there after ISA2000 came out there was discussion
about how the Winsock Proxy Service of Proxy2 was "renamed" for marketing
reasons because they felt they weren't able to market Proxy2 successfully
as a "firewall". But under the new name it was still the same old
Winsock-based proxying service with maybe some internal improvements. Even
the Firewall Client Software was, to a certain extent, compatible between
the different versions. Now I'm certainly not as close to the product as you
are (no one is), but no one has ever told me that the "Firewall Service" of
ISA2006 has been that drastically reworked to be operating by a completely
different technology and standard than the earlier versions.

Personally, I think renaming it to "firewall service" was not a good idea
and caused more confusion than anything else. I see the entire product as
a firewall product, not just one component of it. I agree with Tom when he
often refers to it in his material as the "ISA Firewall", implying that
the whole product is a firewall product.

3. Only the SecureNAT service can do GRE/PPTP.
a. So the Clients have to be SecureNAT Clients.
b. The Access Rules for them must be "anonymous".
c. In some cases the Private IP# Range of the remote network being
contacted may have to be added to the Internal Network Definition.

Jim - 2/3 correct. Item (c) is not true. Only those subnets which are
actually reachable in the network structure associated with that network
should be listed there. Also, you have to ensure that any anonymous rules
are listed before any authenticating rules, or they cannot be processed as
you expect.
http://www.microsoft.com/technet/isa/2006/BP_Firewall_Policy/default.mspx
refers.

Yes, sorry, I got ahead of myself. That would only be true if the VPN
device was some other device separate from ISA. But I did say "in some
cases",..however, you're right, I should have stopped with a & b.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
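Two rule-policy points recur in this thread: Jim's note that the outbound PPTP rule must be anonymous (SecureNET traffic carries no user identity, and only a SecureNAT client can get GRE through ISA at all), and his later remark that anonymous rules must be listed before authenticating rules or they are not processed as expected. The following is an added example, not ISA Server code and not from any poster: a small first-match simulation of access-rule processing that shows an authenticating "allow all" rule above the anonymous PPTP rule failing the SecureNAT request, the same policy reordered succeeding, and a lint that flags the shadowed rule. Rule names, user-set strings and the request shape are constructed for this model.

```python
"""Simulate ISA-style first-match access-rule processing for outbound PPTP.

Added example, not ISA Server code and not from the newsgroup thread. It models
two points raised in the thread: (1) PPTP needs GRE, which only a SecureNAT
client can push through ISA, and (2) rules are evaluated top-down, so an
authenticating rule placed above the anonymous PPTP rule captures the SecureNAT
request first and fails it. Rule names, user-set strings and the request shape
are constructed for this model.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANONYMOUS = "All Users"                   # rule applies without authentication
AUTHENTICATED = "All Authenticated Users"  # rule forces authentication


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: FrozenSet[str]   # e.g. frozenset({"PPTP"}) or frozenset({"ALL"})
    users: str                  # ANONYMOUS or AUTHENTICATED
    action: str = "allow"


@dataclass(frozen=True)
class Request:
    protocol: str               # e.g. "PPTP", "HTTP"
    client_type: str            # "SecureNAT", "Firewall" or "WebProxy"


def client_can_carry(req: Request) -> bool:
    """PPTP (TCP 1723 plus GRE) only traverses ISA from a SecureNAT client."""
    if req.protocol == "PPTP":
        return req.client_type == "SecureNAT"
    return True


def rule_covers(rule: Rule, req: Request) -> bool:
    return "ALL" in rule.protocols or req.protocol in rule.protocols


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (outcome, rule_name) from the first rule whose protocol set matches."""
    if not client_can_carry(req):
        return "deny", "<client-type: GRE not proxied>"
    for rule in rules:
        if not rule_covers(rule, req):
            continue
        if rule.users != ANONYMOUS and req.client_type == "SecureNAT":
            # The rule demands credentials; SecureNAT traffic carries none,
            # so the request fails here instead of falling through.
            return "deny", rule.name
        return rule.action, rule.name
    return "deny", "<default deny>"


def shadowed_anonymous_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Lint: (authenticating rule, anonymous rule) pairs where the anonymous
    rule sits below an authenticating rule that covers the same protocol."""
    findings = []
    for i, auth_rule in enumerate(rules):
        if auth_rule.users == ANONYMOUS:
            continue
        for later in rules[i + 1:]:
            overlap = (auth_rule.protocols & later.protocols
                       or "ALL" in auth_rule.protocols
                       or "ALL" in later.protocols)
            if later.users == ANONYMOUS and overlap:
                findings.append((auth_rule.name, later.name))
    return findings


# Constructed policy: an authenticating allow-all rule listed above the PPTP rule.
WRONG_ORDER = [
    Rule("All outbound for authenticated users", frozenset({"ALL"}), AUTHENTICATED),
    Rule("Allow outbound PPTP", frozenset({"PPTP"}), ANONYMOUS),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))
PPTP_FROM_SECURENAT = Request("PPTP", "SecureNAT")
PPTP_FROM_FW_CLIENT = Request("PPTP", "Firewall")

if __name__ == "__main__":
    for label, policy in (("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)):
        print(label, evaluate(policy, PPTP_FROM_SECURENAT),
              shadowed_anonymous_rules(policy))
    print("firewall client", evaluate(RIGHT_ORDER, PPTP_FROM_FW_CLIENT))
```

The model is deliberately narrow: it encodes only the two behaviours the thread describes (no GRE for non-SecureNAT clients; an authenticating rule that matches first ends evaluation with a failure for anonymous traffic) and makes no claim about how ISA handles other protocols or client types.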






