Re: Bizzare ISA2004 VPN Issues, Please help


From: Thomas W Shinder [MVP] (tshinder_at_hotmail.com)
Date: 09/28/04


Date: Mon, 27 Sep 2004 22:49:36 -0500

Hi Eric,

You could NOT publish a PPTP VPN server with the 2000 ISA firewall.

HTH,

-- 
Tom
www.isaserver.org/shinder
Get the book!
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
""Eric Sun [MSFT]"" <v-ericsu@online.microsoft.com> wrote in message
news:1np9hXDpEHA.1520@cpmsftngxa06.phx.gbl...
: Hi Zane,
:
: Thanks for your reply and information sharing. I am glad you resolved this issue.
:
: Regarding this issue, it is a by design feature, but not a bug I think.
:
: If you use the Server Publish rule to publish an internal PPTP server to the internet, a socket on TCP 1723 port of ISA external NIC will be created. In this situation, you could still set up a PPTP server on ISA and let it listen on TCP 1723. However, when an external request comes, the request can never reach the listening application because it will be forwarded to internet PPTP server by TCP socket on TCP 1723. I think this is the main difference between ISA 2000 and ISA 2004 design. Hope that information helps.
:
: Have a good day!
:
: Best Regards,
:
: Eric Sun,
: MCSE2000 / MSCA / MCDBA
: Microsoft Online Partner Support
:
: Get Secure! - www.microsoft.com/security
:
: =====================================================
: When responding to posts, please "Reply to Group" via
: your newsreader so that others may learn and benefit
: from your issue.
: =====================================================
:
: This posting is provided "AS IS" with no warranties, and confers no rights
: --------------------
: | From: "Z D" <nospam@nospam.com>
: | Subject: Re: Bizzare ISA2004 VPN Issues, Please help
: | Date: Fri, 24 Sep 2004 11:34:37 -0400
: | Newsgroups: microsoft.public.isa
: |
: | Hello Eric,
: |
: | I have discovered more info on the topic:
: |
: | - I disabled VPN client access from within ISA2004.
: | - Rebooted the server.
: | - I then manually opened RRAS, configured it to accept PPTP VPN connections.
: | - This still DID NOT fix the problem, the PPTP ports did not show up.
: |
: | - Then I went back to ISA2004 and remembered that I have a PPTP server publishing rule.  I'm doing this because I have yet another PPTP VPN server inside my network that I'm publishing.
: | - I disabled this rule and rebooted the server.
: |
: | - After the reboot, I went back into RRAS and configured it again as a PPTP VPN server (since after the reboot the service was turned off, I'm assuming ISA did this because it thought it should be disabled).
: |
: | - Now when I configure the PPTP ports manually in RRAS they show up!!!
: |
: | - Now I thought maybe if I can do it manually in RRAS then ISA can also do it.
: | - So, I disabled RRAS
: | - Rebooted the server
: | - Opened ISA and tried to enable VPN client connections (but I still have the VPN server publishing rule to the other server disabled)
: | - I rebooted the server
: | - The ports are visible!!!!!!!  VPN Works!!!
: |
: |
: | SO, it seems as though there is a bug where ISA cannot be a PPTP VPN server and also publish another PPTP VPN server inside the network.
: |
: |
: | What do you think? Are you able to reproduce this problem? Please let me
: | know what you think.
: |
: | Thanks very much - maybe I found a bug!!
: | -ZD
: |
: |
: | ""Eric Sun [MSFT]"" <v-ericsu@online.microsoft.com> wrote in message
: | news:SQWrpGkoEHA.3468@cpmsftngxa06.phx.gbl...
: | >
: | > Thanks for your great information. Below is my research result and followed by action plan
: | >
: | > 1. From the screenshot of port lists, we can see the PPTP are not listed and L2TP is listed as 'Used by' 'RAS/Routing'.
: | > From the screenshot of port properties, we can see the PPTP are 'used by' 'RAS' and L2TP are used by 'None' (which should not be listed in the port list with 'None' .)
: | >
: | > Action Plan: In the port properties, click PPTP and click configure button. Check the following two check boxes.
: | >
: | > 'Remote access connections (inbound only)'
: | > 'Demand-dial routing connections (inbound and outbound)'
: | >
: | > Click L2TP and click configure button. Then uncheck the above two check boxes.
: | >
: | > Refresh the port list. What's the result now?
: | >
: | > 2. If the problem persists, I think the RRAS service may have crashed. Please reinstall the RRAS service in the Add/Remove program. Reconfigure the VPN. What's the result?
: | >
: | > 3. After checking your ISA information and configuration, I do not find evident errors. I suggest you disable the ISA service and directly use the RRAS service to serve as VPN. What's the result? We need to know that the RRAS service is good so that we can concentrate on the ISA and continue the troubleshooting.
: | >
: | > Thanks for your time and I look forward to your reply.
: | >
: | > Best Regards,
: | >
: | > Eric Sun,
: | > MCSE2000 / MSCA / MCDBA
: | > Microsoft Online Partner Support
: | >
: | > Get Secure! - www.microsoft.com/security
: | >
: | > =====================================================
: | > When responding to posts, please "Reply to Group" via
: | > your newsreader so that others may learn and benefit
: | > from your issue.
: | > =====================================================
: | >
: | > This posting is provided "AS IS" with no warranties, and confers no rights
: | > --------------------
: | > | From: "Z D" <nospam@nospam.com>
: | > | Subject: Re: Bizzare ISA2004 VPN Issues, Please help
: | > | Date: Thu, 23 Sep 2004 15:13:42 -0400
: | > | Newsgroups: microsoft.public.isa
: | > |
: | > | Hi Eric,
: | > |
: | > | I've sent you all the info in an email earlier this morning. Hopefully you will be able to make some sense of what's going on!
: | > |
: | > | thanks
: | > | -ZD
: | > |
: | > |
: | > | ""Eric Sun [MSFT]"" <v-ericsu@online.microsoft.com> wrote in message
: | > | news:jMLshSVoEHA.2640@cpmsftngxa06.phx.gbl...
: | > | > Hi,
: | > | >
: | > | > After testing, I cannot reproduce the problem, if 'Enable VPN Client' wizard was run, 5 PPTP ports should be created in RRAS automatically.
: | > | >
: | > | > I would suggest the following:
: | > | >
: | > | > I. Disable VPN in ISA console.
: | > | >
: | > | > 1. Open ISA Management.
: | > | > 2. Click VPN node
: | > | > 3. Click 'Verify that VPN client is enabled'
: | > | > 4. Uncheck the 'Enable the VPN client access' option
: | > | > 5. Click OK
: | > | > 6. Click apply
: | > | >
: | > | > II. Disable RRAS.
: | > | >
: | > | > 1. Open RRAS console
: | > | > 2. Right click Server and click All Task -> Stop
: | > | >
: | > | > III. Enable VPN access with only PPTP.
: | > | >
: | > | > 1. Open ISA Management.
: | > | > 2. Click VPN node
: | > | > 3. Click 'Verify that VPN client is enabled'
: | > | > 4. Check the 'Enable the VPN client access' option
: | > | > 5. In the protocol tab, please check PPTP option and uncheck L2TP option
: | > | > 5. Click OK
: | > | > 6. Click apply
: | > | >
: | > | > Are the ports created in RRAS? Could this issue be reproduced?
: | > | >
: | > | > If the problem persists, let's get the application & System event logs, ISAINFO for ISA 2K4. to me at v-ericsu@microsoft.com
: | > | >
: | > | > 1) Download the file from the following URL: http://www.isatools.org/isainfo/ISAInfo.zip
: | > | > 2) Extract all files to a folder on ISA server
: | > | > 3) Double click Isainfo.js. This will generate 2 files ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the current folder.
: | > | > 4) Please send these files to me.
: | > | >
: | > | > Hope that helps.
: | > | >
: | > | > Best Regards,
: | > | >
: | > | > Eric Sun,
: | > | > MCSE2000 / MSCA / MCDBA
: | > | > Microsoft Online Partner Support
: | > | >
: | > | > Get Secure! - www.microsoft.com/security
: | > | >
: | > | > =====================================================
: | > | > When responding to posts, please "Reply to Group" via
: | > | > your newsreader so that others may learn and benefit
: | > | > from your issue.
: | > | > =====================================================
: | > | >
: | > | > This posting is provided "AS IS" with no warranties, and confers no rights
: | > | > --------------------
: | > | > | From: "Z D" <nospam@nospam.com>
: | > | > | Subject: Bizzare ISA2004 VPN Issues, Please help
: | > | > | Date: Wed, 22 Sep 2004 14:24:19 -0400
: | > | > | Newsgroups: microsoft.public.isa,microsoft.public.isa.vpn
: | > | > |
: | > | > | Hello,
: | > | > |
: | > | > | I have some strange VPN behaviour with ISA2004.
: | > | > |
: | > | > | I have configured ISA 2004 to allow 5 VPN connections.  I've only allowed PPTP and not L2P/IPSEC.
: | > | > |
: | > | > | I have the necessary security permissions for the client dialing in.
: | > | > |
: | > | > | When the client tries to VPN in, I get Error 800.  When I view the ISA2004 realtime logs, it says "Protocol: PPTP, Action: Failed Connection Attempt, Rule: Allow VPN Traffic to ISA Server".
: | > | > |
: | > | > | I couldn't figure out what was going on so I manually went into RRAS to double check the settings that ISA2004 should have configured in it.
: | > | > | I noticed that there are only L2P ports available (WAN Miniport (L2P)(VPN4-...) )!!!   No PPTP ports are configured!!
: | > | > |
: | > | > | So, I went back to ISA 2004 and I can see for sure that PPTP is selected and L2P/IPSEC is NOT selected.  SO, what is going on? Why isn't ISA putting the correct info into RRAS?    Is it a bug?
: | > | > |
: | > | > |
: | > | > | please advise, thanks!
: | > | > |
: | > | > | -ZD
: | > | > |
: | > | > |
: | > | > |
: | > | >
: | > | >
: | > |
: | > |
: | > |
: | >
: | >
: |
: |
: |
:
:
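
The contention on TCP 1723 that Eric Sun describes in the thread above can be checked from a saved `netstat -ano` listing. This is an added example, not part of the original thread: the sample listing, addresses and PIDs are constructed, and it assumes the publishing rule's socket appears as a listener bound to the external address.

```python
import re
from collections import defaultdict

PPTP_CONTROL_PORT = 1723  # TCP control channel named in the thread

# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1723           0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:1723      0.0.0.0:0              LISTENING       1620
  TCP    203.0.113.10:1723      198.51.100.7:50211     ESTABLISHED     1620
  TCP    [::]:1723              [::]:0                 LISTENING       4
  UDP    0.0.0.0:1701           *:*                                    4
"""

# Only TCP rows in LISTENING state matter; UDP rows have no state column.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
WILDCARDS = {"0.0.0.0", "[::]"}


def listeners(netstat_text, port=PPTP_CONTROL_PORT):
    """Return {local_address: set_of_pids} for TCP sockets listening on port."""
    found = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(2)) == port:
            found[m.group(1)].add(int(m.group(3)))
    return dict(found)


def contention(netstat_text, port=PPTP_CONTROL_PORT):
    """Summarise who holds the port and whether two owners compete for it."""
    by_addr = listeners(netstat_text, port)
    pids = set().union(*by_addr.values())
    specific = sorted(a for a in by_addr if a not in WILDCARDS)
    return {
        "listening": bool(by_addr),
        "pids": sorted(pids),
        "specific_binds": specific,
        # Assumption taken from the thread: a socket bound to the external
        # address takes the requests, so a second owner never sees them.
        "contended": len(pids) > 1 and bool(specific),
    }


if __name__ == "__main__":
    print(contention(SAMPLE_NETSTAT))
```
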

