Re: Clients VPN through ISA 2004
From: Tristan Kington [MSFT] (tristank_at_online.microsoft.com)
Date: 10/28/04
- Next message: A P: "H.323 Gatekeeper of ISA2000 as ILS Server?"
- Previous message: Tristan Kington [MSFT]: "Re: Problem with ISA 2004"
- In reply to: Aubrey Rhame: "Re: Clients VPN through ISA 2004"
- Next in thread: Tristan Kington [MSFT]: "Re: Clients VPN through ISA 2004"
- Reply: Tristan Kington [MSFT]: "Re: Clients VPN through ISA 2004"
Date: Thu, 28 Oct 2004 10:50:49 +1000
Could you give it a try with the FWC turned off on the client?
And could you also email me your ISAINFO please? (http://isatools.org for
the download).
That's basically the same setup I'm using at home.
--
http://blogs.msdn.com/tristank/
--
This post is provided "AS-IS", and confers no warranty.

"Aubrey Rhame" <arhame@satx.rr.com> wrote in message
news:3v50o0d4ms6kh0j4djml1fuld154s4isoq@4ax.com...
> Still plowing through this:
>
> Update:
> What I've done now, is to completely build another ISA Server to see
> if I could resolve this issue. I did a default installation of Windows
> 2003 Server on a machine with dual NICs. I did NOT install DNS nor
> DHCP on the box as I would like to utilize our already existing DNS
> and DHCP Servers.
>
> On the external NIC, I configured it with one of our public
> IPs/subnet masks, using the IP address of our router (which it is
> connected to) as the Default Gateway. No IP was entered for a DNS
> Server.
>
> On the internal NIC, I configured it with a static IP that falls in
> the realm of our internal IP address range and subnet mask
> (192.168.0.20/255.255.255.0). No default gateway was configured and
> the DNS Server was configured to our internal DNS Server
> (192.168.0.1). Our internal DNS Server and DHCP Server serves up
> addresses for the 192.168.0.x range, is active directory integrated,
> and uses forwarders that point to our ISP's DNS servers for external
> name resolution. Do not use recursion for this domain is checked.
>
> On any of the workstations, the new firewall client is installed and
> is pointing at the isa server. Their default gateways are pointing to
> the isa server and the dns server setting is pointing to our internal
> dns server.
>
> On the ISA Server, I have created an access rule that allows all
> outbound protocols from Internal to External with All Users selected
> as the users. Also, I have created another rule called PPTP outbound
> which allows the pptp protocol from Internal to External with users
> set to All Users.
>
> When I turn on monitoring, and attempt to establish a PPTP session
> from one of the workstations behind the ISA 2004 server to a remote
> ISA 2000 server acting as a VPN server to a remote network, I see 3
> items:
> 1. Destination IP of the VPN server I'm trying to connect, Destination
> port:1723, Protocol:PPTP, Action:Initiated Connection, Rule:Allow
> Access, Client IP:machine IP from which I'm trying to establish the
> VPN, Source Network:Internal, Destination Network:External
> 2. Destination IP of the VPN server I'm trying to connect, Destination
> port:0, Protocol:PPTP, Action:Initiated Connection, Rule:Allow Access,
> Client IP:machine IP from which I'm trying to establish the VPN,
> Source Network:Internal, Destination Network:External
> 3. 1. Destination IP of the VPN server I'm trying to connect,
> Destination port:1723, Protocol:PPTP, Action:Closed Connection
> Connection, Rule:Allow Access, Client IP:machine IP from which I'm
> trying to establish the VPN, Source Network:Internal, Destination
> Network:External
>
> On the client machine, I get an almost immediate "Error 619: A
> connection to the remote computer could not be established, so the
> port used for this connection was closed."
>
> On the original box, before the upgrade, we were running Windows 2003
> server and ISA 2000 with no problems. I would really love to stick
> with 2004 because every single other aspect of it has been
> outstanding.
>
> On Wed, 27 Oct 2004 02:53:54 +1000, "Tristan Kington
> [MSFT]" <tristank@online.microsoft.com> wrote:
>
>>Can you email me an ISAINFO export? (strip online. from my newsgroup
>>posting address).
>>
>>http://isatools.org/
>>
>>I might be able to spot something, but if the information isn't getting
>>logged at the server, it sounds as if the traffic might not even be
>>hitting the server at some point (what's between the client and the
>>ISA box?)
>>
>>Forgot to mention - the type of VPN is important here - L2TP won't work
>>behind a firewall without NAT-T support, I've assumed you're using PPTP?
>>
>>
>>"Chris Roberts" <chris.roberts@robertsc.fsnet.co.uk> wrote in message
>>news:clls1l$3i2$1@newsg2.svr.pol.co.uk...
>>> Thanks again,
>>>
>>> I've disabled the firewall client and also set the default gateway.
>>>
>>> I can surf OK from the workstation, but unfortunately the VPN is still
>>> not working, or registering in the Log.
>>>
>>> I've checked the session log and the Workstation is registering as a
>>> SecureNAT, it's also registering as a Web Proxy (is that correct?)
>>>
>>> I can create a VPN connection from the server, and I can see it
>>> registering the correct protocols in the log, so I'm confident the
>>> Firewall Policy is correct. I just need to figure out why the VPN
>>> from the workstation is not getting through.
>>>
>>> You've been a great help, I don't suppose you have any other ideas?
>>>
>>> Many thanks again
>>>
>>> Chris