RE: VPN Problem with a domain account versus local computer accoun
- From: Daniel <Daniel@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 25 Aug 2005 22:39:02 -0700
Thank you very much. It was the IP fragments on ISA 2004, as per your
suggestion:
"2. Please also make sure that you disable the IP fragment on ISA 2004, it
might block some logon information or group policy. You can check it by
following the steps below:
On ISA 2004, if you enable the 'Block IP fragments' option in ISA MMC >
Configuration > General > 'IP Preferences' > 'IP Fragments', ISA server may
experience long logon time or even fail to log on to the domain; in some
cases, ISA will fail to do the authentication for defined rules."
I must've spent a couple of days troubleshooting this problem, and finally
problem solved.
Thanks again,
Daniel
"Charles Yang [MSFT]" wrote:
> Hi Daniel,
>
> Thanks for using SBS newsgroup.
>
> Issue description:
> ===========
>
> I understand that you encountered some problems if you use the dial-in
> option to log on to the domain remotely.
>
> Analyzing and suggestions:
> ============
>
> Generally speaking, this should be a performance issue. As far as I know,
> if you use the dial-in option to log on to the SBS domain remotely, the
> remote computer will deliver a lot of information such as AD to the SBS
> over the network, and it might cause some delay, as you mention you even
> encountered some problems when browsing \\servername. In my experience, it
> might be some incorrect design of the ISA firewall.
>
> So I suggest you make sure that you have configured ISA 2004 correctly. For
> your convenience, I would like to give you an example to show how to
> configure ISA 2004 to allow external dial-in connections:
>
> The following is a verbal description of a physical network configuration
> that describes bidirectional VPN traffic between two locations that are
> separated by the Internet.
>
> Location 1 = [local area network] + [domain controller] + [ISA Server
> 1] -- Internet -- [remote client computer] = location 2
>
> In this method, there is one ISA Server computer that is configured to
> allow VPN client access, and there is a client computer that is configured
> to use a VPN connection to access the network through an Internet
> connection.
>
> Enable VPN client access on the ISA server
>
> To enable VPN client access on the ISA server, follow these steps:
>
> 1. Click "Start", point to "All Programs", point to "Microsoft ISA Server",
> and then click "ISA Server Management".
> 2. Expand <YourServerName>, and then click "Virtual Private Networks (VPN)".
> 3. In the right pane, click "Enable VPN Client Access".
>
>
> Enable remote access on domain user accounts
>
> When you use a VPN connection to join a domain, you must first allow
> remote access permission in the Active Directory of the domain controller
> for each user account that requires VPN access. To enable remote access on
> domain user accounts, follow these steps:
>
> 1. Click "Start", point to "Administrative Tools", and then click "Active
> Directory Users and Computers".
> 2. Expand <YourServerName>, and then click "Users".
> 3. In the right pane, right-click the user account that you want to enable
> remote access on, and then click "Properties".
> 4. Click the "Dial-in" tab.
> 5. Click to select the "Allow access" check box, and then click "OK".
> 6. Repeat steps 3 through 5 for any additional user accounts that you want
> to enable remote access on.
>
> If the problem still exists, please help gather more information:
>
> 1. Does it occur at all the remote locations? If you connect the computer
> to the external NIC of the ISA 2004, does the issue still exist when you
> use the dial-in option to log on?
> 2. Please also make sure that you disable the IP fragment on ISA 2004, it
> might block some logon information or group policy. You can check it by
> following the steps below:
>
> On ISA 2004, if you enable the 'Block IP fragments' option in ISA MMC >
> Configuration > General > 'IP Preferences' > 'IP Fragments', ISA server may
> experience long logon time or even fail to log on to the domain; in some
> cases, ISA will fail to do the authentication for defined rules.
>
> 3. Please also follow the steps below to collect ISAinfo then send to me,
> it might be helpful to isolate the problem.
>
> Use the ISAinfo utility to capture the server configurations:
> a. Download the file from the following URL:
> http://www.isatools.org/isainfo/ISAInfo.zip
>
> b. Extract all files to a folder on ISA server
>
> c. Double click Isainfo.js. This will generate 2 files
> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
> current folder.
> My email address is v-chayan@xxxxxxxxxxxxx
>
> 4. Please also make sure that the router is configured correctly to allow
> such packets to travel through the Internet.
>
> More info:
> ===========
> 867483 How to configure networks in ISA Server 2004
> http://support.microsoft.com/?id=867483
>
> Please feel free to let me know, if you have any further concerns. I will
> be here waiting for your updates.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | From: =?Utf-8?B?RGFuaWVs?= <Daniel@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | Subject: VPN Problem with a domain account versus local computer account
> | Date: Wed, 24 Aug 2005 13:21:01 -0700
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> | Hello,
> |
> | On an SBS2k3 SP1 / ISA2k4 network, I joined a laptop to work remotely via
> | VPN. In the office connected directly to LAN it works fine no problems
> | (this was done for the setup), but in WAN using VPN with dial in option at
> | logon it takes 15 min to log on, it doesn't run the login script, and
> | another 15 to see \\servername then it asks for a password. The internet
> | works fine and the server responds to pings. Same scenario happens when I
> | connect without checking the dial in box for VPN, so I'm off line then
> | establish a VPN connection. The weird part is that if I log on to the
> | local computer account and use VPN it works fine, fast, I can see network
> | resources and would have to run the script manually. I got same results
> | off a test system.
> | We have used the same settings for other companies with same network and
> | it works fine. I just connected the test system to another SBS2k3 sp1 via
> | VPN and it works fine (same settings were used). I checked the two SBS
> | servers, line by line in ISA2004 and remote access, they are the same. I
> | noticed that this happened to a few SBS2k3 networks only after you upgrade
> | to SP1. Is there a fix or a solution for this problem?
> | Your input is much appreciated.
> | Daniel
> |
> |
>
>