RE: VPN Problem with a domain account versus local computer accoun



Hi Daniel,

Thanks for letting us know that my solution works great for you. Have a
nice day and hope you have a good sharing in this newsgroup.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
| Thread-Topic: VPN Problem with a domain account versus local computer accoun
| From: =?Utf-8?B?RGFuaWVs?= <Daniel@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: VPN Problem with a domain account versus local computer accoun
| Date: Thu, 25 Aug 2005 22:39:02 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Thank you very much, It was the IP fragments on ISA 2004 as per your
| suggestion:
|
| "2. Please also make sure that you disable the IP fragment on ISA 2004, it
| might block some logon information or group policy. You can check it by
| following the steps below:
|
| On ISA 2004, if you enable the 'Block IP fragments' option in ISA MMC ->
| Configuration -> General -> 'IP Preferences' -> 'IP Fragments', ISA server
| may experience long logon time or even fail to log on to the domain; in some
| cases, ISA will fail to do the authentication for defined rules."
|
| I must've spent a couple of days troubleshooting this problem, and finally
| problem solved.
|
| Thanks again,
| Daniel
|
|
| "Charles Yang [MSFT]" wrote:
|
| > Hi Daniel,
| >
| > Thanks for using SBS newsgroup.
| >
| > Issue description:
| > ===========
| >
| > I understand that you encountered some problems when you use the dial-in
| > option to log on to the domain remotely.
| >
| > Analyzing and suggestions:
| > ============
| >
| > Generally speaking, this should be a performance issue. As far as I know,
| > if you use the dial-in option to log on to the SBS domain remotely, the
| > remote computer will deliver a lot of information such as AD to the SBS
| > over the network; it might cause some delay, as you mentioned you even
| > encountered some problems when browsing \\servername. In my experience, it
| > might be some incorrect design of the ISA firewall.
| >
| > So I suggest you make sure that you have configured ISA 2004 correctly. For
| > your convenience, I would like to give you an example to show how to
| > configure ISA 2004 to allow external dial-in connections:
| >
| > The following is a verbal description of a physical network configuration
| > that describes bidirectional VPN traffic between two locations that are
| > separated by the Internet.
| >
| > Location 1 = [local area network] + [domain controller] + [ISA Server 1] -- Internet -- [remote client computer] = location 2
| >
| > In this method, there is one ISA Server computer that is configured to
| > allow VPN client access, and there is a client computer that is configured
| > to use a VPN connection to access the network through an Internet
| > connection.
| >
| > Enable VPN client access on the ISA server
| >
| > To enable VPN client access on the ISA server, follow these steps:
| >
| > 1. Click "Start", point to "All Programs", point to "Microsoft ISA Server",
| > and then click "ISA Server Management".
| > 2. Expand <YourServerName>, and then click "Virtual Private Networks (VPN)".
| > 3. In the right pane, click "Enable VPN Client Access".
| >
| >
| > Enable remote access on domain user accounts
| >
| > When you use a VPN connection to join a domain, you must first allow
| > remote access permission in the Active Directory of the domain controller
| > for each user account that requires VPN access. To enable remote access on
| > domain user accounts, follow these steps:
| >
| > 1. Click "Start", point to "Administrative Tools", and then click "Active
| > Directory Users and Computers".
| > 2. Expand <YourServerName>, and then click "Users".
| > 3. In the right pane, right-click the user account that you want to enable
| > remote access on, and then click "Properties".
| > 4. Click the "Dial-in" tab.
| > 5. Click to select the "Allow access" check box, and then click "OK".
| > 6. Repeat steps 3 through 5 for any additional user accounts that you want
| > to enable remote access on.
| >
| > If the problem still exists, please help gather more information:
| >
| > 1. Does it occur at all the remote locations? If you connect the computer
| > to the external NIC of the ISA 2004, does the issue still exist when you
| > use the dial-in option to log on?
| > 2. Please also make sure that you disable the IP fragment on ISA 2004, it
| > might block some logon information or group policy. You can check it by
| > following the steps below:
| >
| > On ISA 2004, if you enable the 'Block IP fragments' option in ISA MMC ->
| > Configuration -> General -> 'IP Preferences' -> 'IP Fragments', ISA server
| > may experience long logon time or even fail to log on to the domain; in some
| > cases, ISA will fail to do the authentication for defined rules.
| >
| > 3. Please also follow the steps below to collect ISAinfo then send to me,
| > it might be helpful to isolate the problem.
| >
| > Use the ISAinfo utility to capture the server configurations:
| > a. Download the file from the following URL:
| > http://www.isatools.org/isainfo/ISAInfo.zip
| >
| > b. Extract all files to a folder on the ISA server
| >
| > c. Double-click Isainfo.js. This will generate 2 files,
| > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml, in the
| > current folder.
| > My email address is v-chayan@xxxxxxxxxxxxx
| >
| > 4. Please also make sure that the router is configured correctly to allow
| > such packets to travel through the Internet.
| >
| > More info:
| > ===========
| > 867483 How to configure networks in ISA Server 2004
| > http://support.microsoft.com/?id=867483
| >
| > Please feel free to let me know, if you have any further concerns. I will
| > be here waiting for your updates.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Thread-Topic: VPN Problem with a domain account versus local computer
| > account
| > | From: =?Utf-8?B?RGFuaWVs?= <Daniel@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: VPN Problem with a domain account versus local computer account
| > | Date: Wed, 24 Aug 2005 13:21:01 -0700
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | Hello,
| > |
| > | On an SBS2k3 SP1 / ISA2k4 network, I joined a laptop to work remotely via
| > | VPN. In the office connected directly to LAN it works fine no problems
| > | (this was done for the setup), but in WAN using VPN with dial in option at
| > | logon it takes 15 min to log on, it doesn't run the login script, and
| > | another 15 to see \\servername then it asks for a password. The internet
| > | works fine and the server responds to pings. Same scenario happens when I
| > | connect without checking the dial in box for VPN, so I'm off line then
| > | establish a VPN connection. The weird part is that if I log on to the local
| > | computer account and use VPN it works fine, fast, I can see network
| > | resources and would have to run the script manually. I got same results
| > | off a test system.
| > | We have used the same settings for other companies with same network and
| > | it works fine. I just connected the test system to another SBS2k3 sp1 via
| > | VPN and it works fine (same settings were used). I checked the two SBS
| > | servers, line by line in ISA2004 and remote access, they are the same. I
| > | noticed that this happened to a few SBS2k3 networks only after you upgrade
| > | to SP1. Is there a fix or a solution for this problem?
| > | Your input is much appreciated.
| > | Daniel
| > |
| > |
| >
| >
|
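
The fix in this thread was the 'Block IP fragments' setting on ISA 2004. The following is an added example, not part of the original posts or of any Microsoft tool: it parses raw IPv4 headers and lists which datagrams arrive fragmented, so an administrator can see what a fragment filter would drop before deciding how to set it. It assumes the packets have already been extracted from a capture; the sample packets, addresses and function names are constructed for illustration.

```python
import struct

PROTO = {6: "TCP", 17: "UDP", 47: "GRE"}

def build_ipv4(proto, ident, offset_bytes=0, more=False, payload=b""):
    """Build a minimal constructed IPv4 packet (checksum left at zero)."""
    frag = (0x2000 if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      frag, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return hdr + payload

def parse_fragment_info(packet):
    """Return fragment facts for one IPv4 packet, or None if not parseable."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    ident, flags_off = struct.unpack("!HH", packet[4:8])
    more = bool(flags_off & 0x2000)        # MF (more fragments) flag
    offset = (flags_off & 0x1FFF) * 8      # fragment offset in bytes
    return {"proto": PROTO.get(packet[9], str(packet[9])), "id": ident,
            "offset": offset, "more": more,
            "is_fragment": more or offset > 0}

def fragmented_datagrams(packets):
    """Group fragments by (protocol, IP id): what a fragment block would drop."""
    hits = {}
    for pkt in packets:
        info = parse_fragment_info(pkt)
        if info and info["is_fragment"]:
            hits.setdefault((info["proto"], info["id"]), []).append(info["offset"])
    return {key: sorted(offs) for key, offs in hits.items()}

# Constructed sample: one UDP datagram split in two, one small TCP packet,
# and one truncated record that the parser must skip.
SAMPLE = [
    build_ipv4(17, 0x1234, 0, True, b"A" * 1480),
    build_ipv4(17, 0x1234, 1480, False, b"B" * 600),
    build_ipv4(6, 0x2222, 0, False, b"C" * 40),
    b"\x45\x00",
]

if __name__ == "__main__":
    for (proto, ident), offsets in fragmented_datagrams(SAMPLE).items():
        print(f"{proto} id=0x{ident:04x} fragments at offsets {offsets}")
```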
