RE: need to allow a VPN connection from inside SBS environment
- From: v-branee@xxxxxxxxxxxxxxxxxxxx ("Brandy Nee [MSFT]")
- Date: Wed, 07 Sep 2005 06:51:04 GMT
Hello Jon,
Thank you for posting to the SBS Newsgroup.
I understand that you want to know how to configure a laptop in the SBS 2K3
domain to VPN to a remote office. If I have misunderstood your concern,
please let me know.
Due to the lack of detailed information, I need your help to gather the following
information for research:
1. You mentioned "laptop uses fiberlink and nortel software to create the
vpn connection". I need to know which application the remote office uses for
the VPN connection: Fiberlink or Nortel?
2. You mentioned "When trying to connect, it errors out". Did you get any
error message when the connection failed? If yes, please copy and paste the
full content of the error message to the Newsgroup.
3. Do you have ISA server installed? If yes, what is the version of the ISA
server, ISA 2K or ISA 2K4? What is your Network Topology? For example:
{Remote Office} {Router} {ISA} {NIC1} {SBS 2K3} {NIC2} {Internal Clients}
For your additional information:
You can pass the Nortel Extranet Access Client software through ISA server
if the Nortel Contivity switch is running one of the newest firmware
versions (04_05.024 or later) and you use the newest client software (version
4.65 or later). This is what you need to do at the Contivity Switch:
a. On the configuration page's left side, click on "Services", then
"IPSEC". Toward the middle of page is the setting "NAT Traversal". Check to
have it enabled and set it on UDP port 4500 (strongly recommended).
b. Once the above step is done, go to "Profiles", then "Groups". Under a
designated group where you want NAT Traversal enabled, click on "Edit."
Under the section "IPSEC", click on "Configure." At the very bottom of the
page, make sure "Auto-Detect NAT" is selected and keep the "NAT Keepalive"
setting at 18 seconds.
If the VPN administrator has set the NAT Traversal port to something other
than UDP port 4500 (i.e. UDP port 10001), you need to adapt the IPSec NAT-T
protocol definition accordingly or create a new one and add it to the IPSec
Passthrough protocol rule.
In addition, if the internal VPN client software (behind ISA) and the
remote VPN server BOTH support NAT-T, then you need to apply Q818043,
create the following protocol definitions, and then enable the
corresponding protocol rules for outbound traffic to allow the outbound
L2TP/IPSec VPN connection:

IPSec IKE               UDP 500     Send Receive
IPSec NAT-T protocol    UDP 4500    Send Receive
IPSec NAT-T             UDP 10001   Send Receive

818043 L2TP/IPSec NAT-T Update for Windows XP and Windows 2000
http://support.microsoft.com/?id=818043
For more detailed information, please see:
How to pass IPSec traffic through ISA Server
http://www.isaserver.org/articles/IPSec_Passthrough.html
NOTE: This response contains a reference to a third party World Wide Web
site. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or
information found on these sites; therefore, Microsoft cannot make any
representations regarding the quality, safety, or suitability of any
software or information found there. There are inherent dangers in the use
of any software found on the Internet, and Microsoft cautions you to make
sure that you completely understand the risk before retrieving any software
from the Internet.
I appreciate your time, and am looking forward to hearing from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
--------------------
>From: live2wheel@xxxxxxxxxxx
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: need to allow a VPN connection from inside SBS environment
>Date: 6 Sep 2005 16:17:55 -0700
>
>Hello,
>
>I am new to the server platform and am having a challenge. I have
>recently installed a SBS for my growing business. My wife has a laptop
>that she uses for her unrelated business. She has a need to establish
>a VPN connection to her main office. Her laptop is not part of the SBS
>domain.
>
>When I put her laptop in my office and plug it in the sbs gives it an
>appropriate ip and allows the laptop access to the internet. The
>laptop uses fiberlink and nortel software to create the vpn connection.
>When trying to connect, it errors out. As soon as I bypass my sbs it
>works fine.
>
>Cable modem
>SBS server external nic
>SBS server internal nic
> wireless router inside network dhcp off
> VOIP router inside network dhcp off
> 4 client computers
> 2 media center, 1 xp pro, 1 pda
>Thanks,
>
>jon
>
>
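
Added example, not part of the original thread: Python code for reading a packet capture taken on the firewall's external interface to see which of the UDP ports named in the reply (500, 4500, or a custom port such as 10001) is being dropped. It shows how IKE, NAT keepalives and ESP are told apart on the NAT-T port and turns that into a one-line finding. Assumptions: standard RFC 3948 framing on the NAT-T port (a vendor-specific encapsulation on a custom port may differ); `classify`, `diagnose` and the sample captures are hypothetical names and constructed data.

```python
"""Locate where an IPsec NAT-T exchange stalls (RFC 3948 framing assumed)."""

IKE_PORT = 500
NATT_PORT = 4500                  # page default; pass 10001 if it was moved
NON_ESP_MARKER = b"\x00" * 4      # precedes IKE messages on the NAT-T port


def classify(port, payload, natt_port=NATT_PORT):
    """Return the IPsec role of one datagram to/from the server's `port`."""
    if port == IKE_PORT:
        return "ike"
    if port != natt_port:
        return "other"
    if payload == b"\xff":
        return "keepalive"        # one-byte NAT keepalive
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike-natt"         # IKE moved to the NAT-T port
    return "esp"                  # non-zero SPI: ESP-in-UDP


def diagnose(packets, natt_port=NATT_PORT):
    """packets: (direction, server_port, payload) tuples; direction is 'out'
    (client to VPN server) or 'in'. Returns a one-line finding."""
    seen = {(d, classify(p, data, natt_port)) for d, p, data in packets}
    if ("out", "ike") not in seen:
        return "no IKE sent on UDP 500"
    if ("in", "ike") not in seen:
        return "UDP 500 blocked: no IKE reply"
    if ("out", "ike-natt") not in seen:
        return "NAT-T not negotiated: client never moved to the NAT-T port"
    if ("in", "ike-natt") not in seen:
        return f"UDP {natt_port} blocked: no reply on the NAT-T port"
    if ("out", "esp") in seen and ("in", "esp") in seen:
        return "tunnel up: ESP flows both ways"
    return "IKE completed but no two-way ESP"


# Constructed sample captures (payload bytes are placeholders, not real IKE).
IKE = b"\x11" * 28
ESP = b"\xc0\xff\xee\x01" + b"\x00\x00\x00\x01" + b"\x22" * 16
BLOCKED = [("out", 500, IKE), ("in", 500, IKE),
           ("out", 4500, NON_ESP_MARKER + IKE)]
WORKING = BLOCKED + [("in", 4500, NON_ESP_MARKER + IKE), ("out", 4500, ESP),
                     ("in", 4500, ESP), ("out", 4500, b"\xff")]

if __name__ == "__main__":
    print(diagnose(BLOCKED), diagnose(WORKING), sep="\n")
```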