Re: ISA2004 kills VPN outbound
- From: "Gary Karasik" <gkarasik@xxxxxxx>
- Date: Sun, 11 Sep 2005 21:18:31 -0700
Thank you, Edward.
> How to permit PPTP clients to access the external network through ISA
> Server 2004
> http://support.microsoft.com/?id=838245
>
> (You can follow this article when running the CEICW Wizard:
> 825763 How to configure Internet access in Windows Small Business Server
> 2003
> http://support.microsoft.com/?id=825763 )
Such a rule already exists.
> Then, establish the VPN connection again, does it work this time?
I recreated the rule after rerunning the CEICW. Problem persists.
> If the problem persists, we may need to make a further analysis. Please
> help me gather the following information in order to narrow down this
> issue:
>
> 1. Do you have firewall client installed? If so, please try disabling the
> FW client and configure the client as a SecureNAT client. When we make a
> PPTP-based connection from an internal client to the internet VPN server,
> we cannot have the firewall client installed because the ISA Server
> Firewall Client program does not support a PPTP-based VPN connection. You
> can refer to this article for more information:
Same problem regardless of firewall-client status.
> When you use the ISA 2004 Firewall Client program, you cannot make a
> PPTP-based VPN connection
> http://support.microsoft.com/?id=887006
> 2. Are you using a Linksys BEFSR41 router? The error 628 may occur if your
> VPN server is located behind a Linksys BEFSR41 router.
No. It's a Netgear FVM318. By the way, this all works fine under ISA2000.
> Remote VPN Clients Cannot Log On to Network
> http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
>
> 3. If the client directly connects to the Internet, can the PPTP connection
> to the same VPN server work? This can verify if the remote VPN server is
> configured well.
I have the same problem connecting from the server. I can connect to the VPN
server from clients not behind ISA 2004.
> If this works, would you please tell me if this problem occurs on all the
> internal clients?
Yes.
> 4. Please help to gather the ISA Info:
>
> 1) Download the file from the following URL:
> http://www.isatools.org/isainfo/ISAInfo.zip
I will not be able to get to this until next week.
> 2) Extract all files to a folder on ISA server.
> 3) Double click Isainfo.js. This will generate 2 files
> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
> current folder.
> 4) Please send these files to me.
>
> 5. Please also help to gather the ISA logs:
>
> 1) Schedule a down time.
>
> 2) Open ISA 2004 management console.
>
> 3) Expand the server node and highlight 'Monitoring'.
>
> 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
> Pane' is shown there.
>
> 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
> Tasks', and then switch the 'log storage format' from 'MSDE database'
> (default) to 'File'.
>
> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>
> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
> Tasks', and then switch the 'log storage format' from 'MSDE database'
> (default) to 'File'.
>
> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>
> 9) Click 'Apply' to save changes and update the configuration.
>
> 10) Temporarily disable the Firewall service. To do that, please click
> Monitoring | Services tab, and then right click 'Microsoft Firewall' to
> choose 'Stop'.
>
> 11) Clear the current existing W3C logs. To do that, go to the log saving
> directory and clean any existing .W3C logs. By default, the logs will be
> saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
> be able to be deleted, that's normal.) You may back them up first and then
> delete them.
>
> 12) Go back to the ISA 2004 management console, and then Start the stopped
> 'Microsoft Firewall' service.
>
> 13) Reproduce the problem, stop the service, and then gather the resulting
> W3C files to me for analysis.
>
> Note: Please also let me know the IP address of the testing client/server
> and the remote VPN server so that I can filter the data.
>
> I appreciate you taking time to perform the above steps and gather the
> information. Please feel free to let me know if you have any questions or
> concerns.
>
> I look forward to hearing from you.
> Have a nice day, Gary! :)
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | Subject: ISA2004 kills VPN outbound
> | Date: Sat, 10 Sep 2005 23:56:37 -0700
> |
> | Hi,
> |
> | Since upgrading from ISA2000 to ISA2004, neither the server nor clients
> | behind ISA can VPN out. Server gets error 619, clients get error 628. This
> | worked under ISA2000. Is there an access rule I need to set up?
> |
> | GaryK
> |
> |
> |
>
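
The quoted log-gathering steps end with the W3C files being filtered by the test client and remote VPN server addresses. One way to do that filtering is sketched here as an added example; it is not part of the thread and not a Microsoft tool. PPTP uses a TCP 1723 control connection plus a GRE (IP protocol 47) tunnel, so the script reports the logged actions for each channel separately. The column names, value formats, IP addresses and log rows are constructed assumptions and do not come from this thread's logs.

```python
import collections

# Constructed sample in W3C extended format (tab-separated). Column names and
# value formats are assumptions; adjust COLS to the #Fields line of a real log.
SAMPLE_LOG = "\n".join([
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\taction\trule",
    "2005-09-12\t04:10:01\tTCP\t192.168.16.20:1045\t203.0.113.5:1723\tInitiated Connection\tPPTP out",
    "2005-09-12\t04:10:02\t47\t192.168.16.20\t203.0.113.5\tDenied Connection\tDefault rule",
    "2005-09-12\t04:10:03\tTCP\t192.168.16.20:1046\t198.51.100.9:80\tInitiated Connection\tWeb",
    "2005-09-12\t04:10:31\tTCP\t192.168.16.20:1045\t203.0.113.5:1723\tClosed Connection\tPPTP out",
])
COLS = {"proto": "IP protocol", "src": "source", "dst": "destination", "action": "action"}

def split_endpoint(value):
    """Split 'ip:port' into (ip, port); port is None when absent (e.g. GRE)."""
    ip, sep, port = value.partition(":")
    return ip, int(port) if sep and port.isdigit() else None

def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def pptp_summary(text, client_ip, vpn_ip):
    """Count logged actions per PPTP channel for traffic between the two hosts."""
    summary = collections.defaultdict(collections.Counter)
    for rec in parse_w3c(text):
        src_ip, src_port = split_endpoint(rec[COLS["src"]])
        dst_ip, dst_port = split_endpoint(rec[COLS["dst"]])
        if {src_ip, dst_ip} != {client_ip, vpn_ip}:
            continue  # unrelated traffic
        proto = rec[COLS["proto"]].upper()
        if proto == "TCP" and 1723 in (src_port, dst_port):
            channel = "control (TCP 1723)"
        elif proto in ("47", "GRE"):
            channel = "tunnel (GRE, IP protocol 47)"
        else:
            channel = "other"
        summary[channel][rec[COLS["action"]]] += 1
    return {name: dict(counts) for name, counts in summary.items()}

if __name__ == "__main__":
    print(pptp_summary(SAMPLE_LOG, "192.168.16.20", "203.0.113.5"))
```
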