Re: ISA2004 kills VPN outbound



Dear Gary:
Thanks for your quick response.

Can you please tell me some information about the remote VPN Server? Does
it use a hardware router or a Windows-based computer to be its VPN Server?

Compared with ISA 2000, ISA 2004 increases its security level, and the VPN
connection will fail in some cases when a hardware firewall resides in the
remote network. So, please try connecting to another remote VPN server and
see if the problem persists. This will help us confirm whether the problem
resides at the remote side.

I look forward to your update. Thank you for your time and patience.
Have a nice day. :)

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Gary Karasik" <gkarasik@xxxxxxx>
| References: <Orid23ptFHA.3528@xxxxxxxxxxxxxxxxxxxx> <HAtUGr0tFHA.780@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: ISA2004 kills VPN outbound
| Date: Sun, 11 Sep 2005 21:18:31 -0700
|
| Thank you, Edward.
|
| > How to permit PPTP clients to access the external network through ISA
| > Server 2004
| > http://support.microsoft.com/?id=838245
| >
| > (You can follow this article when running the CEICW Wizard:
| > 825763 How to configure Internet access in Windows Small Business Server
| > 2003
| > http://support.microsoft.com/?id=825763 )
|
| Such a rule already exists.
|
| > Then, establish the VPN connection again, does it work this time?
|
| I recreated the rule after rerunning the CEICW. Problem persists.
|
| > If the problem persists, we may need to make a further analysis. Please
| > help me gather the following information in order to narrow down this
| > issue:
| >
| > 1. Do you have firewall client installed? If so, please try disabling the
| > FW client and configure the client as a SecureNAT client. When we make a
| > PPTP-based connection from an internal client to the internet VPN server,
| > we cannot have the firewall client installed because the ISA Server
| > Firewall Client program does not support a PPTP-based VPN connection. You
| > can refer to this article for more information:
|
| Same problem regardless of firewall-client status.
|
| > When you use the ISA 2004 Firewall Client program, you cannot make a
| > PPTP-based VPN connection
| > http://support.microsoft.com/?id=887006
|
| > 2. Are you using a Linksys BEFSR41 router? The error 628 may occur if your
| > VPN server is located behind a Linksys BEFSR41 router.
|
| No. It's a Netgear FVM318. By the way, this all works fine under ISA2000.
|
| > Remote VPN Clients Cannot Log On to Network
| > http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
| >
| > 3. If the client directly connects to the Internet, can the PPTP
| > connection
| > to the same VPN server work? This can verify if the remote VPN server is
| > configured well.
|
| I have the same problem connecting from the server. I can connect to the VPN
| server from clients not behind ISA 2004.
|
| > If this works, would you please tell me if this problem occurs on all the
| > internal clients?
|
| Yes.
|
| > 4. Please help to gather the ISA Info:
| >
| > 1) Download the file from the following URL:
|
| > http://www.isatools.org/isainfo/ISAInfo.zip
|
| I will not be able to get to this until next week.
|
| > 2) Extract all files to a folder on ISA server.
| > 3) Double click Isainfo.js. This will generate 2 files
| > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
| > current folder.
| > 4) Please send these files to me.
| >
| > 5. Please also help to gather the ISA logs:
| >
| > 1) Schedule a down time.
| >
| > 2) Open ISA 2004 management console.
| >
| > 3) Expand the server node and highlight 'Monitoring'.
| >
| > 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
| > Pane' is shown there.
| >
| > 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
| > Tasks', and then switch the 'log storage format' from 'MSDE database'
| > (default) to 'File'.
| >
| > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >
| > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
| > Tasks', and then switch the 'log storage format' from 'MSDE database'
| > (default) to 'File'.
| >
| > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
| >
| > 9) Click 'Apply' to save changes and update the configuration.
| >
| > 10) Temporarily disable the Firewall service. To do that, please click
| > Monitoring | Services tab, and then right click 'Microsoft Firewall' to
| > choose 'Stop'.
| >
| > 11) Clear the current existing W3C logs. To do that, go to the log saving
| > directory and clean any existing .W3C logs. By default, the logs will be
| > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may
| > not be able to be deleted, that's normal.) You may back them up first and
| > then delete them.
| >
| > 12) Go back to the ISA 2004 management console, and then Start the stopped
| > 'Microsoft Firewall' service.
| >
| > 13) Reproduce the problem, stop the service, and then gather the resulting
| > W3C files to me for analysis.
| >
| > Note: Please also let me know the IP address of the testing client/server
| > and the remote VPN server so that I can filter the data.
| >
| > I appreciate you taking time to perform the above steps and gather the
| > information. Please feel free to let me know if you have any questions or
| > concerns.
| >
| > I look forward to hearing from you.
| > Have a nice day, Gary! :)
| >
| > Best Regards
| > Edward Tian(MSFT)
| > Microsoft CSS Online Newsgroup Support
| >
| > --------------------
| > | From: "Gary Karasik" <gkarasik@xxxxxxx>
| > | Subject: ISA2004 kills VPN outbound
| > | Date: Sat, 10 Sep 2005 23:56:37 -0700
| > |
| > | Hi,
| > |
| > | Since upgrading from ISA2000 to ISA2004, neither the server nor clients
| > | behind ISA can VPN out. Server gets error 619, clients get error 628. This
| > | worked under ISA2000. Is there an access rule I need to set up?
| > |
| > | GaryK
| > |
| > |
| > |
| >
|
|
|
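
Added example, not part of the thread or of any Microsoft tooling: one way to filter the W3C firewall log gathered in step 5 down to the traffic between the test client and the remote VPN server. PPTP uses a TCP 1723 control connection plus GRE (IP protocol 47) for tunnel data, so the two are counted separately. The field names, IP addresses and log lines below are constructed assumptions; substitute the names from the `#Fields:` line of the real log.

```python
# Constructed sample in W3C extended log layout (tab-separated, "#Fields:" header).
# Field names and values are assumptions for illustration, not real ISA output.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tsrc-ip\tdst-ip\tdst-port\tip-protocol\taction\trule",
    "2005-09-12\t09:00:01\t192.168.16.10\t203.0.113.5\t1723\tTCP\tInitiated Connection\tPPTP outbound",
    "2005-09-12\t09:00:02\t192.168.16.10\t203.0.113.5\t0\t47\tDenied Connection\tDefault rule",
    "2005-09-12\t09:00:03\t192.168.16.11\t198.51.100.7\t80\tTCP\tInitiated Connection\tWeb access",
    "2005-09-12\t09:00:04\t203.0.113.5\t192.168.16.10\t0\tGRE\tDenied Connection\tDefault rule",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def classify(rec):
    """Return 'control' for TCP 1723, 'gre' for IP protocol 47, else None."""
    proto = rec.get("ip-protocol", "").upper()
    if proto in ("GRE", "47"):
        return "gre"
    if proto in ("TCP", "6") and rec.get("dst-port") == "1723":
        return "control"
    return None

def pptp_summary(text, client_ip, vpn_ip):
    """Count logged actions per PPTP channel for traffic between the two hosts."""
    pair = {client_ip, vpn_ip}
    summary = {"control": {}, "gre": {}}
    for rec in parse_w3c(text):
        if {rec.get("src-ip"), rec.get("dst-ip")} != pair:
            continue  # unrelated traffic
        channel = classify(rec)
        if channel:
            action = rec.get("action", "?")
            summary[channel][action] = summary[channel].get(action, 0) + 1
    return summary

def gre_blocked(summary):
    """True when control traffic was logged but every GRE record was denied."""
    gre = summary["gre"]
    return bool(summary["control"]) and bool(gre) and all("denied" in a.lower() for a in gre)

if __name__ == "__main__":
    result = pptp_summary(SAMPLE_LOG, "192.168.16.10", "203.0.113.5")
    print(result, "GRE blocked:", gre_blocked(result))
```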
