RE: ISA 2004 and vpn



Hi:
Thank you for posting here.

From the description, I understand that you received an error 628 when
trying to connect to another SBS server via PPTP connection. If I am off
base, please do let me know.

Here, I assume your network diagram is as follows (if I am wrong, please feel
free to correct me):

Internal clients---SBS (with ISA2k4 installed, two NICs)----router-----internet----router----SBS Standard

You said that some internal clients that are not the members of the domain
can VPN to another SBS box, so could you tell me if those client computers
are located behind the ISA Server (the same location as the other clients)
or directly connected to the router? This will help us confirm if the
traffic is blocked by ISA Server.

Before we go any further, please first re-run the CEICW Wizard; this will
help us automatically configure the network settings. Then follow this
KB article to create the appropriate access rule for outbound PPTP
connections:
How to permit PPTP clients to access the external network through ISA
Server 2004
http://support.microsoft.com/?id=838245

(You can follow this article when running the CEICW Wizard:
825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763 )

Then establish the VPN connection again. Does it work this time?

If the problem persists, we may need to make a further analysis. Please
help me gather the following information in order to narrow down this issue:

1. Do you have the firewall client installed? If so, please try disabling the
FW client and configuring the client as a SecureNAT client. When we make a
PPTP-based connection from an internal client to the internet VPN server,
we cannot have the firewall client installed because the ISA Server
Firewall Client program does not support a PPTP-based VPN connection. You
can refer to this article for more information:

When you use the ISA 2004 Firewall Client program, you cannot make a
PPTP-based VPN connection
http://support.microsoft.com/?id=887006

Note: A SecureNAT client is a machine whose default gateway is the
internal IP of the ISA server.

2. Which device is configured to be the remote VPN Server, the hardware
router or the SBS Standard Server?

Please try connecting to another remote VPN Server from the internal
client. Does this problem persist?

3. Does this problem occur on all the internal clients except those who
haven't joined the domain?
If we put a client directly connected to the router, does it work?

4. Has the ISA Server joined the domain?

5. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/isainfo/ISAInfo.zip

2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.

6. Please also help to gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab and make sure the 'Task
Pane' is shown there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted; that's normal.) You may back them up first and then
delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.

Note: Please also let me know the IP address of the testing client/server
and the remote VPN server so that I can filter the data.

I appreciate you taking time to perform the above steps and gather the
information. Please feel free to let me know if you have any questions or
concerns.

I look forward to hearing from you.
Have a nice day! :)


Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "mugen" <b@xxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: ISA 2004 and vpn
| Date: Mon, 12 Sep 2005 00:17:41 +0100
|
| hi,
|
| have set up an ISA 2004 on sbs2k3 SP1.
|
| currently trying to connect to another SBS box via vpn.
| getting error 628.
| Using pptp.
|
| can connect from client machines not on domain, but using same router.
| have configured VPN remote sites with remote site info.
| also created an outbound firewall policy.
|
| trying to connect from sbs-->ISA2k4---->router---->internet-->router--->SBS standard
|
| what have i missed or done wrong
|
| thanks
|
|
|
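
The filtering step mentioned in the reply (narrowing the firewall W3C log to the test client and the remote VPN server), as an added example that is not part of the original post or of any Microsoft tool. PPTP uses a TCP 1723 control connection plus a GRE (IP protocol 47) tunnel, so the summary reports the action logged for each leg separately. The field names, rule names and addresses in the sample are constructed assumptions; the parser takes the real names from the `#Fields:` line of your own log.

```python
from collections import Counter

CONTROL, TUNNEL = "control TCP/1723", "tunnel GRE/47"

# Constructed sample (tab-separated W3C extended format). Field names and
# values are assumptions; real logs declare theirs on the "#Fields:" line.
SAMPLE_LOG = "\n".join([
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\taction\trule",
    "2005-09-12\t09:00:01\tTCP\t192.168.16.10:1055\t203.0.113.5:1723\tInitiated Connection\tOutbound PPTP",
    "2005-09-12\t09:00:02\tGRE\t192.168.16.10\t203.0.113.5\tDenied Connection\tDefault rule",
    "2005-09-12\t09:00:05\t47\t192.168.16.10\t203.0.113.5\tDenied Connection\tDefault rule",
    "2005-09-12\t09:00:06\tTCP\t192.168.16.10:1060\t203.0.113.80:80\tInitiated Connection\tWeb access",
    "2005-09-12\t09:00:07\tTCP\t192.168.16.22:1100\t203.0.113.5:1723\tInitiated Connection\tOutbound PPTP",
    "2005-09-12\t09:00:31\tTCP\t192.168.16.10:1055\t203.0.113.5:1723\tClosed Connection\tOutbound PPTP",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the '#Fields:' line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def split_endpoint(endpoint):
    """Return (ip, port) for 'ip' or 'ip:port' (IPv4 only)."""
    ip, _, port = endpoint.partition(":")
    return ip, port

def pptp_summary(text, client_ip, vpn_ip):
    """Count logged actions per PPTP leg between the two hosts, either direction."""
    counts = Counter()
    for rec in parse_w3c(text):
        src, sport = split_endpoint(rec.get("source", ""))
        dst, dport = split_endpoint(rec.get("destination", ""))
        if {src, dst} != {client_ip, vpn_ip}:
            continue  # traffic of other clients or to other servers
        proto = rec.get("IP protocol", "").upper()
        if proto == "TCP" and "1723" in (sport, dport):
            leg = CONTROL
        elif proto in ("GRE", "47"):  # logged by name or by protocol number
            leg = TUNNEL
        else:
            continue
        counts[(leg, rec.get("action", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (leg, action), n in sorted(pptp_summary(SAMPLE_LOG, "192.168.16.10", "203.0.113.5").items()):
        print(f"{leg:18} {action:22} {n}")
```

In the constructed sample the control connection is allowed while both GRE records are denied, which is the kind of split the per-leg summary is meant to surface.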