Re: ISA2004 kills VPN outbound
- From: "Gary Karasik" <gkarasik@xxxxxxx>
- Date: Mon, 12 Sep 2005 06:50:13 -0700
Also, the system originating the outbound VPN has a hardware
router/firewall. It is open on port 1723. It will be several weeks before I
can test without the firewall.
GaryK
"Gary Karasik" <gkarasik@xxxxxxx> wrote in message
news:%233lA$15tFHA.1284@xxxxxxxxxxxxxxxxxxxxxxx
>I have the same problem connecting to several different VPN servers. Two
>are SBS2003-based (RRAS) servers with inexpensive hardware routers
>(firewalls) in front of them. One is a Windows 2000-based (also RRAS)
>server with no hardware router.
>
> GaryK
>
> "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:mf9MV%231tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
>> Dear Gary:
>> Thanks for your quick response.
>>
>> Can you please tell me some information about the remote VPN Server? Does
>> it use a hardware router or a Windows-based computer to be its VPN Server?
>>
>> Compared with ISA 2000, ISA 2004 increases its security level, and the VPN
>> connection will fail in some cases when a hardware firewall resides in the
>> remote network. So, please try connecting to another remote VPN server and
>> see if the problem persists. This will help us confirm whether the problem
>> resides at the remote side.
>>
>> I look forward to your update. Thank you for your time and patience.
>> Have a nice day. :)
>>
>> Best Regards
>> Edward Tian(MSFT)
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>> ======================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the corresponding
>> newsgroups so that they can be resolved in an efficient and timely manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check the
>> "Notify me of replies" box to receive e-mail notifications when there are
>> any updates in your thread. When responding to posts via your newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> ======================================================
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> --------------------
>> | From: "Gary Karasik" <gkarasik@xxxxxxx>
>> | References: <Orid23ptFHA.3528@xxxxxxxxxxxxxxxxxxxx>
>> <HAtUGr0tFHA.780@xxxxxxxxxxxxxxxxxxxxx>
>> | Subject: Re: ISA2004 kills VPN outbound
>> | Date: Sun, 11 Sep 2005 21:18:31 -0700
>> |
>> | Thank you, Edward.
>> |
>> | > How to permit PPTP clients to access the external network through ISA
>> | > Server 2004
>> | > http://support.microsoft.com/?id=838245
>> | >
>> | > (You can follow this article when running the CEICW Wizard:
>> | > 825763 How to configure Internet access in Windows Small Business Server 2003
>> | > http://support.microsoft.com/?id=825763 )
>> |
>> | Such a rule already exists.
>> |
>> | > Then, establish the VPN connection again, does it work this time?
>> |
>> | I recreated the rule after rerunning the CEICW. Problem persists.
>> |
>> | > If the problem persists, we may need to make a further analysis. Please
>> | > help me gather the following information in order to narrow down this
>> | > issue:
>> | >
>> | > 1. Do you have firewall client installed? If so, please try disabling the
>> | > FW client and configure the client as a SecureNAT client. When we make a
>> | > PPTP-based connection from an internal client to the internet VPN server,
>> | > we cannot have the firewall client installed because the ISA Server
>> | > Firewall Client program does not support a PPTP-based VPN connection. You
>> | > can refer to this article for more information:
>> |
>> | Same problem regardless of firewall-client status.
>> |
>> | > When you use the ISA 2004 Firewall Client program, you cannot make a
>> | > PPTP-based VPN connection
>> | > http://support.microsoft.com/?id=887006
>> |
>> | > 2. Are you using a Linksys BEFSR41 router? The error 628 may occur if your
>> | > VPN server is located behind a Linksys BEFSR41 router.
>> |
>> | No. It's a Netgear FVM318. By the way, this all works fine under ISA2000.
>> |
>> | > Remote VPN Clients Cannot Log On to Network
>> | > http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
>> | >
>> | > 3. If the client directly connects to the Internet, can the PPTP connection
>> | > to the same VPN server work? This can verify if the remote VPN server is
>> | > configured well.
>> |
>> | I have the same problem connecting from the server. I can connect to the VPN
>> | server from clients not behind ISA 2004.
>> |
>> | > If this works, would you please tell me if this problem occurs on all the
>> | > internal clients?
>> |
>> | Yes.
>> |
>> | > 4. Please help to gather the ISA Info:
>> | >
>> | > 1) Download the file from the following URL:
>> |
>> | > http://www.isatools.org/isainfo/ISAInfo.zip
>> |
>> | I will not be able to get to this until next week.
>> |
>> | > 2) Extract all files to a folder on ISA server.
>> | > 3) Double click Isainfo.js. This will generate 2 files
>> | > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
>> | > current folder.
>> | > 4) Please send these files to me.
>> | >
>> | > 5. Please also help to gather the ISA logs:
>> | >
>> | > 1) Schedule a down time.
>> | >
>> | > 2) Open ISA 2004 management console.
>> | >
>> | > 3) Expand the server node and highlight 'Monitoring'.
>> | >
>> | > 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
>> | > Pane' is shown there.
>> | >
>> | > 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
>> | > Tasks', and then switch the 'log storage format' from 'MSDE database'
>> | > (default) to 'File'.
>> | >
>> | > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>> | >
>> | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
>> | > Tasks', and then switch the 'log storage format' from 'MSDE database'
>> | > (default) to 'File'.
>> | >
>> | > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>> | >
>> | > 9) Click 'Apply' to save changes and update the configuration.
>> | >
>> | > 10) Temporarily disable the Firewall service. To do that, please click
>> | > Monitoring | Services tab, and then right click 'Microsoft Firewall' to
>> | > choose 'Stop'.
>> | >
>> | > 11) Clear the current existing W3C logs. To do that, go to the log saving
>> | > directory and clean any existing .W3C logs. By default, the logs will be
>> | > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may
>> | > not be able to be deleted, that's normal.) You may back them up first and
>> | > then delete them.
>> | >
>> | > 12) Go back to the ISA 2004 management console, and then Start the stopped
>> | > 'Microsoft Firewall' service.
>> | >
>> | > 13) Reproduce the problem, stop the service, and then gather the resulting
>> | > W3C files to me for analysis.
>> | >
>> | > Note: Please also let me know the IP address of the testing client/server
>> | > and the remote VPN server so that I can filter the data.
>> | >
>> | > I appreciate you taking time to perform the above steps and gather the
>> | > information. Please feel free to let me know if you have any questions or
>> | > concerns.
>> | >
>> | > I look forward to hearing from you.
>> | > Have a nice day, Gary! :)
>> | >
>> | > Best Regards
>> | > Edward Tian(MSFT)
>> | > Microsoft CSS Online Newsgroup Support
>> | >
>> | > Get Secure! - www.microsoft.com/security
>> | > ======================================================
>> | > This newsgroup only focuses on SBS technical issues. If you have
>> issues
>> | > regarding other Microsoft products, you'd better post in the
>> corresponding
>> | > newsgroups so that they can be resolved in an efficient and timely
>> manner.
>> | > You can locate the newsgroup here:
>> | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>> | >
>> | > When opening a new thread via the web interface, we recommend you
>> check
>> | > the
>> | > "Notify me of replies" box to receive e-mail notifications when there
>> are
>> | > any updates in your thread. When responding to posts via your
>> newsreader,
>> | > please "Reply to Group" so that others may learn and benefit from
>> your
>> | > issue.
>> | >
>> | > Microsoft engineers can only focus on one issue per thread. Although
>> we
>> | > provide other information for your reference, we recommend you post
>> | > different incidents in different threads to keep the thread clean. In
>> | > doing
>> | > so, it will ensure your issues are resolved in a timely manner.
>> | >
>> | > For urgent issues, you may want to contact Microsoft CSS directly.
>> Please
>> | > check http://support.microsoft.com for regional support phone
>> numbers.
>> | >
>> | > Any input or comments in this thread are highly appreciated.
>> | > ======================================================
>> | > This posting is provided "AS IS" with no warranties, and confers no
>> | > rights.
>> | >
>> | > --------------------
>> | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
>> | > | Subject: ISA2004 kills VPN outbound
>> | > | Date: Sat, 10 Sep 2005 23:56:37 -0700
>> | > |
>> | > | Hi,
>> | > |
>> | > | Since upgrading from ISA2000 to ISA2004, neither the server nor clients
>> | > | behind ISA can VPN out. Server gets error 619, clients get error 628. This
>> | > | worked under ISA2000. Is there an access rule I need to set up?
>> | > |
>> | > | GaryK
>> | > |
>> | > |
>> | > |
>> | >
>> |
>> |
>> |
>>
>
>
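
Added example (not part of the thread and not Microsoft's tooling): one way to do the filtering step requested in the quoted log-gathering instructions, keeping only the W3C firewall-log records between the test client and the remote VPN server and separating the PPTP control channel (TCP 1723) from the GRE data channel (IP protocol 47) that PPTP also relies on. The field names, IP addresses, rule names and log rows are constructed; read the real field names from the `#Fields` line of your own log.

```python
# Constructed sample in W3C extended format (tab-separated). Field names and
# rows are assumptions for illustration, not output captured from ISA Server.
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date\ttime\tprotocol\tsource\tdestination\taction\trule\n"
    "2005-09-12\t06:40:01\tTCP\t192.168.16.2:1045\t203.0.113.10:1723\t"
    "Initiated Connection\tAllow PPTP out\n"
    "2005-09-12\t06:40:02\tGRE\t192.168.16.2\t203.0.113.10\t"
    "Denied Connection\tDefault rule\n"
    "2005-09-12\t06:40:03\tTCP\t192.168.16.7:1050\t198.51.100.5:80\t"
    "Initiated Connection\tWeb out\n"
)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def host(endpoint):
    """Strip an optional ':port' suffix from an IPv4 endpoint."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def pptp_summary(text, client_ip, server_ip):
    """Collect (action, rule) for PPTP control and GRE records between two hosts."""
    out = {"control": [], "gre": []}
    for rec in parse_w3c(text):
        src, dst = rec["source"], rec["destination"]
        if {host(src), host(dst)} != {client_ip, server_ip}:
            continue  # unrelated traffic
        proto = rec["protocol"].upper()
        if proto == "TCP" and (dst.endswith(":1723") or src.endswith(":1723")):
            out["control"].append((rec["action"], rec["rule"]))
        elif proto in ("GRE", "47"):
            out["gre"].append((rec["action"], rec["rule"]))
    return out


if __name__ == "__main__":
    print(pptp_summary(SAMPLE_LOG, "192.168.16.2", "203.0.113.10"))
```

In the constructed sample the control connection is allowed while the GRE record is denied, which is the pattern to look for when port 1723 is open but the tunnel still fails.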