Re: ISA2004 kills VPN outbound
- From: "Gary Karasik" <gkarasik@xxxxxxx>
- Date: Mon, 12 Sep 2005 06:25:50 -0700
I have the same problem connecting to several different VPN servers. Two are
SBS2003-based (RRAS) servers with inexpensive hardware routers (firewalls)
in front of them. One is a Windows 2000-based (also RRAS) server with no
hardware router.
GaryK
"Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:mf9MV%231tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
> Dear Gary:
> Thanks for your quick response.
>
> Can you please tell me some information about the remote VPN Server? Does
> it use a hardware router or a Windows-based computer to be its VPN Server?
>
> Compared with ISA 2000, ISA 2004 increases its security level; the VPN
> connection will fail in some cases when a hardware firewall resides in the
> remote network. So, please try connecting to another remote VPN server and
> see if the problem persists. This will help us confirm whether the problem
> resides at the remote side.
>
> I look forward to your update. Thank you for your time and patience.
> Have a nice day. :)
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | References: <Orid23ptFHA.3528@xxxxxxxxxxxxxxxxxxxx> <HAtUGr0tFHA.780@xxxxxxxxxxxxxxxxxxxxx>
> | Subject: Re: ISA2004 kills VPN outbound
> | Date: Sun, 11 Sep 2005 21:18:31 -0700
> | Lines: 185
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
> | X-RFC2646: Format=Flowed; Original
> | Message-ID: <e0BRKE1tFHA.2948@xxxxxxxxxxxxxxxxxxxx>
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: 216.115.232.13
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:152505
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | Thank you, Edward.
> |
> | > How to permit PPTP clients to access the external network through ISA
> | > Server 2004
> | > http://support.microsoft.com/?id=838245
> | >
> | > (You can follow this article when running the CEICW Wizard:
> | > 825763 How to configure Internet access in Windows Small Business Server 2003
> | > http://support.microsoft.com/?id=825763 )
> |
> | Such a rule already exists.
> |
> | > Then, establish the VPN connection again, does it work this time?
> |
> | I recreated the rule after rerunning the CEICW. Problem persists.
> |
> | > If the problem persists, we may need to make a further analysis. Please
> | > help me gather the following information in order to narrow down this
> | > issue:
> | >
> | > 1. Do you have firewall client installed? If so, please try disabling the
> | > FW client and configure the client as a SecureNAT client. When we make a
> | > PPTP-based connection from an internal client to the internet VPN server,
> | > we cannot have the firewall client installed because the ISA Server
> | > Firewall Client program does not support a PPTP-based VPN connection. You
> | > can refer to this article for more information:
> |
> | Same problem regardless of firewall-client status.
> |
> | > When you use the ISA 2004 Firewall Client program, you cannot make a
> | > PPTP-based VPN connection
> | > http://support.microsoft.com/?id=887006
> |
> | > 2. Are you using a Linksys BEFSR41 router? The error 628 may occur if your
> | > VPN server is located behind a Linksys BEFSR41 router.
> |
> | No. It's a Netgear FVM318. By the way, this all works fine under ISA2000.
> |
> | > Remote VPN Clients Cannot Log On to Network
> | > http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
> | >
> | > 3. If the client directly connects to the Internet, can the PPTP connection
> | > to the same VPN server work? This can verify if the remote VPN server is
> | > configured well.
> |
> | I have the same problem connecting from the server. I can connect to the VPN
> | server from clients not behind ISA 2004.
> |
> | > If this works, would you please tell me if this problem occurs on all the
> | > internal clients?
> |
> | Yes.
> |
> | > 4. Please help to gather the ISA Info:
> | >
> | > 1) Download the file from the following URL:
> |
> | > http://www.isatools.org/isainfo/ISAInfo.zip
> |
> | I will not be able to get to this until next week.
> |
> | > 2) Extract all files to a folder on ISA server.
> | > 3) Double click Isainfo.js. This will generate 2 files
> | > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
> | > current folder.
> | > 4) Please send these files to me.
> | >
> | > 5. Please also help to gather the ISA logs:
> | >
> | > 1) Schedule a down time.
> | >
> | > 2) Open ISA 2004 management console.
> | >
> | > 3) Expand the server node and highlight 'Monitoring'.
> | >
> | > 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
> | > Pane' is shown there.
> | >
> | > 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
> | > Tasks', and then switch the 'log storage format' from 'MSDE database'
> | > (default) to 'File'.
> | >
> | > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
> | >
> | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
> | > Tasks', and then switch the 'log storage format' from 'MSDE database'
> | > (default) to 'File'.
> | >
> | > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
> | >
> | > 9) Click 'Apply' to save changes and update the configuration.
> | >
> | > 10) Temporarily disable the Firewall service. To do that, please click
> | > Monitoring | Services tab, and then right click 'Microsoft Firewall' to
> | > choose 'Stop'.
> | >
> | > 11) Clear the current existing W3C logs. To do that, go to the log saving
> | > directory and clean any existing .W3C logs. By default, the logs will be
> | > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
> | > be able to be deleted, that's normal.) You may back them up first and then
> | > delete them.
> | >
> | > 12) Go back to the ISA 2004 management console, and then Start the stopped
> | > 'Microsoft Firewall' service.
> | >
> | > 13) Reproduce the problem, stop the service, and then gather the resulting
> | > W3C files to me for analysis.
> | >
> | > Note: Please also let me know the IP address of the testing client/server
> | > and the remote VPN server so that I can filter the data.
> | >
> | > I appreciate you taking time to perform the above steps and gather the
> | > information. Please feel free to let me know if you have any questions or
> | > concerns.
> | >
> | > I look forward to hearing from you.
> | > Have a nice day, Gary! :)
> | >
> | > Best Regards
> | > Edward Tian(MSFT)
> | > Microsoft CSS Online Newsgroup Support
> | >
> | > --------------------
> | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | > | Subject: ISA2004 kills VPN outbound
> | > | Date: Sat, 10 Sep 2005 23:56:37 -0700
> | > | Lines: 9
> | > | X-Priority: 3
> | > | X-MSMail-Priority: Normal
> | > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
> | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
> | > | X-RFC2646: Format=Flowed; Original
> | > | Message-ID: <Orid23ptFHA.3528@xxxxxxxxxxxxxxxxxxxx>
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | NNTP-Posting-Host: 216.115.232.13
> | > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
> | > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:152337
> | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
> | > |
> | > | Hi,
> | > |
> | > | Since upgrading from ISA2000 to ISA2004, neither the server nor clients
> | > | behind ISA can VPN out. Server gets error 619, clients get error 628. This
> | > | worked under ISA2000. Is there an access rule I need to set up?
> | > |
> | > | GaryK
> | > |
> | > |
> | > |
> | >
> |
> |
> |
>
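
An added example, not part of the original posts: once the W3C firewall log files from step 13 of the quoted procedure are collected, a script like this can filter them down to PPTP traffic between the test client and the remote VPN server, which is what the requested IP addresses are for. PPTP uses TCP port 1723 for its control channel and GRE (IP protocol 47) for tunnelled data; the field names, addresses and rule names in the sample are constructed assumptions, not the actual ISA 2004 log schema.

```python
from collections import Counter

# Constructed sample in W3C extended log style (tab-separated, "#Fields:" directive).
# Field names, addresses and rule names are assumptions, not copied from an ISA log.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tprotocol\tsource\tdestination\taction\trule",
    "2005-09-12\t06:01:10\tTCP\t192.0.2.10:1045\t198.51.100.7:1723\tAllowed\tPPTP out",
    "2005-09-12\t06:01:11\tGRE\t192.0.2.10\t198.51.100.7\tDenied\tDefault rule",
    "2005-09-12\t06:01:12\tTCP\t192.0.2.10:1046\t203.0.113.5:80\tAllowed\tWeb",
    "2005-09-12\t06:01:13\t47\t198.51.100.7\t192.0.2.10\tDenied\tDefault rule",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def split_endpoint(endpoint):
    """Split an IPv4 'ip:port' into (ip, port); port is None when absent (GRE)."""
    ip, _, port = endpoint.partition(":")
    return ip, int(port) if port.isdigit() else None

def pptp_kind(row):
    """Classify a record as PPTP 'control' (TCP 1723), 'gre' (protocol 47) or None."""
    proto = row["protocol"].upper()
    if proto in ("GRE", "47"):
        return "gre"
    ports = (split_endpoint(row["source"])[1], split_endpoint(row["destination"])[1])
    return "control" if proto == "TCP" and 1723 in ports else None

def pptp_summary(text, client_ip, server_ip):
    """Count (kind, action) for PPTP records exchanged between the two hosts."""
    counts = Counter()
    for row in parse_w3c(text):
        hosts = {split_endpoint(row["source"])[0], split_endpoint(row["destination"])[0]}
        kind = pptp_kind(row)
        if kind and hosts == {client_ip, server_ip}:
            counts[(kind, row["action"])] += 1
    return counts

if __name__ == "__main__":
    summary = pptp_summary(SAMPLE_LOG, "192.0.2.10", "198.51.100.7")
    for key, n in sorted(summary.items()):
        print(key, n)
```

In the constructed sample the control channel is allowed while both GRE records are denied, the kind of split a per-protocol summary makes visible at a glance.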