Re: ISA2004 kills VPN outbound
- From: "Gary Karasik" <gkarasik@xxxxxxx>
- Date: Mon, 12 Sep 2005 21:45:23 -0700
Edward,
Thanks for your attention to this, but I have a more-serious problem that I
must first address, and I would very much appreciate your help:
I have just upgraded a branch-office Windows 2000 server from ISA2000 to
ISA2004. Under ISA2000, the branch-office workstations could VPN into the
main-office VPN server and then connect via pcAnywhere to internal machines
on the main-office network. However, after the upgrade to ISA2004, these same
branch-office workstations, although they successfully connect to the VPN
server, can no longer connect via pcAnywhere to the main-office
workstations. The branch-office Windows 2000 server itself can VPN into the
main-office VPN server and connect to these main-office workstations, but the
branch-office workstations cannot.
Is it possible that you can suggest a remedy for this? My need is great.
GaryK
"Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:R8mMI4$tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
> Dear Gary:
> Now I understand that the problem doesn't reside at the remote side.
>
> Here, I would suggest you use the PPTP Ping utility to perform the test and
> check if the GRE packet is allowed to pass through the router:
>
> Basically, we will use PPTP Ping utility to determine whether any hardware
> router or firewall is blocking GRE Protocol 47. The router must be able to
> pass Generic Route Encapsulation (GRE) protocol 47 for PPTP traffic to
> connect correctly to use VPN. When a cable/DSL router cannot map GRE
> protocol 47 to the Routing and Remote Access server, you cannot connect to
> the server from the Internet.
>
> a. Please run Pptpsrv.exe on the server side.
> b. Run Pptpclnt.exe [ServerNameorIPaddress] on remote client.
> c. When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
> and then click Enter.
> d. You will see the text received at the host running Pptpsrv.exe. Then you
> will see five GRE packets sent from Pptpclnt.exe and received at
> Pptpsrv.exe.
> Provide me with the output for reference.
>
> NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP support
> tools.
> For your convenience, I have attached the file within this reply.
>
> NOTE: You should stop the Routing and Remote Access service on the RRAS
> (VPN) server so that PPTPSRV can bind to port 1723.
>
> I look forward to your update! :)
>
> Have a nice day.
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | Subject: Re: ISA2004 kills VPN outbound
> | Date: Mon, 12 Sep 2005 06:50:13 -0700
> |
> | Also, the system originating the outbound VPN has a hardware
> | router/firewall. It is open on port 1723. It will be several weeks before I
> | can test without the firewall.
> |
> | GaryK
> |
> | "Gary Karasik" <gkarasik@xxxxxxx> wrote in message
> | news:%233lA$15tFHA.1284@xxxxxxxxxxxxxxxxxxxxxxx
> | >I have the same problem connecting to several different VPN servers. Two
> | >are SBS2003-based (RRAS) servers with inexpensive hardware routers
> | >(firewalls) in front of them. One is a Windows 2000-based (also RRAS)
> | >server with no hardware router.
> | >
> | > GaryK
> | >
> | > "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | > news:mf9MV%231tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
> | >> Dear Gary:
> | >> Thanks for your quick response.
> | >>
> | >> Can you please tell me some information about the remote VPN Server? Does
> | >> it use a hardware router or a windows-based computer to be its VPN
> | >> Server?
> | >>
> | >> Comparing with ISA 2000, ISA 2004 increases its security level, the VPN
> | >> connection will fail in some cases when a hardware firewall resides in the
> | >> remote network. So, please try connecting to another remote VPN server and
> | >> see if the problem persists. This will help us confirm whether the problem
> | >> resides at the remote side.
> | >>
> | >> I look forward to your update. Thank you for your time and patience.
> | >> Have a nice day. :)
> | >>
> | >> Best Regards
> | >> Edward Tian(MSFT)
> | >> Microsoft CSS Online Newsgroup Support
> | >>
> | >>
> | >> --------------------
> | >> | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | >> | Subject: Re: ISA2004 kills VPN outbound
> | >> | Date: Sun, 11 Sep 2005 21:18:31 -0700
> | >> |
> | >> | Thank you, Edward.
> | >> |
> | >> | > How to permit PPTP clients to access the external network through ISA
> | >> | > Server 2004
> | >> | > http://support.microsoft.com/?id=838245
> | >> | >
> | >> | > (You can follow this article when running the CEICW Wizard:
> | >> | > 825763 How to configure Internet access in Windows Small Business Server
> | >> | > 2003
> | >> | > http://support.microsoft.com/?id=825763 )
> | >> |
> | >> | Such a rule already exists.
> | >> |
> | >> | > Then, establish the VPN connection again, does it work this time?
> | >> |
> | >> | I recreated the rule after rerunning the CEICW. Problem persists.
> | >> |
> | >> | > If the problem persists, we may need to make a further analysis. Please
> | >> | > help me gather the following information in order to narrow down this
> | >> | > issue:
> | >> | >
> | >> | > 1. Do you have firewall client installed? If so, please try disabling the
> | >> | > FW client and configure the client as a SecureNAT client. When we make a
> | >> | > PPTP-based connection from an internal client to the internet VPN server,
> | >> | > we cannot have the firewall client installed because the ISA Server
> | >> | > Firewall Client program does not support a PPTP-based VPN connection. You
> | >> | > can refer to this article for more information:
> | >> |
> | >> | Same problem regardless of firewall-client status.
> | >> |
> | >> | > When you use the ISA 2004 Firewall Client program, you cannot make a
> | >> | > PPTP-based VPN connection
> | >> | > http://support.microsoft.com/?id=887006
> | >> |
> | >> | > 2. Are you using a Linksys BEFSR41 router? The error 628 may occur if your
> | >> | > VPN server is located behind a Linksys BEFSR41 router.
> | >> |
> | >> | No. It's a Netgear FVM318. By the way, this all works fine under ISA2000.
> | >> |
> | >> | > Remote VPN Clients Cannot Log On to Network
> | >> | > http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
> | >> | >
> | >> | > 3. If the client directly connects to the Internet, can the PPTP connection
> | >> | > to the same VPN server work? This can verify if the remote VPN server is
> | >> | > configured well.
> | >> |
> | >> | I have the same problem connecting from the server. I can connect to the VPN
> | >> | server from clients not behind ISA 2004.
> | >> |
> | >> | > If this works, would you please tell me if this problem occurs on all the
> | >> | > internal clients?
> | >> |
> | >> | Yes.
> | >> |
> | >> | > 4. Please help to gather the ISA Info:
> | >> | >
> | >> | > 1) Download the file from the following URL:
> | >> |
> | >> | > http://www.isatools.org/isainfo/ISAInfo.zip
> | >> |
> | >> | I will not be able to get to this until next week.
> | >> |
> | >> | > 2) Extract all files to a folder on ISA server.
> | >> | > 3) Double click Isainfo.js. This will generate 2 files
> | >> | > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
> | >> | > current folder.
> | >> | > 4) Please send these files to me.
> | >> | >
> | >> | > 5. Please also help to gather the ISA logs:
> | >> | >
> | >> | > 1) Schedule a down time.
> | >> | >
> | >> | > 2) Open ISA 2004 management console.
> | >> | >
> | >> | > 3) Expand the server node and highlight 'Monitoring'.
> | >> | >
> | >> | > 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
> | >> | > Pane' is shown there.
> | >> | >
> | >> | > 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
> | >> | > Tasks', and then switch the 'log storage format' from 'MSDE database'
> | >> | > (default) to 'File'.
> | >> | >
> | >> | > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
> | >> | >
> | >> | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
> | >> | > Tasks', and then switch the 'log storage format' from 'MSDE database'
> | >> | > (default) to 'File'.
> | >> | >
> | >> | > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
> | >> | >
> | >> | > 9) Click 'Apply' to save changes and update the configuration.
> | >> | >
> | >> | > 10) Temporarily disable the Firewall service. To do that, please click
> | >> | > Monitoring | Services tab, and then right click 'Microsoft Firewall' to
> | >> | > choose 'Stop'.
> | >> | >
> | >> | > 11) Clear the current existing W3C logs. To do that, go to the log saving
> | >> | > directory and clean any existing .W3C logs. By default, the logs will be
> | >> | > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
> | >> | > be able to be deleted, that's normal.) You may back them up first and then
> | >> | > delete them.
> | >> | >
> | >> | > 12) Go back to the ISA 2004 management console, and then Start the stopped
> | >> | > 'Microsoft Firewall' service.
> | >> | >
> | >> | > 13) Reproduce the problem, stop the service, and then gather the resulting
> | >> | > W3C files to me for analysis.
> | >> | >
> | >> | > Note: Please also let me know the IP address of the testing client/server
> | >> | > and the remote VPN server so that I can filter the data.
> | >> | >
> | >> | > I appreciate you taking time to perform the above steps and gather the
> | >> | > information. Please feel free to let me know if you have any questions or
> | >> | > concerns.
> | >> | >
> | >> | > I look forward to hearing from you.
> | >> | > Have a nice day, Gary! :)
> | >> | >
> | >> | > Best Regards
> | >> | > Edward Tian(MSFT)
> | >> | > Microsoft CSS Online Newsgroup Support
> | >> | >
> | >> | >
> | >> | > --------------------
> | >> | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | >> | > | Subject: ISA2004 kills VPN outbound
> | >> | > | Date: Sat, 10 Sep 2005 23:56:37 -0700
> | >> | > |
> | >> | > | Hi,
> | >> | > |
> | >> | > | Since upgrading from ISA2000 to ISA2004, neither the server nor clients
> | >> | > | behind ISA can VPN out. Server gets error 619, clients get error 628. This
> | >> | > | worked under ISA2000. Is there an access rule I need to set up?
> | >> | > |
> | >> | > | GaryK
> |
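
The split described in the quoted reply (TCP 1723 for the PPTP control channel, GRE protocol 47 for the tunnelled data) can also be checked from a packet capture. The following is an added example, not part of the original thread or of the PPTP Ping tools; the addresses, sample packets and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

TCP, GRE, PPTP_PORT, PPP_OVER_GRE = 6, 47, 1723, 0x880B

def classify(packet: bytes):
    """Return (src, dst, kind) for a raw IPv4 packet, or None if it is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    src, dst = str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20]))
    payload, kind = packet[ihl:], "other"
    if len(payload) >= 4:
        a, b = struct.unpack("!HH", payload[:4])
        if packet[9] == TCP and PPTP_PORT in (a, b):
            kind = "control"               # PPTP control channel, TCP 1723
        elif packet[9] == GRE and (a & 0x7) == 1 and b == PPP_OVER_GRE:
            kind = "gre"                   # enhanced GRE (version 1) carrying PPP
    return src, dst, kind

def diagnose(packets, client, server):
    """Say which half of a PPTP session is missing between client and server."""
    seen = set()
    for pkt in packets:
        info = classify(pkt)
        if info and {info[0], info[1]} == {client, server}:
            seen.add((info[2], "out" if info[0] == client else "in"))
    if not {("control", "out"), ("control", "in")} <= seen:
        return "no two-way TCP 1723 control channel"
    if ("gre", "out") not in seen:
        return "control channel up, client sent no GRE"
    if ("gre", "in") not in seen:
        return "control channel up, GRE sent but none returned: protocol 47 blocked on path"
    return "control channel and GRE flow both ways"

def ipv4(src, dst, proto, payload):
    """Build a constructed sample packet (20-byte header, checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

# Constructed sample data: documentation addresses, not taken from the thread.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
TCP_OUT = struct.pack("!HH", 49152, PPTP_PORT) + bytes(16)
TCP_IN = struct.pack("!HH", PPTP_PORT, 49152) + bytes(16)
GRE_HDR = struct.pack("!HHHHI", 0x3001, PPP_OVER_GRE, 0, 1, 0)
SAMPLE = [ipv4(CLIENT, SERVER, TCP, TCP_OUT), ipv4(SERVER, CLIENT, TCP, TCP_IN),
          ipv4(CLIENT, SERVER, GRE, GRE_HDR)]

if __name__ == "__main__":
    print(diagnose(SAMPLE, CLIENT, SERVER))
```

Feed it packets captured on the external side of the firewall or router under test; behind NAT the addresses to pass in are the translated ones seen at that capture point.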