Re: ISA2004 kills VPN outbound
- From: v-edtian@xxxxxxxxxxxxxxxxxxxx (Edward Tian)
- Date: Wed, 14 Sep 2005 03:36:29 GMT
Dear Gary:
Thanks for your detailed reply.
In ISA2004 management console, please expand to Configuration|Networks,
click the Networks object, double click Internal. Then click the Addresses
tab, Add "10.0.0.1" to "10.0.0.255" into the list of address range. (By
default, it should only have the address range from 10.0.100.0 to
10.0.100.255)
Then apply the settings. Does it work this time?
If the problem persists, we may need to gather more detailed information
for deep investigation:
1. Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.
2. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to be deleted, that's normal.) You may back them up first and then
delete them.
12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.
14) Please also let me know the IP address of the branch office client and
the main office client so that I can filter the data.
3. After the VPN connection was established, please type "route print" on
the client side and send me the output.
For some reason I cannot save the file ipconfig.zip to my local computer,
would you please send it directly to my mailbox: v-edtian@xxxxxxxxxxxxx You
can also send the Route print, ISA log and ISA info to my mailbox, thank
you. :-)
Note: Please type the ipconfig/all command AFTER the VPN connection was
established.
I appreciate your time and effort. Please feel free to let me know if you
have any questions or concerns.
Have a nice day!
Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Gary Karasik" <gkarasik@xxxxxxx>
| Subject: Re: ISA2004 kills VPN outbound
| Date: Tue, 13 Sep 2005 17:17:48 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| > From the description, I assume the network diagram as following:
| >
| > Main office workstations----{Nic 1}The VPN Server{Nic
| > 2}---Router----Internet----Router----{Nic 1}Windows 2k Server/ISA2k4{Nic
| > 2}-----Branch office workstations
|
| Yes.
|
| > Can you tell me what device do you use for your VPN Server, a two
| > NIC-based
| > SBS Server or a hardware router?
|
| A 2-Nic-based SBS2003 server.
|
| > You mentioned that the ISA 2004 is installed on the Windows Server 2000.
| > Technically speaking, ISA 2k4 is not fully compatible with Win Server 2k,
| > it will cause some compatibility problems. If possible, please temporarily
| > put a laptop directly connected to the router, manually assign the IP
| > address, and then connect to the VPN Server at the main office side and
| > establish the RDP session again (Use the Remote Desktop Connection or the
| > PcAnywhere), does it work this time?
|
| Yes, it works from the laptop. It also works from the remote Windows 2000
| server itself.
|
| > Since the branch office workstations can connect to the VPN server, the VPN
| > connection is successfully established. The problem is that the RDP session
| > cannot be established. To narrow down the issue, please help to gather the
| > following information:
| > 1. After the branch office workstation connects to the VPN server, can you
| > ping the internal workstation at the main office side? Please try to Ping
| > the workstation using both the ip address and the computer name.
|
| I can ping using both IP and name.
|
| > If both the above tests work, then can you access the shared folders on
| > the
| > main office workstations?
|
| Yes. I can also map to shares on the main-office network, both on the
| servers and workstations.
|
| > 2. Is ISA Server installed on the main office side? If so, please make sure
| > the following settings are configured in the ISA server:
| >
| > a. The relation between the VPN clients and Internal Network is "Route".
|
| It is Route.
|
| > b. An access rule that allows the traffic between VPN clients and Internal
| > networks:
|
| Done.
|
| > 4. Disable the Use Default Gateway on Remote Network setting in the VPN
| > dial-up connection item on the client computer:
|
| Always was disabled.
|
| > 5. After the VPN connection is established, click Start->Run on the branch
| > office workstation side, and then type mstsc. On the Remote Desktop
| > Connection window, input one IP address of the main office workstations and
| > then click "Connect". Can you get the log on window?
|
| No. Remote Desktop error: "The client could not connect to the remote
| computer."
|
| > 6. To have a more clear understanding on the network topology, please type
| > ipconfig/all at both the branch/main office workstation/server, and send
| > the four outputs to me in the reply.
|
| Attached.
|
| > Note: Please double check if the branch/main office workstations are using
| > the same network schema. For example, if both are using the 192.168.1.x
| > subnet, it will cause unexpected problems due to the same schema.
|
| Main office is 10.0.0.X. Branch office is 10.0.100.X.
|
| > 7. Does this problem occur on all the branch/main office workstations?
|
| Yes.
|
| Under ISA2000, I was able to make this work by putting 10.0.0.1-10.0.0.255
| into the LAT so that ISA2000 thought this address range was local and
| therefore trusted. I can't figure out how to do the equivalent in ISA2004.
|
| GaryK
|
|
| > | Edward,
| > |
| > | Thanks for your attention to this, but I have a more-serious problem that I
| > | must first address, and I would very much appreciate your help:
| > |
| > | I have just upgraded a branch-office Windows 2000 server from ISA2000 to
| > | ISA2004. Under ISA2000, the branch-office workstations could VPN into the
| > | main-office VPN server and then connect via pcAnywhere to internal machines
| > | on the main-office network. However after the upgrade to ISA2004, these same
| > | branch-office workstations, although they successfully connect to the VPN
| > | server, can no longer connect via pcAnywhere to the main-office
| > | workstations. The branch-office Windows 2000 server itself can VPN into the
| > | main-office VPN server and connect to these main-office workstations, but the
| > | branch-office workstations cannot.
| > |
| > | Is it possible that you can suggest a remedy for this? My need is great.
| > |
| > | GaryK
| > |
| > |
| > | "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | news:R8mMI4$tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > Dear Gary:
| > | > Now I understand that the problem doesn't reside at the remote side.
| > | >
| > | > Here, I would suggest you use the PPTP Ping utility to perform the test and
| > | > check if the GRE packet is allowed to pass through the router:
| > | >
| > | > Basically, we will use PPTP Ping utility to determine whether any hardware
| > | > router or firewall is blocking GRE Protocol 47. The router must be able to
| > | > pass Generic Route Encapsulation (GRE) protocol 47 for PPTP traffic to
| > | > connect correctly to use VPN. When a cable/DSL router cannot map GRE
| > | > protocol 47 to the Routing and Remote Access server, you cannot connect to
| > | > the server from the Internet.
| > | >
| > | > a. Please run Pptpsrv.exe on the server side.
| > | > b. Run Pptpclnt.exe [ServerNameorIPaddress] on remote client.
| > | > c. When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
| > | > and then click Enter.
| > | > d. You will see the text received at the host running Pptpsrv.exe. Then you
| > | > will see five GRE packets sent from Pptpclnt.exe and received at
| > | > Pptpsrv.exe.
| > | > Provide me with the output for reference.
| > | >
| > | > NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP support
| > | > tools.
| > | > For your convenience, I have attached the file within this reply.
| > | >
| > | > NOTE: You should stop the Routing and Remote Access service on the RRAS
| > | > (VPN) server so that PPTPSRV can bind to port 1723.
| > | >
| > | > I look forward to your update! :)
| > | >
| > | > Have a nice day.
| > | >
| > | > Best Regards
| > | > Edward Tian(MSFT)
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > --------------------
| > | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
| > | > | Subject: Re: ISA2004 kills VPN outbound
| > | > | Date: Mon, 12 Sep 2005 06:50:13 -0700
| > | > |
| > | > | Also, the system originating the outbound VPN has a hardware
| > | > | router/firewall. It is open on port 1723. It will be several weeks before I
| > | > | can test without the firewall.
| > | > |
| > | > | GaryK
| > | > |
| > | > | "Gary Karasik" <gkarasik@xxxxxxx> wrote in message
| > | > | news:%233lA$15tFHA.1284@xxxxxxxxxxxxxxxxxxxxxxx
| > | > | >I have the same problem connecting to several different VPN servers. Two
| > | > | >are SBS2003-based (RRAS) servers with inexpensive hardware routers
| > | > | >(firewalls) in front of them. One is a Windows 2000-based (also RRAS)
| > | > | >server with no hardware router.
| > | > | >
| > | > | > GaryK
| > | > | >
| > | > | > "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | > | > news:mf9MV%231tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > | >> Dear Gary:
| > | > | >> Thanks for your quick response.
| > | > | >>
| > | > | >> Can you please tell me some information about the remote VPN Server? Does
| > | > | >> it use a hardware router or a windows-based computer to be its VPN
| > | > | >> Server?
| > | > | >>
| > | > | >> Comparing with ISA 2000, ISA 2004 increases its security level, the VPN
| > | > | >> connection will fail in some cases when a hardware firewall resides in the
| > | > | >> remote network. So, please try connecting to another remote VPN server and
| > | > | >> see if the problem persists. This will help us confirm whether the problem
| > | > | >> resides at the remote side.
| > | > | >>
| > | > | >> I look forward to your update. Thank you for your time and patience.
| > | > | >> Have a nice day. :)
| > | > | >>
| > | > | >> Best Regards
| > | > | >> Edward Tian(MSFT)
| > | > | >> Microsoft CSS Online Newsgroup Support
| > | > | >>
| > | > | >> --------------------
| > | > | >> | From: "Gary Karasik" <gkarasik@xxxxxxx>
| > | > | >> | Subject: Re: ISA2004 kills VPN outbound
| > | > | >> | Date: Sun, 11 Sep 2005 21:18:31 -0700
| > | > | >> |
| > | > | >> | Thank you, Edward.
| > | > | >> |
| > | > | >> | > How to permit PPTP clients to access the external network
| > through
| > | > ISA
| > | > | >> | > Server 2004
| > | > | >> | > http://support.microsoft.com/?id=838245
| > | > | >> | >
| > | > | >> | > (You can follow this article when running the CEICW Wizard:
| > | > | >> | > 825763 How to configure Internet access in Windows Small
| > Business
| > | > | >> Server
| > | > | >> | > 2003
| > | > | >> | > http://support.microsoft.com/?id=825763 )
| > | > | >> |
| > | > | >> | Such a rule already exists.
| > | > | >> |
| > | > | >> | > Then, establish the VPN connection again, does it work this
| > time?
| > | > | >> |
| > | > | >> | I recreated the rule after rerunning the CEICW. Problem
| > persists.
| > | > | >> |
| > | > | >> | > If the problem persists, we may need to make a further
| > analysis.
| > | > | >> Please
| > | > | >> | > help me gather the following information in order to narrow
| > down
| > | > this
| > | > | >> | > issue:
| > | > | >> | >
| > | > | >> | > 1. Do you have firewall client installed? If so, please try
| > | > disabling
| > | > | >> the
| > | > | >> | > FW client and configure the client as a SecureNAT client.
| > When
| > we
| > | > | >> make a
| > | > | >> | > PPTP-based connection from an internal client to the
internet
| > VPN
| > | > | >> server,
| > | > | >> | > we cannot have the firewall client installed because the
ISA
| > | > Server
| > | > | >> | > Firewall Client program does not support a PPTP-based VPN
| > | > connection.
| > | > | >> You
| > | > | >> | > can refer to this article for more information:
| > | > | >> |
| > | > | >> | Same problem regardless of firewall-client status.
| > | > | >> |
| > | > | >> | > When you use the ISA 2004 Firewall Client program, you
cannot
| > | > make
| > | > a
| > | > | >> | > PPTP-based VPN connection
| > | > | >> | > http://support.microsoft.com/?id=887006
| > | > | >> |
| > | > | >> | > 2. Are you using a Linksys BEFSR41 router? The error 628
may
| > | > occur
| > | > if
| > | > | >> your
| > | > | >> | > VPN server is located behind a Linksys BEFSR41 router.
| > | > | >> |
| > | > | >> | No. It's a Netgear FVM318. By the way, this all works fine
| > under
| > | > | >> ISA2000.
| > | > | >> |
| > | > | >> | > Remote VPN Clients Cannot Log On to Network
| > | > | >> | >
| > http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
| > | > | >> | >
| > | > | >> | > 3. If the client directly connects to the Internet, can the
| > PPTP
| > | > | >> | > connection
| > | > | >> | > to the same VPN server work? This can verify if the remote
| > VPN
| > | > server
| > | > | >> is
| > | > | >> | > configured well.
| > | > | >> |
| > | > | >> | I have the same problem connecting from the server. I can
| > connect
| > | > to
| > | > | >> the
| > | > | >> VPN
| > | > | >> | server from clients not behind ISA 2004.
| > | > | >> |
| > | > | >> | > If this works, would you please tell me if this problem
| > occurs
| > on
| > | > all
| > | > | >> the
| > | > | >> | > internal clients?
| > | > | >> |
| > | > | >> | Yes.
| > | > | >> |
| > | > | >> | > 4. Please help to gather the ISA Info:
| > | > | >> | >
| > | > | >> | > 1) Download the file from the following URL:
| > | > | >> |
| > | > | >> | > http://www.isatools.org/isainfo/ISAInfo.zip
| > | > | >> |
| > | > | >> | I will not be able to get to this until next week.
| > | > | >> |
| > | > | >> | > 2) Extract all files to a folder on ISA server.
| > | > | >> | > 3) Double click Isainfo.js. This will generate 2 files
| > | > | >> | > ISAInfo2004-<computer-name>.log and
| > | > ISAInfo2004-<computer-name>.xml
| > | > | >> in
| > | > | >> the
| > | > | >> | > current folder.
| > | > | >> | > 4) Please send these files to me.
| > | > | >> | >
| > | > | >> | > 5. Please also help to gather the ISA logs:
| > | > | >> | >
| > | > | >> | > 1) Schedule a down time.
| > | > | >> | >
| > | > | >> | > 2) Open ISA 2004 management console.
| > | > | >> | >
| > | > | >> | > 3) Expand the server node and highlight 'Monitoring'.
| > | > | >> | >
| > | > | >> | > 4) In the right pane, switch to the 'Logging' tab, make
sure
| > the
| > | > | >> 'Task
| > | > | >> | > Pane' is shown there.
| > | > | >> | >
| > | > | >> | > 5) In the 'Task Pane', click 'Configure Firewall Logging'
| > under
| > | > | >> 'Logging
| > | > | >> | > Tasks', and then switch the 'log storage format' from 'MSDE
| > | > database'
| > | > | >> | > (default) to 'File'.
| > | > | >> | >
| > | > | >> | > 6) Switch to the 'Fields' tab, click 'Select All', and then
| > click
| > | > OK.
| > | > | >> | >
| > | > | >> | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging'
| > under
| > | > | >> 'Logging
| > | > | >> | > Tasks', and then switch the 'log storage format' from 'MSDE
| > | > database'
| > | > | >> | > (default) to 'File'.
| > | > | >> | >
| > | > | >> | > 8) Switch to the 'Fields' tab, click 'Select All', and then
| > click
| > | > OK.
| > | > | >> | >
| > | > | >> | > 9) Click 'Apply' to save changes and update the
| > configuration.
| > | > | >> | >
| > | > | >> | > 10) Temporarily disable the Firewall service. To do that,
| > please
| > | > | >> click
| > | > | >> | > Monitoring | Services tab, and then right click 'Microsoft
| > | > Firewall'
| > | > | >> to
| > | > | >> | > choose 'Stop'.
| > | > | >> | >
| > | > | >> | > 11) Clear the current existing W3C logs. To do that, go to
| > the
| > | > log
| > | > | >> saving
| > | > | >> | > directory and clean any existing .W3C logs. By default, the
| > logs
| > | > will
| > | > | >> be
| > | > | >> | > saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'.
| > (Some
| > | > MDF
| > | > | >> may
| > | > | >> | > not
| > | > | >> | > be able to be deleted, that's normal.) You may back them up
| > first
| > | > and
| > | > | >> then
| > | > | >> | > delete them.
| > | > | >> | >
| > | > | >> | > 12) Go back to the ISA 2004 management console, and then
| > Start
| > | > the
| > | > | >> stopped
| > | > | >> | > 'Microsoft Firewall' service.
| > | > | >> | >
| > | > | >> | > 13) Reproduce the problem, stop the service, and then
gather
| > the
| > | > | >> resulting
| > | > | >> | > W3C files to me for analysis.
| > | > | >> | >
| > | > | >> | > Note: Please also let me know the IP address of the testing
| > | > | >> client/server
| > | > | >> | > and the remote VPN server so that I can filter the data.
| > | > | >> | >
| > | > | >> | > I appreciate you taking time to perform the above steps and
| > | > gather
| > | > | >> the
| > | > | >> | > information. Please feel free to let me know if you have
any
| > | > | >> questions
| > | > | >> or
| > | > | >> | > concerns.
| > | > | >> | >
| > | > | >> | > I look forward to hearing from you.
| > | > | >> | > Have a nice day, Gary! :)
| > | > | >> | >
| > | > | >> | > Best Regards
| > | > | >> | > Edward Tian(MSFT)
| > | > | >> | > Microsoft CSS Online Newsgroup Support
| > | > | >> | >
| > | > | >> | > --------------------
| > | > | >> | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
| > | > | >> | > | Subject: ISA2004 kills VPN outbound
| > | > | >> | > | Date: Sat, 10 Sep 2005 23:56:37 -0700
| > | > | >> | > |
| > | > | >> | > | Hi,
| > | > | >> | > |
| > | > | >> | > | Since upgrading from ISA2000 to ISA2004, neither the server nor clients
| > | > | >> | > | behind ISA can VPN out. Server gets error 619, clients get error 628. This
| > | > | >> | > | worked under ISA2000. Is there an access rule I need to set up?
| > | > | >> | > |
| > | > | >> | > | GaryK
| > | > | >> | > |
| > | > | >> | > |
| > | > | >> | > |
| > | > | >> | >
| > | > | >> |
| > | > | >> |
| > | > | >> |
| > | > | >>
| > | > | >
| > | > | >
| > | > |
| > | > |
| > | > |
| > |
| > |
| > |
| >
|
|
|
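The post above asks for the W3C log files plus the branch-office and main-office client IP addresses so the data can be filtered. One way to do that filtering is sketched here as an added example; it is not part of the thread or of any Microsoft tool. The log rows and column names are constructed assumptions (the parser reads whatever the file's own `#Fields:` line declares), and the address ranges are the ones quoted in the post.

```python
import ipaddress
from collections import Counter

# Constructed sample in W3C extended layout: "#" directives, then tab-separated rows.
# Column names and rows are assumptions; a real log names its columns in its own
# "#Fields:" line, which is the only place the parser takes them from.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\taction",
    "2005-09-14\t03:40:01\tICMP\t10.0.100.21\t10.0.0.15\tAllowed",
    "2005-09-14\t03:40:09\tTCP\t10.0.100.21:1207\t10.0.0.15:445\tAllowed",
    "2005-09-14\t03:40:30\tTCP\t10.0.100.21:1211\t10.0.0.15:3389\tDenied",
    "2005-09-14\t03:40:33\tTCP\t10.0.100.21:1212\t10.0.0.15:3389\tDenied",
    "2005-09-14\t03:41:02\tTCP\t10.0.100.37:1099\t192.0.2.80:80\tAllowed",
    "truncated-row-without-enough-columns",
])

# Address ranges as listed on the Internal network's Addresses tab in the post.
INTERNAL_DEFAULT = [("10.0.100.0", "10.0.100.255")]
INTERNAL_WITH_MAIN_OFFICE = INTERNAL_DEFAULT + [("10.0.0.1", "10.0.0.255")]


def parse_w3c(text):
    """Yield one dict per data row, keyed by the most recent #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split("\t")
        if len(values) != len(fields):  # truncated or corrupt row
            continue
        yield dict(zip(fields, values))


def split_endpoint(value):
    """Split 'a.b.c.d' or 'a.b.c.d:port' (IPv4 only) into (address, port)."""
    host, sep, port = value.partition(":")
    return ipaddress.ip_address(host), int(port) if sep else None


def in_ranges(addr, ranges):
    """True if the address string lies inside any inclusive (start, end) range."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def flows_between(records, client_ip, peer_ip):
    """Keep only rows exchanged between the two hosts, in either direction."""
    pair = {ipaddress.ip_address(client_ip), ipaddress.ip_address(peer_ip)}
    for rec in records:
        try:
            src, _ = split_endpoint(rec["source"])
            dst, dport = split_endpoint(rec["destination"])
            proto, action = rec["IP protocol"], rec["action"]
        except (KeyError, ValueError):
            continue  # row lacks the assumed columns or holds a bad address
        if {src, dst} == pair:
            yield proto, dport, action, dst


def summarize(text, client_ip, peer_ip, internal_ranges):
    """Count rows per (protocol, dest port, action, dest inside Internal ranges)."""
    counts = Counter()
    for proto, dport, action, dst in flows_between(parse_w3c(text), client_ip, peer_ip):
        counts[(proto, dport, action, in_ranges(str(dst), internal_ranges))] += 1
    return counts


if __name__ == "__main__":
    for label, ranges in (("default Internal range", INTERNAL_DEFAULT),
                          ("with 10.0.0.1-10.0.0.255 added", INTERNAL_WITH_MAIN_OFFICE)):
        print(label)
        result = summarize(SAMPLE_LOG, "10.0.100.21", "10.0.0.15", ranges)
        for (proto, dport, action, internal), n in sorted(result.items(), key=str):
            print(f"  {proto:4} port={dport} {action:7} dest_internal={internal} x{n}")
```
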