Re: ISA2004 kills VPN outbound
- From: "Gary Karasik" <gkarasik@xxxxxxx>
- Date: Wed, 14 Sep 2005 01:13:37 -0700
Hi, Edward,
The VPN connection you're seeing into the branch-office server is me
connecting to it from home. I could not be running these tests otherwise.
I tried to telnet to port 3389 as you asked. The connection failed.
GaryK
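
Added example, not part of either poster's message: a Python check of which adapter addresses from the ipconfig output quoted further down fall inside the ISA 2004 "Internal" address ranges named in the thread, and which point-to-point adapters hold an address inside the branch LAN subnet. The function names are hypothetical, and the sample text is constructed from the adapter names, addresses and masks in the quoted output.

```python
import ipaddress
import re

# Constructed sample: adapter names, addresses and masks copied from the
# "With VPN connected" ipconfig /all output quoted in the thread.
IPCONFIG_SAMPLE = """\
Ethernet adapter Internal:
        IP Address. . . . . . . . . . . . : 10.0.100.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter External:
        IP Address. . . . . . . . . . . . : 192.168.0.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
PPP adapter RAS Server (Dial In) Interface:
        IP Address. . . . . . . . . . . . : 10.0.100.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
PPP adapter VPNKF:
        IP Address. . . . . . . . . . . . : 10.0.0.110
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
"""

# Address ranges as stated in the thread: the default "Internal" range on the
# branch ISA server, and the main-office range that was added to it.
INTERNAL_DEFAULT = [("10.0.100.0", "10.0.100.255")]
INTERNAL_EXTENDED = INTERNAL_DEFAULT + [("10.0.0.1", "10.0.0.255")]

ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP) adapter (.+?):\s*$")
FIELD_RE = re.compile(r"^\s*(IP Address|Subnet Mask)[ .]*:\s*(\S+)\s*$")


def parse_ipconfig(text):
    """Return {adapter name: IPv4Interface} from ipconfig /all style text."""
    adapters, name, addr = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            name, addr = m.group(1), None
            continue
        m = FIELD_RE.match(line)
        if not m or name is None:
            continue
        if m.group(1) == "IP Address":
            addr = m.group(2)
        elif addr is not None:
            # "Subnet Mask" follows "IP Address"; combine them into one interface.
            adapters[name] = ipaddress.ip_interface(f"{addr}/{m.group(2)}")
    return adapters


def in_ranges(ip, ranges):
    """True if ip lies inside any inclusive (first, last) address range."""
    ip = ipaddress.ip_address(str(ip))
    return any(
        ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
        for lo, hi in ranges
    )


def classify(adapters, ranges):
    """Map each adapter name to whether its address is inside the given ranges."""
    return {name: in_ranges(iface.ip, ranges) for name, iface in adapters.items()}


def ptp_inside_lan(adapters, lan="Internal"):
    """Names of /32 (point-to-point) adapters whose address is inside the LAN subnet."""
    lan_net = adapters[lan].network
    return sorted(
        name
        for name, iface in adapters.items()
        if name != lan and iface.network.prefixlen == 32 and iface.ip in lan_net
    )


if __name__ == "__main__":
    found = parse_ipconfig(IPCONFIG_SAMPLE)
    for label, ranges in (("default", INTERNAL_DEFAULT), ("extended", INTERNAL_EXTENDED)):
        print(f"Internal ranges ({label}):")
        for name, inside in classify(found, ranges).items():
            print(f"  {name:32} {found[name].ip!s:14} {'inside' if inside else 'outside'}")
    print("PPP adapters addressed inside the LAN subnet:", ptp_inside_lan(found))
```
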
"Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:$V0xlIQuFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Gary:
> Thank you for the update.
>
> It seems that the Windows Server 2000 is also acting as a VPN Server for
> remote VPN access because I have found an interface called "PPP adapter
> RAS Server (Dial In) Interface:" in the list of ipconfig. It appears some
> remote clients are establishing the VPN connection to the branch office at
> that time. Please temporarily do not use it to be the VPN server.
>
> In addition, please try to telnet the 3389 port of the main office
> workstations. To do that:
> 1. Go to a branch office workstation, and then establish the VPN
> connection to the main office VPN Server.
>
> 2. After the VPN connection was successfully established, go to the
> command prompt window.
>
> 3. Type "telnet 10.0.0.100 3389" without the quotation mark. Here I assume
> 10.0.0.100 is one of the IP addresses of your internal clients at the main
> office side.
>
> Does the telnet command work?
>
> I look forward to your update. Thank you.
> Have a nice day.
>
> Best Regards
> Edward Tian(MSFT)
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
> | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | Subject: Re: ISA2004 kills VPN outbound
> | Date: Tue, 13 Sep 2005 22:32:38 -0700
> | Newsgroups: microsoft.public.windows.server.sbs
> |
> |
> | "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | news:v8EAqnOuFHA.896@xxxxxxxxxxxxxxxxxxxxxxxx
> | > Hi Gary:
> | > I have received your attached file. Everything looks good except this one:
> | >
> | > The ipconfig on the branch office server:
> | > PPP adapter RAS Server (Dial In) Interface:
> | >
> | >
> | >
> | > Connection-specific DNS Suffix . :
> | > Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> | >
> | > Physical Address. . . . . . . . . : 00-53-45-00-00-00
> | >
> | > DHCP Enabled. . . . . . . . . . . : No
> | >
> | > IP Address. . . . . . . . . . . . : 10.0.100.20
> | >
> | > Subnet Mask . . . . . . . . . . . : 255.255.255.255
> | >
> | > Default Gateway . . . . . . . . . :
> | >
> | > DNS Servers . . . . . . . . . . . : 127.0.0.1
> | >
> | > Can you tell me if you got this ipconfig information after the windows
> | > server 2000 VPN to the SBS 2003 at the main office? Since the branch
> | > office is using the 10.0.100.x subnet, it's weird that the win 2000 server
> | > obtains a PPP ip address 10.0.100.20 from the remote VPN server which
> | > belongs to its own subnet. However, the windows 2000 server works fine.
> |
> | I redid the IPCONFIG /ALL. Here are the results:
> |
> | With VPN connected:
> |
> |
> | Windows 2000 IP Configuration
> |
> |
> |
> | Host Name . . . . . . . . . . . . : laserver
> | Primary DNS Suffix . . . . . . . : sfdomain.org
> | Node Type . . . . . . . . . . . . : Hybrid
> |
> | IP Routing Enabled. . . . . . . . : Yes
> |
> | WINS Proxy Enabled. . . . . . . . : No
> |
> | DNS Suffix Search List. . . . . . : sfdomain.org
> |
> | Ethernet adapter Internal:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
> | Physical Address. . . . . . . . . : 00-02-B3-A1-58-CA
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 10.0.100.1
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.0
> |
> | Default Gateway . . . . . . . . . :
> |
> | DNS Servers . . . . . . . . . . . : 10.0.100.1
> | Primary WINS Server . . . . . . . : 10.0.100.1
> |
> |
> | Ethernet adapter External:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
> | Physical Address. . . . . . . . . : 00-C0-9F-04-6C-B7
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 192.168.0.30
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.0
> |
> | Default Gateway . . . . . . . . . : 192.168.0.1
> |
> | DNS Servers . . . . . . . . . . . : 10.0.100.1
> | NetBIOS over Tcpip. . . . . . . . : Disabled
> |
> |
> | PPP adapter RAS Server (Dial In) Interface:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> |
> | Physical Address. . . . . . . . . : 00-53-45-00-00-00
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 10.0.100.20
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.255
> |
> | Default Gateway . . . . . . . . . :
> |
> | DNS Servers . . . . . . . . . . . : 127.0.0.1
> |
> | PPP adapter VPNKF:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> |
> | Physical Address. . . . . . . . . : 00-53-45-00-00-00
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 10.0.0.110
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.255
> |
> | Default Gateway . . . . . . . . . :
> |
> | DNS Servers . . . . . . . . . . . : 10.0.0.2
> | Primary WINS Server . . . . . . . : 10.0.0.2
> |
> | -------------------------------------------------------------
> | Without VPN connected:
> |
> | Windows 2000 IP Configuration
> |
> |
> |
> | Host Name . . . . . . . . . . . . : laserver
> | Primary DNS Suffix . . . . . . . : sfdomain.org
> | Node Type . . . . . . . . . . . . : Hybrid
> |
> | IP Routing Enabled. . . . . . . . : Yes
> |
> | WINS Proxy Enabled. . . . . . . . : No
> |
> | DNS Suffix Search List. . . . . . : sfdomain.org
> |
> | Ethernet adapter Internal:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : Intel(R) PRO/100 S Server Adapter
> | Physical Address. . . . . . . . . : 00-02-B3-A1-58-CA
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 10.0.100.1
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.0
> |
> | Default Gateway . . . . . . . . . :
> |
> | DNS Servers . . . . . . . . . . . : 10.0.100.1
> | Primary WINS Server . . . . . . . : 10.0.100.1
> |
> |
> | Ethernet adapter External:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : Intel 8255x-based PCI Ethernet Adapter (10/100)
> | Physical Address. . . . . . . . . : 00-C0-9F-04-6C-B7
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 192.168.0.30
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.0
> |
> | Default Gateway . . . . . . . . . : 192.168.0.1
> |
> | DNS Servers . . . . . . . . . . . : 10.0.100.1
> | NetBIOS over Tcpip. . . . . . . . : Disabled
> |
> |
> | PPP adapter RAS Server (Dial In) Interface:
> |
> |
> |
> | Connection-specific DNS Suffix . :
> | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> |
> | Physical Address. . . . . . . . . : 00-53-45-00-00-00
> |
> | DHCP Enabled. . . . . . . . . . . : No
> |
> | IP Address. . . . . . . . . . . . : 10.0.100.20
> |
> | Subnet Mask . . . . . . . . . . . : 255.255.255.255
> |
> | Default Gateway . . . . . . . . . :
> |
> | DNS Servers . . . . . . . . . . . : 127.0.0.1
> |
> |
> | > In addition, I remember that at the main office side, there is also an
> | > ISA 2004 server installed. So, please add the subnet of the branch office
> | > 10.0.100.x into the address range of the "Internal" object as well.
> |
> | Done.
> |
> | > Since you can access the file shares and ping the main office
> | > workstation, the internet connection has no problems. I suspect that the
> | > port 3389 is blocked by the ISA Server. Please create an ALLOW ALL/ALL/ALL
> | > rule in the ISA Server at the branch office side:
> |
> | Such a rule already exists.
> |
> | > Please understand that this is such a strange problem and we may need to
> | > perform a deep investigation. Thank you for your time and understanding on
> | > this case.
> |
> | I will give it as much time as it needs. I appreciate your attention to
> | this.
> |
> | > I am standing by for your update. Thank you.
> | >
> | > Best Regards
> | > Edward Tian(MSFT)
> | > Microsoft CSS Online Newsgroup Support
> | >
> | >
> | > --------------------
> | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | > | Subject: Re: ISA2004 kills VPN outbound
> | > | Date: Tue, 13 Sep 2005 20:52:48 -0700
> | > | Newsgroups: microsoft.public.windows.server.sbs
> | > |
> | > | Adding 10.0.0.1-10.0.0.255 does not help.
> | > |
> | > | I will do the rest of this this weekend.
> | > |
> | > | I will send the IPCONFIG files to you tonight.
> | > |
> | > | GaryK
> | > |
> | > | "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | > | news:pJYzC2NuFHA.580@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > Dear Gary:
> | > | > Thanks for your detailed reply.
> | > | >
> | > | > In ISA2004 management console, please expand to Configuration|Networks,
> | > | > click the Networks object, double click Internal. Then click the
> | > | > Addresses tab, Add "10.0.0.1" to "10.0.0.255" into the list of address
> | > | > range. (By default, it should only have the address range from
> | > | > 10.0.100.0 to 10.0.100.255)
> | > | >
> | > | > Then apply the settings. Does it work this time?
> | > | >
> | > | > If the problem persists, we may need to gather more detailed
> | > | > information for deep investigation:
> | > | > 1. Please help to ISA Info:
> | > | >
> | > | > 1) Download the file from the following URL:
> | > | >
> | > | > http://www.isatools.org/isainfo/ISAInfo.zip
> | > | >
> | > | > 2) Extract all files to a folder on ISA server.
> | > | > 3) Double click Isainfo.js. This will generate 2 files
> | > | > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in
> | > | > the current folder.
> | > | > 4) Please send these files to me.
> | > | >
> | > | > 2. Please also help to gather the ISA logs:
> | > | >
> | > | > 1) Schedule a down time.
> | > | >
> | > | > 2) Open ISA 2004 management console.
> | > | >
> | > | > 3) Expand the server node and highlight 'Monitoring'.
> | > | >
> | > | > 4) In the right pane, switch to the 'Logging' tab, make sure the
> | > | > 'Task Pane' is shown there.
> | > | >
> | > | > 5) In the 'Task Pane', click 'Configure Firewall Logging' under
> | > | > 'Logging Tasks', and then switch the 'log storage format' from 'MSDE
> | > | > database' (default) to 'File'.
> | > | >
> | > | > 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
> | > | >
> | > | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
> | > | > 'Logging Tasks', and then switch the 'log storage format' from 'MSDE
> | > | > database' (default) to 'File'.
> | > | >
> | > | > 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
> | > | >
> | > | > 9) Click 'Apply' to save changes and update the configuration.
> | > | >
> | > | > 10) Temporarily disable the Firewall service. To do that, please
> | > | > click Monitoring | Services tab, and then right click 'Microsoft
> | > | > Firewall' to choose 'Stop'.
> | > | >
> | > | > 11) Clear the current existing W3C logs. To do that, go to the log
> | > | > saving directory and clean any existing .W3C logs. By default, the logs
> | > | > will be saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some
> | > | > MDF may not be able to be deleted, that's normal.) You may backup them
> | > | > first and then delete them.
> | > | >
> | > | > 12) Go back to the ISA 2004 management console, and then Start the
> | > | > stopped 'Microsoft Firewall' service.
> | > | >
> | > | > 13) Reproduce the problem, stop the service, and then gather the
> | > | > resulting W3C files to me for analysis.
> | > | >
> | > | > 14) Please also let me know the IP address of the branch office client
> | > | > and the main office client so that I can filter the data.
> | > | >
> | > | > 3. After the VPN connection was established, please type "route print"
> | > | > on the client side and send me the output.
> | > | >
> | > | > For some reasons I cannot save the file ipconfig.zip to my local
> | > | > computer, would you please send it directly to my mailbox:
> | > | > v-edtian@xxxxxxxxxxxxx
> | > | > You can also send the Route print, ISA log and ISA info to my mailbox,
> | > | > thank you. :-)
> | > | >
> | > | > Note: Please type the ipconfig/all command AFTER the VPN connection
> | > | > was established.
> | > | >
> | > | > I appreciate your time and effort. Please feel free to let me know if
> | > | > you have any questions or concerns.
> | > | > Have a nice day!
> | > | >
> | > | > Best Regards
> | > | > Edward Tian(MSFT)
> | > | > Microsoft CSS Online Newsgroup Support
> | > | >
> | > | >
> | > | > --------------------
> | > | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | > | > | Subject: Re: ISA2004 kills VPN outbound
> | > | > | Date: Tue, 13 Sep 2005 17:17:48 -0700
> | > | > | Newsgroups: microsoft.public.windows.server.sbs
> | > | > |
> | > | > | > From the description, I assume the network diagram as following:
> | > | > | >
> | > | > | > Main office workstations----{Nic 1}The VPN Server{Nic 2}---Router----Internet----Router----{Nic 1}Windows 2k Server/ISA2k4{Nic 2}-----Branch office workstations
> | > | > |
> | > | > | Yes.
> | > | > |
> | > | > | > Can you tell me what device do you use for your VPN Server, a two
> | > | > | > NIC-based SBS Server or a hardware router?
> | > | > |
> | > | > | A 2-Nic-based SBS2003 server.
> | > | > |
> | > | > | > You mentioned that the ISA 2004 is installed on the Windows Server
> | > | > | > 2000. Technically speaking, ISA 2k4 is not fully compatible with Win
> | > | > | > Server 2k, it will cause some compatibility problems. If possible,
> | > | > | > please temporarily put a laptop directly connected to the router,
> | > | > | > manually assign the IP address, and then connect to the VPN Server at
> | > | > | > the main office side and establish the RDP session again (Use the
> | > | > | > Remote Desktop Connection or the PcAnywhere), does it work this time?
> | > | > |
> | > | > | Yes, it works from the laptop. It also works from the remote Windows
> | > | > | 2000 server itself.
> | > | > |
> | > | > | > Since the branch office workstations can connect to the VPN server,
> | > | > | > the VPN connection is successfully established. The problem is that
> | > | > | > the RDP session cannot be established. To narrow down the issue,
> | > | > | > please help to gather the following information:
> | > | > | > 1. After the branch office workstation connect to the VPN server, can
> | > | > | > you ping the internal workstation at the main office side? Please try
> | > | > | > to Ping the workstation using both the ip address and the computer
> | > | > | > name.
> | > | > |
> | > | > | I can ping using both IP and name.
> | > | > |
> | > | > | > If both the above tests work, then can you access the shared folders
> | > | > | > on the main office workstations?
> | > | > |
> | > | > | Yes. I can also map to shares on the main-office network, both on the
> | > | > | servers and workstations.
> | > | > |
> | > | > | > 2. Is ISA Server installed on the main office side? If so, please make
> | > | > | > sure the following settings are configured in the ISA server:
> | > | > | >
> | > | > | > a. The relation between the VPN clients and Internal Network is
> | > | > | > "Route".
> | > | > |
> | > | > | It is Route.
> | > | > |
> | > | > | > b. An access rule that allows the traffic between VPN clients and
> | > | > | > Internal networks:
> | > | > |
> | > | > | Done.
> | > | > |
> | > | > | > 4. Disable the Use Default Gateway on Remote Network setting in the
> | > | > | > VPN dial-up connection item on the client computer:
> | > | > |
> | > | > | Always was disabled.
> | > | > |
> | > | > | > 5. After the VPN connection is established, click Start->Run on the
> | > | > | > branch office workstation side, and then type mstsc. On the Remote
> | > | > | > Desktop Connection window, input one IP address of the main office
> | > | > | > workstations and then click "Connect". Can you get the log on window?
> | > | > |
> | > | > | No. Remote Desktop error: "The client could not connect to the remote
> | > | > | computer."
> | > | > |
> | > | > | > 6. To have a more clear understanding on the network topology, please
> | > | > | > type ipconfig/all at both the branch/main office workstation/server,
> | > | > | > and send the four outputs to me in the reply.
> | > | > |
> | > | > | Attached.
> | > | > |
> | > | > | > Note: Please double check if the branch/main office workstations are
> | > | > | > using the same network schema. For example, if both are using the
> | > | > | > 192.168.1.x subnet, it will cause unexpected problems due to the same
> | > | > | > schema.
> | > | > |
> | > | > | Main office is 10.0.0.X. Branch office is 10.0.100.X.
> | > | > |
> | > | > | > 7. Does this problem occur on all the branch/main office workstations?
> | > | > |
> | > | > | Yes.
> | > | > |
> | > | > | Under ISA2000, I was able to make this work by putting
> | > | > | 10.0.0.1-10.0.0.255 into the LAT so that ISA2000 thought this address
> | > | > | range was local and therefore trusted. I can't figure out how to do the
> | > | > | equivalent in ISA2004.
> | > | > |
> | > | > | GaryK
> | > | > |
> | > | > |
> | > | > | > | Edward,
> | > | > | > |
> | > | > | > | Thanks for your attention to this, but I have a more-serious problem
> | > | > | > | that I must first address, and I would very much appreciate your help:
> | > | > | > |
> | > | > | > | I have just upgraded a branch-office Windows 2000 server from ISA2000
> | > | > | > | to ISA2004. Under ISA2000, the branch-office workstations could VPN
> | > | > | > | into the main-office VPN server and then connect via pcAnywhere to
> | > | > | > | internal machines on the main-office network. However after the upgrade
> | > | > | > | to ISA2004, these same branch-office workstations, although they
> | > | > | > | successfully connect to the VPN server, can no longer connect via
> | > | > | > | pcAnywhere to the main-office workstations. The branch-office Windows
> | > | > | > | 2000 server itself can VPN into the main-office VPN server and connect
> | > | > | > | to these main-office workstations, but the branch-office workstations
> | > | > | > | cannot.
> | > | > | > |
> | > | > | > | Is it possible that you can suggest a remedy for this? My need is
> | > | > | > | great.
> | > | > | > |
> | > | > | > | GaryK
> | > | > | > |
> | > | > | > |
> | > | > | > | "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in
> message
> | > | > | > | news:R8mMI4$tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > | > | > Dear Gary:
> | > | > | > | > Now I understand that the problem doesn't reside at the remote side.
> | > | > | > | >
> | > | > | > | > Here, I would suggest you use the PPTP Ping utility to perform the
> | > | > | > | > test and check if the GRE packet is allowed to pass through the
> | > | > | > | > router:
> | > | > | > | >
> | > | > | > | > Basically, we will use PPTP Ping utility to determine whether any
> | > | > | > | > hardware router or firewall is blocking GRE Protocol 47. The router
> | > | > | > | > must be able to pass Generic Route Encapsulation (GRE) protocol 47
> | > | > | > | > for PPTP traffic to connect correctly to use VPN. When a cable/DSL
> | > | > | > | > router cannot map GRE protocol 47 to the Routing and Remote Access
> | > | > | > | > server, you cannot connect to the server from the Internet.
> | > | > | > | >
> | > | > | > | > a. Please run Pptpsrv.exe on the server side.
> | > | > | > | > b. Run Pptpclnt.exe [ServerNameorIPaddress] on remote client.
> | > | > | > | > c. When prompted by Pptpclnt.exe, type some text to send to
> | > | > | > | > Pptpsrv.exe, and then click Enter.
> | > | > | > | > d. You will see the text received at the host running Pptpsrv.exe.
> | > | > | > | > Then you will see five GRE packets sent from Pptpclnt.exe and
> | > | > | > | > received at Pptpsrv.exe.
> | > | > | > | > Provide me with the output for reference.
> | > | > | > | >
> | > | > | > | > NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP
> | > | > | > | > support tools.
> | > | > | > | > For your convenience, I have attached the file within this reply.
> | > | > | > | >
> | > | > | > | > NOTE: You should stop the Routing and Remote Access service on the
> | > | > | > | > RRAS (VPN) server so that PPTPSRV can bind to port 1723.
> | > | > | > | >
> | > | > | > | > I look forward to your update! :)
> | > | > | > | >
> | > | > | > | > Have a nice day.
> | > | > | > | >
> | > | > | > | > Best Regards
> | > | > | > | > Edward Tian(MSFT)
> | > | > | > | > Microsoft CSS Online Newsgroup Support
> | > | > | > | >
> | > | > | > | >
> | > | > | > | > --------------------
> | > | > | > | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | > | > | > | > | Subject: Re: ISA2004 kills VPN outbound
> | > | > | > | > | Date: Mon, 12 Sep 2005 06:50:13 -0700
> | > | > | > | > |
> | > | > | > | > | Also, the system originating the outbound VPN has a hardware
> | > | > | > | > | router/firewall. It is open on port 1723. It will be several weeks
> | > | > | > | > | before I can test without the firewall.
> | > | > | > | > |
> | > | > | > | > | GaryK
> | > | > | > | > |
> | > | > | > | > | "Gary Karasik" <gkarasik@xxxxxxx> wrote in message
> | > | > | > | > | news:%233lA$15tFHA.1284@xxxxxxxxxxxxxxxxxxxxxxx
> | > | > | > | > | >I have the same problem connecting to several different VPN servers.
> | > | > | > | > | >Two are SBS2003-based (RRAS) servers with inexpensive hardware routers
> | > | > | > | > | >(firewalls) in front of them. One is a Windows 2000-based (also RRAS)
> | > | > | > | > | >server with no hardware router.
> | > | > | > | > | >
> | > | > | > | > | > GaryK
> | > | > | > | > | >
> | > | > | > | > | > "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
> | > | > | > | > | > news:mf9MV%231tFHA.3160@xxxxxxxxxxxxxxxxxxxxxxxx
> | > | > | > | > | >> Dear Gary:
> | > | > | > | > | >> Thanks for your quick response.
> | > | > | > | > | >>
> | > | > | > | > | >> Can you please tell me some information about the remote VPN Server?
> | > | > | > | > | >> Does it use a hardware router or a windows-based computer to be its
> | > | > | > | > | >> VPN Server?
> | > | > | > | > | >>
> | > | > | > | > | >> Comparing with ISA 2000, ISA 2004 increases its security level, the
> | > | > | > | > | >> VPN connection will fail in some cases when a hardware firewall
> | > | > | > | > | >> resides in the remote network. So, please try connecting to another
> | > | > | > | > | >> remote VPN server and see if the problem persists. This will help us
> | > | > | > | > | >> confirm whether the problem resides at the remote side.
> | > | > | > | > | >>
> | > | > | > | > | >> I look forward to your update. Thank you for your time and patience.
> | > | > | > | > | >> Have a nice day. :)
> | > | > | > | > | >>
> | > | > | > | > | >> Best Regards
> | > | > | > | > | >> Edward Tian(MSFT)
> | > | > | > | > | >> Microsoft CSS Online Newsgroup Support
> | > | > | > | > | >>
> | > | > | > | > | >> --------------------
> | > | > | > | > | >> | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | > | > | > | > | >> | Subject: Re: ISA2004 kills VPN outbound
> | > | > | > | > | >> | Date: Sun, 11 Sep 2005 21:18:31 -0700
> | > | > | > | > | >> |
> | > | > | > | > | >> | Thank you, Edward.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > How to permit PPTP clients to access the external network through
> | > | > | > | > | >> | > ISA Server 2004
> | > | > | > | > | >> | > http://support.microsoft.com/?id=838245
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > (You can follow this article when running the CEICW Wizard:
> | > | > | > | > | >> | > 825763 How to configure Internet access in Windows Small Business
> | > | > | > | > | >> | > Server 2003
> | > | > | > | > | >> | > http://support.microsoft.com/?id=825763 )
> | > | > | > | > | >> |
> | > | > | > | > | >> | Such a rule already exists.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > Then, establish the VPN connection again, does it work this time?
> | > | > | > | > | >> |
> | > | > | > | > | >> | I recreated the rule after rerunning the CEICW. Problem persists.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > If the problem persists, we may need to make a further analysis.
> | > | > | > | > | >> | > Please help me gather the following information in order to narrow
> | > | > | > | > | >> | > down this issue:
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 1. Do you have firewall client installed? If so, please try
> | > | > | > | > | >> | > disabling the FW client and configure the client as a SecureNAT
> | > | > | > | > | >> | > client. When we make a PPTP-based connection from an internal
> | > | > | > | > | >> | > client to the internet VPN server, we cannot have the firewall
> | > | > | > | > | >> | > client installed because the ISA Server Firewall Client program
> | > | > | > | > | >> | > does not support a PPTP-based VPN connection. You can refer to
> | > | > | > | > | >> | > this article for more information:
> | > | > | > | > | >> |
> | > | > | > | > | >> | Same problem regardless of firewall-client status.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > When you use the ISA 2004 Firewall Client program, you cannot make
> | > | > | > | > | >> | > a PPTP-based VPN connection
> | > | > | > | > | >> | > http://support.microsoft.com/?id=887006
> | > | > | > | > | >> |
> | > | > | > | > | >> | > 2. Are you using a Linksys BEFSR41 router? The error 628 may occur
> | > | > | > | > | >> | > if your VPN server is located behind a Linksys BEFSR41 router.
> | > | > | > | > | >> |
> | > | > | > | > | >> | No. It's a Netgear FVM318. By the way, this all works fine under
> | > | > | > | > | >> | ISA2000.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > Remote VPN Clients Cannot Log On to Network
> | > | > | > | > | >> | > http://support.microsoft.com/default.aspx?scid=KB;EN-US;329858
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 3. If the client directly connects to the Internet, can the PPTP
> | > | > | > | > | >> | > connection to the same VPN server work? This can verify if the
> | > | > | > | > | >> | > remote VPN server is configured well.
> | > | > | > | > | >> |
> | > | > | > | > | >> | I have the same problem connecting from the server. I can connect to
> | > | > | > | > | >> | the VPN server from clients not behind ISA 2004.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > If this works, would you please tell me if this problem occurs on
> | > | > | > | > | >> | > all the internal clients?
> | > | > | > | > | >> |
> | > | > | > | > | >> | Yes.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > 4. Please help to gather the ISA Info:
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 1) Download the file from the following URL:
> | > | > | > | > | >> |
> | > | > | > | > | >> | > http://www.isatools.org/isainfo/ISAInfo.zip
> | > | > | > | > | >> |
> | > | > | > | > | >> | I will not be able to get to this until next week.
> | > | > | > | > | >> |
> | > | > | > | > | >> | > 2) Extract all files to a folder on ISA server.
> | > | > | > | > | >> | > 3) Double click Isainfo.js. This will generate 2 files
> | > | > | > | > | >> | > ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml
> | > | > | > | > | >> | > in the current folder.
> | > | > | > | > | >> | > 4) Please send these files to me.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 5. Please also help to gather the ISA logs:
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 1) Schedule a down time.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 2) Open ISA 2004 management console.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 3) Expand the server node and highlight 'Monitoring'.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 4) In the right pane, switch to the 'Logging' tab, make sure the
> | > | > | > | > | >> | > 'Task Pane' is shown there.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 5) In the 'Task Pane', click 'Configure Firewall Logging' under
> | > | > | > | > | >> | > 'Logging Tasks', and then switch the 'log storage format' from
> | > | > | > | > | >> | > 'MSDE database' (default) to 'File'.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 6) Switch to the 'Fields' tab, click 'Select All', and then click
> | > | > | > | > | >> | > OK.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
> | > | > | > | > | >> | > 'Logging Tasks', and then switch the 'log storage format' from
> | > | > | > | > | >> | > 'MSDE database' (default) to 'File'.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 8) Switch to the 'Fields' tab, click 'Select All', and then click
> | > | > | > | > | >> | > OK.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 9) Click 'Apply' to save changes and update the configuration.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 10) Temporarily disable the Firewall service. To do that, please
> | > | > | > | > | >> | > click Monitoring | Services tab, and then right click 'Microsoft
> | > | > | > | > | >> | > Firewall' to choose 'Stop'.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 11) Clear the current existing W3C logs. To do that, go to the log
> | > | > | > | > | >> | > saving directory and clean any existing .W3C logs. By default, the
> | > | > | > | > | >> | > logs will be saved to 'C:\Program Files\Microsoft ISA
> | > | > | > | > | >> | > Server\ISALogs'. (Some MDF may not be able to be deleted, that's
> | > | > | > | > | >> | > normal.) You may back them up first and then delete them.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 12) Go back to the ISA 2004 management console, and then Start the
> | > | > | > | > | >> | > stopped 'Microsoft Firewall' service.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > 13) Reproduce the problem, stop the service, and then gather the
> | > | > | > | > | >> | > resulting W3C files to me for analysis.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > Note: Please also let me know the IP address of the testing
> | > | > | > | > | >> | > client/server and the remote VPN server so that I can filter the
> | > | > | > | > | >> | > data.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > I appreciate you taking time to perform the above steps and gather
> | > | > | > | > | >> | > the information. Please feel free to let me know if you have any
> | > | > | > | > | >> | > questions or concerns.
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > I look forward to hearing from you.
> | > | > | > | > | >> | > Have a nice day, Gary! :)
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > Best Regards
> | > | > | > | > | >> | > Edward Tian(MSFT)
> | > | > | > | > | >> | > Microsoft CSS Online Newsgroup Support
> | > | > | > | > | >> | >
> | > | > | > | > | >> | > --------------------
> | > | > | > | > | >> | > | From: "Gary Karasik" <gkarasik@xxxxxxx>
> | > | > | > | > | >> | > | Subject: ISA2004 kills VPN outbound
> | > | > | > | > | >> | > | Date: Sat, 10 Sep 2005 23:56:37 -0700
> | > | > | > | > | >> | > |
> | > | > | > | > | >> | > | Hi,
> | > | > | > | > | >> | > |
> | > | > | > | > | >> | > | Since upgrading from ISA2000 to ISA2004, neither the server nor
> | > | > | > | > | >> | > | clients behind ISA can VPN out. Server gets error 619, clients
> | > | > | > | > | >> | > | get error 628. This worked under ISA2000. Is there an access
> | > | > | > | > | >> | > | rule I need to set up?
> | > | > | > | > | >> | > |
> | > | > | > | > | >> | > | GaryK
>
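The filtering step requested in the quoted instructions above (narrowing the gathered W3C log files to the test client and the remote VPN server), as an added example that is not part of the original thread or any Microsoft tool. The field names, addresses and log rows are constructed assumptions; the parser takes its column names from whatever the log's own `#Fields:` line declares. It separates the two halves of a PPTP session, the TCP 1723 control channel and the GRE (IP protocol 47) tunnel, and counts the firewall action recorded for each.

```python
from collections import Counter

# Constructed sample in W3C extended log layout: tab-separated rows under a
# '#Fields:' directive. Field names, addresses and rule names are assumptions
# for illustration; a real log declares its own names on its '#Fields:' line.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tprotocol\tsource\tdestination\taction\trule",
    "2005-09-12\t06:41:02\tTCP\t192.168.16.20:1045\t203.0.113.10:1723\tInitiated Connection\tPPTP outbound",
    "2005-09-12\t06:41:03\tGRE\t192.168.16.20\t203.0.113.10\tDenied Connection\tDefault rule",
    "2005-09-12\t06:41:05\tTCP\t192.168.16.33:1102\t198.51.100.7:80\tInitiated Connection\tWeb access",
    "2005-09-12\t06:41:07\tTCP",  # truncated row, must be skipped
    "2005-09-12\t06:41:09\tTCP\t192.168.16.20:1045\t203.0.113.10:1723\tClosed Connection\tPPTP outbound",
])


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # The directive can reappear mid-file; honour the latest one.
            fields = [f.strip() for f in line[len("#Fields:"):].strip().split("\t")]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        else:
            values = line.split("\t")
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def split_endpoint(value):
    """Return (ip, port) from 'ip' or 'ip:port' (IPv4 only); port may be None."""
    ip, sep, port = value.partition(":")
    return ip, (int(port) if sep and port.isdigit() else None)


def channel(row):
    """Classify a row as PPTP 'control' (TCP 1723), 'gre' (protocol 47) or None."""
    proto = row["protocol"].upper()
    _, sport = split_endpoint(row["source"])
    _, dport = split_endpoint(row["destination"])
    if proto == "TCP" and 1723 in (sport, dport):
        return "control"
    if proto in ("GRE", "47"):
        return "gre"
    return None


def pptp_between(rows, client_ip, server_ip):
    """Keep PPTP-related rows exchanged between the two hosts, either direction."""
    pair = {client_ip, server_ip}
    hits = []
    for row in rows:
        src, _ = split_endpoint(row["source"])
        dst, _ = split_endpoint(row["destination"])
        kind = channel(row)
        if kind and {src, dst} == pair:
            hits.append((row["time"], kind, row["action"], row["rule"]))
    return hits


def summarize(hits):
    """Count actions per channel, e.g. {('gre', 'Denied Connection'): 1}."""
    return Counter((kind, action) for _, kind, action, _ in hits)


if __name__ == "__main__":
    found = pptp_between(parse_w3c(SAMPLE_LOG), "192.168.16.20", "203.0.113.10")
    for hit in found:
        print(*hit, sep="  ")
    print(dict(summarize(found)))
```

A denied `gre` row beside an allowed `control` row means the PPTP control connection got through while the tunnel traffic itself was blocked.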