Re: Remote Access and ISA Server in SBS 2003?



Dear Tom:
Thank you for the update.

I am glad to hear the Remote Access Wizard is working fine now.

Regarding the error 800 issue, can you provide me the output of the PPTP
Ping test?

Generally speaking, there is no difference in VPN between SBS 4.5 and SBS
2003. To enable VPN connection, we need to open TCP port 1723 and IP
protocol 47 for GRE packets. As I mentioned before, the VPN error 800 is
probably caused by the hardware router. If the PPTP Ping test doesn't work,
it appears that either the port 1723 or the GRE 47 packets are blocked by
the hardware router. (Since the VPN test works fine if the client is
directly connected to the SBS box, the VPN Server should be configured
correctly.)

Here, I would suggest you contact the vendor of the hardware router for
more detailed information.

Note: The problem may also be caused by the hardware router at the remote
side. You may go to a remote client which is directly connected to the
modem and perform a VPN test again to see if the VPN can be established.

Error Message: VPN Connection Error 800: Unable to Establish Connection
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q319108

Moreover, I would suggest you try the following workaround:
In some cases, we can configure the router to forward TCP/UDP port 47 to
the external NIC of the SBS Server. Some routers may still not work after
we perform the port forwarding. GRE was designed to provide a simple,
general purpose mechanism for encapsulating data sent over IP networks. GRE
is a client protocol of IP using IP protocol 47. Compared with TCP/UDP
protocol, the IP protocol is definitely a different layer protocol. That is
why forwarding TCP/UDP port 47 is just a WORKAROUND in some cases.

More information about GRE 47:
GRE Protocol 47 Packet Description and Use
http://support.microsoft.com/default.aspx?scid=KB;[LN];241251

Look forward to hearing how it goes!

Have a nice day!

Best Regards
Edward Tian(MSFT)
Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| NNTP-Posting-Date: Wed, 19 Oct 2005 11:30:34 -0500
| From: "Tom Walker" <twalker@xxxxxxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| References: <hfednexQD5gZdNbenZ2dnUVZ8qudnZ2d@xxxxxxxxx>
|  <nUTDMOw0FHA.1144@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Remote Access and ISA Server in SBS 2003?
| Date: Wed, 19 Oct 2005 17:30:25 +0100
|
| Edward
|
| I've managed to work through your suggestions and have got the following
| results:
|
| 1/2. Fixed the LAT and removed the 192.168.0.x range as my server external
| NIC and router belong to this range.
|
| 3. Once I was able to get the server started with the NIC addresses OK, I
| was able to run the Remote Access Wizard (and previously the CEICW) without
| errors being reported. I was also able to complete the ISA Management
| dialogue to allow VPN connections without objection.
|
| Unfortunately, attempts to connect remotely by VPN still get the 800
| message.
|
| I haven't tried the PPTP Ping tests as I'm not getting any kind of
| connection.
|
| Finally, I connected my laptop via a switch to the server Internet NIC and
| configured the IP settings to a fixed address on the same subnet. I
| couldn't change the Firewall settings because "for my safety, some settings
| are controlled by Group Policy"!
|
| Configured a VPN connection on the client and connected straight through!
| Was able to access shared folders on the server and open my email in
| Outlook.
|
| According to your notes - I assume that means it's the router. But I can
| connect to the SBS4.5 production server from the same remote PC using VPN
| through the same router without changing any settings (I'm going to
| double-check this tonight with both the remote PC and the laptop I've just
| used to test the direct VPN connection to the SBS 2003 box).
|
| My router settings are very simple:
| - Outbound allows Any/Always
| - Inbound blocks everything except:
|     VPN-PPTP (TCP 1723)
|     SMTP (TCP 25)
|
| Is there a difference in VPN between SBS4.5 and SBS2003 that needs something
| else to be opened on the router?
|
| Regards
|
| Tom
|
| "Edward Tian" <v-edtian@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:nUTDMOw0FHA.1144@xxxxxxxxxxxxxxxxxxxxxxxx
| > Dear Tom:
| > Thank you for your reply in mail.
| >
| > I am sorry for the delayed response due to weekend. Please understand that
| > the newsgroups are staffed weekdays by Microsoft Support professionals to
| > answer your systems and applications questions. Your understanding is
| > greatly appreciated!
| >
| > From the error information:
| > ========
| > *** Configuring ISA for VPN returned ERROR 8007041c Specifying error
| > location returned OK
| > *** CRRASCommit::CommitRRAS returned ERROR 8007041c
| > *** CRRASCommit::CommitEx returned ERROR 8007041c
| > ========
| >
| > Can I assume you are using the ISA 2000?
| > This issue may occur if the Microsoft Firewall service is not started and
| > will not start due to a mis-configuration in the ISA LAT. This is
| > preventing the Remote Access Wizard from completing successfully.
| >
| > In addition, you may receive the following error and event ID's when you
| > try to start the Microsoft Firewall service.
| >
| > I suggest that we do the following:
| >
| > 1. Fix the ISA LAT.
| >
| > a. Open the ISA Management Console.
| > b. Expand 'Servers and Arrays', expand COMPUTERNAME, and expand Network
| > Configuration.
| > c. Right-click 'Local Address Table (LAT)' and click 'Construct LAT'. Leave
| > any check boxes that are selected by default selected. Click to select the
| > check box for your internal adapter. Click OK two times.
| >
| > 2. Restart the Microsoft ISA Server Control service.
| >
| > 3. Re-run the Remote Access Wizard.
| >
| > By the way, if we try the following method to configure the VPN Server,
| > will it work?
| > a. Open the ISA management console, navigate to Network Configuration,
| > right click it and choose "Allow VPN client connections", follow the
| > instruction and complete the wizard.
| > b. Establish the VPN Connection again, does it work this time?
| >
| >
| > As I mentioned in my first reply, we can use the PPTP Ping utility to check
| > the connectivity between the remote client and the VPN Server. For your
| > convenience, I attach the steps below:
| >
| > Please use PPTP Ping to test if 1723 port and GRE protocol are allowed to
| > pass through. To do so:
| > a. Please run Pptpsrv.exe on the server side.
| > b. Run Pptpclnt.exe [ServerNameorIPaddress] on remote client.
| > c. When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
| > and then click Enter.
| > d. You will see the text received at the host running Pptpsrv.exe. Then you
| > will see five GRE packets sent from Pptpclnt.exe and received at
| > Pptpsrv.exe.
| > Provide me with the output for reference.
| > NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP support
| > tools. For your convenience, I have attached the file within this reply.
| > NOTE: You should stop the Routing and Remote Access service on the RRAS
| > (VPN) server so that PPTPSRV can bind to port 1723
| >
| > In addition, to verify whether the router is the root cause, please do the
| > following steps:
| >
| > a. Please temporarily place a client directly connected to the external NIC
| > of the SBS Server. You can connect the external network adapter of the SBS
| > Server to a simple hub and connect the client to the same hub.
| >
| > b. Manually configure the TCP/IP settings on the client computer to be on
| > the same subnet as the external network adapter of the SBS Server.
| >
| > c. Turn off the Firewall Client on the client computer.
| >
| > d. Configure the VPN connection on the client and do a VPN test.
| >
| > Does this problem persist?
| >
| > I appreciate your time and patience. Please feel free to let me know if
| > there is anything I can do for you.
| >
| > Have a nice day!
| >
| >
| > Best Regards
| > Edward Tian(MSFT)
| > Microsoft CSS Online Newsgroup Support
| >
| >
| > --------------------
| > | NNTP-Posting-Date: Tue, 11 Oct 2005 11:34:12 -0500
| > | From: "Tom Walker" <twalker@xxxxxxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Subject: Remote Access and ISA Server in SBS 2003?
| > | Date: Tue, 11 Oct 2005 17:32:59 +0100
| > |
| > | I'm in the last stages (I hope) of testing a new SBS 2003 server created
| > | using Jeff Middleton's SwingIT method (from SBS 4.5).
| > |
| > | One of the last tasks prior to scheduling the live switch-over is to get the
| > | VPN working again with a small number of home-based clients using the same
| > | Router/DSL modem that's working on the SBS 4.5 setup (unplug/replug).
| > |
| > | When I try to connect a VPN client to SBS 2003, the client gets an 800
| > | message - "unable to establish VPN...unable to contact server or
| > | security..." message. However, I also get a System event logged in the SBS
| > | 2003 box - Remote/Access 20192 (I think I can clear this by applying MS
| > | Article 245476). Does that suggest I'm getting through?
| > |
| > | I've got the User and Computer set up to allow dial-in.
| > |
| > | Any guidance on how to establish where it's getting stopped would be very
| > | much appreciated.
| > |
| > | Many thanks
| > |
| > | Tom Walker
|
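
The reply at the top of this thread distinguishes TCP/UDP port 47 from IP protocol 47 (GRE). The sketch below is an added example, not part of the original posts or any Microsoft tool: it builds constructed IPv4 packets for the two PPTP flows and runs them through a default-deny inbound filter. The rule sets are hypothetical models of a router configuration, not the settings of any device in the thread.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47

def ipv4_packet(proto, payload, src="198.51.100.7", dst="203.0.113.10"):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload

def classify(packet):
    """Return (ip_protocol, dst_port); dst_port is None when the protocol has no ports."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # the IP "protocol" field, not a port
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None                    # GRE carries no port numbers at all

def allowed(packet, rules):
    """rules: list of (ip_protocol, dst_port or None); anything unlisted is dropped."""
    return classify(packet) in rules

def pptp_check(rules):
    """Report which of the two PPTP flows an inbound rule set lets through."""
    control = ipv4_packet(IPPROTO_TCP, struct.pack("!HH", 50000, 1723) + bytes(16))
    # Enhanced GRE header as used by PPTP: flags/version 0x3001, protocol type 0x880B (PPP)
    data = ipv4_packet(IPPROTO_GRE, struct.pack("!HHHH", 0x3001, 0x880B, 0, 0) + bytes(4))
    return {"tcp_1723_control": allowed(control, rules),
            "gre_47_data": allowed(data, rules)}

# Hypothetical rule sets (assumptions for illustration only)
PORTS_ONLY = [(IPPROTO_TCP, 1723), (IPPROTO_TCP, 25)]
PORT_47_FORWARD = PORTS_ONLY + [(IPPROTO_TCP, 47), (IPPROTO_UDP, 47)]
GRE_PASSTHROUGH = PORTS_ONLY + [(IPPROTO_GRE, None)]

if __name__ == "__main__":
    for name, rules in [("ports only", PORTS_ONLY),
                        ("TCP/UDP port 47 forwarded", PORT_47_FORWARD),
                        ("IP protocol 47 allowed", GRE_PASSTHROUGH)]:
        print(name, pptp_check(rules))
```

In this model, only the rule set that matches on the IP protocol field passes the GRE data flow; a rule for TCP or UDP port 47 never matches it, because a GRE packet has no port to compare.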
