RE: Configuring ISA 2004 for outbound MS VPN access



Hi Andrew,

Thank you for posting in SBS newsgroup.

From the description, I understand the issue to be: you want to let
internal users connect to an external VPN server through Microsoft
Internet Security and Acceleration (ISA) Server 2004. If I have
misunderstood your concerns, please do not hesitate to let me know.

As far as I know, the firewall client application identifies the
internal/external traffic according to the LAT and the routing table. When
the traffic is identified as outgoing external traffic, it is picked up by
the firewall client application and then sent to the ISA server. Since the
remote VPN network is not in the local ISA server's LAT (for ISA 2004, it's
the address range of internal network objects), the firewall client picks
up the traffic and sends it to the ISA server. This caused the problem.
Generally speaking, to use a VPN client through the ISA server, we
recommend the client use SecureNAT mode. You may refer to the following KB
articles for detailed information:

838245 How to permit PPTP clients to access the external network through ISA
http://support.microsoft.com/?id=838245

887006 When you use the ISA 2004 Firewall Client program, you cannot make a
http://support.microsoft.com/?id=887006

Please also run CEICW and select Enable firewall and then make sure Virtual
Private Networking (VPN) is selected in the Services Configuration page.

More information:

323441 How To Install and Configure a Virtual Private Network Server in
Windows
http://support.microsoft.com/?id=323441

886621 You receive an "Unable to establish the VPN connection" error message
http://support.microsoft.com/?id=886621

283628 How to Enable PPTP Clients to Connect Through an ISA Firewall
http://support.microsoft.com/?id=283628

812076 How to enable a Cisco IPSec VPN client to connect to a Cisco VPN
http://support.microsoft.com/?id=812076

For remote access between two offices, I also provide the following
documents for your reference:

Connecting a Remote Office to a Small Business Server 2000 Network
http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/remotofc.mspx

Note: this article is for SBS 2000 network but it can also apply to SBS
2003 network.

888711 Site-to-site VPN in ISA Server 2004
http://support.microsoft.com/?id=888711

812076 HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
http://support.microsoft.com/?id=812076

Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
VPNs
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/vpndpls2.asp

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Windows 2000 RRAS - Part 1
http://www.isaserver.org/tutorials/g2gisa2rraspart1.html

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Windows 2000 RRAS - Part 2
http://www.isaserver.org/articles/g2gisa2rraspart2.html

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Branch Office ISA Server/Domain Controller - Part 1
http://www.isaserver.org/tutorials/gatewaytogatewaywithdc.html

Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
Server to Branch Office ISA Server/Domain Controller - Part 2
http://www.isaserver.org/tutorials/gatewaytogatewaywithdcpart2.html

I hope the above information helps. If you have any questions or concerns,
please feel free to let me know. I look forward to your reply!

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Configuring ISA 2004 for outbound MS VPN access
| From: Andrew <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Configuring ISA 2004 for outbound MS VPN access
| Date: Mon, 21 Nov 2005 20:57:02 -0800
| Newsgroups: microsoft.public.windows.server.sbs
|
| I'm trying to connect to my clients' networks through the Microsoft VPN
| client. ISA is blocking this traffic on port 1723. When I create a rule to
| allow outgoing traffic on 1723, I notice that I can connect but not
| authenticate.
|
| So, what Rule do I need to create and what protocols do I need to enable to
| allow access from any internal computers behind my ISA 2004 server to either
| all external sources, or specific IP addresses associated with my clients
| routers.
|
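
Added example (not part of the original post and not ISA Server code): a Python model of the decision the reply describes, in which a destination outside the internal network address ranges counts as external and is handed to the ISA server by the Firewall Client. The address ranges and destinations are constructed sample values, and only the LAT check is modelled, not the routing table.

```python
import ipaddress

# Constructed sample: start-end address ranges of the ISA "Internal"
# network object (the LAT in the reply's terms). Not taken from the post.
INTERNAL_RANGES = [
    ("192.168.16.0", "192.168.16.255"),
    ("10.0.0.0", "10.0.3.255"),
]


def build_lat(ranges):
    """Expand start-end ranges into a minimal, sorted list of CIDR networks."""
    nets = []
    for first, last in ranges:
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last)
        if lo > hi:
            raise ValueError(f"range start is after range end: {first}-{last}")
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))


def classify(dest, lat):
    """Return 'internal' if dest is inside the LAT, otherwise 'external'.

    Per the reply, 'external' traffic is what the Firewall Client picks up
    and sends to the ISA server; a remote VPN server falls in this group.
    """
    addr = ipaddress.ip_address(dest)
    return "internal" if any(addr in net for net in lat) else "external"


def report(destinations, ranges=INTERNAL_RANGES):
    """Classify each destination address against the configured ranges."""
    lat = build_lat(ranges)
    return {dest: classify(dest, lat) for dest in destinations}


if __name__ == "__main__":
    # Constructed destinations: a LAN host, an address just past the second
    # range, and a remote VPN server (documentation address space).
    for dest, kind in report(["192.168.16.20", "10.0.4.1", "203.0.113.10"]).items():
        print(f"{dest:15} {kind}")
```
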
