RE: Configuring ISA 2004 for outbound MS VPN access


Hi Andrew,

Thanks for your reply.

From the description, do you mean you cannot RDP to remote clients from
the SBS LAN clients? If so, you may need to disable the firewall client on
SBS LAN clients.

The following is the method of allowing outbound 3389 and 5900 traffic:

1. Create a new protocol as follows:

1) Click "Start", point to "Programs", point to "Microsoft ISA Server", and
then click "ISA Server Management".
2) In "ISA Server Management", expand "<ISA_Server_Name>", where
<ISA_Server_Name> is the name of your ISA Server computer. Expand "Firewall
Policy", click the "Toolbox" tab, and then click New Protocol.
3) Follow the wizard to create an outbound protocol for 3389 and 5900.

2. Create a Firewall Policy to allow outgoing traffic as follows:

1) Click "Start", point to "Programs", point to "Microsoft ISA Server", and
then click "ISA Server Management".
2) In "ISA Server Management", expand "<ISA_Server_Name>", where
<ISA_Server_Name> is the name of your ISA Server computer. Expand "Firewall
Policy", click the "Tasks" tab, and then click "Create New Access Rule".
3) On the "Welcome to the New Access Rule Wizard" page, type a name in the
"Access rule name" field, and then click "Next".
4) On the "Rule Action" page, click the "Allow" option, and then click
"Next".
5) On the "Protocols" page, select "Selected protocols", add the protocol
you have just created under "User-Defined", and then click "Next".
6) On the "User Sets" page, add all users.
7) Follow the wizard to finish it.

Hope the above information helps and I look forward to hearing from you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Configuring ISA 2004 for outbound MS VPN access
| From: Andrew <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: Configuring ISA 2004 for outbound MS VPN access
| Date: Wed, 23 Nov 2005 05:05:05 -0800
| Newsgroups: microsoft.public.windows.server.sbs

|
| Hi Crina,
|
| Thank you for your help.
|
| Using article 838245 I was able to configure outbound PPTP connections to
| External networks. I am able to connect to my clients now and ping their
| internal IP addresses. I cannot however use RDP or VNC through the
| connection. What else do I need to do to allow 3389 and 5900 traffic to
| them?
|
| Thanks,
|
| Andrew
|
| "Crina Li" wrote:
|
| > Hi Andrew,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > From the description, I understand the issue to be: you want to let
| > internal users to connect to an external VPN server through Microsoft
| > Internet Security and Acceleration (ISA) Server 2004. If I have
| > misunderstood your concerns, please do not hesitate to let me know.
| >
| > As far as I know, the firewall client application identifies the
| > internal/external traffic according to the LAT and the routing table.
| > When the traffic is identified as outgoing external traffic, it would be
| > picked up by the firewall client application and then sent to the ISA
| > server. Since the remote VPN network is not in the local ISA server's LAT
| > (for ISA 2004, it's the address range of internal network objects), the
| > firewall client picks up the traffic and sends it to the ISA server. This
| > caused the problem. Generally speaking, to use a VPN client through the
| > ISA server, we recommend the client use SecureNAT mode. You may refer to
| > the following KB articles for the detailed information:
| >
| > 838245 How to permit PPTP clients to access the external network through ISA
| > http://support.microsoft.com/?id=838245
| >
| > 887006 When you use the ISA 2004 Firewall Client program, you cannot make a
| > http://support.microsoft.com/?id=887006
| >
| > Please also run CEICW and select Enable firewall and then make sure
| > Virtual Private Networking (VPN) is selected in the Services
| > Configuration page.
| >
| > More information:
| >
| > 323441 How To Install and Configure a Virtual Private Network Server in
| > Windows
| > http://support.microsoft.com/?id=323441
| >
| > 886621 You receive an "Unable to establish the VPN connection" error message
| > http://support.microsoft.com/?id=886621
| >
| > 283628 How to Enable PPTP Clients to Connect Through an ISA Firewall
| > http://support.microsoft.com/?id=283628
| >
| > 812076 How to enable a Cisco IPSec VPN client to connect to a Cisco VPN
| > http://support.microsoft.com/?id=812076
| >
| > For remote access between two offices, I also provide the following
| > documents for your reference:
| >
| > Connecting a Remote Office to a Small Business Server 2000 Network
| > http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/remotofc.mspx
| >
| > Note: this article is for SBS 2000 network but it can also apply to SBS
| > 2003 network.
| >
| > 888711 Site-to-site VPN in ISA Server 2004
| > http://support.microsoft.com/?id=888711
| >
| > 812076 HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
| > http://support.microsoft.com/?id=812076
| >
| > Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs
| > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/vpndpls2.asp
| >
| > Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
| > Server to Windows 2000 RRAS - Part 1
| > http://www.isaserver.org/tutorials/g2gisa2rraspart1.html
| >
| > Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
| > Server to Windows 2000 RRAS - Part 2
| > http://www.isaserver.org/articles/g2gisa2rraspart2.html
| >
| > Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
| > Server to Branch Office ISA Server/Domain Controller - Part 1
| > http://www.isaserver.org/tutorials/gatewaytogatewaywithdc.html
| >
| > Joining Networks over the Internet with a Gateway to Gateway VPN: ISA
| > Server to Branch Office ISA Server/Domain Controller - Part 2
| > http://www.isaserver.org/tutorials/gatewaytogatewaywithdcpart2.html
| >
| > I hope the above information helps. If you have any questions or
| > concerns, please feel free to let me know. I look forward to your reply!
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Thread-Topic: Configuring ISA 2004 for outbound MS VPN access
| > | From: Andrew <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: Configuring ISA 2004 for outbound MS VPN access
| > | Date: Mon, 21 Nov 2005 20:57:02 -0800
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | I'm trying to connect to my clients' networks through the Microsoft VPN
| > | client. ISA is blocking this traffic on port 1723. When I create a rule
| > | to allow outgoing traffic on 1723, I notice that I can connect but not
| > | authenticate.
| > |
| > | So, what Rule do I need to create and what protocols do I need to enable
| > | to allow access from any internal computers behind my ISA 2004 server to
| > | either all external sources, or specific IP addresses associated with my
| > | clients' routers?
| > |
| >
| >
|
