RE: VPN Access to External Site

---

• From: SpinalTap <SpinalTap@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Sat, 1 Apr 2006 14:10:02 -0800

---

Hi Crina,

I was able to try your suggestions, but I am still not having any luck.

I tried the following:

- ran CEICW, and ensured that VPN was selected
- added the PPTP access rule to ISA 2004
- made my ISA 2004 server my default gateway
- ensured that IP routing was enabled in ISA 2004

I received the following errors in the ISA log:

192.168.16.28:1540 VPN.IP.x.122:1723 - Internal xxx_VPN Failed 0x80072743
192.168.16.28:1540 VPN.IP.x.122:1723 - Internal xxx_VPN Failed 0x80072743
192.168.16.28:1540 VPN.IP.x.122:1723 - Internal xxx_VPN Failed 0x80072743

It almost seems as if the destination is denying my connection, although if
I connect a computer directly to the internet, it allows the connection.
That is why I think it has to do with ISA 2004.

I googled 0x80072743, with the following results:

WSAENETUNREACH (0x80072743)

Network is unreachable.

A socket operation was attempted to an unreachable network. This usually
means the local software knows no route to reach the remote host

Unfortunately, that still does not mean much to me.

Any further assitance you could provide would be greatly appreciated.

Thanks.

-Dean

""Crina Li"" wrote:

Hi Dean,

Thank you for posting in SBS newsgroup.

From the description, I understand the issue to be: you want to let
internal users to connect to an external VPN server through Microsoft
Internet Security and Acceleration (ISA) Server 2004. If I have
misunderstood your concerns, please do not hesitate to let me know.

As I know, the firewall client application identifies the internal/external
traffic according to the LAT and the routing table. When the traffic is
identified as outgoing external traffic, it would be picked up by the
firewall client application and then sent to the ISA server. Since the
remote VPN network is not in the local ISA server's LAT (for ISA 2004, it's
the address range of internal network objects), the firewall client picks
up the traffic and send it to the ISA server. This caused the problem.
Generally speaking, to use a VPN client through the ISA server, we
recommend the client use SecureNAT mode. You may refer to the following KB
article for the detailed information:

838245 How to permit PPTP clients to access the external network through ISA
http://support.microsoft.com/?id=838245

887006 When you use the ISA 2004 Firewall Client program, you cannot make a
http://support.microsoft.com/?id=887006

Please also run CEICW and select Enable firewall and then make sure Virtual
Private Networking (VPN) is selected in the Services Configuration page.

More information:

323441 How To Install and Configure a Virtual Private Network Server in
Windows
http://support.microsoft.com/?id=323441

886621 You receive an "Unable to establish the VPN connection" error message
http://support.microsoft.com/?id=886621

867483 How to configure networks in ISA Server 2004
http://support.microsoft.com/?id=867483

Connecting a Remote Office to a Small Business Server 2000 Network
http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/remotofc.mspx

Note: this article is for SBS 2000 network but it can also apply to SBS
2003 network.

888711 Site-to-site VPN in ISA Server 2004
http://support.microsoft.com/?id=888711

305550 How to configure a VPN connection to your corporate network in
Windows
http://support.microsoft.com/?id=305550

I hope the above information helps. If you have any questions or concerns,
please feel free to let me know. I look forward to your reply!

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: VPN Access to External Site
|| From: =?Utf-8?B?U3BpbmFsVGFw?= <SpinalTap@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: VPN Access to External Site
| Date: Thu, 30 Mar 2006 08:24:03 -0800
| Newsgroups: microsoft.public.windows.server.sbs
| |
| SBS 2003 Premium, ISA 2004 SP1
|
| Hello,
|
| I am trying to VPN to an external site from a computer on my SBS 2003
| network. The external site is not related to our network at all.
|
| Is there a set of documented steps on how to configure ISA 2004 for this
| (i.e. Step 1, add a new network, step 2 add network rule, Step 3 add
firewall
| policy, etc)? I have tried to piece it together, but have had no luck
and
| must be missing something.
|
| To confirm that the external network is configured correctly, I am able
to
| VPN via a computer directly connected to the network, and not behind an
ISA
| 2004 firewall.
|
| Thanks in advance.
|
| -Dean
|

.

---

• Follow-Ups:
  • RE: VPN Access to External Site
    • From: "Crina Li"

• Prev by Date: Re: Internet Blockin
• Next by Date: Re: Technet DVD install
• Previous by thread: RE: Manual VPN works...Connect to SBS doesn't
• Next by thread: RE: VPN Access to External Site
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Quick Mode SA fails because of ISA Server proposal ... You should get in tough with SAP and get your VPN connection working up to ... presents the entire IP-range of your internal network. ... Everytime you restart your ISA Server or the IPsec service, ... (microsoft.public.isa.vpn) Re: Outgoing VPN Error 619 ... Outbound VPN problem: ... Q1 - is the test client configured as SecureNET? ... Q2 - what do you find in the ISA logs for your tests? ... I've checked in local network rules and I do have a rule called VPN clients ... (microsoft.public.isa.vpn) Re: Outgoing VPN Error 619 ... Jim Harrison (ISA SE) ... A network capture will be very revealing. ... Ok Inbound VPN access is now working, just the Outbound VPN problem to go ... As long as the VPN client is assigned an address from this predefined ... (microsoft.public.isa.vpn) Re: VPN not working when i connect through SBS 2003 server running ISA 2004 ... I've tried playing around with the security settings to no avail. ... problem PCs (we have tested several within the network behind ISA) will VPN ... VPN endpoint. ... (microsoft.public.windows.server.sbs) Re: VPN from workstation behind ISA 2006 ... The ISA is acting at the LAN Router. ... used for a VPN Server? ... What are the IP Ranges listed in the properties of the Internal Network ... (microsoft.public.isa.vpn)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.sbs  > 2006-04