RE: SBS PE - Unable to establish Outbound VPN
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Mon, 28 Aug 2006 06:41:12 GMT
Hi Andy,
Thanks for your update.
To narrow down the problem, would you please help me confirm whether the
configuration is the same in the 2 SBS sites and whether there is also ISA 2004
in the good SBS site?
Based on my experience, ISA 2004 will check the Call ID of the VPN connection,
and many routers will modify the Call ID during the session. At this point,
ISA will consider it a threat and drop the connection. Please contact
your router's provider to install the latest version of firmware for the
router.
Based on my research, some third-party routers will drop the connection.
Please see:
Remote VPN Clients Cannot Log On to Network
http://support.microsoft.com/default.aspx?scid=kb;EN-US;329858
Thanks for your time and I look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: SBS PE - Unable to establish Outbound VPN
| From: =?Utf-8?B?QW5keSBI?= <AndyH@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: SBS PE - Unable to establish Outbound VPN
| Date: Fri, 25 Aug 2006 04:14:02 -0700
|
| Hi Crina
|
| Thank you for your response. What we are trying to do is connect to a
| remote server via PPTP from inside the SBS network. I understand that the
| firewall client does not support this and secure NAT must be configured (it
| is). To assist in testing I have tried to connect from the SBS server to the
| remote server and still get error 628. Note that I have another SBS (in
| another location) with the same configuration and I can connect to the remote
| server.
|
| I have created a PPTP outbound rule as described in 838245 and also note
| there is a SBS PPTP Outbound rule. I still see the same error.
|
| Regards
|
| Andy
|
| "Crina Li" wrote:
|
| > Hi Andy,
| >
| > Thank you for posting in the SBS Newsgroup.
| >
| > From the description, do you mean you want to let internal clients
| > connect to an external VPN server through SBS with ISA 2004 or VPN to SBS
| > with ISA 2004 from remote client?
| >
| > If it is the former, since you have ISA 2004 installed on SBS, please refer to
| > the following information:
| >
| > As I know, the firewall client application identifies the internal/external
| > traffic according to the LAT and the routing table. When the traffic is
| > identified as outgoing external traffic, it would be picked up by the
| > firewall client application and then sent to the ISA server. Since the
| > remote VPN network is not in the local ISA server's LAT (for ISA 2004, it's
| > the address range of internal network objects), the firewall client picks
| > up the traffic and sends it to the ISA server. Generally speaking, to use a
| > VPN client through the ISA server, we recommend the client use SecureNAT
| > mode. You may refer to the following KB article for the detailed
| > information:
| >
| > 838245 How to permit PPTP clients to access the external network through ISA
| > http://support.microsoft.com/?id=838245
| >
| > 887006 When you use the ISA 2004 Firewall Client program, you cannot make a
| > http://support.microsoft.com/?id=887006
| >
| > Please also run CEICW and select Enable firewall and then make sure Virtual
| > Private Networking (VPN) is selected in the Services Configuration page.
| >
| > If it is the latter, please refer to the following steps:
| >
| > 1. Run CEICW, follow the wizard and select Enable firewall and then make
| > sure Virtual Private Networking (VPN) is selected in the Services
| > Configuration page. And make sure you have typed the public FQDN of the SBS
| > server on the Web Server Certificate page.
| > 2. Run Remote Access Wizard in Server Management\Internet and
| > E-mail\Configure Remote Access, and select VPN access in the Remote Access
| > Method page. After finishing this wizard, RRAS is configured to allow
| > inbound VPN access, and it can assign IP addresses to the VPN clients by
| > using DHCP.
| >
| > Note: When we run the remote access wizard to set up the VPN service, we
| > need to input the public IP address or the public FQDN of the SBS server.
| > We need to make sure that the address can be accessed from the internet.
| >
| > 3. On the VPN client, go to https://publicFQDN/remote, clear I'm using a
| > public or shared computer, log in and download Connection Manager.
| > 4. Install Connection Manager on the VPN client.
| > 5. Is there a hardware router installed in front of the SBS server? If so,
| > ensure that the port forwarding for TCP 1723 and GRE port (protocol number
| > 47) are opened. PPTP VPN negotiates a connection on TCP port 1723 and
| > sends data to and from the PPTP server using the GRE protocol (IP Protocol
| > 47, 0x2F if you are looking in Network Monitor). You should open port 1723
| > on the router and also make sure IP Protocol 47 is allowed.
| >
| > More information:
| >
| > 323441 How To Install and Configure a Virtual Private Network Server in
| > Windows
| > http://support.microsoft.com/?id=323441
| >
| > 886621 You receive an "Unable to establish the VPN connection" error message
| > http://support.microsoft.com/?id=886621
| >
| > ISA Server 2004 Performance Best Practices
| > http://www.microsoft.com/technet/prodtechnol/isa/2004/performancebestpractices.mspx
| >
| > How to configure networks in ISA Server 2004
| > http://support.microsoft.com/?id=867483
| >
| > What's New and Improved in ISA Server 2004
| > http://www.microsoft.com/isaserver/evaluation/whatsnew.asp
| >
| > ISA Server 2004 Quick Start Guide
| > http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_quickstartguide-Rev%201%2003.doc
| >
| > ISA Server 2004 Configuration Guide
| > http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc
| >
| > I appreciate your time and look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Thread-Topic: SBS PE - Unable to establish Outbound VPN
| > | From: =?Utf-8?B?QW5keSBI?= <AndyH@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: SBS PE - Unable to establish Outbound VPN
| > | Date: Thu, 24 Aug 2006 11:55:02 -0700
| > |
| > | I am having some difficulty at one client site (SBS PE with ISA 2004)
| > | establishing PPTP VPN connections. I keep getting an error 628, the
| > | connection was terminated by the remote computer before it could be
| > | completed. I have tested from the server and from client workstations
| > | inside the network with the same result. When I try from my network
| > | (exactly the same config right down to ISA rules), I do not have any
| > | issues.
| > |
| > | Turning on ISA realtime monitoring, I can see the connection being
| > | established with the right IP, destination port 1723, PPTP, Initiated
| > | Connection with the SBS PPTP Outbound Access Rule. Next line is same
| > | IP, destination port 0, PPTP, Initiated Connection, SBS PPTP Outbound
| > | Access Rule.
| > |
| > | Next 2 lines are for destination ports 1723 and 0, Closed Connection,
| > | SBS PPTP Outbound Access Rule.
| > |
| > | When making the VPN connection you can see it getting as far as
| > | verifying username and password before error 628 pops up.
| > |
| > | Outside of the ISA server they have a Draytek Vigor firewall, and we
| > | have successfully established a PPTP connection from behind it, ruling
| > | it out of the equation I think!
| > |
| > | I have searched and can find no solutions to this. I have tried it from the
| > | server and from client workstations with the firewall client disabled.
| > |
| > | Wonder if anyone has any ideas.
| > |
| > | Andy
| > |
| > |
| >
| >
|
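Added example (not part of the original thread, and not ISA Server's own logic): a diagnostic for the Call ID point raised in the top reply. It reads the Call IDs negotiated on TCP 1723 and compares them with the Call IDs carried in the GRE (IP protocol 47) packets, using the field layout from RFC 2637. The sample bytes are constructed and all function names are hypothetical.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D      # magic cookie in every PPTP control message (RFC 2637)
OCRQ, OCRP = 7, 8            # Outgoing-Call-Request / Outgoing-Call-Reply
GRE_PPTP = 0x880B            # protocol type of the enhanced GRE header PPTP uses

def parse_control(msg):
    """Extract the Call ID fields from an OCRQ or OCRP seen on TCP 1723."""
    length, msg_type, magic, ctrl, _ = struct.unpack("!HHIHH", msg[:12])
    if length != len(msg) or msg_type != 1 or magic != PPTP_MAGIC:
        raise ValueError("not a well-formed PPTP control message")
    if ctrl == OCRQ:
        return {"call_id": struct.unpack("!H", msg[12:14])[0]}
    if ctrl == OCRP:
        call_id, peer = struct.unpack("!HH", msg[12:16])
        return {"call_id": call_id, "peer_call_id": peer}
    raise ValueError(f"unhandled control message type {ctrl}")

def gre_call_id(pkt):
    """Return the Call ID from an enhanced GRE header (IP protocol 47)."""
    flags, proto, _plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if flags & 0x2007 != 0x2001 or proto != GRE_PPTP:   # K bit set, version 1
        raise ValueError("not a PPTP GRE packet")
    return call_id

def check_call_ids(ocrq, ocrp, gre_to_server, gre_to_client):
    """List every place where a Call ID differs from the negotiated one."""
    client_id = parse_control(ocrq)["call_id"]
    reply = parse_control(ocrp)
    findings = []
    if reply["peer_call_id"] != client_id:
        findings.append(("reply", reply["peer_call_id"], client_id))
    # Each GRE packet carries the Call ID chosen by the side it is sent to.
    for name, pkts, want in (("to_server", gre_to_server, reply["call_id"]),
                             ("to_client", gre_to_client, client_id)):
        findings += [(name, got, want) for got in map(gre_call_id, pkts) if got != want]
    return findings

# Constructed sample (not a real capture): client Call ID 0x4000, server 0x0007.
def ctrl(kind, body):
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, kind, 0) + body

def gre(call_id):
    return struct.pack("!HHHHI", 0x3001, GRE_PPTP, 0, call_id, 1)

SAMPLE_OCRQ = ctrl(OCRQ, struct.pack("!HH", 0x4000, 1) + bytes(152))
SAMPLE_OCRP = ctrl(OCRP, struct.pack("!HHBBHIHHI", 7, 0x4000, 1, 0, 0, 10**7, 64, 0, 0))
CONSISTENT = check_call_ids(SAMPLE_OCRQ, SAMPLE_OCRP, [gre(7)], [gre(0x4000)])
REWRITTEN = check_call_ids(SAMPLE_OCRQ, SAMPLE_OCRP, [gre(7)], [gre(0x0001)])
```

Each finding is a tuple of (where, Call ID seen, Call ID expected); an empty list means the control channel and the GRE packets agree.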