Re: VPN issues on SBS2003 with ISA 2004 installed
- From: "KenCraft" <kwcraft@xxxxxxxxx>
- Date: 8 Nov 2006 07:31:53 -0800
Thanks for the response.
I set up a new Access Rule per your settings and have put it at the top
of the list. Unfortunately, we still cannot browse.
The user can connect to the VPN without trouble. Even the ISA firewall
monitor says "Initiated Connection". When the user opens My Computer
and either clicks on a mapped drive OR types in the name of the server
(\\max), the firewall monitor says "Kerberos-SEC(UDP)" Denied
Connection, and they are unable to browse.
To clear up the ipconfig /all, I forgot that I wasn't connected to the
VPN when I posted that. When I am connected, the default gateway is the
IP of the VPN client, not 192.168.254.1. Sorry.
Any other suggestions?
Thanks again,
Ken
Terence Liu [MSFT] wrote:
Hello Ken Craft,
Thank you for posting here.
From your post, I understand that the VPN clients which are joined to the
domain cannot browse internal resources. If I am off base, please feel free
to let me know.
Based on my research, domain user authentication needs the Kerberos-SEC(UDP)
and Kerberos-SEC(TCP) protocols, so I suggest that we try to create a new
Access Rule to allow these protocols.
Please open the ISA management console, navigate to Firewall Policy, right
click "Firewall Policy" and click New->Access Rule, then create a new
access rule as follows:
Rule name: allow VPN user authentication
Rule Action: Allow
Protocols: Kerberos-SEC(UDP) and Kerberos-SEC(TCP)
Sources: VPN client
Destination: Local host and internal network
User Sets: All Users
Then move this rule to the top and click Apply to save all the settings.
Also, you can add to this rule other protocols that VPN clients use to
browse resources.
In addition, I checked the ipconfig /all result and noticed that the default
gateway (192.168.254.1) of the client does not point to the PPP adapter RAS
Server (Dial In) Interface IP address (192.168.254.11). Please check the DHCP
server configuration.
Hope these steps will give you some help. Please let me know the results so
that I can provide further assistance on this problem. I am looking forward
to your reply. Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "KenCraft" <kwcraft@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: VPN issues on SBS2003 with ISA 2004 installed
| Date: 7 Nov 2006 10:18:15 -0800
|
| I asked a question awhile ago about VPN but forgot where I posted it,
| found it today and it has been closed for being too old. :-( my fault.
| Anyhow:
|
| I've been working on this issue for nearly 2 months. I have SBS 2003
| patched to SP1 as well as ISA 2004 patched to SP1. My clients can
| connect to VPN and log in, however most of them cannot browse. I've
| narrowed down the problem to be an issue between either:
|
| 1. The Windows Firewall installed on the laptop. (I've turned this
| "off" and a few of them are now able to browse, but it didn't solve
| EVERYONE's problem).
|
| 2. ISA Firewall isn't accepting new policies. Running the Monitoring, I
| get Kerberos-SEC(UDP) Denied when a user tries to browse. I've added a
| policy to allow that protocol, but it doesn't work.
|
| I cannot run the wizard right now because everyone is here and working,
| but I can run it this evening after 6pm. Do I need to specifically add
| something to the "firewall" portion of the wizard for everyone to
| access?
|
| I'm also noticing that the issue is only prevalent on machines that are
| joined to the domain. I have 2 systems at home that do not belong to
| the domain, but they can connect and browse resources using the proper
| authentication without any problems.
|
| Another note: we are not using the firewall client on the network, it
| gave us a fit when we first installed the server 2 years ago and we
| developed a workaround to avoid installing it on the computers. We have
| a separate router set up as an internet gateway and that supplies
| internet access to the users. Below is a copy of an IPConfig /ALL from
| one laptop in question, and another from the server.
|
| Laptop:
|
| Windows IP Configuration:
|
| Host Name: croom1
| Primary Dns Suffix: ourdomain.local
| Node Type: Hybrid
| IP Routing Enabled: No
| WINS Proxy Enabled: No
| DNS Suffix Search List: ourdomain.local
|
|
| Ethernet adapter local area connection:
|
| Connection-specific DNS Suffix .: ourdomain.local
| description: 3Com 10/100
| Physical Address: 00-00-86-4F-7C
| Dhcp Enabled: Yes
| Autoconfiguration Enabled: Yes
| IP Address: 192.168.254.27
| Subnet Mask: 255.255.255.0
| Default Gateway: 192.168.254.1
| DHCP Server: 192.168.254.3
| DNS Servers: 192.168.254.3
| Primary WINS Server: 192.168.254.3
| Lease Obtained: Tues, Nov 07,06 12:56:11
| Lease Expires: Wed, Nov 08, 06 12:56:11
|
| Server:
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : max
| Primary Dns Suffix . . . . . . . : hannonarmstrong.local
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : Yes
| WINS Proxy Enabled. . . . . . . . : Yes
| DNS Suffix Search List. . . . . . : hannonarmstrong.local
|
| Ethernet adapter Internet Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet
| Physical Address. . . . . . . . . : 00-0E-7F-AB-D6-48
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 65.196.108.242
| Subnet Mask . . . . . . . . . . . : 255.255.240.0
| Default Gateway . . . . . . . . . : 65.196.108.241
| DNS Servers . . . . . . . . . . . : 192.168.254.3
| Primary WINS Server . . . . . . . : 192.168.254.3
| NetBIOS over Tcpip. . . . . . . . : Disabled
|
| PPP adapter RAS Server (Dial In) Interface:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| Physical Address. . . . . . . . . : 00-53-45-00-00-00
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 192.168.254.11
| Subnet Mask . . . . . . . . . . . : 255.255.255.255
| Default Gateway . . . . . . . . . :
| NetBIOS over Tcpip. . . . . . . . : Disabled
|
| Ethernet adapter Local Area Connection:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
| Physical Address. . . . . . . . . : 00-09-5B-8D-12-6C
| DHCP Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 192.168.254.3
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . :
| DNS Servers . . . . . . . . . . . : 192.168.254.3
|
| I can drop a netdiag or dcdiag post if you want it. When I ran it there
| were no errors.
|
| thanks
|
|
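Added example, not part of the original thread and not Microsoft's code: a Python script that tallies denied connections from the VPN Clients network in a firewall log export and separates protocols that the "allow VPN user authentication" rule already lists (yet are still denied, as Ken reports) from protocols the rule lacks. The CSV layout, column names, addresses and every rule name other than the one quoted in the thread are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample export: column names, addresses and rule names are
# assumptions for illustration, not a verbatim ISA Server 2004 log.
SAMPLE_LOG = """\
time,src_ip,dst_ip,protocol,action,rule,src_network,dst_network
07:30:01,192.168.254.50,192.168.254.3,Kerberos-SEC(UDP),Denied,Default rule,VPN Clients,Local Host
07:30:01,192.168.254.50,192.168.254.3,Kerberos-SEC(UDP),Denied,Default rule,VPN Clients,Local Host
07:30:02,192.168.254.50,192.168.254.3,DNS,Allowed,SBS rule (constructed),VPN Clients,Local Host
07:30:03,192.168.254.50,192.168.254.3,Microsoft CIFS (TCP),Denied,Default rule,VPN Clients,Local Host
07:30:04,192.168.254.27,192.168.254.3,Kerberos-SEC(UDP),Allowed,SBS rule (constructed),Internal,Local Host
"""

# Protocols listed in the access rule quoted in the thread.
RULE_PROTOCOLS = {"Kerberos-SEC(UDP)", "Kerberos-SEC(TCP)"}

def parse_log(text):
    """Return the log rows as dictionaries keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def denied_from(rows, src_network="VPN Clients"):
    """Count denied connections per (protocol, destination network, rule)."""
    counts = Counter()
    for row in rows:
        if row["action"] == "Denied" and row["src_network"] == src_network:
            counts[(row["protocol"], row["dst_network"], row["rule"])] += 1
    return counts

def triage(rows, rule_protocols, src_network="VPN Clients"):
    """Split the denied protocols by whether the rule already lists them."""
    denied = {proto for proto, _, _ in denied_from(rows, src_network)}
    return {
        # Listed in the rule yet still denied: the rule is not matching this
        # traffic, so compare the logged networks and rule with its settings.
        "not_matching": sorted(denied & rule_protocols),
        # Denied and absent from the rule's protocol list.
        "missing": sorted(denied - rule_protocols),
    }

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for key, n in denied_from(rows).most_common():
        print(n, *key, sep=" | ")
    print(triage(rows, RULE_PROTOCOLS))
```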