Re: VPN issues on SBS2003 with ISA 2004 installed
- From: v-terliu@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
- Date: Thu, 09 Nov 2006 06:46:44 GMT
Hello Ken,
Thanks for your kind update.
Based on my more careful research, I notice that your VPN client and the
SBS local network are using the same IP scheme, 192.168.254.0/255.255.255.0,
which is the root cause of this issue. The computer sends IP packets
according to the path defined in the routing table. If the local and the
remote network are using the same IP subnet, the client computer will not
send the packets through the VPN interface. Instead, the traffic will go
through the local NIC to the local internal network.
Step 1:
-------------------
You will need to change either your local network IP scheme (VPN client
side) or the SBS side IP scheme.
For example, configure the remote network (where the VPN client resides) to
use the 192.168.253.0/255.255.255.0 subnet and don't change the IP scheme of
the SBS Server.
Note: If you want to change the SBS internal subnet, you need to run the
"Change Server IP address wizard".
Step 2:
---------------------
Please find the "SBS Protected Networks access rule" created by CEICW and
move it to the top, then click Apply to save the configuration.
If the issue persists, you can also send me the ISA info/ISAbpa so that I
can help you check if your ISA Server is correctly configured:
1. Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me at v-terliu@xxxxxxxxxxxxx
2. Please follow the link and download and run the Microsoft Internet
Security and Acceleration (ISA) Server 2004 Best Practices Analyzer Tool
and then send me the results:
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
Hope the above info helps. Please don't hesitate to let me know if there is
anything unclear.
Thanks and have a nice day!
Best regards,
Terence Liu(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "KenCraft" <kwcraft@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: VPN issues on SBS2003 with ISA 2004 installed
| Date: 8 Nov 2006 07:31:53 -0800
| Organization: http://groups.google.com
| Lines: 242
| Message-ID: <1162999913.894212.221120@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <1162923495.384659.274340@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| <ftv#uQyAHHA.1976@xxxxxxxxxxxxxxxxxxxxx>
|
| Thanks for the response.
|
| I set up a new Access Rule per your settings and have put it at the top
| of the list. Unfortunately we still cannot browse.
|
| The user can connect to the VPN without trouble. Even the ISA firewall
| monitor says "Initiated Connection". When the user opens My Computer
| and either clicks on a mapped drive OR types in the name of the server
| (\\max), the firewall monitor says "Kerberos-SEC(UDP)" Denied
| Connection, and they are unable to browse.
|
| To clear up the ipconfig /all, I forgot that I wasn't connected to the
| VPN when I posted that. When I am connected the default gateway is the
| IP of the vpn client, not 192.168.254.1. Sorry.
|
| Any other suggestions?
|
| Thanks again,
|
| Ken
|
| Terence Liu [MSFT] wrote:
| > Hello Ken Craft,
| >
| > Thank you for posting here.
| >
| > From your post, I understand that the VPN clients which are joined to the
| > domain cannot browse internal resources. If I am off base, please feel free
| > to let me know.
| >
| > Based on my research, domain user authentication needs the Kerberos-SEC(UDP)
| > and Kerberos-SEC(TCP) protocols, so I suggest that we try to create a new
| > Access Rule to allow these protocols.
| >
| > Please open the ISA management console, navigate to Firewall Policy,
| > right-click "Firewall Policy" and click New->Access Rule, then create a new
| > access rule as follows:
| >
| > Rule name: allow VPN user authentication
| >
| > Rule Action: Allow
| >
| > Protocols: Kerberos-SEC(UDP) and Kerberos-SEC(TCP)
| >
| > Sources: VPN client
| >
| > Destination: Local host and internal network
| >
| > User Sets: All Users
| >
| > Then move this rule to the top and click Apply to save all the settings.
| >
| > Also, you can add to this rule the other protocols that VPN clients use to
| > browse resources.
| >
| > In addition, I checked the ipconfig /all result and noticed that the
| > client's default gateway (192.168.254.1) does not point to the PPP adapter
| > RAS Server (Dial In) Interface IP address (192.168.254.11). Please check
| > the DHCP server configuration.
| >
| > Hope these steps will give you some help. Please let me know the results
| > so that I can provide further assistance on this problem. I am looking
| > forward to your reply. Thanks and have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > --------------------
| > | From: "KenCraft" <kwcraft@xxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | Subject: VPN issues on SBS2003 with ISA 2004 installed
| > | Date: 7 Nov 2006 10:18:15 -0800
| > | Organization: http://groups.google.com
| > | Lines: 113
| > | Message-ID: <1162923495.384659.274340@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
| > |
| > | I asked a question awhile ago about VPN but forgot where I posted it,
| > | found it today and it has been closed for being too old. :-( My fault.
| > | Anyhow:
| > |
| > | I've been working on this issue for nearly 2 months. I have SBS 2003
| > | patched to SP1 as well as ISA 2004 patched to SP1. My clients can
| > | connect to VPN and log in, however most of them cannot browse. I've
| > | narrowed down the problem to be an issue between either:
| > |
| > | 1. The Windows Firewall installed on the laptop. (I've turned this
| > | "off" and a few of them are now able to browse. but it didn't solve
| > | EVERYONE's problem).
| > |
| > | 2. ISA Firewall isn't accepting new policies. Running the Monitoring, I
| > | get Kerberos-SEC(UDP) Denied when a user tries to browse. I've added a
| > | policy to allow that protocol, but it doesn't work.
| > |
| > | I cannot run the wizard right now because everyone is here and working,
| > | but I can run it this evening after 6pm. Do I need to specifically add
| > | something to the "firewall" portion of the wizard for everyone to
| > | access?
| > |
| > | I'm also noticing that the issue is only prevalent on machines that are
| > | joined to the domain. I have 2 systems at home that do not belong to
| > | the domain, but they can connect and browse resources using the proper
| > | authentication without any problems.
| > |
| > | Another note: we are not using the Firewall Client on the network; it
| > | gave us a fit when we first installed the server 2 years ago and we
| > | developed a workaround to avoid installing it on the computers. We have
| > | a separate router set up as an internet gateway and that supplies
| > | internet access to the users. Below is a copy of an ipconfig /all from
| > | one laptop in question, and another from the server.
| > |
| > | Laptop:
| > |
| > | Windows IP Configuration:
| > |
| > | Host Name: croom1
| > | Primary Dns Suffix: ourdomain.local
| > | Node Type: Hybrid
| > | IP Routing Enabled: No
| > | WINS Proxy Enabled: No
| > | DNS Suffix Search List: ourdomain.local
| > |
| > |
| > | Ethernet adapter local area connection:
| > |
| > | Connection-specific DNS Suffix .: ourdomain.local
| > | description: 3Com 10/100
| > | Physical Address: 00-00-86-4F-7C
| > | Dhcp Enabled: Yes
| > | Autoconfiguration Enabled: Yes
| > | IP Address: 192.168.254.27
| > | Subnet Mask: 255.255.255.0
| > | Default Gateway: 192.168.254.1
| > | DHCP Server: 192.168.254.3
| > | DNS Servers: 192.168.254.3
| > | Primary WINS Server: 192.168.254.3
| > | Lease Obtained: Tues, Nov 07,06 12:56:11
| > | Lease Expires: Wed, Nov 08, 06 12:56:11
| > |
| > | Server:
| > |
| > | Windows IP Configuration
| > |
| > | Host Name . . . . . . . . . . . . : max
| > | Primary Dns Suffix . . . . . . . : hannonarmstrong.local
| > | Node Type . . . . . . . . . . . . : Unknown
| > | IP Routing Enabled. . . . . . . . : Yes
| > | WINS Proxy Enabled. . . . . . . . : Yes
| > | DNS Suffix Search List. . . . . . : hannonarmstrong.local
| > |
| > | Ethernet adapter Internet Connection:
| > |
| > | Connection-specific DNS Suffix . :
| > | Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet
| > | Physical Address. . . . . . . . . : 00-0E-7F-AB-D6-48
| > | DHCP Enabled. . . . . . . . . . . : No
| > | IP Address. . . . . . . . . . . . : 65.196.108.242
| > | Subnet Mask . . . . . . . . . . . : 255.255.240.0
| > | Default Gateway . . . . . . . . . : 65.196.108.241
| > | DNS Servers . . . . . . . . . . . : 192.168.254.3
| > | Primary WINS Server . . . . . . . : 192.168.254.3
| > | NetBIOS over Tcpip. . . . . . . . : Disabled
| > |
| > | PPP adapter RAS Server (Dial In) Interface:
| > |
| > | Connection-specific DNS Suffix . :
| > | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| > | Physical Address. . . . . . . . . : 00-53-45-00-00-00
| > | DHCP Enabled. . . . . . . . . . . : No
| > | IP Address. . . . . . . . . . . . : 192.168.254.11
| > | Subnet Mask . . . . . . . . . . . : 255.255.255.255
| > | Default Gateway . . . . . . . . . :
| > | NetBIOS over Tcpip. . . . . . . . : Disabled
| > |
| > | Ethernet adapter Local Area Connection:
| > |
| > | Connection-specific DNS Suffix . :
| > | Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
| > | Physical Address. . . . . . . . . : 00-09-5B-8D-12-6C
| > | DHCP Enabled. . . . . . . . . . . : No
| > | IP Address. . . . . . . . . . . . : 192.168.254.3
| > | Subnet Mask . . . . . . . . . . . : 255.255.255.0
| > | Default Gateway . . . . . . . . . :
| > | DNS Servers . . . . . . . . . . . : 192.168.254.3
| > |
| > | I can drop a netdiag or dcdiag post if you want it. When I ran it there
| > | were no errors.
| > |
| > | thanks
| > |
| > |
|
|
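To make the routing explanation in the reply above concrete, here is an added example (not part of the original thread, and not Microsoft's or the poster's code) that models a VPN client's IPv4 routing table and applies the forwarding rule the reply describes: longest prefix wins, and only among equal-length prefixes does the lower metric win. The 192.168.254.0/24 subnet, the server's internal address 192.168.254.3 and its public address 65.196.108.242 are taken from the posted ipconfig output; the exact shape of the table, the metrics, the host route to the VPN server and the default route through the PPP adapter ("Use default gateway on remote network") are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of a Windows VPN client's IPv4 routing table.
# Assumptions for this example (not values from the thread): interface
# metrics, the host route that keeps the tunnel endpoint reachable via the
# LAN, and the default route the PPP adapter adds when "Use default gateway
# on remote network" is enabled.
VPN_SERVER_PUBLIC = "65.196.108.242"   # server's external address from the posted ipconfig
LAN_METRIC = 20                        # assumed metric of the local NIC
PPP_METRIC = 1                         # assumed metric of the PPP (VPN) adapter


def client_routes(lan_subnet, vpn_connected=True):
    """Return (network, interface, metric) entries for the client's table."""
    routes = [
        (ip_network(lan_subnet), "LAN", LAN_METRIC),         # on-link route for the local LAN
        (ip_network("0.0.0.0/0"), "LAN", LAN_METRIC),        # default route via the local router
    ]
    if vpn_connected:
        routes += [
            # host route so the tunnel's own packets keep leaving through the LAN
            (ip_network(VPN_SERVER_PUBLIC + "/32"), "LAN", LAN_METRIC),
            # default route through the tunnel (use default gateway on remote network)
            (ip_network("0.0.0.0/0"), "PPP", PPP_METRIC),
        ]
    return routes


def lookup(routes, destination):
    """Pick the outgoing interface for `destination`.

    IPv4 forwarding selects the most specific (longest prefix) matching route;
    the metric only breaks ties between routes of equal prefix length.
    """
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    network, interface, _metric = min(
        candidates, key=lambda r: (-r[0].prefixlen, r[2])
    )
    return interface


def chosen_interface(lan_subnet, destination):
    """Interface a connected VPN client uses to reach `destination`."""
    return lookup(client_routes(lan_subnet), destination)


if __name__ == "__main__":
    # Overlapping subnets: the client's on-link /24 is more specific than the
    # tunnel's /0, so SMB/Kerberos traffic for the SBS box never enters the VPN.
    print("254 LAN ->", chosen_interface("192.168.254.0/24", "192.168.254.3"))   # LAN
    # After renumbering the remote LAN as the reply suggests, only the two
    # default routes match and the PPP adapter's lower metric wins.
    print("253 LAN ->", chosen_interface("192.168.253.0/24", "192.168.254.3"))   # PPP
    # The tunnel endpoint itself is still reached via the LAN host route.
    print("server  ->", chosen_interface("192.168.253.0/24", VPN_SERVER_PUBLIC)) # LAN
```

On a real client the actual table is visible with `route print` while the VPN is up; the point to check is whether a route with a prefix as long as or longer than the tunnel's covers the server's internal address and points at the local NIC. A lower metric on the PPP adapter does not rescue an overlapping /24, which is why renumbering one side is the fix rather than tuning metrics or adding ISA access rules.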
- Follow-Ups:
- Re: VPN issues on SBS2003 with ISA 2004 installed
- From: Justin
- Re: VPN issues on SBS2003 with ISA 2004 installed
- References:
- VPN issues on SBS2003 with ISA 2004 installed
- From: KenCraft
- Re: VPN issues on SBS2003 with ISA 2004 installed
- From: KenCraft
- VPN issues on SBS2003 with ISA 2004 installed