Re: VPN issues on SBS2003 with ISA 2004 installed



Hello again,

I had to create a VPN connection using the network connection wizard on
the client in order to see the TCP/IP settings. I was using the
connection wizard that the server created and with that, I could not
access properties pages.

Unfortunately, we're still having the same problem: unable to browse
the network even though we are connected and authenticated. The ISA
firewall says Kerberos-sec(UDP) denied again.

Is there anything else I can try?

Ken


Terence Liu [MSFT] wrote:
Hello Ken,

Thanks for your kind update.

Based on our work above, it seems the problem is on the client side, so I suggest
we try the following steps to see if the issue can be resolved:

Please try not using the remote gateway on the client, to do so:

On the remote client
1). Double-click My Computer, and then click the Network and Dial-up
Connections link.

2). Right-click the VPN connection that you want to change, and then click
Properties.

3). Click the Networking tab, click Internet Protocol (TCP/IP) in the
'Components checked are used by this connection' list, and then click
Properties.

4). Click Advanced, and then click to clear the Use default gateway on
remote network check box.

If the issue persists, please kindly send me the report gathered by the tool
I gave you. My working mailbox is: v-terliu@xxxxxxxxxxxxx

Hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "KenCraft" <kwcraft@xxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: VPN issues on SBS2003 with ISA 2004 installed
| Date: 9 Nov 2006 08:05:24 -0800
|
| Here's an updated shot of my VPN Client IPCONFIG /ALL
|
| Windows IP Configuration
|
| Host Name . . . . . . . . . . . . : kenny
| Primary Dns Suffix . . . . . . . :
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : Yes
| DNS Suffix Search List. . . . . . : ourdomain.local
|
| Ethernet adapter Local Area Connection 5:
|
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : NVIDIA nForce MCP
| Networking Controller
| Physical Address. . . . . . . . . : 00-0C-76-13-44-74
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.0.102
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.0.1
| DHCP Server . . . . . . . . . . . : 192.168.0.1
| DNS Servers . . . . . . . . . . . : 192.168.0.1
| Lease Obtained. . . . . . . . . . : Wednesday, November 08,
| 2006 10:57:44 PM
| Lease Expires . . . . . . . . . . : Wednesday, November 15,
| 2006 10:57:44 PM
|
| PPP adapter Connect to Small Business Server:
|
| Connection-specific DNS Suffix . : ourdomain.local
| Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| Physical Address. . . . . . . . . : 00-53-45-00-00-00
| Dhcp Enabled. . . . . . . . . . . : No
| IP Address. . . . . . . . . . . . : 192.168.253.202
| Subnet Mask . . . . . . . . . . . : 255.255.255.255
| Default Gateway . . . . . . . . . : 192.168.253.202
| DNS Servers . . . . . . . . . . . : 192.168.254.3
| Primary WINS Server . . . . . . . : 192.168.254.3
|
|
| I moved the Protected Networks Rule to the top, and applied changes. I
| also reconfigured the RAS to give out the 192.168.253.xxx addresses.
| VPN uses subnet 255.255.255.255. My local network is configured for
| 192.168.0.xxx /24 network.
|
| I'm still getting the Kerberos-SEC(UDP) protocol "Access Denied" when
| monitoring my connections. :-(
|
| I'll grab the tool you referred me to and repost the results to that (or
| email it to you).
|
| Thanks for all your help.
|
| Ken
|
|
|
|
| KenCraft wrote:
| > Thanks for the response.
| >
| > I set up a new Access Rule per your settings and have put it at the top
| > of the list. Unfortunately we still cannot browse.
| >
| > The user can connect the VPN without trouble. Even the ISA firewall
| > monitor says "Initiated Connection". When the user opens my computer
| > and either clicks on a mapped drive OR types in the name of the server
| > (\\max) the firewall monitor says "Kerberos-SEC(UDP)" Denied
| > Connection, and they are unable to browse.
| >
| > To clear up the ipconfig /all, I forgot that I wasn't connected to the
| > VPN when I posted that. When I am connected the default gateway is the
| > IP of the vpn client, not 192.168.254.1. Sorry.
| >
| > Any other suggestions?
| >
| > Thanks again,
| >
| > Ken
| >
| > Terence Liu [MSFT] wrote:
| > > Hello Ken Craft,
| > >
| > > Thank you for posting here.
| > >
| > > From your post, I understand that the VPN clients which are joined to the
| > > domain cannot browse internal resources. If I am off base, please feel
| > > free to let me know.
| > >
| > > Based on my research, domain user authentication needs the
| > > Kerberos-SEC(UDP) and Kerberos-SEC(TCP) protocols, so I suggest that we
| > > try to create a new Access Rule to allow these protocols.
| > >
| > > Please open the ISA management console, navigate to Firewall Policy,
| > > right click "Firewall Policy" and click New->Access Rule, then create a
| > > new access rule as follows:
| > >
| > > Rule name: allow VPN user authentication
| > >
| > > Rule Action: Allow
| > >
| > > Protocols: Kerberos-SEC(UDP) and Kerberos-SEC(TCP)
| > >
| > > Sources: VPN client
| > >
| > > Destination: Local host and internal network
| > >
| > > User Sets: All Users
| > >
| > > Then move this rule to the top and click Apply to save all the settings.
| > >
| > > Also, you can add to this rule the other protocols which the VPN client
| > > uses to browse resources.
| > >
| > > In addition, I checked the ipconfig /all result and noticed that the
| > > default gateway (192.168.254.1) of the client does not point to the PPP
| > > adapter RAS Server (Dial In) Interface IP address (192.168.254.11).
| > > Please check the DHCP server configuration.
| > >
| > > Hope these steps will give you some help. Please let me know the results
| > > so that I can provide further assistance on this problem. I am looking
| > > forward to your reply. Thanks and have a nice day!
| > >
| > > Best regards,
| > >
| > > Terence Liu(MSFT)
| > >
| > >
| > > --------------------
| > > | From: "KenCraft" <kwcraft@xxxxxxxxx>
| > > | Newsgroups: microsoft.public.windows.server.sbs
| > > | Subject: VPN issues on SBS2003 with ISA 2004 installed
| > > | Date: 7 Nov 2006 10:18:15 -0800
| > > |
| > > | I asked a question awhile ago about VPN but forgot where I posted it,
| > > | found it today and it has been closed for being too old. :-( my fault.
| > > | Anyhow:
| > > |
| > > | I've been working on this issue for nearly 2 months. I have SBS 2003
| > > | patched to SP1 as well as ISA 2004 patched to SP1. My clients can
| > > | connect to VPN and log in, however most of them cannot browse. I've
| > > | narrowed down the problem to be an issue between either:
| > > |
| > > | 1. The Windows Firewall installed on the laptop. (I've turned this
| > > | "off" and a few of them are now able to browse. but it didn't solve
| > > | EVERYONE's problem).
| > > |
| > > | 2. ISA Firewall isn't accepting new policies. Running the Monitoring, I
| > > | get Kerberos-SEC(UDP) Denied when a user tries to browse. I've added a
| > > | policy to allow that protocol, but it doesn't work.
| > > |
| > > | I cannot run the wizard right now because everyone is here and working,
| > > | but I can run it this evening after 6pm. Do I need to specifically add
| > > | something to the "firewall" portion of the wizard for everyone to
| > > | access?
| > > |
| > > | I'm also noticing that the issue is only prevalent on machines that are
| > > | joined to the domain. I have 2 systems at home that do not belong to
| > > | the domain, but they can connect and browse resources using the proper
| > > | authentication without any problems.
| > > |
| > > | Another note: we are not using the firewall client on the network, it
| > > | gave us a fit when we first installed the server 2 years ago and we
| > > | developed a workaround to avoid installing it on the computers. We have
| > > | a separate router set up as an internet gateway and that supplies
| > > | internet access to the users. Below is a copy of an IPConfig /ALL from
| > > | one laptop in question, and another from the server.
| > > |
| > > | Laptop:
| > > |
| > > | Windows IP Configuration:
| > > |
| > > | Host Name: croom1
| > > | Primary Dns Suffix: ourdomain.local
| > > | Node Type: Hybrid
| > > | IP Routing Enabled: No
| > > | WINS Proxy Enabled: No
| > > | DNS Suffix Search List: ourdomain.local
| > > |
| > > |
| > > | Ethernet adapter local area connection:
| > > |
| > > | Connection-specific DNS Suffix .: ourdomain.local
| > > | description: 3Com 10/100
| > > | Physical Address: 00-00-86-4F-7C
| > > | Dhcp Enabled: Yes
| > > | Autoconfiguration Enabled: Yes
| > > | IP Address: 192.168.254.27
| > > | Subnet Mask: 255.255.255.0
| > > | Default Gateway: 192.168.254.1
| > > | DHCP Server: 192.168.254.3
| > > | DNS Servers: 192.168.254.3
| > > | Primary WINS Server: 192.168.254.3
| > > | Lease Obtained: Tues, Nov 07,06 12:56:11
| > > | Lease Expires: Wed, Nov 08, 06 12:56:11
| > > |
| > > | Server:
| > > |
| > > | Windows IP Configuration
| > > |
| > > | Host Name . . . . . . . . . . . . : max
| > > | Primary Dns Suffix . . . . . . . : hannonarmstrong.local
| > > | Node Type . . . . . . . . . . . . : Unknown
| > > | IP Routing Enabled. . . . . . . . : Yes
| > > | WINS Proxy Enabled. . . . . . . . : Yes
| > > | DNS Suffix Search List. . . . . . : hannonarmstrong.local
| > > |
| > > | Ethernet adapter Internet Connection:
| > > |
| > > | Connection-specific DNS Suffix . :
| > > | Description . . . . . . . . . . . : BCM5703 Gigabit Ethernet
| > > | Physical Address. . . . . . . . . : 00-0E-7F-AB-D6-48
| > > | DHCP Enabled. . . . . . . . . . . : No
| > > | IP Address. . . . . . . . . . . . : 65.196.108.242
| > > | Subnet Mask . . . . . . . . . . . : 255.255.240.0
| > > | Default Gateway . . . . . . . . . : 65.196.108.241
| > > | DNS Servers . . . . . . . . . . . : 192.168.254.3
| > > | Primary WINS Server . . . . . . . : 192.168.254.3
| > > | NetBIOS over Tcpip. . . . . . . . : Disabled
| > > |
| > > | PPP adapter RAS Server (Dial In) Interface:
| > > |
| > > | Connection-specific DNS Suffix . :
| > > | Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
| > > | Physical Address. . . . . . . . . : 00-53-45-00-00-00
| > > | DHCP Enabled. . . . . . . . . . . : No
| > > | IP Address. . . . . . . . . . . . : 192.168.254.11
| > > | Subnet Mask . . . . . . . . . . . : 255.255.255.255
| > > | Default Gateway . . . . . . . . . :
| > > | NetBIOS over Tcpip. . . . . . . . : Disabled
| > > |
| > > | Ethernet adapter Local Area Connection:
| > > |
| > > | Connection-specific DNS Suffix . :
| > > | Description . . . . . . . . . . . : NETGEAR FA311/FA312 PCI Adapter
| > > | Physical Address. . . . . . . . . : 00-09-5B-8D-12-6C
| > > | DHCP Enabled. . . . . . . . . . . : No
| > > | IP Address. . . . . . . . . . . . : 192.168.254.3
| > > | Subnet Mask . . . . . . . . . . . : 255.255.255.0
| > > | Default Gateway . . . . . . . . . :
| > > | DNS Servers . . . . . . . . . . . : 192.168.254.3
| > > |
| > > | I can drop a netdiag or dcdiag post if you want it. When I ran it there
| > > | were no errors.
| > > |
| > > | thanks
| > > |
| > > |
|
|
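
Added example (not part of the original thread, and not the posters' or Microsoft's code): a Python check over the VPN client's ipconfig /all fields that reports whether "Use default gateway on remote network" is in effect and whether the server at 192.168.254.3 would still be routed into the tunnel once that box is cleared. It assumes the client then adds only the classful route for its assigned address; parse_adapters and tunnel_report are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample: fields copied from the VPN client's ipconfig /all above.
SAMPLE = """\
Ethernet adapter Local Area Connection 5:

   IP Address. . . . . . . . . . . . : 192.168.0.102
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

PPP adapter Connect to Small Business Server:

   IP Address. . . . . . . . . . . . : 192.168.253.202
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 192.168.253.202
   DNS Servers . . . . . . . . . . . : 192.168.254.3
"""


def parse_adapters(text):
    """Return {adapter heading: {field: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S.*adapter .+):\s*$", line)
        if head:
            current = adapters.setdefault(head.group(1), {})
            continue
        field = re.match(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return adapters


def tunnel_report(adapter, server_ip):
    """Describe how a PPP adapter will route traffic to server_ip."""
    ip = ipaddress.ip_address(adapter["IP Address"])
    # A gateway equal to the adapter's own address means "Use default gateway
    # on remote network" is ticked, so every destination goes into the tunnel.
    full_tunnel = adapter.get("Default Gateway", "") == str(ip)
    # Assumption: with the box cleared the client adds only the classful
    # route for its assigned address (class A /8, B /16, C /24).
    first_octet = ip.packed[0]
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    classful = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return {
        "full_tunnel": full_tunnel,
        "classful_route": str(classful),
        "server_in_classful_route": ipaddress.ip_address(server_ip) in classful,
    }


if __name__ == "__main__":
    ppp = parse_adapters(SAMPLE)["PPP adapter Connect to Small Business Server"]
    print(tunnel_report(ppp, "192.168.254.3"))
```

Under that assumption, the posted adapter (pool 192.168.253.xxx) gets a classful route of 192.168.253.0/24, which does not contain 192.168.254.3, so after step 4 the client would also need a route to 192.168.254.0/24 through the VPN interface.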
