RE: Site-to-Site with ISA 2004
- From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
- Date: Tue, 10 Apr 2007 10:29:07 GMT
Hi Danny,
Thanks for posting in our newsgroup.
From your description, I know that you set up a site-to-site VPN between the SBS server and the client's office. When you try connecting to the remote office on
the SBS server, the VPN doesn't work. If I am off-base, please don't hesitate
to let me know.
Please let me know the following to make the situation clearer:
Which device is used at your client's office side, an ISA server or a third-party
router? If you use a third-party router, the problem may also be caused
by the third-party router and you can contact the hardware manufacturer for
more help.
First please make sure you strictly followed this document to create
site-to-site VPN.
Creating IPSec Tunnel Mode Site to Site VPNs with ISA Server 2004 Firewalls
http://www.isaserver.org/tutorials/2004ipsectunnelmode.html
Suppose you created an access rule from SBS server to client's office named
Main to Branch, please check the following access rule:
Main to Branch:
From: Internal
To: Branch
Action: Allow
Protocol: All Outbound Traffic
Schedule: Always
Users: All users
If you are using a third-party router, please check according to the
following articles:
Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and
Third-Party Gateways
http://www.microsoft.com/technet/isa/2004/plan/sitetositeipsec.mspx
Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX
v6.3.1
http://www.microsoft.com/technet/isa/2004/plan/ipsecvpn.mspx
If the problem persists, please help me collect the following information
for further research:
1. Please help to gather the ISA Info:
1) Download the file from the following
URL: http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.
2. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be able to be deleted; that's normal.) You may back them up first and
then delete them.
12) Go back to the ISA 2004 management console, and then start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then send the resulting
W3C files to me for analysis.
Please send the information to v-robeli@xxxxxxxxxxxxx with subject:
38684558-Site-to-Site with ISA 2004.
I am looking forward to hearing from you.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
<From: "Dan24" <dliberty@xxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Site-to-Site with ISA 2004
<Date: 9 Apr 2007 08:39:16 -0700
<
<Hi,
<
<I am trying to set up a simple site-to-site VPN from my SBS 2003
<running ISA 2004 to a client's office. Our internal subnet is:
<192.168.16.X and the server internal IP is 192.168.16.2
<The client has defined an IPsec tunnel, defining 192.168.16.X as the
<remote subnet.
<Now it seems like the tunnel is working since if I use one of the
<machines on the network I am able to connect to the client's office.
<But when I try to connect from the server itself the VPN does not
<work. I can see in ISA monitoring that the request to connect to the
<remote network is coming from the external IP of the server and not
<the internal address, and I can assume this is the problem.
<
<How can I solve this issue?
<
<Thanks in advance!
<
<Danny
<
<
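Added example, not part of the original thread and not a Microsoft tool: once the firewall log is written in W3C file format as in the steps above, a short script can list connections bound for the branch subnet whose source address lies outside the subnet the tunnel was defined for, which is the symptom described in the original post. The column names, the branch subnet 10.0.5.0/24 and the external address 203.0.113.10 are assumptions made for the constructed sample; 192.168.16.0/24 comes from the thread.

```python
import ipaddress

# Constructed sample in W3C extended format (tab-separated, "#Fields:" header).
# Column names, the branch subnet 10.0.5.0/24 and 203.0.113.10 (standing in for
# the server's external IP) are assumptions; 192.168.16.0/24 is from the thread.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tsource\tdestination\taction\trule",
    "2007-04-09\t15:01:10\t192.168.16.25:1050\t10.0.5.20:445\tInitiated Connection\tMain to Branch",
    "2007-04-09\t15:02:44\t203.0.113.10:1187\t10.0.5.20:445\tDenied Connection\t-",
    "2007-04-09\t15:03:02\t192.168.16.30:1190\t10.0.5.21:3389\tInitiated Connection\tMain to Branch",
    "2007-04-09\t15:03:30\t192.168.16.25:1061\t198.51.100.7:80\tInitiated Connection\tInternet Access",
])

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.strip() and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def host_of(endpoint):
    """Return the IPv4 address from 'a.b.c.d' or 'a.b.c.d:port'."""
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0])

def outside_tunnel_sources(text, local_net, remote_net,
                           src_col="source", dst_col="destination"):
    """Records bound for remote_net whose source address is not in local_net."""
    local = ipaddress.ip_network(local_net)
    remote = ipaddress.ip_network(remote_net)
    hits = []
    for rec in parse_w3c(text):
        try:
            src, dst = host_of(rec[src_col]), host_of(rec[dst_col])
        except (KeyError, ValueError):
            continue  # column missing or value is not an IP address
        if dst in remote and src not in local:
            hits.append((rec.get("time", ""), str(src), str(dst), rec.get("action", "")))
    return hits

if __name__ == "__main__":
    for hit in outside_tunnel_sources(SAMPLE_LOG, "192.168.16.0/24", "10.0.5.0/24"):
        print(*hit, sep="  ")
```

Pass `src_col` and `dst_col` to match the field names in the `#Fields:` line of the actual log file.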