Re: Site-to-Site with ISA 2004

On 11 Apr 2007 18:28:54 -0700, "Dan24" <dliberty@xxxxxxxxx> wrote:

On Apr 12, 3:34 am, Jim Behning SBS MVP
<jimbehn...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 11 Apr 2007 11:07:33 -0700, "Dan24" <dlibe...@xxxxxxxxx> wrote:

On Apr 11, 3:38 pm, Jim Behning SBS MVP
<jimbehn...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 10 Apr 2007 23:33:55 -0700, "Dan24" <dlibe...@xxxxxxxxx> wrote:

On Apr 10, 1:29 pm, v-rob...@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
wrote:
Hi Danny,

Thanks for posting in our newsgroup.

From your description, I know that you have set up a site-to-site VPN between the SBS
server and the client's office. When you try connecting to the remote office on the
SBS server, the VPN doesn't work. If I am off-base, please don't hesitate
to let me know.

Please let me know the following to make the situation clearer:

Which device is used at your client's office side, ISA Server or a third-party
router? If you use a third-party router, the problem may also be caused
by the third-party router and you can contact the hardware manufacturer for
more help.

First please make sure you strictly followed this document to create
site-to-site VPN.

Creating IPSec Tunnel Mode Site to Site VPNs with ISA Server 2004 Firewalls
http://www.isaserver.org/tutorials/2004ipsectunnelmode.html

Suppose you created an access rule from SBS server to client's office named
Main to Branch, please check the following access rule:

Main to Branch:

From: Internal
To: Branch
Action: Allow
Protocol: All Outbound Traffic
Schedule: Always
Users: All users

If you are using a third-party router, please check according to the
following articles:

Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and
Third-Party Gateways
http://www.microsoft.com/technet/isa/2004/plan/sitetositeipsec.mspx

Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX
v6.3.1
http://www.microsoft.com/technet/isa/2004/plan/ipsecvpn.mspx

If the problem persists, please help me collect the following information
for further research:

1. Please help to gather the ISA Info:

1) Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.

2. Please also help to gather the ISA logs:

1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right-click 'Microsoft Firewall' and
choose 'Stop'.
11) Clear the currently existing W3C logs. To do that, go to the log saving
directory and clean out any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be deletable; that's normal.) You may back them up first and
then delete them.
12) Go back to the ISA 2004 management console, and then start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files and send them to me for analysis.

Please send the information to v-rob...@xxxxxxxxxxxxx with subject:
38684558-Site-to-Site with ISA 2004.

I am looking forward to hearing from you.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! -www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroups here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: "Dan24" <dlibe...@xxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Site-to-Site with ISA 2004
<Date: 9 Apr 2007 08:39:16 -0700
<Organization:http://groups.google.com
<
<Hi,
<
<I am trying to set up a simple site-to-site VPN from my SBS 2003
<running ISA 2004 to a client's office. Our internal subnet is:
<192.168.16.X and the server internal IP is 192.168.16.2
<The client has defined an IPsec tunnel, defining 192.168.16.X as the
<remote subnet.
<Now it seems like the tunnel is working since if I use one of the
<machines on the network I am able to connect to the client's office.
<But when I try to connect from the server itself the VPN does not
<work. I can see in ISA monitoring that the request to connect to the
<remote network is coming from the external IP of the server and not
<the internal address, and I can assume this is the problem.
<
<How can I solve this issue?
<
<Thanks in advance!
<
<Danny
<
<

I think it's even simpler than that, but I'm not sure how to fix it.
When I try to connect to the remote network from the server (running
ISA), it automatically uses the External network adapter since the
Internal network adapter does not have a gateway defined and is only
used to access the internal network. Therefore, the source IP sent to
the remote site is the external IP of the server, and not the internal
as I would like it to be.
What I want to achieve is to have the SBS server computer behave like
any standard client computer on the network, and always use the
Internal network adapter for outbound access. Perhaps defining its
own IP as the internal network adapter's gateway can solve the problem,
but none of the configurations I've seen utilize this method.

You state that the remote site tunnel is on 192.168.16.x. The same
network as your SBS. SBS cannot know how to get there I would guess.
That is not the way I set up remote sites. The remote site is on its
own network like 192.168.15.x. I might add the command route add -p
192.168.15.0 mask 255.255.255.0 192.168.16.1 if the hardware vpn
router is at 192.168.16.1. I have only used hardware vpn routers for
site to site vpns.

Note that any network in the 192.168.x.x is private meaning
non-routable. Routes that can only be used for private stuff. They are
not used in the real world. Trying to obfuscate just makes making
sense of things more challenging.

You must have misunderstood me.
The remote site is not my subnet.

I was just restating what I read.

"I am trying to set up a simple site-to-site VPN from my SBS 2003
running ISA 2004 to a client's office. Our internal subnet is:
192.168.16.X and the server internal IP is 192.168.16.2 The client has
defined an IPsec tunnel, defining 192.168.16.X as the remote subnet."

So is this a software vpn? No routers involved? I never saw the answer
to the question of what the ip scheme is at the remote office.

Sorry for the misunderstanding. Here are some more details, maybe this
will clarify:
The remote office is using a hardware router, I'm not even sure which.
The admin there says the IPSec tunnel is configured for an IP to IP
VPN (as opposed to using subnets). The server which I need access to
is: 193.254.206.38 (start address = end address in this case) and the
remote VPN gateway address is: 193.254.206.6. I set up the remote site
accordingly.
He also configured the remote security group to a single IP, that is
our server's internal IP (192.168.16.2). This is ok since only the
server needs access to the remote site.
Again, this is somewhat different from the typical scenario in which a
tunnel is defined between 2 class C subnets (255.255.255.0 / 24).

The cause of the problem is simple: the server has 2 NICs, and since
the internal NIC has no gateway defined, when I try to access
193.254.206.38 it goes through the external NIC. As a result, the VPN
device at the remote site detects the source address is incorrect (it
was expecting the internal local address - 192.168.16.2).
I can assume this problem occurs due to the nature of an SBS
deployment: the ISA is not installed on a separate server and thus
when creating site-to-site VPNs there is most often a requirement for
the server running ISA to access the VPN (and not only internal
clients in the network).

Any thoughts?
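To make the source-address selection Dan describes concrete, here is an added example (not code from the thread) that models a two-NIC host with longest-prefix route lookup and shows why a destination such as 193.254.206.38 leaves via the external NIC when only that NIC has a default gateway, and how the persistent host route of the kind Jim mentions changes the egress interface and source IP. The external address 203.0.113.10, its gateway 203.0.113.9, and a hardware VPN router at 192.168.16.1 are constructed assumptions; the trick only applies where a separate gateway on the internal LAN actually carries the tunnel.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

# Constructed model of the SBS/ISA box in the thread: two NICs, and the
# internal one has no default gateway. The external address is assumed.
INTERFACES = {
    "Internal": ipaddress.ip_interface("192.168.16.2/24"),   # from the thread
    "External": ipaddress.ip_interface("203.0.113.10/29"),   # assumed value
}

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]      # None = directly connected (on-link)
    iface: str
    metric: int = 10

def connected_routes() -> List[Route]:
    return [Route(i.network, None, name) for name, i in INTERFACES.items()]

# Baseline table: connected routes plus a default route via the external NIC only.
BASELINE = connected_routes() + [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.9", "External", 20)]

def select_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; lowest metric wins a tie (simplified Windows lookup)."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if ip in r.prefix]
    return max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric)) if cands else None

def egress(routes: List[Route], dst: str):
    """Return (interface, source IP) the host would use when talking to dst."""
    r = select_route(routes, dst)
    if r is None:
        raise ValueError(f"no route to {dst}")
    return r.iface, str(INTERFACES[r.iface].ip)

def parse_route_add(cmd: str) -> Route:
    """Parse the 'route add [-p] DEST mask MASK GATEWAY' form quoted in the thread."""
    parts = cmd.split()
    if parts[:2] != ["route", "add"]:
        raise ValueError("not a route add command")
    if parts[2] == "-p":            # -p only makes the route persistent
        parts.pop(2)
    dest, keyword, mask, gw = parts[2:6]
    if keyword.lower() != "mask":
        raise ValueError("expected 'mask'")
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gw_ip = ipaddress.ip_address(gw)
    # The route binds to whichever NIC can reach the next hop on-link.
    iface = next(n for n, i in INTERFACES.items() if gw_ip in i.network)
    return Route(net, gw, iface, metric=1)
```

With the baseline table, `egress(BASELINE, "193.254.206.38")` answers ("External", "203.0.113.10"); after appending `parse_route_add("route add -p 193.254.206.38 mask 255.255.255.255 192.168.16.1")` the same call answers ("Internal", "192.168.16.2"), which is the source the remote gateway was configured to expect.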
Isn't that sort of a dangerous ip scheme at the remote site? I don't
know, as I deal with non-routable ips at remote offices.

Can't the guy add the external ip of your SBS as an acceptable ip?

http://www.easydesksoftware.com/news/news28.htm
