Re: Site-to-Site with ISA 2004



Hi,

Thanks for updating and also for Jim's input.

Please check if you entered the IP address on the external interface of the
Remote Site Network's firewall so that Web Proxy clients will be able to
access the network. You can see the detailed steps at step 7 of the following
article:

Creating IPSec Tunnel Mode Site to Site VPNs with ISA Server 2004 Firewalls
http://www.isaserver.org/tutorials/2004ipsectunnelmode.html

Also, since we are not familiar with the CHECKPOINT router, the problem may
also be related to the hardware router.

Some firewalls may reject network traffic that originates from Windows
Server 2003 Service Pack 1-based or Windows Vista-based computers
http://support.microsoft.com/kb/899148

If your problem still exists, please kindly help me collect the ISA log and
info I requested in my first reply for deeper research.

I am looking forward to hearing from you.

If you need further assistance, please don't hesitate to let me know.


Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<From: Jim Behning SBS MVP <jimbehning@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
<Newsgroups: microsoft.public.windows.server.sbs
<Subject: Re: Site-to-Site with ISA 2004
<Date: Thu, 12 Apr 2007 02:46:30 GMT
<Organization: EarthLink Inc. -- http://www.EarthLink.net
<
<On 11 Apr 2007 18:28:54 -0700, "Dan24" <dliberty@xxxxxxxxx> wrote:
<
<>On Apr 12, 3:34 am, Jim Behning SBS MVP
<><jimbehn...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
<>> On 11 Apr 2007 11:07:33 -0700, "Dan24" <dlibe...@xxxxxxxxx> wrote:
<>>
<>> >On Apr 11, 3:38 pm, Jim Behning SBS MVP
<>> ><jimbehn...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
<>> >> On 10 Apr 2007 23:33:55 -0700, "Dan24" <dlibe...@xxxxxxxxx> wrote:
<>>
<>> >> >On Apr 10, 1:29 pm, v-rob...@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
<>> >> >wrote:
<>> >> >> Hi Danny,
<>>
<>> >> >> Thanks for posting in our newsgroup.
<>>
<>> >> >> From your description, I know that you set up a site-to-site VPN
<>> >> >> between the SBS server and the client's office. When you try
<>> >> >> connecting to the remote office on the SBS server, the VPN doesn't
<>> >> >> work. If I am off-base, please don't hesitate to let me know.
<>>
<>> >> >> Please let me know the following to make the situation clearer:
<>>
<>> >> >> Which device is used at your client's office side, ISA server or a
<>> >> >> third-party router? If you use a third-party router, the problem may
<>> >> >> also be caused by the third-party router and you can contact the
<>> >> >> hardware manufacturer for more help.
<>>
<>> >> >> First please make sure you strictly followed this document to
<>> >> >> create the site-to-site VPN.
<>>
<>> >> >> Creating IPSec Tunnel Mode Site to Site VPNs with ISA Server 2004
<>> >> >> Firewalls
<>> >> >> http://www.isaserver.org/tutorials/2004ipsectunnelmode.html
<>>
<>> >> >> Suppose you created an access rule from the SBS server to the
<>> >> >> client's office named Main to Branch; please check the following
<>> >> >> access rule:
<>>
<>> >> >> Main to Branch:
<>>
<>> >> >> From: Internal
<>> >> >> To: Branch
<>> >> >> Action: Allow
<>> >> >> Protocol: All Outbound Traffic
<>> >> >> Schedule: Always
<>> >> >> Users: All users
<>>
<>> >> >> If you are using a third-party router, please check according to
<>> >> >> the following articles:
<>>
<>> >> >> Configuring IPSec Site-to-Site Connections Between ISA Server 2004
<>> >> >> and Third-Party Gateways
<>> >> >> http://www.microsoft.com/technet/isa/2004/plan/sitetositeipsec.mspx
<>>
<>> >> >> Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and
<>> >> >> Cisco PIX v6.3.1
<>> >> >> http://www.microsoft.com/technet/isa/2004/plan/ipsecvpn.mspx
<>>
<>> >> >> If the problem persists, please help me collect the following
<>> >> >> information for further research:
<>>
<>> >> >> 1. Please help to gather the ISA Info:
<>>
<>> >> >> 1) Download the file from the following URL:
<>> >> >> http://www.isatools.org/isainfo/ISAInfo.zip
<>> >> >> 2) Extract all files to a folder on the ISA server.
<>> >> >> 3) Double-click Isainfo.js. This will generate 2 files,
<>> >> >> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml,
<>> >> >> in the current folder.
<>> >> >> 4) Please send these files to me.
<>>
<>> >> >> 2. Please also help to gather the ISA logs:
<>>
<>> >> >> 1) Schedule a down time.
<>> >> >> 2) Open ISA 2004 management console.
<>> >> >> 3) Expand the server node and highlight 'Monitoring'.
<>> >> >> 4) In the right pane, switch to the 'Logging' tab, and make sure the
<>> >> >> 'Task Pane' is shown there.
<>> >> >> 5) In the 'Task Pane', click 'Configure Firewall Logging' under
<>> >> >> 'Logging Tasks', and then switch the 'log storage format' from
<>> >> >> 'MSDE database' (default) to 'File'.
<>> >> >> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
<>> >> >> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
<>> >> >> 'Logging Tasks', and then switch the 'log storage format' from
<>> >> >> 'MSDE database' (default) to 'File'.
<>> >> >> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
<>> >> >> 9) Click 'Apply' to save changes and update the configuration.
<>> >> >> 10) Temporarily disable the Firewall service. To do that, please
<>> >> >> click Monitoring | Services tab, and then right-click 'Microsoft
<>> >> >> Firewall' to choose 'Stop'.
<>> >> >> 11) Clear the currently existing W3C logs. To do that, go to the
<>> >> >> log saving directory and clean out any existing .W3C logs. By
<>> >> >> default, the logs will be saved to
<>> >> >> 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files may
<>> >> >> not be able to be deleted; that's normal.) You may back them up
<>> >> >> first and then delete them.
<>> >> >> 12) Go back to the ISA 2004 management console, and then start the
<>> >> >> stopped 'Microsoft Firewall' service.
<>> >> >> 13) Reproduce the problem, stop the service, and then send the
<>> >> >> resulting W3C files to me for analysis.
<>>
<>> >> >> Please send the information to v-rob...@xxxxxxxxxxxxx with the
<>> >> >> subject: 38684558-Site-to-Site with ISA 2004.
<>>
<>> >> >> I am looking forward to hearing from you.
<>>
<>> >> >> If you need further assistance, please don't hesitate to let me
<>> >> >> know.
<>>
<>> >> >> Best regards,
<>>
<>> >> >> Robert Li(MSFT)
<>>
<>> >> >> Microsoft CSS Online Newsgroup Support
<>>
<>> >> >> Get Secure! - www.microsoft.com/security
<>>
<>>
<>> >> >> --------------------
<>> >> >> <From: "Dan24" <dlibe...@xxxxxxxxx>
<>> >> >> <Newsgroups: microsoft.public.windows.server.sbs
<>> >> >> <Subject: Site-to-Site with ISA 2004
<>> >> >> <Date: 9 Apr 2007 08:39:16 -0700
<>> >> >> <Organization: http://groups.google.com
<>> >> >> <
<>> >> >> <Hi,
<>> >> >> <
<>> >> >> <I am trying to set up a simple site-to-site VPN from my SBS 2003
<>> >> >> <running ISA 2004 to a client's office. Our internal subnet is:
<>> >> >> <192.168.16.X and the server internal IP is 192.168.16.2
<>> >> >> <The client has defined an IPsec tunnel, defining 192.168.16.X as
<>> >> >> <the remote subnet.
<>> >> >> <Now it seems like the tunnel is working since if I use one of the
<>> >> >> <machines on the network I am able to connect to the client's
<>> >> >> <office. But when I try to connect from the server itself the VPN
<>> >> >> <does not work. I can see in ISA monitoring that the request to
<>> >> >> <connect to the remote network is coming from the external IP of the
<>> >> >> <server and not the internal address, and I can assume this is the
<>> >> >> <problem.
<>> >> >> <
<>> >> >> <How can I solve this issue?
<>> >> >> <
<>> >> >> <Thanks in advance!
<>> >> >> <
<>> >> >> <Danny
<>> >> >> <
<>> >> >> <
<>>
<>> >> >I think it's even simpler than that, but I'm not sure how to fix it.
<>> >> >When I try to connect to the remote network from the server (running
<>> >> >ISA), it automatically uses the External network adapter since the
<>> >> >Internal network adapter does not have a gateway defined and is only
<>> >> >used to access the internal network. Therefore, the source IP sent to
<>> >> >the remote site is the external IP of the server, and not the internal
<>> >> >as I would like it to be.
<>> >> >What I want to achieve is to have the SBS server computer behave like
<>> >> >any standard client computer on the network, and always use the
<>> >> >Internal network adapter for outbound access. Perhaps defining its
<>> >> >own IP in the internal network adapter gateway can solve the problem,
<>> >> >but none of the configurations I've seen utilize this method.
<>>
<>> >> You state that the remote site tunnel is on 192.168.16.x. The same
<>> >> network as your SBS. SBS cannot know how to get there I would guess.
<>> >> That is not the way I set up remote sites. The remote site is on its
<>> >> own network like 192.168.15.x. I might add the command route add -p
<>> >> 192.168.15.0 mask 255.255.255.0 192.168.16.1 if the hardware vpn
<>> >> router is at 192.168.16.1. I have only used hardware vpn routers for
<>> >> site to site vpns.
<>>
<>> >> Note that any network in the 192.168.x.x is private meaning
<>> >> non-routable. Routes that can only be used for private stuff. They are
<>> >> not used in the real world. Trying to obfuscate just makes making
<>> >> sense of things more challenging.
<>>
<>> >You must have misunderstood me.
<>> >The remote site is not my subnet.
<>>
<>> I was just restating what I read.
<>>
<>> "I am trying to set up a simple site-to-site VPN from my SBS 2003
<>> running ISA 2004 to a client's office. Our internal subnet is:
<>> 192.168.16.X and the server internal IP is 192.168.16.2 The client has
<>> defined an IPsec tunnel, defining 192.168.16.X as the remote subnet."
<>>
<>> So is this a software vpn? No routers involved? I never saw the answer
<>> to the question: what is the IP scheme at the remote office?
<>
<>Sorry for the misunderstanding. Here are some more details, maybe this
<>will clarify:
<>The remote office is using a hardware router, I'm not even sure which.
<>The admin there says the IPSec tunnel is configured for an IP to IP
<>VPN (as opposed to using subnets). The server which I need access to
<>is: 193.254.206.38 (start address = end address in this case) and the
<>remote VPN gateway address is: 193.254.206.6. I set up the remote site
<>accordingly.
<>He also configured the remote security group to a single IP, that is
<>our server's internal IP (192.168.16.2). This is ok since only the
<>server needs access to the remote site.
<>Again, this is somewhat different from the typical scenario in which a
<>tunnel is defined between 2 class C subnets (255.255.255.0 / 24).
<>
<>The cause of the problem is simple: the server has 2 NICs, and since
<>the internal NIC has no gateway defined, when I try to access
<>193.254.206.38 it goes through the external NIC. As a result, the VPN
<>device at the remote site detects the source address is incorrect (it
<>was expecting the internal local address - 192.168.16.2).
<>I can assume this problem occurs due to the nature of an SBS
<>deployment: the ISA is not installed on a separate server and thus
<>when creating site-to-site VPNs there is most often a requirement for
<>the server running ISA to access the VPN (and not only internal
<>clients in the network).
<>
<>Any thoughts?
<Isn't that sort of a dangerous IP scheme at the remote site? I don't
<know, as I deal with non-routable IPs at remote offices.
<
<Can't the guy add the external ip of your SBS as an acceptable ip?
<
<http://www.easydesksoftware.com/news/news28.htm
<
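Dan's diagnosis (the internal NIC has no gateway, so a public remote address falls through to the default route on the external NIC and leaves with the external IP as source) and Jim's `route add -p` suggestion, modelled in an added Python example that is not part of the thread. The `route print` listing is constructed, and 203.0.113.10 / 203.0.113.1 are placeholder external addresses for the SBS box.

```python
import ipaddress

# Constructed 'route print' listing for a two-NIC SBS 2003 / ISA 2004 box
# (not output from the thread): the internal NIC 192.168.16.2 has no gateway;
# the external NIC 203.0.113.10 (placeholder) holds the default route.
ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.16.0    255.255.255.0     192.168.16.2    192.168.16.2      10
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10      20
Default Gateway:       203.0.113.1
"""

def parse_route_print(text):
    """Return (network, gateway, interface, metric) rows from 'route print'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, footer or blank line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes

def lookup(routes, destination):
    """Longest-prefix match, lowest metric on ties. Returns (gateway,
    interface); the interface address is the source IP the server uses."""
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, iface, metric in routes:
        key = (net.prefixlen, -metric)
        if dst in net and (best is None or key > best[0]):
            best = (key, gw, iface)
    return None if best is None else (best[1], best[2])

def route_add(routes, network, mask, gateway, metric=1):
    """Model 'route add -p <network> mask <mask> <gateway>': the route is
    bound to the interface through which the gateway itself is reachable."""
    match = lookup(routes, gateway)
    if match is None:
        raise ValueError(f"gateway {gateway} is not reachable")
    net = ipaddress.ip_network(f"{network}/{mask}", strict=False)
    routes.append((net, gateway, match[1], metric))

if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    print(lookup(routes, "193.254.206.38"))  # default route: external NIC
    route_add(routes, "192.168.15.0", "255.255.255.0", "192.168.16.1")
    print(lookup(routes, "192.168.15.7"))    # added route: internal NIC
```

The first lookup reproduces the symptom Dan sees in ISA monitoring; the second shows why Jim's persistent route keeps a private remote subnet on the internal adapter.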



