Re: VPN PPTP problem



On 29 Nov, 06:34, v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT]) wrote:
Hello David,

Thank you for the update.

I completely understand your situation, and I'm sorry I have not been able to
help you find the resolution so far.

Please note the newsgroups are staffed weekdays by Microsoft Support
professionals. Our goal is to provide a one business day response to posts.

For time critical issues (not business down), we encourage you to contact
CSS directly for more immediate assistance:

International Support (non-US/Canada): http://support.microsoft.com/common/international.aspx

US and Canada: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone

However I will do my best to be of assistance if you still want to continue
here.

Based on my research on our lab SBS server, the PPTP filter is enabled for
the "Allow VPN client traffic to ISA Server" rule (this is a system rule).

Since the PPTP ping can pass the test when you turn off the PPTP filter, did
you test the VPN connection with the PPTP filter turned off? What was the
result?

I have the following suggestions for this issue:

Suggestion 1. If you think this is an ISA Server 2004 issue, you can try to
uninstall ISA Server 2004 from Add or Remove Programs, then rerun the CEICW
and Remote Access Wizard. Then, test the VPN connection.

Suggestion 2. As you mentioned, we can make the SBS work with a single NIC.
Please disable the SBS external NIC, and rerun the CEICW and Remote Access
Wizard. Then, test the VPN connection. The single NIC will not bring
security risks to your network. Many customers use this network topology.

Note: When you change the SBS to a single NIC, you need to change the firebox
internal NIC IP scheme to make it work in the same subnet as the SBS IP.

Suggestion 3. If suggestion 2 still cannot resolve this issue, you can
use the firebox as the VPN server instead of the SBS. In this suggestion, you
need to create a user account on the firebox, and the VPN clients authenticate
with the firebox. After the VPN is established, the VPN clients can access the
internal resources. For detailed steps, please contact firebox support.

I hope these steps will give you some help.

If there's anything else I can do for you, please do not hesitate to let me
know.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: david.montice...@xxxxxxxxx
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: Re: VPN PPTP problem
| Date: Wed, 28 Nov 2007 06:31:04 -0800 (PST)
|
| On 23 Nov, 10:12, v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT]) wrote:

| > Hello David,
| >
| > Thank you for your reply.
| >
| > If you plan to change the SBS external NIC IP scheme from 192.168.1.10 to
| > 192.168.9.10, we also need to change the internal NIC IP of your Firebox
| > from 192.168.1.2 to 192.168.9.2. Then, the default gateway of the SBS
| > external NIC should point to the Firebox internal NIC IP. Like this:
| >
| > IP Address. . . . . . . . . . . . : 192.168.9.10
| > Subnet Mask . . . . . . . . . . . : 255.255.255.0
| > Default Gateway . . . . . . . . . : 192.168.9.2
| > DNS Servers . . . . . . . . . . . : 192.168.2.5
| > Primary WINS Server . . . . . . . : 192.168.2.5
| > NetBIOS over Tcpip. . . . . . . . : Disabled
| >
| > I suggest we change the Firebox internal NIC IP first, then we need to run
| > the CEICW to change the SBS external NIC IP. At the end, we need to change
| > the Firebox port forwarding rules, to ensure it forwards the necessary VPN
| > ports to the new SBS external IP address.
| >
| > Additionally, the server packet capture log is not our SBS log, so I am
| > unable to analyze it for you. As a whole, if you set the same IP scheme in
| > the router link, you may experience many IP router issues. Therefore,
| > changing the IP scheme is recommended.
| >
| > I hope the information will give you some help.
| >
| > Thanks and have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | From: v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
| > | Organization: Microsoft
| > | Date: Fri, 23 Nov 2007 09:11:21 GMT
| > | Subject: Re: VPN PPTP problem
| > |
| > | Email from customer:
| > | ========================
| > |
| > | Hi again Terrence,
| > |
| > | if I plan to change the IP scheme of the external NIC from
| > | 192.168.1.10 to 192.168.9.10 for example,
| > | do you confirm that I also need to change the IP address of our firebox
| > | (which is a firewall/router placed between the modem and our server) from
| > | 192.168.1.2 to 192.168.9.2 ?
| > |
| > |
| > | David
| > |
|
| Hello Terrence,
|
| many tests later, the issue is not yet solved!
|
| I noticed something: in the ISA2004 access rules, for the rule which
| allows PPTP traffic, if the PPTP filter is activated in the protocol
| option, when I make a PPTP ping test, on the server side nothing happens
| except the socket connection.
|
| When I turn that PPTP filter OFF and make a PPTP ping test, on the
| server side, the test string is received by the server!
|
| Is there another filter / option to let ISA2004 allow GRE packets?
|
|
| Another question, because we have already worked a lot of hours on this
| issue and also because my boss is currently abroad and thus he wants
| VPN access:
|
| I would like your opinion on putting our server in a single-NIC server
| configuration.
| I remind you that with our previous server, which had a
| single NIC, the firebox's VPN worked perfectly, and maybe I can also
| easily use the SBS VPN in that case.
|
| But I don't know the security risks of that configuration (I'm not
| Microsoft Certified).
|
| We are a little company of 15-20 users, if I connect the firebox to the LAN
| switch and the server (without ...


Hello Terrence,


I will reply to your mail because I will send you a file.

Regards,

David