Re: VPN PPTP problem

On 30 nov, 10:37, v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
wrote:
Hello David,

Thank you for your email.

The ISA Info which I gathered from you before including all ISA
configuration. So I had checked your ISA configuration at the beginning. I
did not find any issue in your ISA configuration.

From your description "But for GRE, I choose protocol IP, level 47 -> and
for that there is NOT a "NAT" button, so I just allow the traffic to all
destination", I think you did not properly set the GRE 47 on the firebox. I
suppose the firebox will show you a PPTP service to publish. The PPTP
service will include TCP 1723 and GRE 47. I strongly suggest you contact
your firebox support to confirm how to publish internal PPTP service to
Internet.

To confirm whether the SBS is configured properly for VPN, we can do the
following test:

a. On one internal XP client, click Start , click Control Panel , click
Network and Internet Connections , and then click Network Connections .
b. Click Create a new connection , and then click Next .
c. Click Connect to the network at my workplace , and then click Next .
d. Click Virtual Private Network connection , and then click Next .
e. Type a descriptive name for your company, and then click Next .
f. Click Do not dial the initial connection , and then click Next.
g. Type the SBS internal IP address, and then click Next .
h. Use one of the following methods:

a) Click Anyone's use if you want to share the connection with all users.
b) Click My use only if you do not want to share the connection.

i. Click Next , and then click Finish .
j. The dial in window will appear after you click Finish. Input the domain
user name and password, click Connect button.

Does the VPN establish success? If yes, the SBS is configured properly.

Hope the steps will help you to narrow down this issue.

Thanks and have a nice day.

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! -www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
checkhttp://support.microsoft.comfor regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Newsgroups: microsoft.public.windows.server.sbs
| From: v-ter...@xxxxxxxxxxxxxxxxxxxx (Terence Liu [MSFT])
| Organization: Microsoft
| Date: Fri, 30 Nov 2007 09:36:42 GMT
| Subject: Re: VPN PPTP problem
| X-Tomcat-NG: microsoft.public.windows.server.sbs
| MIME-Version: 1.0
| Content-Type: text/plain
| Content-Transfer-Encoding: 7bit
|
| Email from customer:
| ======================
|
| Hello Terence,
|
| to answer to your questions of your last forum post,
| yes, after turned the PPTP filter OFF, I also tested a VPN connection,
and
| I recevied the error message 721.
|
| And during the "check username and password" step, into ISA 2004 Session
| table, I can see a SecureNAT session with the public IP of the client who
| tried a VPN connection.
|
| So for me, packets can reach the server, but there is a problem to
"allow"
| the connection, or authenticate the user, I don't know...
|
|
| In my last post, did you see that GRE packets are still NOT received on
the
| server, when I make a PPTP ping test.
| That's very strange !
|
| On firebox I created a forward rule to protocol 1723 to 192.168.9.10
| (external server nic) -> to do that with firebox parameters, there a
"NAT"
| button for that service, which allows me to fill the destination IP of
the
| forward.
|
| But for GRE, I choose protocol IP, level 47 -> and for that there is NOT
a
| "NAT" button, so I just allow the traffic to all destination.
|
|
|
| You will find in attachment an export file of my ISA configuration, maybe
| there is something wrong on it.
| the password to load it is : "terence1".
|
|
| I really want to find a solution for this issue to my own satisfaction
and
| to learn something, and I really appreciate your help, this makes my
| Microsoft opinion better !
| But like I said, we already use a lot of time for this problem, so if
with
| the single NIC solution i can use the firebox VPN, so maybe that's we
have
| to do.
|
|
| Thank you for your help,
|
|
| David
|

Hello Terrence,

A technical consultant came here, and he told that our firebox was not
PPTP passthrough.

So we decided to turn back to a single nic server configuration,
without ISA.
Like that, we are using the VPN of the firebox and it's at least
working!

Thanks for your help!

At the end, for me there are still un-clear points about this issue,
even if our firebox seems to not be "PPTP passthrough", i don't
understant why when i tested SBS VPN i was able to see pptp packets
and gre packets on server's interface, when i captured packets with
famous wireShark software.

Regards,

David
.