Re: VPN with ISA



Hi Joe,

Thank you for posting here and also thanks to Claus for the input.

From the description, I understand that when trying to use SBS connect
utility to connect VPN, error 800 is received. However, the manually
created connection works.

Based on current situation, I suggest you access RWW on the external client
and download the latest SBS connection Manager and then install it on the
external client.

Please check if it works.

If it does not work, let's move on:

Before we go any further, I would like to suggest you re-configure the VPN
connection.

First, please re-run the CEICW Wizard, open Server Management console,
navigate to 'To Do List' and click 'Connect to the internet' in the right
panel. The wizard will help us automatically configure the internet
connection. You may refer to this step-by-step article to complete the
setup:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

Then, please run the "Remote Access Wizard" to enable the VPN Server
feature:
1. On the SBS server, click To Do List in the left pane of the Server
Management console.
2. Under Network Tasks, click Configure Remote Access.
3. Click Next, click Enable Remote Access, click to select the VPN Access
check box, and then click Next.
4. Type the fully qualified public domain name (FQDN) of your server, click
Next, and then click Finish. (If you don't have a public FQDN, please
replace it with your public IP address)
5. When the wizard is completed, click Close.

Based on my experience, error 800 is caused by a router that has outdated
firmware in some cases. Please check this KB article to see if your
hardware router has applied the latest firmware. You may contact the vendor
of the hardware router for more detailed information.

Error Message: VPN Connection Error 800: Unable to Establish Connection
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q319108

To check if the VPN is blocked by the hardware router, we usually use the
PPTP Ping to test if 1723 port and GRE protocol are allowed to pass
through. To do so:
a. Please run Pptpsrv.exe on the server side.
b. Run Pptpclnt.exe [ServerNameorIPaddress] on remote client.
c. When prompted by Pptpclnt.exe, type some text to send to Pptpsrv.exe,
and then click Enter.
d. You will see the text received at the host running Pptpsrv.exe. Then you
will see five GRE packets sent from Pptpclnt.exe and received at
Pptpsrv.exe.
Provide me with the output for reference.

NOTE: PPTP Ping tools (Pptpclnt and Pptpsrv) exist in Windows XP support
tools. For your convenience, I have attached the file within this reply.

NOTE: You should stop the Routing and Remote Access service on the RRAS
(VPN) server so that PPTPSRV can bind to port 1723

Basically, we will use PPTP Ping utility to determine whether any hardware
router or firewall is blocking GRE Protocol 47. The router must be able to
pass Generic Route Encapsulation (GRE) protocol 47 for PPTP traffic to
connect correctly to use VPN. When a cable/DSL router cannot map GRE
protocol 47 to the Routing and Remote Access server, you cannot connect to
the server from the Internet.

If the problem persists, please help me gather the ISA info and ISA log:

1. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/isainfo/ISAInfo.zip

2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me at v-mzhuan@xxxxxxxxxxxxx

2. Please also help to gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is shown there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be able to be deleted; that's normal.) You may back them up first
and then delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.

14) Please also let me know the IP address of the testing clients so that I
can filter the data.

Hope the above information helps. Please feel free to let me know if there
is anything I can do for you.

Best regards,

Manfred Zhuang(MSFT)
Microsoft Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: VPN with ISA
| From: =?Utf-8?B?Sm9l?= <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: VPN with ISA
| Date: Sat, 26 Jan 2008 12:52:01 -0800
| Newsgroups: microsoft.public.windows.server.sbs
|
| Will not be able to try that until next week when I will be onsite. I can
| VPN from the shop providing I create a manual VPN connection. The SBS
| connect utility will still not work.
|
| "Claus" wrote:
|
| > That's good and to answer your question, yes, the CEICW will configure
| > everything for you if you select the VPN option.
| >
| > So did you try to VPN from the subnet of the SBS WAN? What is the result?
| >
| > --
| > Claus
| > "Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| > news:41BC0FF3-4DD1-41A5-A9A1-A254AC476595@xxxxxxxxxxxxxxxx
| > > Claus, at the beginning of this post my question was "when I run the
| > > CEICW does it automatically configure port 1723 in ISA". I have since
| > > verified this myself by examining the ISA rules as stated by my comment
| > > of port 1723 being open for PPTP. I rarely make changes any other way
| > > unless Microsoft recommends them.
| > >
| > > Joe
| > >
| > > pptp protocol
| > >
| > > "Claus" wrote:
| > >
| > >> The SBS box is a highly integrated and optimized selection of servers.
| > >> It works great if you follow the rules but you can really mess it up if
| > >> you don't follow the rules. The most important rule is to use the
| > >> wizards whenever possible.
| > >>
| > >> In your case, running the CEICW and selecting the VPN option will set up
| > >> everything for you - including the settings for the connection manager.
| > >> Unless you really know what you are doing you should not mess with the
| > >> ISA trying to set something up manually. But even then, as you learned,
| > >> certain parts are not configured (the parameters for the connection
| > >> manager).
| > >>
| > >> Do yourself a favor and change things back to the default. Then rerun
| > >> the CEICW with all steps and try the connection from the subnet of the
| > >> SBS WAN.
| > >>
| > >> --
| > >> Claus
| > >> "Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| > >> news:5AEE8709-FD43-4BC7-8967-1CC083EC6BDB@xxxxxxxxxxxxxxxx
| > >> > That would be an interesting experiment. I will try that. Right now my
| > >> > external NIC is set to my public ip and all traffic is routed to it,
| > >> > but that would be an interesting experiment.
| > >> >
| > >> > I have since gone into ISA and found port 1723 is enabled as pptp. I
| > >> > was looking for something that would say VPN (which I now remember
| > >> > uses pptp).
| > >> >
| > >> > I did set up a manual VPN connection and connected to the server. The
| > >> > SBS "connect to SBS server" won't work however. It gives me an error
| > >> > 800. Don't yet know why one will work and not the other ?????
| > >> >
| > >> > Joe
| > >> >
| > >> > "Claus" wrote:
| > >> >
| > >> >> No further hardware would be required no matter how many IP addresses
| > >> >> you get. But depending on the hardware that has been put in place
| > >> >> there could be some filtering. The easiest way to find out if your
| > >> >> problem is within the SBS or not is to plug a small switch between
| > >> >> the ISP hardware and your SBS box. Then plug in a laptop or
| > >> >> workstation into that same switch, assign it an IP address within the
| > >> >> same subnet and then test the VPN. If the connection works you know
| > >> >> that your SBS box is configured correctly. If you have trouble
| > >> >> figuring out what IP would work for the workstation, post an ipconfig
| > >> >> of your SBS WAN NIC.
| > >> >>
| > >> >> --
| > >> >> Claus
| > >> >> "Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| > >> >> news:821481C7-79F6-4808-80ED-F391DAB8C65C@xxxxxxxxxxxxxxxx
| > >> >> > Yes, that is correct. You have to have some hardware or you can't
| > >> >> > have a T1 data termination. But it is always provided by the service
| > >> >> > provider. He assigns you a fixed IP or range of IP addresses to their
| > >> >> > one ethernet jack. If you only need one IP address no further
| > >> >> > hardware is required on your part other than the NIC card on your
| > >> >> > server. An external router or firewall is optional on your part.
| > >> >> >
| > >> >> > "Claus" wrote:
| > >> >> >
| > >> >> >> There has to be some hardware between the T1 and the SBS WAN NIC
| > >> >> >> otherwise it wouldn't work.
| > >> >> >>
| > >> >> >> --
| > >> >> >> Claus
| > >> >> >> "Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| > >> >> >> news:B95C9230-08C7-43BB-A6FD-322E7F2CA8B2@xxxxxxxxxxxxxxxx
| > >> >> >> > I have a customer with a T1 that forwards our public IP direct to
| > >> >> >> > the external NIC on the SBS2003 server running ISA 2004. When I
| > >> >> >> > run the ceicw and enable VPN does it automatically configure port
| > >> >> >> > 1723 in ISA to pass thru?
| > >> >> >> >
| > >> >> >> > So far I've had no luck getting in using the SBS connect
| > >> >> >> > executable. I always get the error 800 message on the client end.
| > >> >> >> >
| > >> >> >> > Joe
| > >> >> >>
| > >> >> >>
| > >> >> >>
| > >> >>
| > >> >>
| > >> >>
| > >>
| > >>
| > >>
| >
| >
| >
|
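
Added example (not part of the original thread, and not Microsoft's PPTP Ping tool): a Python sketch of the TCP 1723 half of the check described in the post, which builds the RFC 2637 Start-Control-Connection-Request and parses the reply. It assumes the real PPTP server (RRAS) is listening when `probe` is used, the host and vendor strings and the sample reply are constructed values, and a good reply says nothing about GRE protocol 47, which still has to be tested separately.

```python
import socket
import struct

PPTP_PORT = 1723            # TCP control channel; tunnel data is GRE (IP protocol 47)
MAGIC_COOKIE = 0x1A2B3C4D   # fixed value from RFC 2637
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
# length, message type, cookie, control type, reserved0, version, result code,
# error code, framing caps, bearer caps, max channels, firmware, host, vendor
FMT = "!HHIHHHBBIIHH64s64s"
SIZE = struct.calcsize(FMT)  # 156 bytes

def build_sccrq(host=b"diag-client", vendor=b"added-example"):
    """Build the first control message a PPTP client sends on TCP 1723."""
    return struct.pack(FMT, SIZE, 1, MAGIC_COOKIE, SCCRQ, 0, 0x0100,
                       0, 0, 3, 3, 0, 0, host, vendor)

def parse_sccrp(data):
    """Validate a Start-Control-Connection-Reply and return its key fields."""
    if len(data) < SIZE:
        raise ValueError("short or empty reply on the control channel")
    f = struct.unpack(FMT, data[:SIZE])
    if f[1] != 1 or f[2] != MAGIC_COOKIE or f[3] != SCCRP:
        raise ValueError("not a Start-Control-Connection-Reply")
    return {"ok": f[6] == 1,   # result code 1 = channel established
            "result": f[6], "error": f[7],
            "host": f[12].rstrip(b"\0").decode("ascii", "replace")}

def sample_reply(result=1):
    """Constructed reply bytes (not captured from a real server)."""
    return struct.pack(FMT, SIZE, 1, MAGIC_COOKIE, SCCRP, 0, 0x0100,
                       result, 0, 3, 3, 0, 0, b"sbs-server", b"constructed")

def probe(server, timeout=5.0):
    """Send the request to a live server and parse whatever comes back."""
    with socket.create_connection((server, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < SIZE:
            chunk = s.recv(SIZE - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)

if __name__ == "__main__":
    print(parse_sccrp(sample_reply()))          # offline check of the parser
    print(parse_sccrp(sample_reply(result=2)))  # server refused the channel
```

A connection timeout or refusal from `probe` points at TCP 1723 being filtered before the server; a valid reply followed by a failing VPN dial points at GRE being dropped along the path.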
