Re: Outbound VPN
- From: v-gzwang@xxxxxxxxxxxxxxxxxxxx (Guozhen Wang[MSFT])
- Date: Wed, 28 May 2008 09:15:48 GMT
Hello Anthony,
Thank you for your post and also thanks for Joe and Dave's great help.
My name is Gary Wang, and it is my pleasure to work with you on this issue!
Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:
Your SBS client cannot establish PPTP VPN through ISA 2004.
If I have misunderstood your concerns please feel free to let me know.
Suggestion :
==============
I would like to suggest that you check the following:
1. If you followed KB923836 to create a new policy for PPTP VPN,
please note that a rule might be configured so that it blocks certain
traffic before your rule permits that traffic. In this scenario, you must
modify the rule hierarchy. To move a rule up in the rule hierarchy,
right-click that rule, and then click Move Up. When you are finished
modifying the rule hierarchy, click Apply to update the firewall policy,
and then click OK. Also, do not forget to click Apply at the top after the
rule was created.
Note: Move the new rule above the "SBS Internet Access Rule", or move it to
the top.
Also, you may like to refer to the following article:
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/isa2004se_vpnkit-rev%201%2004.doc
Chapter 6: ISA Server 2004 VPN Deployment Kit: Configuring the ISA Server
2004 Firewall for Outbound PPTP and L2TP/IPSec Access
Also, while creating the PPTP rule, you may like to include the protocols:
IKE Client, IPSec ESP, IPSec NAT-T client and PPTP with allow for all users
as a test.
2. Referring to Dave's input, please double-check with the remote VPN
device's manufacturer whether it supports PPTP pass-through.
3. Make sure port 1723 and IP protocol 47 (GRE) are open on the remote
device.
4. Make sure your SBS network and the remote site are not in the same subnet.
5. Refer to the following link to run Configure Remote Access to enable
PPTP access.
You receive an "Unable to establish the VPN connection" error message when
your Windows Small Business Server 2003-based client computer tries to make
an outgoing PPTP connection
http://support.microsoft.com/kb/886621
6. Turn off the ISA client firewall on the client as a test. Also, please
refer to the article below to check whether the client has set its default
gateway to SBS's internal IP address:
When you use the ISA Server 2006 or ISA Server 2004 Firewall Client
program, you cannot make a PPTP-based VPN connection
http://support.microsoft.com/kb/887006
7. If you have applied Windows Server 2003 SP2 on your SBS server, please
refer to the following link:
You may experience network-related problems after you install Windows
Server 2003 SP2 or the Scalable Networking Pack on a Windows Small Business
Server 2003-based computer that has an advanced network adapter
http://support.microsoft.com/kb/936594/en-us
8. Please try connecting one client directly to the ADSL NAT router and
test the VPN connection. This way, we can bypass SBS to narrow down the
root cause. Also, you need to set up a correct IP address for the client to
connect to the Internet.
If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:
Information Needed
==============
1. Check Event Viewer for related information; if there is any, please
save it to *.evt and send it to me.
2. Run command "ipconfig /all > c:\ipconfig_sbs.txt" and "route print >
c:\route_sbs.txt" on SBS, send the files c:\ipconfig_sbs.txt and
c:\route_sbs.txt to me.
3. Run command "ipconfig /all > c:\ipconfig_client.txt" and "route print >
c:\route_client.txt" on the problematic client, and send the files
c:\ipconfig_client.txt and c:\route_client.txt to me.
4. Please try the VPN connection from another remote client that connects
from another ISP. Does the issue reoccur?
5. Please capture screenshots of the client error messages and send the
pictures to me.
6. Please help to gather the ISA Info:
1) Download the file from the following URL:
http://www.isatools.org/tools/isainfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.
7. Please also help to gather the ISA logs:
1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, and make sure the 'Task
Pane' is shown there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF files
may not be able to be deleted; that's normal.) You may back them up first
and then delete them.
12) Go back to the ISA 2004 management console, and then start the stopped
'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the resulting
W3C files and send them to me for analysis.
14) Please also let me know the IP address of the testing clients so that I
can filter the data.
My email address is v-gzwang@xxxxxxxxxxxxxx
I look forward to your reply. Also, if you have any questions or concerns,
please do not hesitate to let me know. I am happy to help. :-)
Thank you for your time and cooperation!
Best regards,
Gary Wang(MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Outbound VPN
| Date: Tue, 27 May 2008 15:29:31 -0400
|
| This is often an issue with settings on the router or the firewall at the
| remote end. You have to make sure that Protocol (not port) 47 is enabled
| throughout - it could be called GRE, PPTP pass-through, or something
| similar. And port 1723 needs to be open. Lastly, the two networks need to
| be on different subnets - if they're both 192.168.1.x, for example, routing
| between the networks will fail.
|
| Not sure what's running on the remote side, but many firewalls disable PPTP
| by default. That includes the built-in Vista firewall and WLOC.
|
|
| "Anthony from Solution One Ltd."
| <AnthonyfromSolutionOneLtd@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| news:0DEAEDC8-5B86-4973-926B-86A94042535E@xxxxxxxxxxxxxxxx
| > Hi, I am managing a SBS 2003 Premium server with 2 NIC's and ISA 2004
| > (SP3)
| >
| > the PC's connected to the network are unable to make PPTP vpn connections
| > to other sites, I have followed the steps in this KB
| > (http://support.microsoft.com/?kbid=923836) to no avail.
| >
| > I believe it is an issue with NAT, as the server external NIC is connected
| > to a router with NAT to connect to the internet through a ADSL connection,
| > but the knowledge base article does not suggest that this will be an
| > issue.
| >
| > can anybody confirm this, or possibly suggest a fix.
| >
| > thanks in advance.
|
|
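
Added example, not part of the original thread: a Python check for the subnet-overlap condition raised in step 4 and in Dave's reply, run against the `route print` output requested above. The sample output, the function names, and the remote subnets in the calls are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of "route print" output in the Windows Server 2003 layout.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10     20
     192.168.1.10  255.255.255.255        127.0.0.1       127.0.0.1     20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10     20
     192.168.16.0    255.255.255.0     192.168.16.2    192.168.16.2     10
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10     20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10      1
Default Gateway:       192.168.1.1
"""

QUAD = r"(\d{1,3}(?:\.\d{1,3}){3})"
# A route row is: destination, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*" + r"\s+".join([QUAD] * 4) + r"\s+(\d+)\s*$")


def local_subnets(route_print_text):
    """Return the real subnets in the table, skipping default, host,
    loopback and multicast entries."""
    nets = set()
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, "Default Gateway:" line
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError:
            continue  # malformed address or non-contiguous mask
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        nets.add(net)
    return sorted(nets)


def overlapping(route_print_text, remote_cidr):
    """List local subnets that overlap the remote site's subnet."""
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return [n for n in local_subnets(route_print_text) if n.overlaps(remote)]


if __name__ == "__main__":
    for remote in ("192.168.1.0/24", "10.20.30.0/24"):
        hits = overlapping(SAMPLE_ROUTE_PRINT, remote)
        print(remote, "overlaps" if hits else "ok", [str(h) for h in hits])
```

A non-empty result means the local and remote sites share address space, so traffic for the remote network would be routed locally instead of into the tunnel.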