Forefront Edge Security Virtual Private Networks Forum

VPN client route over site to site vpn ISA 2006

Thu, 26 Nov 2009 17:22:23 Z

I have enabled VPN client access and created a site to site VPN (ipsec)
The VPN clients are on 10.10.20.x (RRAS assigned)
The ISA is on 10.10.10.x lan
The remote site is 147.89.x.x

How do I get the VPN clients to route to the remote network. Currently they just route over their normal default gateway.

We used to have this setup on a Cisco and it automatically placed an entry in the routing table of the clients for 147.89.x.x, but I can't see how to do it with ISA

Oracle NET v2 S2S VPN through ISA 2006

Fri, 13 Nov 2009 12:34:17 Z

Hi,

I hope somebody has come across this issue before, i'll try to keep it as breif as possible. We have a S2S VPN between and Juniper SSG and ISA 2006. The tunnel comes up fine and we are able to route between Enc-Domains no problems. We have a Oracle 10g DB server behind the ISA server which is monitored using SQLNet v2 over the VPN from behind the Juniper. Connecting to the DB is no problem on port 1521, we can see the connections passing through the ISA when telnetting on 1521 the policy is 'ANY tcp/udp' traffic, when telnetting the connection is made in the telnet session. However because of the way that SQLNetV2 (used in Oracle 8 onwards) handles connections in - apparently requesting the client to connect in on another port than 1521 I think that this is failing despite the ANY flag, see following link.

http://www.orafaq.com/maillist/oracle-l/2000/07/21/0173.htm

Now from experience Juniper and Checkpoint firewalls have a specified SQLNetv1 and V2 service profiles that must in some way allow for this type of connection. Can anyone tell me if ISA has allowed for this and if not can this custom service be created. Has anyone else experienced and overcome this problem?

Thank You.

Isa 2006. IPSec VPN vs. Kerberos, LDAP

Wed, 11 Nov 2009 14:20:47 Z

Good day.
Our config: DC <- Cisco 851 <- Site-to-Site IPSec -> ISA 2006 Standard -> DC
Few days ago we find replication between this DC`s dont work.
In ISA Monitoring list of different errors - isa blocs Kerberos-SEC (TCP), LDAP, Unidentified IP Traffic (diff. ports). All this errors comes with empty Rule field.
All other traffic work perfect.
We enable IPSec Logging on ISA and this is the events:
Event Type: Information Event Source: IPSec Event Category: None Event ID: 4291 Date: 11.11.2009 Time: 12:51:48 User: N/A Computer: ХХХ Description: The IPSec driver has dropped the following outbound packet: Source IP Address: Х.Х.Х.Х Destination IP Address: У.У.У.У Protocol: 6 Source Port: 35278 Destination Port: 88 Offset for IPSec status code: 0x14 Offset for Offload status code: 0x10 Offset for Offload flags: 0x20 Offset for packet start: 0x28 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 00 00 2a 00 06 00 76 00 ..*...v. 0008: 00 00 00 00 c3 10 00 40 ....Ã..@ 0010: 00 00 00 00 01 00 00 c0 .......À 0018: 00 00 00 00 00 00 00 00 ........ 0020: 00 00 00 00 00 00 00 00 ........ 0028: 45 00 05 dc 7f c7 40 00 E..ÜÇ@. 0030: 7f 06 d2 25 ac 10 04 04 .Ò%¬... 0038: ac 10 48 0a 89 ce 00 58 ¬.H.‰Î.X 0040: da 6c f6 a2 f6 a5 b2 07 Úlö¢ö¥². 0048: 50 10 ff ff 36 f3 00 00 P.ÿÿ6ó.. 0050: 00 00 ..

Isa works on Windows Server 2003, reg value NoDefaultExempt=3

Thanks for any help.

Sonic Wall Global VPN client

Wed, 04 Nov 2009 14:01:08 Z

Hi, we have a ISA Server 2006 Standard. I'm trying to setup a SonicWall Global VPN client from a PC internally to access an external network. Following this article http://www.isaserver.org/articles/IPSec_Passthrough.html
got me connected, but I'm not receiving an IP addr. It kept indicating "acquiring network address" and stays there forever. Can anyone help pls?

Issues with Outbound Cisco VPN Client connection through ISA 2004

Thu, 05 Nov 2009 00:04:42 Z

We have a few computers which need to be able to connect to a database on a server inside an external network. From these computers a VPN tunnel is created to the VPN Server in the external network using the Cisco VPN Client with IKE Client - UDP port 500 and IPSec NAT-T Client - UDP port 4500. I have created a rule on our ISA 2004 server which allows these Protocols between the IP addresses of our computers and the external VPN Server.

On the computers, the VPN connection shows that it has been connected and the ISA logs confirm this. However, no traffic is actually passed through the VPN tunnel with the Firewall Client installed on the computers. Immediately, I can see DNS traffic bound for the external network in the ISA logs, traffic which should be passing through the VPN tunnel. The same is true for the SQL traffic when attempting to create the ODBC connection, no connection can be established.

With the firewall client uninstalled, the ISA logs show the connection of the VPN Tunnel and then nothing else as the DNS and SQL traffic are passed through the VPN Tunnel and connection to the database is established.

What do I need to do for the traffic to be passed through the VPN Tunnel, with the Firewall Client installed on the computers?

IAS Error

Fri, 30 Oct 2009 08:30:39 Z

Hi We have a WIn2003 R2 Domain controller that is also running RRAS and we are getting this error everytime a user logs in through VPN to our system. It onlys happens once in the day for that user even if the user logs in and out numerous times that day. If he logs in again next day we get the error again. The error we get is

Event Source:    IAS
Event Category:    None
Event ID:    5052
Date:        8/17/2009
Time:        12:53:26 PM
User:        N/A
Computer:    SERVERNAME
Description:
The description for Event ID ( 5052 ) in Source ( IAS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: DOMAIN.LOCAL."

Thanks for your help.

Forgot to mention that we do not use IAS as part of our VPN

how connect 2 networks with VPN

Fri, 16 Oct 2009 21:58:37 Z

Hello people,

I am probably going to ask something common, but I haven't figured this one completely.
A customer has a small network installed with SBS 2003 server.
Now he has opened another office and from the second office we can connect to the head office with VPN.
This works quite well, but now I want to merge the second office with the head office, so we would have only one network.
The reason is that it would be much easier to manage and we can share resources.
I know there are VPN routers that can do the job, but is there an alternative on how to connect the 2 networks?

Regards,
Erdal

ISA 2006 VPN with a WIN XP SP2

Tue, 13 Oct 2009 12:51:16 Z

Hi,
My corporate network uses a ISA 2006 FW. The admin created a new VPN connection on my XP laptop and I was able to connect to the shared resources on our LAN once I established the VPN.

So, last week, I purchased a new wireless N router and at the same time, my XP laptop died and I had the admin replace the HD.

Now, I just reinstalled all of my programs and I had the admin recreate the VPN connection and at the same time, we installed my new Wireless N router at my home.

Issue: I can successfully establish the VPN, but I cannot access any network resources in the corporate office. I cannot PING by IP or hostname, RDP, or cannot even access shared files.
I can do a IPCONFIG, and my laptop does pull an IP address properly from the ISA FW.

I have disabled my firewalls and AV programs.

So, Ive come to conclude that two things have changed. I installed a new router, and I had to have my laptop reformatted.
The admin says there is nothing he has to do on his end to accept the new VPN connection.
Could it be something in my new wireless router that is blocking shared resources? Since I can connect to the VPN, but not shared resources, to me, it seems that the VPN is working.

Any help would be very appreciated.

Wake on LAN through Site to Site VPN

Fri, 25 Sep 2009 01:35:36 Z

I'm having trouble getting Wake on LAN to work across an ISA 2006 site to site VPN. Attemping this using unicast packets. I can see the traffic on both sides of the vpn link. Logs below. Still, the target machine doesn't wake up. When I send the same WoL packet on the local subnet it works fine. Any ideas?

Initiated Connection
Log type: Firewall service
Status:
Rule: Allow Wake on LAN to Branch
Source: Internal (xxx.xxx.xxx.xxx:4786)
Destination: Branch1 (yyy.yyy.yyy.yyy:9)
Protocol: Wake on LAN
Result Code: 0x0 ERROR_SUCCESS

Closed Connection
Log type: Firewall service
Status:
Rule: Allow Wake on LAN to Branch
Source: Internal (xxx.xxx.xxx.xxx:4786)
Destination: Branch1 (yyy.yyy.yyy.yyy:9)
Protocol: Wake on LAN
Result Code: 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN

After Cisco VPN client uninstalled, Internet Connection Sharing is f*cked up

Fri, 18 Sep 2009 16:03:58 Z

I've installed a recent Cisco VPN clientin Windows XP SP3, fully patched.
And uninstalled it again after a succesful test connecting to work.
But now the other computers on my LAN cannot use Internet Conection Sharing (ICS) _completely_.
DNS works and *some* HTTP pages load, but others don't.
F.e. google.com and imdb.com work, but microsoft.com does not work.

Can anyone help please please? I've tried all kinds of firewall changes / reset but nothing changes.

Thanks in advance,
Richard

BTW: Looking arounf the internet I see that the "Cisico VPN client" has caused a million hours of grief already. Grrr.

Forefront TMG MBE - Remote VPN - RSA SecureID

Fri, 18 Sep 2009 14:17:13 Z

I have built a new Forefront Threat Management Gateway MBE server running RSA Authentication manager 6.3.1 on a Windows 2008 Server. Additionally I am running RSA SecureID 6.1.3 Server on Windows 2003 hyperv machine. Running a test authentication from the TMG to RSA is successful.
Configuration as per http://technet.microsoft.com/en-us/library/cc441545.aspx

But how do I actually configure my PPTP VPN connection to require SecureID Details? Currently when I connect via vpn it connects without prompting for my RSA details just my username and password.

Any help would be much appreciated.

Outbount VPN connection on ISA Server 2004

Mon, 31 Aug 2009 13:33:27 Z

Hello,

I have ISA Server 2004 and several Site-to-Site VPN connections. All connections works fine.

I have problem with one connection, where I cannot make VPN connection. It is PPTP connection and I got an error on ISA Server.
I also got an error if I tried to establish connection from client behind the ISA server. I got an error 619.
If I connect this client directly to the Internet, I can establish the connection.
I also tried to established VPN connection to several destination and all gone fine.

I also tried to turn off ISA server and set up the same IP to my client and I succeed to establish connection.

Is there any idea, what can cause problem to only one VPN connection?

Regards,
Lovro

ISA 2006 EE VPN for users from trusted domain

Tue, 21 Jul 2009 08:38:00 Z

Hi,

is it possible to authenticate PPTP VPN users from Windows Server 2008 R2 RC Domain A which is trusted by Windows Server 2003 R2 Domain B (validated ONE way trust) on NLB of ISA Servers 2006 Enterprise SP1? Please, give me some hints or helpful links 'cos I'm desperate.

Thanx,
Dawid

Event ID ( 5052 ) in Source ( IAS )

Mon, 17 Aug 2009 17:06:57 Z

I recently migrated from an NT4 domain to a Server 2003 With Active Directory domain. Following the instructions in Article 884452 I implemented a Small Business Server into an existing Active Directory domain. The SBS server is the Primary Domain controller. The other DCs are configured as backup DCs. (2 of them)

Today I was trying to install Exchange Server 2003. SBS had me run through an internet connection wizard. As well as forest prep and domain prep. Ever since these events happened my remote workers can no longer connect to our RRAS server (on another server entirely). They are receiving a 691 error.

When I check in the event viewer, I am getting the following error message: "Event Type:    Error
Event Source:    IAS
Event Category:    None
Event ID:    5052
Date:        8/17/2009
Time:        12:53:26 PM
User:        N/A
Computer:    SERVERNAME
Description:
The description for Event ID ( 5052 ) in Source ( IAS ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: DOMAIN.LOCAL."

Can someone please advise what I need to do to allow remote connectivity again. I am not running ISA (AFAIK).

Thanks in advance

PUblishing to specific private IP for an IPSEC VPN partner

Sun, 16 Aug 2009 21:01:18 Z

I have an edge only two member load balanced ISA 2004 EE array with only internal and external interfaces. I have a partner site that I need to create an IPSEC VPN tunnel with. They route to a network that has the same IP scheme that I have on my internal LAN, so we will need to NAT to each other. He is going to NAT his side behind a 150.30.0.0/16 and needs me to NAT behind 10.163.195.16/29 (this range works for me).

I've created many IPSEC VPNs before but none where the other side routed to a network with the same IP scheme as ours. I've never published a server to a private IP address. The only thing I've published was my e-mail server to a public address.

How do I publish an internal server to a specific private IP address for an IPSEC VPN partner site to access? I'm assuming I will need to add an IP address to one of the NICs? If so which one, the external or internal? I guess I'll need to set up a NAT route rule between the VPN network and my internal?

Any help would be appreciated.

Oh, I forgot to mention; this is not a web publishing rule, but needs to be a server publishing rule for a protocol that I will define.

Leonard McCoy

Random IP requesting and making successful connections ... should only have host and private vpn IP's requesting connections.

Thu, 13 Aug 2009 18:21:14 Z

ISA Server 2006
Users connect through VPN and get assigned a 10.10.10.x IP address.

Looking through the logs, under "C_IP" (IP of requesting client) I see some IP addresses of the host (for updates and such, makes sense) and some private IP addresses of clients connecting through the VPN (10.10.10.x) but then I also see some random IP addresses. WHAT ARE THESE??

A whois does not give me much information at all... It shows they are are using HTTP to access websites... and they are being provided the service by my host IP address.

No one else should be connecting other than the host connections and the vpn users with the private IPs, so where are these coming from????

THANKS.

Getting rid of red x's.

Mon, 10 Aug 2009 19:09:11 Z

How do I get rid of the red x's that come up on my web pages instead how what should be there?

And how can I work on web pages that don't work with Explorer 8?

LDAP Integration Setup

Mon, 27 Jul 2009 21:30:33 Z

We are trying to setup a new ISA server in our DMZ that will not be a domain member, but rather will authenticate VPN users against the domain via LDAP. I believe we have all of the LDAP settings correct, and have verified connectivity to the domain server using LDP.exe (as well as a connectivity verifier). However, when we go to the Groups tab in the VPN Client Properties dialouge box and try to add a new group from the domain, we are only given the choice to add groups from the local machine...as if it does not see the domain server.

Does anyone have any setup or troubleshooting tips around this problem?

Thanks in advance.

Stephen

Stephen Stark

ISA server

Tue, 14 Jul 2009 07:48:03 Z

In virtual lab i have configured One web server in internal network and one client in external. I published two websites www.deny.com and www.access.com in internal web server. I tried to redirect the web site if user from client want to access www.deny.com but i can't redirect it

RAS VPN problem following windows updates

Thu, 16 Jul 2009 08:09:34 Z

We run ISA 2006 SP1 on Windows 2003 Std. SP2. It's a Celestix firewall appliance. Everything was running perfectly until recently when we applied a raft of Windows critical and security updates (about 30+). Since then if you restart the firewall PPTP MS VPN clients cant connect. Restarting the RAS service within ISA Manager doesn't clear the problem, if you restart the firewall service, then RAS it all works again and is stable.

I need to find out which Windows update has messed the VPN up but removing each of the 30 updates one by one and restarting will be a pain. Can anyone suggest any updates that might be at fault here post Server 2003 SP2?

I was wondering if I would have claim to a free support issue from Microsoft on this, given the circumstances.

Any help appreciated.

Paul

Site to Site VPN Connection problems

Wed, 08 Jul 2009 23:39:58 Z

I am adding a 4th Branch office to our network via VPN. Currently, 3 branch offices are running ISA 2006 Std with ISA 2006 EE at the Main office. I would like to set up the 4th office using a Netgear FVS318 VPN router.
    I set up the Site to Site vpn using IPSec ( recomended in the setup with 3rd party VPN ) rather than the L2TP that the other branches are set with. With all the settings checked and double checked I have no connectivity with the Netgear router.
    I can ping the Ext. IP address of the router but not the lan ip address
    The ISA EE connectivity verifiers report Time Out errors
    The Netgear router has access to the Internet
I feel that I am missing something , but I had this issue before with a Linksys vpn router and was not able to configure it.
Any suggestions?

IPSec L2TP site-to-site VPN from ISA 2004 on SBS to Windows 2003 - no longer working

Tue, 09 Jun 2009 03:22:40 Z

As of today the remote office Windows 2003 Server was no longer able to connect in our site-to-site VPN. There were no changes to either server.

We have since tried anything we could think of. We are using pre-shared key rather than certificates so the pre-shared keys were re-entered, we rechecked the AD VPN user's to make sure they were active, IPSec and RRAS services were restarted at both locations. And we checked event logs (more on that below). Client's connecting through PPTP are still able to connect.

Event log: Error 20111 from RemoteAccess "A Demand Dial connection to the remote interface VPN_*HEADOFFICE* on port VPN3-127 was successfully initiated but failed to complete successfully because of the following error: The L2TP connection attempt failed because security negotiation timed out.

Prior to that error, however, there are two events 20186 "Interface VPN_*HEADOFFICE* is now reachable." and 20180 "Interface VPN_*HEADOFFICE* is unreachable because the connection attempt failed."

So it appears to make a connection, but then drops the connection. I've also looked into the Oakley logs and found the following:

- - - - 6-08: 22:20:13:367:c04 MatchMMFilter failed 13013
      - 6-08: 22:20:13:367:c04 Responding with new SA 0
      - 6-08: 22:20:13:367:c04 HandleFirstPacketResponder failed 3601

I wasn't able to locate any information that would resolve this issue based on the highlighted items. There are other people reporting similar issues, but no one with a resolution.

I also noticed that the "Receive: (get) SA" value was "0x00000000" for transmissions from the Remote office VPN. Obviously those should be filled with a real value. When I looked at the oakley log in more detail I was able to find SA values but they would then be followed by other transmissions where the SA was reset back to 0. I wasn't able to find any information about the cause of this.

Finally, I found this in the log:

- - - - Sending: SA = 0x07DB3BC8 to xxx.xxx.xxx.xxx:Type 2.500
      - sadb_schedule_kill_oldPolicy_sas
      - isadb_set_status sa:07DB3BC8 centry:00000000 status 3619
      - New policy invalidated SAs formed with old policy
      - Sent first (SA) payload Initiator. Delta Time 30 0x0 0x0
      - constructing ISAKMP Header
      - constructing DELETE. MM 07DB3BC8
      - 6-08: 22:49:27:874:c04

What that appears to be saying is that a new policy is invalidating and destroying the old policy (the old SA?). However, we did not implement any new policy?! No changes were made until after the VPN broke and I have kept notes of those changes (the most significant being the change in the shared key).

Ideas anyone?

Site to Site VPN not passing traffic on port 80

Fri, 05 Jun 2009 15:48:14 Z

Hi,

I currently have configured a site to site VPN to a 3rd party hosting some web servers for us

Although i have configured ISA to pass all traffic types across the VPN tunnel ISA does not appear to pass traffic on port 80 ( although i can connect to a telnet session on port 80 )

All other traffic types appear to route correctly ( ie 443 )

I have followed advice with regards to setting up a 2nd HTTP protocol that does not apply the Web proxy filter and denied the use of the original HTTP protocol for this firewall rule

Although this does not seem to have had the desired effect

ISA returns an error 10065 A socket operation was attempted to an unreachable host on monitoring with the additional information below :

Client agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 62969 ms
MIME type:

can anyone advise ? .. has anyone seen this in thier environment?

Kind Regards

ISA ipsec site-to-site VPN limit proposed addresses

Fri, 15 May 2009 14:21:43 Z

We've got a few ISA 2004 servers in-place, and a relatively complex network (multiple subnets with rules controlling traffic between them). We support a few VPN connections, and we're attempting to create another one.
What makes the new one interesting is that it is a simple IPSEC connection to a Cisco router owned by an external entity. I've created the remote site, an appropriate network rule (only two of our subnets need to access the remote site), and the appropriate firewall rules. All should be well.
However, I've hit a stumbling block. Although I can easily restrict (using network rules) which local networks can use the new VPN, and (using firewall rules) what traffic to allow, the IPSEC proposal still includes ALL of my internal networks (well, all of the ones that this particular ISA box uses). I haven't been able to find anywhere in the GUI that lets me limit that. I'd be happy to do it from a command-line as well, but I'm not even sure that I can see a way to do that, either. In essence, I want to make the IPSEC proposal include ONLY the appropriate subnets, and not ALL of our networks. Including all of them will automatically make the VPN connection fail, as I'm sure some of our internal (private IP-range) networks overlap with the ones used by the remote site.
Any help that anyone can supply would be very much appreciated. Thanks!

Problem with Site to Site vpn with ISA 2004 and SBS2003

Tue, 02 Jun 2009 11:48:20 Z

I recently configured a site to site VPn from our branch to main office.
After 10 days continuesly work, it stops today.

On the main site it says :

A Demand Dial connection to the remote interface xxxx_be_sts_vpn on port VPN4-2 was successfully initiated but failed to complete successfully because of the following error: Access was denied because the username and/or password was invalid on the domain

To be sure I changed the credentials in both servers to meet the same passwords....in User in AD, but also in ISA and RAS.

How to find out what the problem is...nothing changed on hardware or IP side.

Site to Site VPN for remote access

Fri, 05 Jun 2009 08:32:51 Z

I have been asked to setup a site to site VPN for one of our customers. We normally support our customers using webex but this customer wants to use a vpn for remote access. I've received the info from our customer but have a couple of questions before I implement it (I've never set this up before) We are using SBS2003 with ISA 2004

1. They have specified AES256 as the encryption but I can only see DES/3DES in ISA2004, is AES256 possible for IPSEC in ISA2004?
2. Once the VPN is established will all outgoing traffic try to route over the VPN?
3. If it will, can I set the VPN so it only routes RDP traffic for one IP address

Thanks.

ISA Server 2006 Branch office array unable to connect to the CSS in main office

Thu, 04 Jun 2009 13:39:49 Z

Hello,

I have set up a lab using ISA 2006 Enterprise Edition consisting of a single Enterprise with two arrays to simulate a main office/branch office site to site VPN scenario. I have configured the CSS in the main office to be located on the same box that is running ISA 2006 EE. No replica CSS has been deployed in the branch office and therefore the array member in the branch office is configured to connect to the CSS/ISA in the main office. The VPN connection is active and the branch ISA can communicate with a DC at the main office.

The problem that I'm experiencing is that the ISA 2006 EE array member in the branch office array is unable to connect to the configuration storage server in Main office. Also, the main office CSS/ISA is failing to connect to the branch office array member as the mgmt console of the ISA/CSS shows that it's unable to retrieve information from the server in the branch array.

When the branch office ISA tries to connect to the main office CSS/ISA, the logs on the main office array show that connections are being denied for the MS Firewall Storage and Control protocols. The source address is shown as the Branch ISA IP address assigned from the DHCP server on the main office internal network and the destination is the internal IP address of the CSS/ISA. When the main office CSS/ISA tries to retrieve information from the branch office array member, the logs show that connections are being denied to 'RPC (All Interfaces)'. In this case, the main office array logs show that the source address is the main office CSS/ISA IP address assigned from a static address pool configured on the branch ISA and the destination address is the internal IP address of the branch ISA.

Can anybody please help?

Thanks in advance.

Mac OS X 10.5 Client to ISA 2006 VPN via L2TP/IPsec

Wed, 03 Jun 2009 17:50:26 Z

I have been working diligently with our network engineer to get a Mac OS X 10.5 client to connect to our ISA 2006 VPN via L2TP/IPsec. I have searched high and low all over the place for information on this and I can't find much (not even "it doesn't work") so there is room for hope here... I know a lot of people are interested in getting it to work, but may not have the resources to really solve it -- I do, and am willing to try, but need help from someone besides the two of us here...

Here's the facts so far to cover where we are...

- ISA 2006 configured for VPN access via L2TP/IPsec.

- Confirmed configuration and accessibility; XP clients, even through NAT'ed home connections, either with PSKs or Certs can connect.

- Testing environment has been set up in the server room behind the external firewall to eliminate that variable (despite knowing Windows clients are OK though it). We are connected directly to the external interface of the ISA 2006 server so we are as hardwired as we can be to eliminate variables.

- Mac OS X 10.5 is the client in question. There have been older internet posts on 10.4 and prior, but that is not useful. PPTP works fine but is not viable for our needs. L2TP/IPsec is a MUST. Also, old posts alluded to a problem with MS-CHAPv2 -- we've tested with all auth methods enabled, but under 10.5, MS-CHAPv2 is supported (but I don't think we're even getting that far).

- Additional debug logging has been enabled for the OS X client (beyond it's publicly accessible setting of 'verbose'); We see it is failing at the end of Phase-1 negotiation. It appears that the proposals are being accepted by ISA (3DES, SHA1, etc) so we don't seem to have a problem with that part of it...

- The failure comes after the OS X client appears to send a Phase-1 packet, assumedly to complete that part of the process, and it does not digest what it gets back from the ISA server. It repeats this a handful of times until the connection timeout cuts us off. The timeout can be extended, but given the negotiation (on Windows) takes mere seconds, that doesn't seem to be the problem.

- Attempting to use a pure IPsec connection (using a 3rd party tool) gets through Phase-1 in its attempt, but dies in Phase-2 (assumedly since the tunnel isn't under L2TP so it fails with bad ID information). Regardless, this doesn't help much but assumedly tell us we can get farther than we are getting, so worth the mention.

We have pretty extensive knowledge of both pieces of the puzzle (OS X and ISA) and have a solid test environment -- what I am hoping is that someone out there has the secret sauce or has some new ideas since we are pretty much deadlocked at this point. I'll take anything...

PS> I can post log/config info if needed...

Vpn connection on a second domain

Tue, 19 May 2009 22:09:24 Z

Hi,

I've a problem with my vpn client.

My Isaserver (ISA 2006 SP1 on Windows 2003 Server R2 SP1) was on my first domain and i've two domain with relashonship.

When i want to connect a VPN client on my isa when is account is on the
second domain, i've a 691 error on the client.

I've insert the dns of the second domain on isaserver, i've add the client
group on isaserver but it doesn't work.

Thank's you for your help.

troubleshoot isa 2004 site to site vpn

Thu, 14 May 2009 08:28:24 Z

Hello,

I need to create a site to site vpn using an isa 2004 set on a 2003 box on my side and a netasq firewall on the other. I am not able to get the tunnel.

This isa is already used for an other vpn which is working.

The vpn uses a preshared key, and, as far as I can see, the parameters set on both sides are the same.
The phase I completes but I never get the Phase II
I have enabled auditing and oakley log to have information but they are not as usefull as I could hope :

The security events are :

IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address 217.167.*.*
Source IP Address Mask 255.255.255.255
Destination IP Address 10.32.*.*
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 217.167.*.*
IKE Peer Addr 84.96.*.*
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: 84.96.*.*

Failure Point:
Me

Failure Reason:
IKE SA deleted before establishment completed

Extra Status:
Processed third (ID) payload
Initiator. Delta Time 64
0x0 0x0

On the Other side the logs for the netasq are :

16:33:48.322662 FW_AC2i.isakmp > Firewall_Externe.isakmp: isakmp: phase 1 I ident[E]: [encrypted id]
16:33:48.324747 Firewall_Externe.isakmp > FW_AC2i.isakmp: isakmp: phase 1 R ident[E]: [encrypted id]
16:33:48.573812 FW_AC2i.isakmp > Firewall_Externe.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
16:33:49.489603 FW_AC2i.isakmp > Firewall_Externe.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] 16:33:51.476120 FW_AC2i.isakmp > Firewall_Externe.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]

We have tried to the parameters but we have never have any success with it.

Could someone see what goes wrong or what I could do to get some more accurate details ?

Best regards,

--
BG

Site-to-site vpn only works from ISA Server machine

Thu, 23 Apr 2009 08:58:59 Z

I am trying to get a site-to-site VPN to work between two sites. One is running ISA 2006 standard (the main site) and the remote site is running RRAS on Server 2003. I have looked at probably 20 different guides to setting up this kind of scenario, but it just will not work. Current, for testing, I have only tried to set it up using PPTP (not LT2P/IPSec) as I suspected it wouldn't work first go.

The demand dial connections in RRAS successfully connect on both machines, and from the ISA server machine I can ping the remote network (172.16.0.0/24). From the single machine on the remote network (running RRAS), I can also ping the ISA server (192.168.0.0/24).

*However*, from any other machine on the main network, I can't ping the remote site. And from the remote site, I also can't ping any other machine on the main network except the ISA server.

There is a route relationship network rule in ISA with Source=Main Network (internal) and Destination=Remote Network, and there are two separate access rules to allow all outbound traffic both ways between the remote site and main network, and vice versa.

Bizzarely, I can also ping the address on the VPN subnet (e.g. 172.16.0.2) that ISA gets assigned from the other machines on the main network, so I think it's safe to assume the routing is OK on those machines? It seems that ISA is just refusing the pass the data.

The only information that appears in the ISA live log when you try to ping the remote site from another machine is "connection closed" with the system policy ICMP rule, nothing else, and it only shows up in the logs intermittently.

Any ideas on what could be wrong with this config? I would like to stress that the pings work from the ISA machine to the remote site, and from the remote site to the ISA machine, but not from any other machines on the main network to the remote site.

User is not prompted to change password when using VPN at logon time

Mon, 30 Mar 2009 13:28:23 Z

We are using Windows Vista SP1 VPN with RSA Authentication Agent for Windows v. 6.1.2 to connect to a Microsoft ISA 2006 Server with RSA Authentication Manager v. 6.1.2. We are using EAP with secure ID tokens. We have no problem in establishing the VPN connection and getting access to internal network resources!

The problem arise when an administrator enables "User must change password at next logon" on the users domain account or when the users password expires. When the user then establishes the VPN connection at logon time, the user is not prompted by Vista for changing password (as it would if the user was directly on the company LAN)??? However since the domain require that the password must be changed, is seems that the user is not allowed access to the PC and the user is returned to the login screen!? The result is that the user is not able to login to his PC.

Anyone seen this before? Is there a solution somewhere??

Best regards
Bobo

2 WAN adapters and VPN access.

Fri, 24 Apr 2009 10:53:03 Z

Hi.
I have ISA 2006 Std. Usually we connect to Internet through our superior organisation's proxy (let's call it Proxy1 for short), which is configured on ISA as a gateway(WAN1). Now we need a possibility to create a VPN connection directly to our ISA server, bypassing that Proxy1. We've installed another NIC and configured a static direct IP on it, provided by ISP (WAN2).
So, if i configure gateways on both of our WAN cards, the internet connection go nuts (which is understandible). But it seems, i have to configure a gateway on WAN2, if i want to use it for VPN connections. Is there a way i can configure my server to use WAN2 for VPN, and WAN1 for Internet access? It's even possible to use WAN2 as internet access, but we steel need to be able to access Proxy1.

I was thinking about removing a gateway on WAN1, leaving only WAN2, and configuring a static route to allow internal usert to access Proxy1.

ISA 2004 SP3: Any active directory user can connect trough VPN

Fri, 10 Apr 2009 12:28:52 Z

Hello all

I am working trough the ISA server 2004 self-paced training kit for Microsoft exam 70-350 and during my testing I hit the following problem:

I configured the ISA server to accept connections from the external network with a active directory group "testusers1" configured in the remote-access permissions list.

When trying to connect from a windows XP machine on the external network the connection succeeds for any user that has the "Remote access permission (Dial-in or VPN)" set to "Allow Access" in the user account properties of the active directory user profile. It seems it does not matter what active directory groups I allow to connect on the ISA server, the connection always succeeds. Even when I remove the "testusers1" group from the remote-access permissions list in ISA server, the connections still succeed.

What does work are the firewall rules, for instance:
A member of the "Testusers1" group has HTTP access from the "VPN Clients" network to the external network. The rules here apply as intended, a VPN user who is not part of the "testusers1" group can not use the internet while connected trough VPN.

It seems to me the group membership of a user is not taken into account when the user connects to the ISA server trough VPN. I also tried RADIUS authentication but this has the same results.

I'm quite sure this is due to a configuration issue on my part but I'm not sure where to look.

Let me know if you need more information.

Thanks in advance

Regards

ISA 2006: How to set up IPSec VPN access with remote Windows XP / Vista clients

Thu, 26 Mar 2009 11:38:16 Z

I'm having serious trouble setting up an IPSec VPN connection between WinXP / Vista clients and my test rig ISA 2006 Enterprise server.

PPTP works perfectly fine.
ISA server is domain member
There is a 2008 enterprise CA in place
All Servers / Clients are fully up-to-date

Please somebody explain to me the following for starters:

I have issued an IPSec certificate from my CA and installed it on the ISA server's Local Computer Personal certificate store. Is this right? I had to do this manually, as the Active Directory Certificate Services web console issues certificates only to the user
Do I need to issue some kind of certificate from the same CA to the client PCs?? If so, how ?
Can IPSec VPN work without a RADIUS server? Can I use IPSec with authentication from the Windows Domain namespace?
Do you know of a definitive step-by-step guide for such an installation

Many thanks in advance

Andreas

VPN selective restriction to internal resources

Wed, 01 Apr 2009 13:20:05 Z

Hi all,
In Cisco FW (PIX or ASA) I have the possibility to create several resource IP address pools assigned to a VPN Client configuration (IPSec Client with shared passfrase) and then restrict those IP pools to selected network resources (ip / services) using access rules.
In Stonesoft Stonegate FW I have the possibility to create more or less the same has with cisco but now I can also restrict access to network resources (IP / services) using access rules that are granular to an ldap user / group (AD also).
In Microsoft ISA (don't know about TMG) the VPN configuration is global and I don't know how to replicate these other firewals behavior.
http://social.technet.microsoft.com/forums/en-US/ForefrontedgeVPN/thread/8681d6bc-bb8a-4454-9e7e-7f4c7a1e4f50/ seems to explain a work around but...
The Issue is:

I have several support external companies that I want to give access to selective internal resources
ex: Company A needs RDP access to Server1 and Server2 and nothing else
ex: Company B needs SSH access to Server5 and nothing else
These company support people do not have their machines in my company Domain nor they have ISA firewall client installed (So they can not authenticate with a AD user of mine, I think!)
I have a L2TP shared passfrase ISA2006 VPN configuration in place with a dedicated IP address pool

How can I acomplish this using ISA 2006 (or even with TMG, is there any new ways to do this in TMG?)
Thanks

Client DNS

Sat, 06 Sep 2008 16:46:26 Z

Hiya,

Got VPN client access all working hunky dorey. Only thing missing is the DNS suffix is not being pushed out to VPN clients, so cannot ping by host name, only IP or FQDN.

I have a 2 member array so DHCP VPN IP assignment is not possible.

Any ideas?

Thanks

vpn users do not disconnect their sessions

Fri, 13 Mar 2009 08:46:54 Z

hello all.

I have multiple users who connect to our ISA server through vpn and they do not disconnect their sessions, and each time I get called from others remote users that they are not able to connect to our ISA Server through VPN, I go and check ISA Server and see that there are 10 sessions currently open. I call the users that are connected and find out that they left their pcs long time ago.

I do not wish to go each time to isa server and disconnect these session manualy, I need a script or something to check who is active or not.

When connected throught vpn need to use fully qualified dns name

Wed, 18 Feb 2009 16:26:54 Z

We have TMG with windows essential server installed. We use pptp for vpn.
When we connect to network through vpn, we need to use fully qualified dns name. What can i change to get it working withought fully qualified name?

For example:
Server Name: qabox1
within network i can use qabox1
but when connected through vpn it can't resolve qabox1, need to use qabox1.hq.bubba.com

Any help is appreciated.

VPN Clients SMB Disconnects

Sun, 01 Feb 2009 22:19:28 Z

I've been working through a real head-scratcher, here... hope someone can help me. Users connect to the VPN and everything seems to work OK, but we're having troubles with file transfers (SMB / CIFS) erring out.

User connects to VPN
User copies files to/from shared drive, (ex: \\fileserver1\share\)
File transfer begins
File transfer stops with error message "The specified network name is no longer available"

ISA 2004 Server details:
- Windows Server 2003 Enterprise w/SP1 (x86 of course)
- ISA 2004 Enterprise w/SP3
- Single NIC
- VPN clients are NAT'd to internal net

Details:
This problem is 100% reproducible. As a vpn client, begin a file transfer to/from \\fileserver1. On the ISA 2004 server, open any share on \\fileserver1. VPN client will receive error message in #4 above.

Verbose details from Packet sniff:
1. VPN Client opens \\fileserver1\share

Client IP: <ISA Server IP>
Source port: 6798
Destination IP: 192.168.252.252
Destination Port: 445
Session Setup AndX Request, NTLMSSP_NEGOTIATE

2. Packet sniff shows successful connection, VPN client can see files.
3. Second VPN client opens any share on same file server:

Client IP: <ISA Server IP>
Source Port: 6291
Destination IP: 192.168.252.252
Destination Port: 445
Session Setup AndX Request, NTLMSSP_NEGOTIATE

Client IP: 192.168.252.252
Source Port: 445
Destination IP: <ISA Server IP>
Destination Port: 6798
[RST, ACK]

4. First VPN client sees error message and transfer fails, second VPN Client's session works OK.

I've successfully reproduced the error on file servers running:
- Windows 2003 w/SP1 - x86
- Windows 2003 w/SP2 - x86 and x64
- Windows 2008 - x86 and x64

Instead of writing out the thirty pages of details on what I've tried, I'm reaching out and hoping someone can help me figure this out. :) Any and all suggestions are welcome. Thanks!