Cannot connect outbound PPTP VPN from behind TMG

  • Question

  • About this issue, I have referred to a similar post at http://social.technet.microsoft.com/Forums/en-US/FTMGNext/thread/cdf5fa2a-6b3e-4530-b7e5-ec3cdc80a179 and some other similar posts on the Internet. Most probably it is caused by multiple NAT devices. I opened this post to verify whether that cause and solution apply to my scenario.

    Location A and location B

    Location A:

    Internet <> ISP modem router <> ISA 2004 SP3 <> Internal

    Previously, it was fine for incoming and outgoing VPN connections.

    After changing the ISP modem/router due to an upgrade of the internet service package, incoming VPN is fine but outgoing VPN gives error 691.

    The modem/router configuration is 176.140.65.172 netmask 255.255.255.252

    The ISA external NIC is 172.140.65.173 netmask 255.255.255.252 and the internal NIC is 192.168.10.254/24

    Location B:

    Internet  <> ISP modem router <> TMG server <> Internal

    It is a new setup. Before installing the TMG server, when connected directly to the ISP modem/router, outgoing VPN to location A or other locations was fine.

    After installing the TMG server and forming the Internet <> ISP modem router <> TMG server <> Internal setup, outgoing VPN gives error 691.

    The router/modem configuration is 174.143.50.172 netmask 255.255.255.252

    The TMG external NIC is 174.143.50.173 netmask 255.255.255.252 and the internal NIC is 192.168.20.254/24

    Did the PPTP pass-through feature of the ISP modem/router affect all this? If PPTP pass-through is the cause, then why, when I connect directly to the modem/router and try outgoing VPN to location A and other locations, is it just fine? Can someone explain this to me?

    Wednesday, August 4, 2010 10:19 AM

Answers

  • I have had the anonymous access rule in place from the beginning. After I changed the modem/router with another modem/router at location, now I can connect the outbound VPN from behind the TMG. I did not use a pure modem or configure the modem/router in full bridged mode, but just changed it for an old modem/router. The only problem now is that I can VPN out to all locations but not location A, which is behind the ISA firewall. There was a mistake in the location A topology; it should be like Internet <> ISP modem <> ISP wireless router <> ISA firewall <> Internal. I had tried to change the ISP wireless router for another one with the same PPPoE setting but could not connect to the ISP. Maybe these two wireless routers were not in the same class. So, I tried to configure a dial-up connection on the ISA server and connected it directly to the ISP modem. The dial-up connection returned error 615. I wonder if there is any configuration I missed. The ISA server has two NICs, one internal and one external. The external NIC was configured with public IP 172.140.65.173 netmask 255.255.255.252 DG 172.140.65.172. The ISP advised me to use the static PPPoE IP 172.140.65.172 they provided, but I didn't see where to put in this IP when I configured the dial-up connection. Can anyone advise on this?

    If I really cannot, I will try to change to a modem/router which is the same class as the current ISP modem/router. I think most probably the problem will be solved in this way.

    • Marked as answer by JPOlas Monday, September 27, 2010 9:48 AM
    Thursday, August 12, 2010 10:19 AM

All replies

  • Update:

    I am so desperate; there is no solution yet. It is a nightmare for me to receive complaints every day about this. Anyway, I will try replacing all the modem/router combo devices with a pure modem to check it out today. Hopefully it will work.

    Monday, August 9, 2010 3:19 AM
  • Outbound PPTP is only possible for SecureNAT clients.
     
    PPTP is not a TCP- or UDP-based protocol.
    The Firewall Service and the Web Proxy Service only handle TCP and UDP.  ISA/TMG's Firewall Service is based on the technology of a Winsock Proxy Server, and the Web Proxy Service follows the standard of a CERN-compliant web proxy service.  Both of these standards only "do" TCP and UDP.
     
    The SecureNAT service is a NAT service and can do pretty much any protocol, but it is not capable of authentication, so any access rules used by it must be anonymous (aka "All Users").
     
    If the workstation is running the Firewall Client (or TMG Client), then it must be disabled while the VPN is active.
     
    Of course you will also have to have a correct access rule in place that is anonymous (All Users).
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Technet Library
     ISA2004
    http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
     ISA2006
    http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
     
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html
     
    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
     
    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.mspx
     
    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------

    Monday, August 9, 2010 3:51 PM
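Phillip's answer above reduces to a checklist: a TCP 1723 control channel, a GRE data leg that only SecureNAT can carry, an anonymous (All Users) rule, and the Firewall Client switched off. As an added example that is not from the thread or from Microsoft, here is a small Python diagnostic that applies that checklist to a batch of outbound connection records; the record layout, the field names and the sample lines are constructed for this illustration and are not TMG's real log format.

```python
from dataclasses import dataclass
from typing import Optional

PPTP_CONTROL_PORT = 1723  # PPTP control channel is TCP 1723
GRE = "gre"               # PPTP data tunnel is GRE (IP protocol 47), not TCP/UDP

@dataclass
class Conn:
    client: str            # internal workstation address
    server: str            # remote VPN server address
    proto: str             # "tcp", "udp" or "gre"
    dport: Optional[int]   # destination port, None for GRE
    via: str               # "securenat" or "fwclient" (Firewall/TMG Client)
    rule_users: str        # "all" = anonymous rule, "auth" = authenticated rule

def parse(line: str) -> Conn:
    # Constructed record layout: client server proto dport via rule_users
    c, s, p, d, v, r = line.split()
    return Conn(c, s, p, None if d == "-" else int(d), v, r)

def diagnose(conns):
    """Per client/server pair, list why an outbound PPTP session would fail."""
    findings = {}
    for key in {(c.client, c.server) for c in conns}:
        legs = [c for c in conns if (c.client, c.server) == key]
        ctl = [c for c in legs if c.proto == "tcp" and c.dport == PPTP_CONTROL_PORT]
        gre = [c for c in legs if c.proto == GRE]
        if not ctl:
            continue  # no PPTP control channel, so not a PPTP attempt
        problems = []
        if not gre:
            problems.append("no GRE leg seen: check PPTP pass-through/NAT upstream")
        for g in gre:
            if g.via != "securenat":
                problems.append("GRE via Firewall Client: disable it while the VPN is up")
            if g.rule_users != "all":
                problems.append("GRE matched an authenticated rule: rule must be All Users")
        findings[key] = problems
    return findings

# Constructed sample records; the 192.168.20.0/24 clients and the 172.140.65.173
# server come from the thread, 198.51.100.7 is a made-up third location.
SAMPLE = """\
192.168.20.10 172.140.65.173 tcp 1723 securenat all
192.168.20.10 172.140.65.173 gre - securenat all
192.168.20.11 172.140.65.173 tcp 1723 fwclient auth
192.168.20.11 172.140.65.173 gre - fwclient auth
192.168.20.12 198.51.100.7 tcp 1723 securenat all
"""

def run(text: str = SAMPLE):
    return diagnose([parse(l) for l in text.splitlines() if l.strip()])
```

A pair with an empty problem list has both PPTP legs on the SecureNAT path under an anonymous rule, which is the only combination the answer above says can work.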
  • Your topology makes no sense to me.  I can't do anything with that.  I have no idea what "Location A" is or how it fits into anything.
     
    The PPPoE should be gotten rid of.   PPPoE is always a horrible situation.
     

    --
    Phillip Windell
     
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    Thursday, August 12, 2010 3:27 PM