I have set up a lab using ISA 2006 Enterprise Edition consisting of a single Enterprise with two arrays to simulate a main office/branch office site to site VPN scenario. I have configured the CSS in the main office to be located on the same box that is running ISA 2006 EE. No replica CSS has been deployed in the branch office and therefore the array member in the branch office is configured to connect to the CSS/ISA in the main office. The VPN connection is active and the branch ISA can communicate with a DC at the main office.
The problem that I'm experiencing is that the ISA 2006 EE array member in the branch office array is unable to connect to the configuration storage server in Main office. Also, the main office CSS/ISA is failing to connect to the branch office array member as the mgmt console of the ISA/CSS shows that it's unable to retrieve information from the server in the branch array.
When the branch office ISA tries to connect to the main office CSS/ISA, the logs on the main office array show that connections are being denied for the MS Firewall Storage and Control protocols. The source address is shown as the Branch ISA IP address assigned from the DHCP server on the main office internal network and the destination is the internal IP address of the CSS/ISA. When the main office CSS/ISA tries to retrieve information from the branch office array member, the logs show that connections are being denied to 'RPC (All Interfaces)'. In this case, the main office array logs show that the source address is the main office CSS/ISA IP address assigned from a static address pool configured on the branch ISA and the destination address is the internal IP address of the branch ISA.
Can anybody please help?
Thanks in advance.Thursday, June 04, 2009 1:39 PM
Did you use the Branch Office Connection weirdzard to make this connection?
There are a lot of special tweaks that must be applied at the remote ISA in order for this to work properly; many of which youy cannot make for yourself.
You'll find it on the CD as <CD>\FPC\Program Files\Microsoft ISA Server\AppCfgWzd.exe
Jim Harrison Forefront Edge CSThursday, June 04, 2009 4:34 PM
Yes Jim, I used the 'Branch Office Connectivity Wizard' at the branch office ISA with an answer file created at the main office ISA. As I said in my post above, the connectivity to the VPN was established without any problems and the branch office was able to join the domain. When the branch office ISA rebooted and the wizard resumed, I specified that it becomes a member of another Enterprise and it is at this point where it fails when it tries to connect to the CSS at the main office.
Thursday, June 04, 2009 8:52 PM
- Edited by Matt Jones. _ Friday, June 05, 2009 9:19 AM