Posts: 144
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Mr.Thomas,
First of all, I would like to thank you for the great tutorials you are posting in this great forum.
Regarding Branch Office Connectivity, Part 5: after making all the necessary configuration and creating the answer file, I ran AppCfgWzd.exe to start the wizard which connects the Branch Office to the Main Office.
The whole process completes fine without any problem, including joining the Branch Office ISA Firewall to the domain. But after restarting the machine and resuming the wizard, when the Branch ISA Firewall tries to switch from its own CSS to the remote CSS located in the Main Office, the wizard hangs there.
I have looked at the Active Connections on both machines, the Branch ISA Firewall and the Main Office CSS machine. A strange thing is happening: I can see an APIPA address trying to connect to the CSS machine.
Branch office ISA Firewall events: 21271, 21257, 21211, 14147
I guess the APIPA address is the one creating the problem: when the Branch Office ISA Firewall tries to connect to the CSS machine at the Main Office, it tries with the APIPA address instead of one of the static pool addresses.
Are the autonet addresses coming from the branch office?
Check the Event Viewer to see why this is happening. You should have a static address pool or use DHCP at the branch office, depending on what resources you have available.
Hi Mr.Thomas,
One of the main events, I believe, is this:
quote:
ISA Server Detected Routes Through Network Adapter Adapter_Name That Do Not Correlate with the Network Element to Which This Adapter Belongs
Because when the connection tries to be established from the Branch to the Main Office, and the ISA Firewall in the Branch Office tries to contact the CSS machine at the Main Office, what shows up in the Main Office Active Connections is the Autonet address.
I have followed your instructions exactly as given; the only differences are the IP addresses:
Public IPs: 10.90.8.x/24
Main office LAN: 192.168.1.x/24
Branch office LAN: 25.1.1.x/24
A DC is located at the branch as well, representing the other site in Active Directory Sites and Services.
What is the idea of deploying a DHCP server at the Branch Office? What would the configuration be?
Hi Thomas,
Branch Office addresses: 25.1.1.0/24
NCDC01 25.1.1.2
NCISA01 25.1.1.4
Main Office addresses: 192.168.1.0/24
HMSISA01 192.168.1.12
HMSDC01 192.168.1.3
HMSDC02 192.168.1.4
HMC-CSS01 192.168.1.20
----------------------------
The Branch Office DC is DNS integrated; its preferred DNS points to itself and the secondary to the Main Office, 192.168.1.3.
On the ISA Firewall in the Branch Office, the LAN NIC's DNS is pointing to 25.1.1.2 and the secondary to 192.168.1.3.
---------------------------------
The Internal address range of the ISA Server is 25.1.1.0 ~ 25.1.1.255; actually I selected the LAN instead of typing the addresses.
Static address pool: 25.1.1.252 ~ 25.1.1.254, "the same as your tutorials".
--------------------
I think the problem is with the static address pool: when it tries to establish a connection to the Main Office, instead of using the address assigned, it automatically assigns an APIPA address.
Branch office DC is DNS integrated and preferred DNS is pointing to itself and secondary to the Main office 192.168.1.3
ISA Firewall in Branch office, LAN NIC DNS is pointing to 25.1.1.2 and secondary to 192.168.1.3 TOM: Remove the secondary DNS server; it's not required and could create real problems for branch office users in certain circumstances. ---------------------------------
Internal Address of ISA Server is 25.1.1.0 ~ 25.1.1.255, actually I have selected the LAN instead of typing the Addresses. TOM: What do you mean by "I have selected the LAN instead of typing the Addresses"?
Static Address pool. 25.1.1.252 ~ 25.1.1.254 "the same as your tutorials" TOM: How can you "select the LAN" and have a static address pool? --------------------
Hi Tom,
quote:
Internal Address of ISA Server is 25.1.1.0 ~ 25.1.1.255, actually I have selected the LAN instead of typing the Addresses. TOM: What do you mean by "I have selected the LAN instead of typing the Addresses"?
I mean that during the setup of the Branch Office ISA Firewall, when it asks for the Internal LAN address, I selected the LAN interface.
quote:
Static Address pool. 25.1.1.252 ~ 25.1.1.254 "the same as your tutorials" TOM: How can you "select the LAN" and have a static address pool?
The static address pool is created by the answer file when I created it.
What should I do then, during the Branch Office ISA Firewall installation, when it asks for the Internal Network address? Do I have to type a range, or select the Internal interface itself?
21211
ISA Server detected routes through the network adapter WAN that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 25.255.255.255-25.255.255.255, 169.254.119.194-169.254.119.194. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
-----------------------------------
20111
A Demand Dial connection to the remote interface Branch on port VPN3-4 was successfully initiated but failed to complete successfully because of the following error: The L2TP connection attempt failed because security negotiation timed out.
-------------------------------------------------------------------------
21265
The routing table for the network adapter Branch includes IP address ranges that are not defined in the array-level network Branch, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network. The following IP address ranges will be dropped as spoofed: External:169.254.119.194-169.254.119.194
BR,
Habibalby
< Message edited by habibalby -- 2.Feb.2007 2:32:24 PM >
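The two routing events quoted in the post above describe the check ISA applies: every range routable through an adapter (including the adapter's own address) must lie inside the array-level network that adapter is bound to, otherwise traffic for that range is dropped as spoofed. As an added illustration that is not part of the original thread and not ISA Server's own code, the following Python script re-implements that check offline against constructed data: the branch network as the poster described it (25.1.1.0 to 25.1.1.255), a demand-dial interface that has fallen back to an APIPA address instead of one from the static pool, and a trimmed `route print` table. The adapter names, the 25.255.255.255 classful broadcast route and all addresses are assumptions made for the example.

```python
"""Offline re-implementation of ISA's network/route consistency check
(the condition behind events 21211 and 21265): report ranges routed through
an adapter that fall outside the array-level network it is bound to, and
flag adapters that have ended up with an APIPA (169.254/16) address.
"""
import ipaddress
from ipaddress import IPv4Address, IPv4Network

APIPA = IPv4Network("169.254.0.0/16")

# Constructed sample data (assumed for this example, not captured from the
# poster's firewalls). Array-level networks as ISA shows them: name -> "lo-hi".
NETWORKS = {
    "Internal": ["25.1.1.0-25.1.1.255"],
    "Branch": ["192.168.1.0-192.168.1.255"],
}
# Adapter -> (bound network, the adapter's own IPv4 addresses). "Branch" is
# the demand-dial interface; it has autoconfigured 169.254.119.194 instead of
# taking an address from the static pool 25.1.1.252-25.1.1.254.
ADAPTERS = {
    "LAN": ("Internal", ["25.1.1.4"]),
    "Branch": ("Branch", ["169.254.119.194"]),
}
# Trimmed "route print" rows: destination, netmask, gateway, interface, metric.
# 25.255.255.255 is the classful broadcast route Windows adds for a class A
# address such as 25.1.1.4; it is outside the /24 the poster defined.
ROUTE_PRINT = """\
25.1.1.0         255.255.255.0    25.1.1.4         25.1.1.4         10
25.255.255.255   255.255.255.255  25.1.1.4         25.1.1.4         10
192.168.1.0      255.255.255.0    169.254.119.194  169.254.119.194  1
"""


def parse_ranges(specs):
    """'lo-hi' strings -> CIDR networks that cover exactly those ranges."""
    nets = []
    for spec in specs:
        lo, hi = (IPv4Address(p.strip()) for p in spec.split("-"))
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def parse_route_print(text):
    """Return (destination network, interface address) for each route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        dest, mask, _gateway, iface, _metric = cols[:5]
        routes.append((IPv4Network((dest, mask), strict=False), IPv4Address(iface)))
    return routes


def subtract(net, covers):
    """Parts of `net` not covered by any network in `covers`."""
    remaining = [net]
    for cover in covers:
        nxt = []
        for part in remaining:
            if part.subnet_of(cover):
                continue                                  # fully covered
            if cover.subnet_of(part):
                nxt.extend(part.address_exclude(cover))   # carve out the hole
            else:
                nxt.append(part)                          # disjoint, keep
        remaining = nxt
    return remaining


def spoof_dropped_ranges(networks=NETWORKS, adapters=ADAPTERS, route_text=ROUTE_PRINT):
    """Adapter -> sorted CIDR ranges ISA would drop as spoofed on that adapter."""
    routes = parse_route_print(route_text)
    result = {}
    for adapter, (net_name, own_ips) in adapters.items():
        own = [IPv4Address(ip) for ip in own_ips]
        covers = parse_ranges(networks[net_name])
        # Routes bound to this adapter, plus its own addresses as host routes:
        # ISA expects the adapter's address itself to sit inside the network.
        candidates = [dest for dest, iface in routes if iface in own]
        candidates += [IPv4Network(str(ip)) for ip in own]
        uncovered = set()
        for dest in candidates:
            uncovered.update(subtract(dest, covers))
        result[adapter] = sorted(uncovered)
    return result


def apipa_adapters(adapters=ADAPTERS):
    """Adapters whose own address is autoconfigured, the symptom in the thread."""
    return sorted(name for name, (_net, ips) in adapters.items()
                  if any(IPv4Address(ip) in APIPA for ip in ips))


if __name__ == "__main__":
    for adapter, ranges in spoof_dropped_ranges().items():
        print(f"{adapter}: {', '.join(map(str, ranges)) or 'consistent'}")
    print("APIPA address on:", ", ".join(apipa_adapters()) or "none")
```

Run as-is, it reports 25.255.255.255/32 for the LAN adapter and 169.254.119.194/32 for the Branch adapter, the same two ranges the quoted events list, and names Branch as the adapter that has fallen back to APIPA. Feeding it the real `route print` output and the network definitions from the ISA console shows whether adding a range to the array network (the fix event 21265 suggests) or fixing the address assignment on the demand-dial interface is the right move.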
and make my ISA a domain controller if it's ISA 2006? Or would I just run the create VPN site-to-site connection wizard and then follow the DC article? Also, What is CSS and do I need it as this would mean buying enterprise edition?
Thanks,
Jonathon
< Message edited by JonMoore87 -- 6.Aug.2009 8:01:07 AM >
Sure, after the site-to-site VPN is up you could make it a DC, but there might be issues with authentication for the branch office, in that you'll need to allow LDAP(S) etc. from the clients to the firewall.
In general, this isn't a supported configuration, but if you pound on it long enough, it should work.
Great, I'll purchase a standard ISA 2006, run the site-to-site VPN wizard and then make it a DC... ship it off to the new office and I'm sure we'll be away!