Finding Local Expert/Consultant? - 5.Aug.2004 5:50:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
I have a curious situation where I'd like to perhaps use a Hawking FR24 to share dual WAN connections, one of which is already behind a speedstream router. Playing with that already has become a headache and I'm thinking just to use the ISA2004 on my single Road Runner business cable connection. But I have questions about this component and that setting. Does anybody have any suggestions for where to find a local reasonably priced consultant who could spend a day with us? I'm in Columbus, OH.
Thanks, Rob [ August 05, 2004, 05:51 PM: Message edited by: rberger007 ]
RE: Finding Local Expert/Consultant? - 6.Aug.2004 12:52:00 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,
It shouldn't be too difficult to set up the basics.
If you put a cable router in front of the ISA firewall, configure the external address on the external interface of the ISA firewall to be on the same network ID as the LAN interface of the cable router. Then set the default gateway on the external interface of the ISA firewall to be the IP address of the LAN interface of the router.
Are you using an internal network DNS server?
Thanks! Tom
RE: Finding Local Expert/Consultant? - 6.Aug.2004 5:30:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
I'm almost there. I've uninstalled and reinstalled ISA2004. I avoided the Edge Firewall Template per one of your earlier recommendations.
Internal NIC is on 10.0.0.x network using 255.255.255.0 subnet mask. No Default Gateway is entered. DNS points to self and internal DNS servers in our active directory.
External NIC is using a static public address, 24.123.x.x. Default Gateway is set to the static IP as instructed by our ISP. DNS points to self (internal IP) and internal DNS servers in our AD.
Curiously, I can get to WindowsUpdate.microsoft.com from the ISA box. I suppose I won't need to use SUS then. I can't get to google.com, cnn.com or other sites, which is good.
I've enabled the PPTP VPN for 50 users. They have to be a member of the VPNUsers active directory group (which I am). I'm pointing to one of our DCs running IAS as the RADIUS. I entered mydomain.com in the user mapping.
Firewall Policy is set to allow all outbound from VPN Clients group to only 2 servers inside our LAN. Instead of having them on the Internal Network, I'm having them assigned IPs in the 172.16.0.1-60 range. DNSs used are our internal DNS servers.
When I try to connect from the external client machine, I get an Error 800: VPN Connection could not be established. The server might be unreachable, or security parameters might not be configured properly.
Did I set up the perimeter IP range incorrectly? I saw the other Error 800 posts on the microsoft.public.isa.vpn NG, but I don't think they apply. I CAN ping the ISA box from the external side. [ August 06, 2004, 05:49 PM: Message edited by: rberger007 ]
RE: Finding Local Expert/Consultant? - 6.Aug.2004 6:54:00 PM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Rob,
The reason you can go to windowsupdate but not google is because it's in the ISA system policy (Windows allowed sites).
As for your second problem: did you enable all protocols necessary from ISA to the DC for RADIUS? If you enable the monitoring, do you see any 'denied' packets?
LexP
RE: Finding Local Expert/Consultant? - 6.Aug.2004 7:18:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
I added all protocols allowed to & from the RADIUS server and Local Host. I can now see the PPTP session opened, but I still get the Error 800 on the client.
How should I set the "networks" so clients can VPN in and authenticate to the RADIUS and yet reach shared directories on another server? Perimeter or DHCP on existing 10.0.0.x network?
Do I need to somehow publish either the RADIUS server or the ISA server as a PPTP server? [ August 06, 2004, 08:43 PM: Message edited by: rberger007 ]
RE: Finding Local Expert/Consultant? - 7.Aug.2004 9:48:00 AM
penrose.l@2college.nl
Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi Rob,
Sorry, I can't help you with that; we don't use VPN (yet) and we haven't got any experience with it. I know you need to assign a VPN pool, that you need to set up your ISA to listen for incoming VPN calls etc., but no concrete procedures. Maybe Tom could help you with this, I know he has experience with VPNs...
Kind regards, LexP
RE: Finding Local Expert/Consultant? - 7.Aug.2004 6:36:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by rberger007: I added all protocols allowed to & from the RADIUS server and Local Host. I can now see the PPTP session opened, but I still get the Error 800 on the client.
How should I set the "networks" so clients can VPN in and authenticate to the RADIUS and yet reach shared directories on another server? Perimeter or DHCP on existing 10.0.0.x network?
Do I need to somehow publish either the RADIUS server or the ISA server as a PPTP server?
Hi Rob,
Have you seen the VPN kit? I think there are some docs in there that might help. Although the screen shots are from beta builds, the same concepts and basic procedures still apply.
HTH, Tom
RE: Finding Local Expert/Consultant? - 10.Aug.2004 3:29:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
I just tried all that (PPTP only. Didn't do the cert services or L2TP) and I still get the error 800. Do I have to do L2TP/Cert?
Now I'm getting Error 651 and 678 from the client. I used to get 651's in the Beta, but Tom said the new version would fix this. (See our previous post, http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000057)
Any suggestions? Sheesh, this is a simple VPN situation on a simple network. Am I that dumb (don't answer that) or what am I missing? [ August 10, 2004, 05:06 PM: Message edited by: rberger007 ]
RE: Finding Local Expert/Consultant? - 11.Aug.2004 3:13:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,
Does your ISP allow incoming connections?
Does the upstream router allow inbound connections to the PPTP protocols?
Thanks! Tom
RE: Finding Local Expert/Consultant? - 11.Aug.2004 3:22:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
quote:
Does your ISP allow incoming connections?
I think so. It's Time Warner Road Runner Business Class. For now, I'm just trying to go from one public IP address (laptop) to another public IP address (ISA2004) in our allotted static range. They're sequential IPs.
quote:
Does the upstream router allow inbound connections to the PPTP protocols?
There is no upstream router doing filtering. ISA2004 is plugged directly into the Cisco supplied by TWRR which is passing all traffic. Maybe I should try establishing a VPN from the internal network to confirm?
RE: Finding Local Expert/Consultant? - 11.Aug.2004 3:30:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
Establishing the VPN from the Internal network works via PPTP, so it must be something in the Cisco router. Damn RR, they said everything was set to pass through. Obviously not!
Now all I have to do is make the necessary changes so Mr. VPN Client can browse the VPN Network as well as regular Internet activities simultaneously...
Thanks, Rob
RE: Finding Local Expert/Consultant? - 11.Aug.2004 4:11:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
TWRR insists that there are no ports being blocked on our router. That everything goes through. All .82 traffic goes through to our production server and is handled by our existing Netscreen firewall/router. All .83 traffic should go through to the ISA2004 box. (It seems plausible, I can see other connections from around the world being denied to .83 in the Monitoring.)
If that's true, why would PPTP VPN work when I'm on internal LAN but not on external? When I'm external trying to VPN in, the log shows PPTP Initiated and then nothing else. The client then gets the Error 800. Grrrrrrrrrrrr.
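Tom's two questions above (does the ISP allow incoming connections, and does the upstream device pass the PPTP protocols) come down to a check that can be run against the firewall's own log. PPTP needs two things to reach the firewall: the control connection on TCP port 1723 and the GRE tunnel (IP protocol 47). A remote client whose TCP 1723 connection is logged as initiated with no GRE traffic following it is the signature of GRE being dropped somewhere between the client and the firewall, which is the pattern Rob describes ("PPTP Initiated and then nothing else"). The following Python is an added example, not code from the thread or from ISA Server: it uses a constructed, simplified space-separated log layout (not ISA Server's real log schema) and constructed client addresses, and reports a verdict per client.

```python
"""Flag PPTP clients whose GRE tunnel never reached the firewall.

Added example with a constructed log layout (hypothetical, not ISA Server's
real log format). Fields: time client_ip protocol dst_port action
"""
from collections import defaultdict

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
16:02:10 203.0.113.10 TCP 1723 Initiated
16:02:10 203.0.113.10 GRE - Initiated
16:02:11 203.0.113.10 GRE - Initiated
16:05:30 203.0.113.77 TCP 1723 Initiated
16:05:31 203.0.113.77 TCP 1723 Closed
16:06:00 10.0.0.55 TCP 1723 Initiated
16:06:00 10.0.0.55 GRE - Initiated
16:07:00 198.51.100.9 TCP 1723 Denied
"""

VERDICT_OK = "ok: TCP 1723 and GRE both reached the firewall"
VERDICT_NO_GRE = ("GRE missing: TCP 1723 arrived but no protocol 47 traffic "
                  "followed; check the device in front of the firewall")
VERDICT_NO_CONTROL = "PPTP control connection denied or never established"


def parse_log(text):
    """Split the constructed log layout into one dict per record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, client, proto, port, action = line.split()
        records.append({"time": time, "client": client,
                        "proto": proto.upper(), "port": port,
                        "action": action})
    return records


def diagnose_pptp(records):
    """Return {client_ip: verdict} for every client that touched TCP 1723.

    The control channel (TCP 1723) and the data channel (GRE) are tracked
    separately per client, because an upstream device can pass one and
    drop the other; that split is exactly what the client's error hides.
    """
    control = defaultdict(set)   # actions seen on TCP 1723, per client
    gre_clients = set()          # clients for which any GRE record exists
    for r in records:
        if r["proto"] == "TCP" and r["port"] == "1723":
            control[r["client"]].add(r["action"])
        elif r["proto"] == "GRE":
            gre_clients.add(r["client"])

    verdicts = {}
    for client, actions in control.items():
        if "Initiated" not in actions:
            verdicts[client] = VERDICT_NO_CONTROL
        elif client in gre_clients:
            verdicts[client] = VERDICT_OK
        else:
            verdicts[client] = VERDICT_NO_GRE
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(diagnose_pptp(parse_log(SAMPLE_LOG)).items()):
        print(f"{client:15} {verdict}")
```

In the constructed sample, the internal client 10.0.0.55 and the remote client 203.0.113.10 both show TCP 1723 followed by GRE, while 203.0.113.77 shows only the control channel: that is the "works from inside, fails from outside" split from the thread, and it points at whatever sits between the remote client and the firewall rather than at ISA's own VPN configuration.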
RE: Finding Local Expert/Consultant? - 11.Aug.2004 4:52:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rob,
I'm confused by your setup now. What's the Netscreen packet filter doing, and where is it situated in relation to the ISA firewall?
Thanks! Tom
RE: Finding Local Expert/Consultant? - 11.Aug.2004 8:53:00 PM
rberger007
Posts: 41
Joined: 16.Mar.2004
Status: offline
quote: Originally posted by rberger007: ISA2004 is being tested on another IP so that it can replace the Netscreen. I think I may have solved the problem - I never "published the pptp vpn server". (I thought you only had to publish web/mail servers, duh.)
Nope. I'm publishing both the Internal and external IP of the ISA and I still get the Error 800 on the client.