
Welcome to ISAserver.org


PPTP VPN - Error 678 - System Policy blocking

PPTP VPN - Error 678 - System Policy blocking - 11.Jun.2007 11:38:35 AM   
johnny_mango

 

Posts: 42
Joined: 17.Jan.2007
Status: offline
Hi there,

I have been having trouble with setting up a PPTP VPN in ISA Server 2006 EE. I enter name and password on client, but then I get a message saying the remote computer did not respond, error 678.
In the ISA Server monitoring, I see the following:
0x8007274d wsaeconnrefused
I have tried it internally and externally; the external client results in the system policy blocking it (allow vpn client traffic...)

The access rules are any-any all protocols (don't worry, the server is isolated.) The external is connected to the external interface of the ISA via a hub, can ping it, and is able to telnet to a published SMTP server. There are no other errors in the ISA console, and netstat -na does not show the port 1723 being open, which I find odd.

Can anyone help me out here, please?

< Message edited by johnny_mango -- 11.Jun.2007 12:43:21 PM >
Post #: 1
RE: PPTP VPN - Error 678 - System Policy blocking - 17.Jun.2007 3:48:46 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Did you enable VPN client connections in the ISA Firewall console?

Also, make sure User Mapping is not enabled.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to johnny_mango)
Post #: 2
RE: PPTP VPN - Error 678 - System Policy blocking - 17.Jun.2007 6:24:43 PM   
johnny_mango

 

Posts: 42
Joined: 17.Jan.2007
Status: offline
Hi Thomas,

First of all, I'd like to make known my appreciation for your input to the ISA community. You have helped many people through the years, and I add that my focus is on many technologies, not only ISA Server, therefore ISA Server being a specialist subject, I appreciate a great deal your advice.

I assume client VPN connections is enabled. Basically I followed the wizard in the ISA Server console. We have now opened all the ports on this firewall, Juniper interface external, and I add that the VPN access was working correctly from the DMZ. Why, therefore, should it not be working from outside? I have enabled PPTP and then L2TP, because of the incompatibility from some firewalls, and it still does not work from the DMZ, producing errors 792 and 789 from the Internet, with all ports open on the external interface of the firewall. The firewall is a Juniper Netscreen.

What options do I have for creating some kind of log on the client? I add that the Event Viewer shows no errors and that the client has the Administrator and Trusted Root Certification Authority certificates installed, not showing errors, not being member of the domain.

(in reply to tshinder)
Post #: 3
RE: PPTP VPN - Error 678 - System Policy blocking - 19.Jun.2007 9:41:41 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Johnny,

Thanks for the kind words.

You say that you can connect to the VPN when the client is in the DMZ between the netscreen and the ISA Firewall. In that case, I recommend a parallel firewall configuration, where the netscreen and the ISA Firewall sit side by side with public addresses. Then you can terminate the VPN connections directly at the ISA Firewall and not worry about bugs in the netscreen software.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to johnny_mango)
Post #: 4
RE: PPTP VPN - Error 678 - System Policy blocking - 20.Jun.2007 11:54:46 AM   
johnny_mango

 

Posts: 42
Joined: 17.Jan.2007
Status: offline
Hi Tom,

Thanks for your reply.

This is an important subject for me, because having moved on from this issue (whereby it was enough for the client to prove it was working from the DMZ) we now have 2 more clients with whom we will be implementing something similar.

Is this a known bug with Juniper Netscreen, or is it frequently the case that there is some kind of incompatibility? Precisely for that reason I tried with L2TP after first trying PPTP, having heard that not all routers are PPTP compliant. In this particular case we opened *all* the ports on this particular interface on the firewall, and checked the logs to see if anything was being blocked, and apparently it wasn't.

It would be excellent if I could present something solid to our client, to back up the parallel firewall scenario.

(in reply to tshinder)
Post #: 5
RE: PPTP VPN - Error 678 - System Policy blocking - 21.Jun.2007 6:30:22 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
How about the fact that Microsoft uses the ISA Firewall's VPN server as their VPN server for their world wide network? Nothing in front of them other than routers, since ISA was designed from the ground up to be an edge network firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to johnny_mango)
Post #: 6
