Welcome to ISAserver.org

Publishing VPN Server

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 Firewall] >> General >> Publishing VPN Server

Page: [1] 2 next > >>

Message

<< Older Topic Newer Topic >>

Publishing VPN Server - 21.Mar.2001 3:14:00 AM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

Does any one know how to publish an intenal VPN server instead of using the ISA server. (Turning on RRAS on the ISA server shut off all client access). I have RRAS setup on an internal machine and I dont know what to enter for Protocol Definitions. Thank you

Post #: 1

Featured Links*

RE: Publishing VPN Server - 21.Mar.2001 3:22:00 AM

jmunyan

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline

If you have the choice I would use ISA for this purpose. You could do what you are intending. You would need to establish packet filters for gre 43 and udp 1723 I believe.

Then you would need to publish the server and associate the packet filters with its publication.

You could use ISA for this, which I would advise.

John

(in reply to corymckee)

Post #: 2

RE: Publishing VPN Server - 21.Mar.2001 3:42:00 AM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

I would like to use ISA for this but unfortunately ISA does not RRAS very much right now. When I turn RRAS on ISA stops letting clients out.

(in reply to corymckee)

Post #: 3

RE: Publishing VPN Server - 21.Mar.2001 4:28:00 AM

jmunyan

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline

RRas doens't criple my configuration. What are the specifics of your situation?

John

(in reply to corymckee)

Post #: 4

RE: Publishing VPN Server - 21.Mar.2001 6:11:00 PM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

Nothing out of the ordinary. It was working fine and then for no reason 5 or 6 days ago ISA started acting funny. No RRAS and it denies client access all of a sudden and the server has to be rebooted.

(in reply to corymckee)

Post #: 5

RE: Publishing VPN Server - 21.Mar.2001 7:40:00 PM

jmunyan

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline

What does the event log say? I would really appreciate it if you could let me know the message and ids associated with this.

Thanks,

John

(in reply to corymckee)

Post #: 6

RE: Publishing VPN Server - 21.Mar.2001 11:43:00 PM

marcush

Posts: 10
Joined: 15.Mar.2001
From: sweden
Status: offline

I have kind of the same problem.

When i make a vpn connection to my isa server and run terminal services thrue the tunel and start IE5 on the server it don`t route thrue the gateway of external interface, it seams that it makes the ip for the vpn on the server to the default gateway.

This is very frustrating

Please help me

Marcus

------------------

(in reply to corymckee)

Post #: 7

RE: Publishing VPN Server - 21.Mar.2001 11:52:00 PM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

Unfortunately there is no data in the event logs.

(in reply to corymckee)

Post #: 8

RE: Publishing VPN Server - 22.Mar.2001 8:51:00 AM

jmunyan

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline

The issue with the vpn tunnel gatway issue may be resolved through dialup connection properties, network tab, tcp/ip properties, advanceed and deselect use remote gateway.

John

Unfortunate there were no error messages produced. I would think given this strange behavior one might consider a reinstall to see if that corrects the problem.

(in reply to corymckee)

Post #: 9

RE: Publishing VPN Server - 22.Mar.2001 7:07:00 PM

hAkron

Posts: 40
Joined: 22.Mar.2001
From: Akron, OH, USA
Status: offline

In reguards to RRAS, I have found in a few situations with Multihomed servers, when setting up the RRAS server via the wizzard, outbound communication seems to halt. I have been able to work around this by ending the wizzard with the "Configure Services Manualy" option. I don't know if this will help in your case since I think you said it was working for a while then quit, but you might want to give it a try.

(in reply to corymckee)

Post #: 10

RE: Publishing VPN Server - 26.Mar.2001 8:15:00 PM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

I was about to implement this and I wasnt sure what gre was.

quote:
Originally posted by jmunyan:
If you have the choice I would use ISA for this purpose. You could do what you are intending. You would need to establish packet filters for gre 43 and udp 1723 I believe.
Then you would need to publish the server and associate the packet filters with its publication.
OR
You could use ISA for this, which I would advise.
John

(in reply to corymckee)

Post #: 11

RE: Publishing VPN Server - 26.Mar.2001 8:19:00 PM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

Also what is the direction on these.

quote:
Originally posted by jmunyan:
If you have the choice I would use ISA for this purpose. You could do what you are intending. You would need to establish packet filters for gre 43 and udp 1723 I believe.
Then you would need to publish the server and associate the packet filters with its publication.
OR
You could use ISA for this, which I would advise.
John

(in reply to corymckee)

Post #: 12

RE: Publishing VPN Server - 27.Mar.2001 6:23:00 AM

jmunyan

Posts: 800
Joined: 3.Feb.2001
From: Seattle, WA
Status: offline

GRE stands for generic routing encapsulation.

I would consider giving ms a call rather than creating the filters you are after.

BTW www.acronymfinder.com is a cool site for deciphering...whatelse acronyms.

John

[This message has been edited by jmunyan (edited 27 March 2001).]

(in reply to corymckee)

Post #: 13

RE: Publishing VPN Server - 29.Mar.2001 4:12:00 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Cory,

You can't publish VPN Server's because the publishing wizards only work for TCP/UDP protocols. You should be able to enable VPN inbound to the ISA Server by using the wizard. It creates some packet filters and configures RRAS for you. Try is on a clean machine and you'll see that it works.

You would place a VPN server on a DMZ, I suppose, but that would be somewhat messy, though it can be done. The best way is to start clean on the ISA Server and use the Client VPN wizard.

HTH,
Tom

quote:
Originally posted by corymckee:
Does any one know how to publish an intenal VPN server instead of using the ISA server. (Turning on RRAS on the ISA server shut off all client access). I have RRAS setup on an internal machine and I dont know what to enter for Protocol Definitions. Thank you

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to corymckee)

Post #: 14

RE: Publishing VPN Server - 3.Apr.2001 3:37:00 AM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

I tried building a new machine. I Installed Win2k Server, then SP1 and then ISA. The server worked fine until running the VPN Wizard then as soon as RRAS starts all clients are denied access. Stopping the RRAS service resolves the problem. This was an entirely new machine.

quote:
Originally posted by tshinder:
Hi Cory,
You can't publish VPN Server's because the publishing wizards only work for TCP/UDP protocols. You should be able to enable VPN inbound to the ISA Server by using the wizard. It creates some packet filters and configures RRAS for you. Try is on a clean machine and you'll see that it works.
You would place a VPN server on a DMZ, I suppose, but that would be somewhat messy, though it can be done. The best way is to start clean on the ISA Server and use the Client VPN wizard.
HTH,
Tom

(in reply to corymckee)

Post #: 15

RE: Publishing VPN Server - 3.Apr.2001 6:45:00 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Cory,

This is really getting annoying

Several people have mentioned the same problem, and I am not sure what is causing it. I can tell you that I have always been able to get the inbound VPN to work, always. But you're definitely not the only one that has had this problem.

I'm going to take a stab at this, though. How do you assign addresses to your VPN clients? Are you using DHCP or a static pool? If you are using DHCP, where is the DHCP server located?

I'm going to write an article on how to configure a VPN Server tonight, and it'll be on brainbuzz.com tomorrow or Wed. Then later this week, I'm going to write tutorial on configuring VPN connections with ISA Server and some of the infrastructure elements that need to be in place to make it work.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to corymckee)

Post #: 16

RE: Publishing VPN Server - 3.Apr.2001 7:17:00 AM

corymckee

Posts: 57
Joined: 5.Feb.2001
Status: offline

I am using DHCP though it is not finding the pool. The DCHP server is the DNS server and DNS is working fine.

(in reply to corymckee)

Post #: 17

RE: Publishing VPN Server - 5.Apr.2001 10:16:00 AM

tshinder

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Cory,

So, when you check the assigned addresses on the DHCP Server, you don't have any that have been assigned to the RRAS service on the ISA Server? Have you run out of addresses? That could cause a problem

Any thing to check out is your settings on the RRAS Server. Right click on the Server name in the RRAS console and click Properties. Then click the IP tab. On the bottom of the dialog box there is a drop-down list box where you can select the adapter that the VPN clients get their DNS, WINS and IP address settings. Make sure that adapter is on the same network ID as the DHCP Server (unless you're getting fancy with DHCP or BOOTP Relay )

HTH<
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

(in reply to corymckee)

Post #: 18

RE: Publishing VPN Server - 5.Apr.2001 6:10:00 PM