Welcome to ISAserver.org


VPN's can connect, but...

VPN's can connect, but... - 20.Oct.2005 6:07:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Can't access resources?

Ok. I was able to get VPN clients able to connect properly. They are picking up their IP address via my DHCP server on my intranet. So far so good.

The problem is that they don't seem to be able to access servers and services on the intranet.

What I did was create a firewall policy; rule applies to all outbound traffic.

From: VPN Clients
To: Range of computers I specified (IP range)
Content types: All
Users: A specific group I set up on the LOCAL ISA Server.

Couple things.

1.) Could the problem be because I did not put these accounts in AD?

2.) The VPN client connected and authenticated. Not only could they not access servers on our intranet, but they also could not browse the internet.

Any ideas on how to fix this?

I really need to fix this ASAP.

Thanks,

Jason
Post #: 1
RE: VPN's can connect, but... - 21.Oct.2005 3:32:00 AM   
jonsauter

 

Posts: 66
Joined: 8.Jul.2005
From: Dallas, TX
Status: offline
Jason,

The big question is, what users are you allowing to establish a VPN connection? For example, if you allow domain users to establish a VPN connection and then allow all traffic from a set of local users, that won't work. The users allowed to establish a VPN connection and the users allowed to access resources from the VPN network must pull from the same list/directory.

(in reply to thecoffeeguy)
Post #: 2
RE: VPN's can connect, but... - 21.Oct.2005 2:44:00 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
quote:
Originally posted by Cornelius:
Jason,

The big question is, what users are you allowing to establish a VPN connection? For example, if you allow domain users to establish a VPN connection and then allow all traffic from a set of local users, that won't work. The users allowed to establish a VPN connection and the users allowed to access resources from the VPN network must pull from the same list/directory.

So, for example, I set up VPN connections for 2 different people:

First person is part of the Domain and in AD. I set the rule up, specified users and selected domain users for that rule. I specified the ability to see everything.

The second person is a local account I created on the ISA box and put into a specific account and put that in the rule. I set this rule up to only allow access to specific servers.

Will that not work?
Easier to just stick the users in Active Directory?

Thanks,

Jason

(in reply to thecoffeeguy)
Post #: 3
RE: VPN's can connect, but... - 21.Oct.2005 2:53:00 PM   
MTL

 

Posts: 4
Joined: 21.Oct.2005
From: Pennsylvania
Status: offline
I had a similar problem. The cause turned out to be DNS related. My VPN clients were getting IP addresses, but not getting the domain name from DHCP. I set up the DHCP Relay Agent in RRAS and all worked fine.

BTW, I'd put everybody in AD.

(in reply to thecoffeeguy)
Post #: 4
RE: VPN's can connect, but... - 25.Oct.2005 3:50:00 AM   
jonsauter

 

Posts: 66
Joined: 8.Jul.2005
From: Dallas, TX
Status: offline
Yeah, Active Directory is certainly a better way of going about it. And DNS is a must-have for things to work (though the DHCP relay agent is the more complicated way of getting it to work). But if you're set on using local accounts, let me just make sure I'm clear. You have two access rules set up to allow VPN clients access to the internal network. One applies to domain users, one applies to the local users. Under the VPN configuration, you ALSO added domain users AND the local users to the users/groups allowed to connect to VPN, correct?

My guess is so far this is right because they can actually connect to VPN. Can you access resources by IP address? If so, it's definitely a DNS issue. If not, is the behavior consistent for both groups or isolated to just the local group?

(in reply to thecoffeeguy)
Post #: 5
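
The triage asked for in post #5 (reachable by IP or not; same result for both user groups or only one), written out as an added example that is not part of the thread and not any poster's code. It is meant to be run on a connected VPN client; the host name, IP address, port and group labels are constructed placeholders.

```python
import socket

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve(name):
    """IPv4 addresses the client's own resolver returns for name (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def classify(ip_reachable, resolved, expected_ip):
    """Map the two probes onto the question from post #5."""
    if not ip_reachable:
        # Blocked even by IP: not DNS. Look at access rules, user sets, routing.
        return "policy-or-routing"
    if not resolved:
        # Works by IP but the name does not resolve: client has no usable DNS.
        return "dns-no-answer"
    if expected_ip not in resolved:
        # Name resolves, but not to the internal address (wrong DNS server/suffix).
        return "dns-wrong-answer"
    return "ok"

def compare_groups(verdicts):
    """verdicts: {group label: classify() result}, one entry per test account."""
    blocked = sorted(g for g, v in verdicts.items() if v == "policy-or-routing")
    if not blocked:
        return "no policy failure"
    if len(blocked) == len(verdicts):
        return "consistent: all groups blocked"
    return "isolated to: " + ", ".join(blocked)

def check(name, expected_ip, port):
    """Run both probes against one internal server and classify the result."""
    return classify(tcp_open(expected_ip, port), resolve(name), expected_ip)

if __name__ == "__main__":
    # Constructed placeholders: substitute a real internal server and service port.
    print(check("fileserver.corp.example", "10.0.0.10", 445))
```

Run it once while connected as a domain account and once as a local ISA account, then pass both verdicts to `compare_groups` to answer the last question in the post.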
