Welcome to ISAserver.org

VPN Connects, no network access

VPN Connects, no network access - 29.Oct.2007 9:14:33 PM   
Jagit

 

I know this has been covered, but I still can't get it working.

Servers:
  - SBS2003 - running Exchange (1 NIC, 192.168.0.2)
  - Windows 2003 Server (NOT SBS) running ISA2000 with SP2 (2 NICs, one 192.168.0.3 and one 192.168.254.2, which is connected to an ADSL modem)

As far as I know, they have been patched up completely.

I have run the "Allow VPN client connections" wizard, which started and configured RRAS.

VPN connects, I can see the entry in RRAS, but there is no access to the network, especially the SBS2003 server for their e-mails.

Please help!
Post #: 1
RE: VPN Connects, no network access - 31.Oct.2007 3:26:01 AM   
AHIT

 

Define "no access".
The VPN session authenticates?
The VPN session assigns an IP address?
Can you ping the VPN's 'default gateway'?
Can you ping the known IP address of the SBS server?
Does ipconfig /all show any DNS (or even WINS) entries that reside on your internal network?
Can you ping those internal DNS servers?
Does a ping to an internal name (server.domainname) resolve to an IP address?

It's possible that system policies are rejecting traffic unless it's from certain IPs...
Maybe it's not a 'network' problem, but a permissions problem in gaining access to those resources.
Once we can confirm all the above underlying network tests are working then we can proceed to the apps that run over them, web-publishing etc etc.


_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to Jagit)
Post #: 2
RE: VPN Connects, no network access - 31.Oct.2007 5:25:32 PM   
Jagit

 

This is all fixed now (I'm $300odd dollars cheaper for it thanks to Microsoft).

It seems that ISA was blocking RPC !!!???? There is a KB article 936594 that gives you a whole heap of stuff that needs to be done, but in the end, all you need to do is make sure the OS and ISA have the latest service packs, which mine did, and then modify the following two registry entries to 0

  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableRSS
  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA

If they don't exist, create them (they are both DWORDs) and then restart your Server.  Surprise, surprise, everything works.  Three days banging my head against a brick wall for this!

(in reply to AHIT)
Post #: 3
RE: VPN Connects, no network access - 31.Oct.2007 6:42:51 PM   
AHIT

 

well, there you go.. a "known issue"
KB Article for those reading this in time to come - http://support.microsoft.com/kb/936594
titled: "You may experience network-related problems after you install Windows Server 2003 SP2 or the Scalable Networking Pack on a Windows Small Business Server 2003-based computer"

The article talks about ISA2004 specifically. Are you running ISA2004 or has your experience essentially confirmed the same 'process' for ISA2000 as well if you're running ISA2K?


(in reply to Jagit)
Post #: 4
RE: VPN Connects, no network access - 31.Oct.2007 8:19:32 PM   
Jason Jones

 

Another SP2 issue!

I now use the following REG file on all my SP2 installs that involve ISA and other network related/intensive applications...

----------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableTCPA"=dword:00000000
"EnableRSS"=dword:00000000
"EnableTCPChimney"=dword:00000000
-----------

Cheers

JJ

< Message edited by Jason Jones -- 31.Oct.2007 8:22:04 PM >


_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to AHIT)
Post #: 5
RE: VPN Connects, no network access - 31.Oct.2007 8:21:34 PM   
Jason Jones

 

P.S. I also include the following REG file to remove weak encryption ciphers from Windows when ISA is hosting SSL services:

--------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
----------

This basically only allows Windows to accept >128bit ciphers...

Cheers

JJ

< Message edited by Jason Jones -- 31.Oct.2007 8:22:59 PM >



(in reply to Jason Jones)
Post #: 6
RE: VPN Connects, no network access - 1.Nov.2007 9:48:12 PM   
Jagit

 

No, I'm running ISA2000, with SP2 on a server running Windows Server R2 with SP2.  Not much of a surprise not to realise that I would ignore this article during my search for a solution.

Good idea to have that registry file in hand if I ever need to rebuild the server.

Jim

(in reply to Jason Jones)
Post #: 7
RE: VPN Connects, no network access - 6.Nov.2007 6:45:14 PM   
AHIT

 

... the advantages of a change control document/register.
What was changed.. when, by whom and WHY.
Makes for recovery (or general troubleshooting issues) MUCH easier when there's a documented process to follow to get things running again or to undo when something else breaks.


(in reply to Jagit)
Post #: 8
