VPN L2TP/IPSec - Automatic Certificate Request
VPN L2TP/IPSec - Automatic Certificate Request - 6.Aug.2007 2:47:59 PM
alish
Posts: 8
Joined: 6.Aug.2007
From: Russia, Tomsk
Hello, Gurus, help me to troubleshoot one problem please. I configure VPN L2TP/IPSec. The computer with ISA Server installed cannot access the CA to request a certificate. The configuration is the following:
- Windows Server 2003 R2 Enterprise SP2;
- ISA Server 2006 Standard (Edge Firewall);
- Computer with ISA Server is a member of the domain (Windows 2003 mode);
- CA at domain controller (Windows Server 2003 Enterprise SP2).

Briefly, the installation process:
1. Install ISA Server.
2. Select template Edge Firewall, agree with automatic creation of rules for Web access and VPN.
3. Install SCW, install its addition to know roles for ISA 2006.
4. Run and complete SCW, following Tom Shinder's guidelines.
5. Switch IPSec Service startup from Disabled to Automatic.

Further I changed Default Domain Policy: activated Automatic Certificate Request for computers. Ran CA console, verified: all right, computers can request certificates from CA after gpupdate /target:computer /force or after a while (in Issued Certificates appropriate records appear). But the computer with ISA Server cannot do that. An event with a message about successfully updating policies appears in the Windows log and another error event 40-50 seconds after that:

Event Log: Application
Event ID: 13
Source: AutoEnrollment
Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x800706ba). The RPC server is unavailable.

There is another event while booting:

Event Log: System
Event ID: 10005
Source: DCOM
DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it." attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

OK, explored Tom's advice again: exactly - there is system policy #22 with option "Enforce strict RPC compliance". BTW, note to this option: When this checkbox is not selected, additional RPC type protocols, such as DCOM, will be enabled. Ready - option is cleared. At the same time (JIC) verified that ISA Server does not block fragmented IP packets. Unfortunately, without success. What else... I created rules to allow all traffic from/to ISA Server in LAN (Local Host -> Internal, Internal -> Local Host). Tried to request the certificate again through gpupdate and the Certificates (local computer) console. Unsuccessfully. Although RPC packets are allowed, as I can see in the Logging. My assumption is the ISA Server is not the cause. So, how to dig into that situation then? Any ideas?
RE: VPN L2TP/IPSec - Automatic Certificate Request - 6.Aug.2007 7:23:21 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
1. Disable the RPC filter
2. Create an Access Rule that allows all traffic to and from the enterprise CA computer
3. Restart the ISA Firewall
4. Request the Certificate using the Certificates MMC
5. Enable the RPC filter
6. Disable the Access Rule that allows all traffic to and from the enterprise CA
7. Restart the ISA Firewall

HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: VPN L2TP/IPSec - Automatic Certificate Request - 7.Aug.2007 12:05:19 AM
alish
Posts: 8
Joined: 6.Aug.2007
From: Russia, Tomsk
Hi, Tom. Thanks for the advice, but it does not work. I did almost the same yesterday. Detached the RPC Filter in the RPC protocol definition (Firewall Policy, Toolbox, All Protocols, RPC (all interfaces), Parameters, Application Filters, clear checkbox) instead of disabling the RPC Filter at server level. Of course, I've tried your solution too. P.S. Furthermore, I attempted to roll back the SCW policy and requested the certificate after that. It didn't fix the error. So, applied the SCW policy again.
RE: VPN L2TP/IPSec - Automatic Certificate Request - 7.Aug.2007 12:22:11 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Remember that you MUST restart the ISA Firewall after disabling the RPC filter and creating the All Open rule between the Local Host Network and the enterprise CA. If you don't restart the ISA Firewall machine, it won't work, even after creating the rule and disabling the filter. HTH, Tom
RE: VPN L2TP/IPSec - Automatic Certificate Request - 7.Aug.2007 1:20:35 PM
alish
Posts: 8
Joined: 6.Aug.2007
From: Russia, Tomsk
Oops... "machine"! I thought you meant "restart Firewall Service". OK, I'll try to replay the experiment tomorrow with this correction. Thanks for your patience, Tom. ... Yeah, works!
< Message edited by alish -- 7.Aug.2007 11:37:20 PM >
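A diagnostic script for the symptoms discussed in this thread, added here as an example; it is not code from the thread or from Tom's guidelines. It assumes it runs as administrator on the ISA Server host, and $CaHost and $CaName are placeholders for the enterprise CA's hostname and CA name.

```powershell
# Added diagnostic script for the symptoms in this thread; not part of the thread.
# Assumes: run as administrator on the ISA Server host. $CaHost and $CaName are
# placeholders for the enterprise CA's hostname and its CA common name.
param(
    [string]$CaHost = 'CA-HOST-PLACEHOLDER',
    [string]$CaName = 'CA-NAME-PLACEHOLDER'
)

# 1. Service state: the thread hinges on the IPSec Policy Agent (PolicyAgent)
#    being Automatic and on DCOM failing to start SENS (System event 10005).
foreach ($name in 'PolicyAgent', 'SENS') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    '{0,-12} State={1,-8} StartMode={2}' -f $name, $svc.State, $svc.StartMode
}

# 2. RPC endpoint mapper on the CA (TCP 135). Autoenrollment talks DCOM/RPC to
#    the CA; 0x800706ba ("The RPC server is unavailable") is what a filtered or
#    unreachable path looks like from the client side.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($CaHost, 135); "TCP 135 on $CaHost reachable" }
catch   { "TCP 135 on $CaHost NOT reachable: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. End-to-end DCOM check against the CA's request interface (ICertRequest).
certutil -config "$CaHost\$CaName" -ping

# 4. The two events quoted in the thread, from the last 24 hours.
$since = (Get-Date).AddDays(-1)
Get-EventLog -LogName Application -Source AutoEnrollment -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 13 } |
    Select-Object TimeGenerated, Message
Get-EventLog -LogName System -Source DCOM -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 10005 -and $_.Message -match 'SENS' } |
    Select-Object TimeGenerated, Message

# 5. Did a machine certificate from this CA arrive? (Issuer CN is the CA name.)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -match [regex]::Escape($CaName) } |
    Select-Object Subject, Issuer, NotAfter
```

Run it before and after Tom's procedure: step 3 should fail while the RPC filter is in place and succeed only after the All Open rule is created and the ISA Firewall machine (not just the service) has been restarted, at which point step 5 should list the new Computer certificate.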