VPN Server article discussion
VPN Server article discussion - 29.Mar.2004 3:54:00 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the VPN server article over at http://isaserver.org/articles/2004vpnserver.html.
Thanks! Tom [ July 06, 2004, 08:32 PM: Message edited by: tshinder ]

RE: VPN Server article discussion - 31.Mar.2004 8:09:00 AM
danielschell
Posts: 1
Joined: 31.Mar.2004
From: Adelaide, Australia
Status: offline
Hi Tom,
As always an excellent article. I followed the steps and successfully got the l2tp vpn connection working by adding a certificate to the client laptop 'computer'.
However, what I wish to achieve is to add the certificate to the user rather than the computer so that only the currently logged on user can make the l2tp connection. I tried to do this with no luck...
Do you know if this is somehow possible? I look forward to any advice you could offer in this area.
Regards, Daniel Schell GFiAP

RE: VPN Server article discussion - 31.Mar.2004 10:24:00 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Daniel,
Thanks!
I completed the user certificate authentication doc yesterday for the ISA 2004 VPN Deployment Kit. Send me a note at tshinder@tacteam.net and I'll send you a draft copy.
HTH, Tom

RE: VPN Server article discussion - 31.Mar.2004 1:30:00 PM
turbomcp
Posts: 36
Joined: 13.Nov.2002
Status: offline
Weird problem: I set up everything the same way as in the document except one thing. I am using an ISA server that is not part of the domain (standalone) and using RADIUS for authentication. I pass the authentication part but get disconnected on the "registering your computer on the network" part, or it gets connected for one second and disconnects a second later. On the ISA box I see the VPN client and its IP from the DHCP server. Any ideas?

RE: VPN Server article discussion - 2.Apr.2004 3:32:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Turbo,
This is a bug in beta 2. Good news is that it's been fixed!
HTH, Tom

RE: VPN Server article discussion - 10.Apr.2004 8:38:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi McFly,
We have a doc that might have this info. Write to me at tshinder@isaserver.org and I'll send it to you. It will be released with the update to the Exchange/ISA deployment kit for ISA 2004.
Thanks! Tom

RE: VPN Server article discussion - 20.May.2004 4:39:00 PM
_Trip
Posts: 14
Joined: 6.Apr.2004
From: Appleton, WI
Status: offline
Great Article (Haven't gotten through it yet, but I'm working on it).
One note, at least on my network: in order to add the group to the VPN clients allowed screen, the group needed to be a "Global" group, and not a Domain Local. It wouldn't even list out the Domain Local groups. (Even though ISA is part of the domain.)
Could be a misconfiguration elsewhere, but I thought I'd point it out...

RE: VPN Server article discussion - 21.May.2004 12:24:00 AM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tim,
Good point. You can only use Global security groups to assign user/group based access controls.
Thanks! Tom

RE: VPN Server article discussion - 6.Jul.2004 6:06:00 PM
ismailhazir
Posts: 1
Joined: 6.Jul.2004
From: istanbul/turkey
Status: offline
Hello Tom, I have read your article (about site to site VPN IPsec) two times but I haven't got a solution yet. Although I did the same lab, I cannot ping from 10.0.0.2 to 10.0.1.2 (the other remote LAN client) with its private IP from the main local site. The branch and main connections could not be connected; the status is always unreachable. Is there anything that has been forgotten, such as how the VPN clients will get an IP to communicate with the remote LAN? Is there something more that should be done by me? I am really confused about site to site VPN. Is there any more custom documentation including an example?
İsmail MCT/MCSE/CCNP

RE: VPN Server article discussion - 6.Jul.2004 8:34:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Ismail,
That article is for VPN remote access server, not for site to site VPN. There are articles on how to do the site to site VPN in the VPN kit over at www.msfirewall.org/isa2004kits.htm
HTH, Tom

RE: VPN Server article discussion - 21.Jul.2004 12:05:00 PM
andyjh122
Posts: 27
Joined: 14.Apr.2003
Status: offline
I've read a bunch of ipsec articles and a few mention using the IPSec and IPSec (Offline) cert templates.
What's the difference between using the Administrator cert template and the IPSec cert template?
How does this apply to ISAServer2004 vpns?
Thanks, Andrew

RE: VPN Server article discussion - 21.Jul.2004 3:21:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,
The offline template is used by VPN gateways. So, when the ISA firewall is configured as a VPN gateway for a site to site configuration, you can configure EAP auth and use the offline template.
Make sure to check out the VPN kit for the ISA 2004 firewall.
HTH, Tom

RE: VPN Server article discussion - 17.Aug.2004 2:36:00 PM
Guest
Tom,
I am having a similar issue as turbomcp above. I have an ISA 2004 box set up in standalone mode and configured for VPN PPTP access. It is talking to a RADIUS server for authentication. When I try to connect I get two different situations, with no obvious correlation as to why one or the other occurs. The first event is that the connection succeeds and then disconnects in under a second.
The other possibility is that it gives me an Error 619 saying that the connection has closed, without ever fully connecting.
I have checked all the event logs and they are all clean. The RADIUS server shows that authentication is successful. The only server-side evidence that something is wrong is that a query on the ISA logs shows a Failed VPN connection attempt, with no other noticeable errors on any server (RADIUS logs and event logs on DC, RADIUS, and ISA servers) (none of the services are on the same server). The client has an odd "The server could not bind to the transport \Device\NetBT_Tcpip_{F35DA341-A376-42DA-B098-8383BEFEA789}." which does not appear all the time.
This one has me baffled, any ideas?
Thanks, Chris

RE: VPN Server article discussion - 5.Dec.2004 4:34:00 AM
Guest
I've been going over the article (and what looks to be the same article from MS which is slightly dated) in my virtual lab and the one thing that doesn't correlate very well has to do with making the ISA Server standalone or part of the domain.
At the top of their article they state make your ISA server standalone...then when you are configuring the groups in VPN config it states to add the groups from the domain...which you cannot do when the ISA server is standalone.
So, which is the proper way..if using groups/isa on domain is not the preferred method..why would M$ create a whitepaper explaining this is how you do it?
Sincerely confused,
Mark Hodges

RE: VPN Server article discussion - 5.Dec.2004 3:08:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by <clckct>: Tom,
I am having a similar issue as turbomcp above. I have an ISA 2004 box set up in standalone mode and configured for VPN PPTP access. It is talking to a RADIUS server for authentication. When I try to connect I get two different situations, with no obvious correlation as to why one or the other occurs. The first event is that the connection succeeds and then disconnects in under a second.
The other possibility is that it gives me an Error 619 saying that the connection has closed, without ever fully connecting.
I have checked all the event logs and they are all clean. The RADIUS server shows that authentication is successful. The only server-side evidence that something is wrong is that a query on the ISA logs shows a Failed VPN connection attempt, with no other noticeable errors on any server (RADIUS logs and event logs on DC, RADIUS, and ISA servers) (none of the services are on the same server). The client has an odd "The server could not bind to the transport \Device\NetBT_Tcpip_{F35DA341-A376-42DA-B098-8383BEFEA789}." which does not appear all the time.
This one has me baffled, any ideas?
Thanks, Chris
Hi Chris,
Take a look at the article I did on RADIUS auth and access control over RADIUS auth'ed users connecting to the ISA firewall. When you use RADIUS for VPN users connecting to the ISA firewall, the ISA firewall might not apply ISA firewall rules the way you might have expected them to.
HTH, Tom

RE: VPN Server article discussion - 5.Dec.2004 3:11:00 PM
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by <Mark Hodges>: I've been going over the article (and what looks to be the same article from MS which is slightly dated) in my virtual lab and the one thing that doesn't correlate very well has to do with making the ISA Server standalone or part of the domain.
At the top of their article they state make your ISA server standalone...then when you are configuring the groups in VPN config it states to add the groups from the domain...which you cannot do when the ISA server is standalone.
So, which is the proper way..if using groups/isa on domain is not the preferred method..why would M$ create a whitepaper explaining this is how you do it?
Sincerely confused,
Mark Hodges
Hi Mark,
The paper here is definitely correct. What MS article is giving you a problem and what part of the MS article is giving you problems?
Thanks! Tom

RE: VPN Server article discussion - 20.Dec.2004 9:32:00 AM
pdijkman
Posts: 38
Joined: 19.Oct.2004
Status: offline
Hi Tom,
I posted my problem earlier... http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000386 And yes, I followed this great article too. The only question I have is why the DHCP Relay Agent is not supported on the ISA Server itself. I still haven't found a solution to this problem.
Could you help me with this one?
Kind Regards, P. Dijkman

RE: VPN Server article discussion - 21.Dec.2004 12:23:00 AM
pwaldeier
Posts: 36
Joined: 18.Feb.2004
From: Pennsauken NJ
Status: offline
Hi Tom,
The problem I am struggling with is that I am using a certificate purchased from Verisign. I do not have a CA. I am not sure how to use this certificate although it is an all purpose certificate. I have imported it into personal as well as Root certificates and tried .cer as well as PKCS#7 with the whole chain.
PPTP works fine but I get an error 789 on the client with an event 547 IKE SA negotiation failed on the ISA server's security log.
I have tried to choose the right sections from this article but I either have another problem or chose the wrong ones.
I do not have an "Administrator" certificate, only one for the site. Thanks,
PaulW