VPN acces problem
VPN acces problem - 21.Sep.2005 4:55:00 AM
arvid
Posts: 3
Joined: 20.Sep.2005
Status: offline
Hi,
I have read most of the posts here and came across many that have the same problem as me, but I still did not find the answer, so I hope someone can help me with my VPN access problem.
I'm trying to set up VPN with ISA 2004. We have an office domain where the ISA server acts like a firewall. The ISA server and both domain controllers are members of the office domain and are members of the RAS and IAS group. VPN client access is enabled. On the Groups tab of the VPN Clients Properties I have added a local group on the ISA server; I cannot choose any domain groups here. The local group (vpnusers) has a user that is a local admin and a domain admin. The local user has been granted dial-in permissions, as well as the domain user. On the Protocols tab I have PPTP checked. User mapping is not configured. The system policy "Allow VPN client traffic to ISA Server" is default and I have added two access rules:
1. Allow All Outbound traffic from VPN clients to Internal for All Users
2. Allow PPTP from External/Internal/Localhost to External/Internal/Localhost for All Users.
On an external client I have configured a VPN connection to my office (ISA). When I perform a port scan from the client computer, port 1723 is open.
When I try to make a connection from the external client, the logging on the ISA server sees the attempt coming in:
1. Initiated connection on destination port 1723, PPTP to external IP of the ISA server, rule Allow VPN client traffic to ISA Server
2. Initiated connection on destination port 0, PPTP to external IP of the ISA server, rule Allow VPN client traffic to ISA Server
3. Closed connection on destination port 1723, PPTP to external IP of the ISA server, rule Allow VPN client traffic to ISA Server
4. Failed VPN connection attempt, to destination port 0 and destination IP 0.0.0.0, NO rule
5. Then the ISA server is denying the connection. The alerts log says that "The VPN connection attempt by user OFFICE\* from VPN client IP address *.*.*.* could not be established. The failure is due to error: 0xc0040021"
Any help would be very much appreciated.
Kind regards, Arvid
RE: VPN acces problem - 25.Sep.2005 9:25:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Like a firewall?
RE: VPN acces problem - 26.Sep.2005 7:17:00 PM
longman
Posts: 44
Joined: 7.Feb.2005
Status: offline
The error code at the end translates to 'An attempt to log on to the VPN server was rejected during the authentication phase. The client session was disconnected.'
Why didn't you grant the user dial-in access at the domain level? Then have the user use their domain credentials when making a VPN connection. Finally, create a rule allowing VPN users access to the internal resources required.
RE: VPN acces problem - 28.Sep.2005 5:10:00 AM
slaikan
Posts: 6
Joined: 12.Oct.2004
Status: offline
Hi,
We've got the same problem; there is another post on this forum which exhibits similar problems, by <Mauro> on 4 September 20, 2005 07:56 PM.
Our configuration: ISA 2004 SP1 running on Windows 2003 SP1; the ISA Server is part of the domain but not a DC. The ISA Server has 2 NICs, Internal and External. The External adapter has about 12 IPs bound to it. We publish OWA / OMA / Async / RPC over HTTPS and about 8 other websites located on different servers without any problems. Our ISA server was configured initially using the edge firewall config. We used the ISA VPN tasks to configure the VPN and RAS access.
We have added the domain users group from the domain to the users allowed to VPN to the ISA Server. The user has dial-in permissions in AD.
We have 2x W2000 DCs and 1x W2003 DC in a W2000 native mode domain. All authentication on the domain appears to be working, with dcdiag and netdiag reporting no problems. The FSMO roles are on the W2000 DCs, however.
We are using a Windows XP Pro SP2 workstation to VPN to the ISA 2004 Server, to the first IP configured on the external adapter on the ISA Server. If we dial in directly to the server using ISDN we get the same error.
From the Windows XP PC, we get an error 691, access denied.
On the ISA Server we also get error 0xc0040021 in the alerts tab. In the event viewer of the ISA Server, we get:
Event Type: Warning
Event Source: Microsoft Firewall
Event Category: None
Event ID: 21171
Date: 2005/09/26
Time: 04:28:53 PM
User: N/A
Computer: INJNBISA01
Description: The VPN connection attempt by user DOMAIN\user from VPN client IP address x.x.x.x could not be established.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 0000: 21 00 04 c0 !..+
We have verified that the username and password are valid. We've made sure that we're not using the UPN for the logon, as suggested by another post on this forum.
We've tried different authentication methods, going right down to PAP authentication; still no luck.
We've tried disabling the VPN from the task pane on the right and then re-enabling the VPN.
We've tried increasing the number of VPN ports from 5 to 10 to 15; still no luck.
We're running out of ideas; can anyone help please? We've hit a brick wall...
I can't find where this is going wrong. We deployed ISA in this configuration and VPN / RAS wasn't a problem; the only difference was that the install was done on a domain that has a Windows 2003 DC holding all the FSMO roles.
Thanks, Shawn
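As an added example (not from this thread or any of its posters), here is a small Python parser for Event ID 21171 entries of the shape quoted above. It pulls out the user and client IP, decodes the four Data bytes (a little-endian DWORD, so `21 00 04 c0` is the alert code 0xc0040021 that longman translated earlier in the thread), and counts repeated authentication-phase rejections per client IP so a defender can spot a source that keeps failing. The sample events and their documentation-range IPs are constructed for the example.

```python
import re
import struct
from collections import Counter

# Meaning of 0xc0040021 as given in the thread; no other codes are mapped here.
KNOWN_CODES = {
    0xC0040021: "An attempt to log on to the VPN server was rejected during the "
                "authentication phase. The client session was disconnected.",
}

# Event id, user, client IP and the four raw Data bytes of a flattened entry.
EVENT_RE = re.compile(
    r"Event ID:\s*(?P<id>\d+).*?"
    r"by user (?P<user>\S+) from VPN client IP address (?P<ip>[\d.]+).*?"
    r"Data:\s*0000:\s*(?P<data>[0-9a-fA-F]{2}(?:\s+[0-9a-fA-F]{2}){3})",
    re.S,
)

def parse_event(text):
    """Return id, user, ip and the decoded status code, or None if no match."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    raw = bytes.fromhex(re.sub(r"\s+", "", m.group("data")))
    code = struct.unpack("<I", raw)[0]  # little-endian DWORD: 21 00 04 c0 -> 0xc0040021
    return {"id": int(m.group("id")), "user": m.group("user"), "ip": m.group("ip"),
            "code": code, "meaning": KNOWN_CODES.get(code, "unknown status code")}

def rejected_logons_by_ip(events, threshold=2):
    """Count authentication-phase rejections per client IP; return IPs at or above threshold."""
    counts = Counter()
    for ev in events:
        p = parse_event(ev)
        if p and p["id"] == 21171 and p["code"] == 0xC0040021:
            counts[p["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def sample_event(user, ip):
    """Constructed sample mirroring the entry quoted in the thread (documentation IPs)."""
    return ("Event Type: Warning Event Source: Microsoft Firewall Event Category: None "
            "Event ID: 21171 Date: 2005/09/26 Time: 04:28:53 PM User: N/A Computer: INJNBISA01 "
            f"Description: The VPN connection attempt by user {user} from VPN client IP "
            f"address {ip} could not be established. Data: 0000: 21 00 04 c0 !..+")

SAMPLE_EVENTS = [
    sample_event("DOMAIN\\user", "198.51.100.7"),
    sample_event("DOMAIN\\user", "198.51.100.7"),
    sample_event("DOMAIN\\other", "203.0.113.5"),
]
```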
RE: VPN acces problem - 28.Sep.2005 4:02:00 PM
slaikan
Posts: 6
Joined: 12.Oct.2004
Status: offline
Bingo! Solved the problem. In going through the reports that the MPS tools generate, I noticed that the ISA Server was using our new Windows 2003 DC for authentication. It suddenly struck me that when RAS users log on, the logon name format we're using is domain\username. Knowing that our FSMO roles are not located on the Windows 2003 DC, and that the ISA Server authenticates RAS/VPN users using domain\username, we decided to move the PDC Emulator to the Windows 2003 DC. After doing that the VPN began authenticating properly. So the problem wasn't really with ISA; it appears that Windows 2003 has a problem using the PDC Emulator located on the Windows 2000 DC.