Welcome to ISAserver.org
failed in any VPN connection to outside locations
failed in any VPN connection to outside locations - 3.Oct.2006 4:00:58 PM
2isa
Posts: 33
Joined: 3.Oct.2006
Status: offline
Hi, I have ISA Server 2004, installed with the default configuration. My problem is that users can't use VPN connections; I mean they can't access outside servers that use a VPN connection. Any help!

RE: failed in any VPN connection to outside locations - 4.Oct.2006 4:01:22 PM
2isa
Posts: 33
Joined: 3.Oct.2006
Status: offline
That happens in general when a guest in our company using our ISA server tries to access their private network through a VPN client. The guest or our users always face this error. They are configured as follows: local users as Firewall clients; guests only put in the Internet settings, with no firewall client defined. Our ISA is installed in both modes, cache (proxy) and firewall, at the same time.

RE: failed in any VPN connection to outside locations - 4.Oct.2006 8:37:29 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi 2isa,

for outbound VPN access, make sure that:

1. the clients are configured as SecureNAT clients only. If the Firewall client is installed, disable it for the duration of the VPN connection.
2. create the necessary access rules and apply them to all users. For a PPTP based VPN you need to allow the PPTP protocol; for an IPSec based VPN you need to allow IKE and NAT-T.

For the IPSec stuff, detailed info can be found at http://www.isaserver.org/articles/IPSec_Passthrough.html.

HTH,
Stefaan
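
Added example, not part of the original thread: one way to see from firewall logs which of the protocols named in the post above is still being blocked for a given client. The CSV layout, the sample rows and the `diagnose` function are constructed for illustration (this is not ISA Server's own log format); the port and protocol numbers are the standard ones for PPTP (TCP 1723 plus GRE), IKE (UDP 500) and NAT-T (UDP 4500).

```python
import csv
import io
from collections import defaultdict

# (protocol, destination port) -> (VPN type, component). GRE has no ports.
SIGNATURES = {
    ("tcp", 1723): ("PPTP", "PPTP control"),
    ("gre", None): ("PPTP", "GRE"),
    ("udp", 500): ("IPSec", "IKE"),
    ("udp", 4500): ("IPSec", "NAT-T"),
}

# Constructed sample log in a simplified CSV layout (assumption, see lead-in).
SAMPLE_LOG = """\
time,client,dest,proto,dport,action
10:01:02,10.0.0.21,203.0.113.10,tcp,1723,allowed
10:01:03,10.0.0.21,203.0.113.10,gre,,denied
10:05:40,10.0.0.35,198.51.100.7,udp,500,denied
10:06:00,10.0.0.35,198.51.100.80,tcp,80,denied
10:07:10,10.0.0.40,192.0.2.5,udp,500,allowed
10:07:11,10.0.0.40,192.0.2.5,udp,4500,allowed
"""

def diagnose(log_text):
    """List client/server pairs whose outbound VPN traffic was partly or fully denied."""
    seen = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dport"]) if row["dport"].strip() else None
        sig = SIGNATURES.get((row["proto"].strip().lower(), port))
        action = row["action"].strip().lower()
        if sig is None or action not in ("allowed", "denied"):
            continue  # not VPN passthrough traffic, or an unknown action
        vpn_type, component = sig
        seen[(row["client"], row["dest"], vpn_type)][action].add(component)
    findings = []
    for (client, dest, vpn_type), state in sorted(seen.items()):
        if state["denied"]:  # at least one required component is blocked
            findings.append({"client": client, "dest": dest, "vpn": vpn_type,
                             "allowed": sorted(state["allowed"]),
                             "denied": sorted(state["denied"])})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['client']} -> {f['dest']} ({f['vpn']}): "
              f"allowed={f['allowed']} denied={f['denied']}")
```

A finding with the PPTP control channel allowed but GRE denied, as in the first sample client, means the connection starts but no tunnel data can pass.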
RE: failed in any VPN connection to outside locations - 13.Oct.2006 11:51:04 AM
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:
1. The clients are configured as SecureNAT clients only. If the Firewall client is installed, disable it for the duration of the VPN connection.

Hi Stefaan, I usually don't disable the FWC when establishing a VPN connection; when it's established the FWC will have a red X on it, with no problem. Do I have to disable it? Or is it OK if it's disconnected automatically after the VPN connection is established?
_____________________________
Tarek Majdalani MS Forefront Edge Security MVP Website : http://www.elmajdal.net/ISAServer New Section : http://www.elmajdal.net/Win2k8
RE: failed in any VPN connection to outside locations - 13.Oct.2006 4:11:22 PM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tarek,

actually I recommend a two-step process to get the outbound VPN working. First, disable the Firewall client and the Web Proxy settings before setting up the VPN connection. You can then easily test all applications (web and non-web based) through the VPN connection. Secondly, and this requires some more thinking and configuration, fine-tune the Web Proxy and Firewall client settings so you don't have to disable those clients anymore. This is explained in my article http://www.isaserver.org/articles/IPSec_Passthrough.html, section '4. Configuring ISA Clients'.

The fact that you get a red X on the Firewall client means to me that the VPN connection enforces 'no split tunneling' (the setting 'use default gateway on remote network' on a Microsoft VPN client). In my experience (I assume here that the VPN connection is used to reach some services at a business partner), that's rather an unusual configuration because it cuts off the user completely from his normal business environment. Therefore, if only some services need to be accessed through the VPN connection, then split tunneling is normally allowed. It then becomes crucial to correctly configure the Firewall and Web Proxy client.

HTH,
Stefaan
< Message edited by spouseele -- 13.Oct.2006 4:19:03 PM >
RE: failed in any VPN connection to outside locations - 24.Oct.2006 3:25:37 AM
vladj
Posts: 6
Joined: 6.Oct.2006
Status: offline
Hi, I have a similar scenario, with additions though. I need to connect with a VPN client application to the 192.168.1.0/24 network at the partner. We also have a site-to-site VPN to a remote office, which also uses 192.168.1.0/24. The configuration uses the remote office subnet with a direct route (not NAT) network rule in the ISA Networks tab. What do I need to do when I need to access only the partner network? Just disable the Firewall client, and configure some rules for outbound VPN? Thanks