If I got your configuration right, ISA server is behind a NAT device (the ADSL router). Correct?
If so, what VPN protocol are you using? If it is PPTP, make sure that TCP port 1723 and IP protocol 47 (GRE) are forwarded to the ISA external interface. If it is L2TP/IPSec, check out the following MSKBs:
I have both IPSec AND PPTP activated on my ISA server. As I wrote in my network setup map, the ISA server computer is a demilitarized zone which is set to forward everything, so there shouldn't be any problems with the forwarding of the connection data. After all, ISA is my network firewall, so it seems natural not to protect it from the internet and let it control the traffic itself.
I somehow managed to solve the connection problem with the VPNs (I guess it had something to do with the IP settings I had... DHCP server didn't work, now an IP range does), but now I'm facing some other troubles. For instance, the VPNs can neither communicate with the server nor with each other through VPN. They are shown as successfully connected in ISA and they also get their IPs out of the range I defined, but not even one single echo command is able to reach them...
I'd appreciate any information that might help with this.
Hi elemist, I'm in the same situation as you. My setup is like this:
Internet (VPN clients over DynDNS) -> ADSL router (192.168.1.8) -> (192.168.1.1 - WAN) ISA Server (10.10.0.1) -> local network
I've set it up the same as you. On my local network 10.10.0.x I have a DC 10.10.0.1. I installed IAS on this DC and set it up to verify ISA 2004 as an IAS client. On my ISA 2004 I point to the DC to recognize the IAS server. On my ADSL modem I've forwarded TCP port 1723 and IP protocol 47 to my ISA WAN interface.
But every time I try to connect, it stops with error 678 or 721.
If I use RRAS on my DC (10.10.0.2) and create a Server publishing rule on my ISA to publish a PPTP server on 10.10.0.2, then when I try to connect, it's successful. But in this solution I'm using VPN over RRAS on my DC, not VPN on my ISA 2004.
I've read all the articles about creating a VPN on isaserver.org and I've checked my config to make sure it's correct, but the VPN is not working. I'm really confused. I've talked with my friend and he tried to set up VPN over ISA 2004 (but he's using a public IP with his broadband connection).
Has anyone tried to set up VPN with DDNS before? Could you explain and correct me if I'm wrong? Thanks in advance :)
From: The Netherlands
I haven't used ISA technology yet. I was also looking into creating a VPN connection myself (in my case I actually want to have a tunnel between a PIX and an ISA 2004 server from a remote location, but this ISA is behind an ADSL router that of course is doing NAT).
I started first with the concept and feasibility part. There are 3 VPN technologies I know:
- IPSec tunnel
- L2TP/IPSec
- PPTP
I started to analyze whether IPSec would be possible to use and, if so, the AH and/or ESP limitations/requirements. The theory says:
IPSec transport mode:
- AH will hash (sign) the entire packet (IP, TCP/UDP, Data) --> cannot cross a router or NAT since either of those will modify at least one of those fields.
- ESP will also sign the TCP/UDP header and Data.
IPSec tunnel mode:
- Will add an extra IP header to support passing routers
--> a NAT process (any change) to a packet will automatically invalidate it at reception
Microsoft released an update (supporting NAT-T) that will allow L2TP/IPSec client to exist in a NATed network. (http://support.microsoft.com/?id=818043). However, the VPN server that will be IPSec based, cannot stay in a NATed network.
Conclusion would be:
- If you have an ADSL router (one dynamic IP) and behind it your VPN server (ISA), then you cannot choose an IPSec based solution. Possible (theoretically should work, practically I have to see) to use PPTP.
- If you have an ADSL modem only (not a router), and you connect your VPN server to it (the external network interface of your ISA will then be a public IP), any VPN should work (OK… still limitations for an IPSec tunnel if the address changes too often).
- If you have an SDSL that normally will allow you more public IPs, then put your VPN server in a DMZ, assign it a public IP and there would be no problem with IPSec.
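Added example, not part of the original post: a simplified Python model of the AH/ESP-versus-NAT point made above, going one step further by separating the ESP integrity value from the UDP checksum it protects. The key, addresses and payload are constructed, and the AH calculation here covers only the IP addresses and payload rather than every immutable header field.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-sa-key"  # constructed key, stands in for the IPsec SA key

def icv(data: bytes) -> bytes:
    """HMAC-SHA1-96: the truncated integrity check value style used by AH/ESP."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)

def udp_datagram(src: str, dst: str, body: bytes) -> bytes:
    """UDP 1701 (L2TP) datagram; its checksum covers the IP pseudo-header."""
    length = 8 + len(body)
    hdr = struct.pack("!HHHH", 1701, 1701, length, 0)
    csum = inet_checksum(pseudo_header(src, dst, length) + hdr + body) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + body

def udp_checksum_ok(src: str, dst: str, dgram: bytes) -> bool:
    return inet_checksum(pseudo_header(src, dst, len(dgram)) + dgram) == 0

def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """Simplified AH: the ICV covers the IP addresses as well as the payload."""
    return icv(socket.inet_aton(src) + socket.inet_aton(dst) + payload)

def simulate(client="10.0.0.5", nat_public="203.0.113.5", server="198.51.100.10"):
    dgram = udp_datagram(client, server, b"L2TP payload (constructed)")
    sent_ah, sent_esp = ah_icv(client, server, dgram), icv(dgram)  # ESP ICV: payload only
    seen_src = nat_public  # NAT rewrites the outer source address, nothing else
    return {
        "baseline_no_nat": udp_checksum_ok(client, server, dgram),
        "ah_icv_valid": hmac.compare_digest(sent_ah, ah_icv(seen_src, server, dgram)),
        "esp_icv_valid": hmac.compare_digest(sent_esp, icv(dgram)),
        "inner_udp_checksum_valid": udp_checksum_ok(seen_src, server, dgram),
    }

if __name__ == "__main__":
    for check, ok in simulate().items():
        print(f"{check}: {ok}")
```

In this model the AH check fails as soon as the source address is rewritten, while the ESP integrity value still verifies but the protected UDP checksum no longer matches the address the receiver sees. That mismatch is the gap NAT-T closes by wrapping ESP in UDP.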
Hi, I have ISA 2004 installed in our network and also configured, and everything was working fine.
Since I am using a router called Aztec and it is taking too much time to update my DNS (dyndns.org), yesterday we changed our router to a Linksys WAG200G, where there is a DDNS option in the router itself.
Once I installed this new router, VPN clients cannot establish a connection with my ISA. I did all the steps including port forwarding (50,50,500 1723 ports forwarded), but it is still not working.
Could you please explain in a little more detail how your network is set up? Your ISA has got two interfaces, one External and the other Internal? There are so many factors that could keep you from connecting to your VPN server.
It could be your VPN settings in ISA itself.
It could be the DHCP server. Are you using DHCP or manually assigned IPs?
Have you installed the DHCP Relay Agent and selected the Internal interface to provide IPs?
What protocols have you selected? PPTP or L2TP?
Have you assigned a VPN group to be able to dial in to the ISA VPN?
Did you select the External interface of ISA to listen for VPN connections?
What authentication are you using, RADIUS or only AD?
If you can give some justification, we will be glad to help to our optimum level.