ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE
ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 16.Jun.2006 8:59:24 PM   
Rainman13

I'm trying to set up an ISA to ISA S-2-S VPN. Unfortunately I have the dreaded DSL and PPPoE on one side. I've searched the forums and looked at
http://www.isaserver.org/articles/200sbsinstallpart1.html without luck. I see Tom was supposed to be doing an article on configuring ISA behind a SOHO-type device, but can't find it. Nonetheless, here is my setup and findings. If anyone has ideas, I'd appreciate it.

At office: ISA 2004 on Windows 2003 (both patched) with static public IP on business cable. ISA server is a domain member. Private IP 192.168.0.1/24

At home: ISA 2004 on Windows 2003 (both patched) behind a Linksys BEFSX41 router on residential DSL (PPPoE). ISA server is standalone (not a domain member), though I wouldn't mind it being one. Public IP: 192.168.169.200/24, private IP: 192.168.155.1/24

Both home and office ISA servers have two NICs.

I followed the PPTP S-2-S instructions from Tom's book. The office server can make the S-2-S connection to home; I can ping and Remote Desktop from the office to the home ISA server and the server behind the home ISA server (running DHCP). However, I cannot ping or Remote Desktop from either server at home to the office server. I am able to connect to a VPN from a WinXP PC behind the home ISA server.

I have tried both port forwarding 1723 and 47 to the public interface on the home ISA server, as well as putting the public interface of the home ISA server on the Linksys DMZ port (and enabling DMZ within the router).

Why does it only work one way?

Thanks
Post #: 1
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 17.Jun.2006 2:54:14 PM   
tshinder
Hi Rainman,

I did do that article, but published it at TechProGuild.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Rainman13)
Post #: 2
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 19.Jun.2006 4:15:28 PM   
Rainman13
quote:

ORIGINAL: tshinder

Hi Rainman,

I did do that article, but published it at TechProGuild.

HTH,
Tom


I'm on the site and can't seem to find it.  Could you tell me the article name so I can search for it?  A direct link would work as well.

(in reply to tshinder)
Post #: 3
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 19.Jun.2006 5:47:42 PM   
tshinder
Hi Rainman,

I think this is what you're looking for:

http://techrepublic.com.com/5100-6350_11-6042192.html?tag=search

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Rainman13)
Post #: 4
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 19.Jun.2006 7:26:39 PM   
Rainman13
quote:

ORIGINAL: tshinder

Hi Rainman,

I think this is what you're looking for:

http://techrepublic.com.com/5100-6350_11-6042192.html?tag=search

HTH,
Tom


Looks good so far.  Is it possible, or has anyone done it where the VPN terminates at the ISA server behind that NAT device instead of at the device?

(in reply to tshinder)
Post #: 5
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 19.Jun.2006 8:45:12 PM   
tshinder
Hi Rainman,

That's an easy one. Just configure the NAT device to pass PPTP and L2TP/IPSec to the ISA firewall's external interface.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Rainman13)
Post #: 6
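The one-way behaviour in the first post and Tom's "pass PPTP and L2TP/IPSec to the ISA firewall's external interface" both come down to what the NAT device in front of the home ISA server actually lets through. PPTP is two things: a TCP 1723 control connection and a GRE data channel, and GRE is IP protocol 47, not a port, so a "port 47" forward on a SOHO router does nothing; the control channel negotiates, but no PPP frames flow in the NATed direction. The script below is an added example for this thread, not code from the original posts or from ISA Server/RRAS: it builds and decodes the PPTP Start-Control-Connection exchange (RFC 2637), decodes the enhanced-GRE header that carries the tunnel data, lists what a NAT device must pass for each VPN type, and gives a live probe of TCP 1723 so you can tell a blocked control channel from a blocked GRE path. The host names, the sample SCCRP reply and the sample GRE packet are constructed, not captured.

```python
"""PPTP passthrough probe for the one-way site-to-site symptom in this thread.

Added example, not code from the original posts or from ISA Server/RRAS.
Host names, the sample SCCRP reply and the sample GRE packet are constructed.
"""
import socket
import struct

PPTP_PORT = 1723           # PPTP control connection, TCP
GRE_PROTOCOL = 47          # PPTP data channel: IP protocol 47, NOT a TCP/UDP port
PPTP_MAGIC = 0x1A2B3C4D
CTRL_MESSAGE = 1           # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2        # Start-Control-Connection-Request / -Reply
PPP_IN_GRE = 0x880B        # GRE protocol type for PPP carried by PPTP
RESULT_CODES = {1: "ok", 2: "general error", 3: "channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}

# What a NAT device in front of an ISA firewall must pass for each VPN type.
# "ip-proto" entries cannot be expressed as port forwards: the router needs
# GRE/ESP passthrough, or the ISA external NIC has to sit on its DMZ host.
# ESP (50) is only needed for L2TP/IPsec when NAT-T (UDP 4500) is not negotiated.
REQUIRED_PASSTHROUGH = {
    "pptp": [("tcp", PPTP_PORT), ("ip-proto", GRE_PROTOCOL)],
    "l2tp/ipsec": [("udp", 500), ("udp", 4500), ("ip-proto", 50)],
}

SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # RFC 2637 section 2.1, fixed 156 bytes
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # RFC 2637 section 2.2, fixed 156 bytes


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Build the SCCRQ a PPTP client sends right after the TCP connect."""
    return struct.pack(
        SCCRQ_FMT, 156, CTRL_MESSAGE, PPTP_MAGIC, SCCRQ, 0,
        0x0100,               # protocol version 1.0
        0,                    # reserved
        1, 1,                 # framing (async) and bearer (analog) capabilities
        0, 0,                 # maximum channels, firmware revision
        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Decode a SCCRP; raise ValueError for anything that is not one."""
    if len(data) < 156:
        raise ValueError("short PPTP control message")
    (_length, msg_type, magic, ctrl_type, _r0, version, result, error,
     _framing, _bearer, _maxch, _fw, host, vendor) = struct.unpack(
        SCCRP_FMT, data[:156])
    if magic != PPTP_MAGIC or msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("not a PPTP SCCRP")
    return {"version": version,
            "result": RESULT_CODES.get(result, result),
            "error": error,
            "host": host.rstrip(b"\0").decode(errors="replace"),
            "vendor": vendor.rstrip(b"\0").decode(errors="replace")}


def parse_pptp_gre(packet):
    """Decode the enhanced-GRE header (RFC 2637 section 4.1) of a PPTP data packet.

    These packets travel as IP protocol 47 once the control channel is up; a
    router that only forwards TCP 1723 never delivers them.
    """
    flags, proto = struct.unpack("!HH", packet[:4])
    if proto != PPP_IN_GRE or (flags & 0x0007) != 1:      # version must be 1
        raise ValueError("not a PPTP GRE packet")
    if not (flags & 0x2000):                               # K bit: key required
        raise ValueError("PPTP GRE without key field")
    payload_len, call_id = struct.unpack("!HH", packet[4:8])
    off, seq, ack = 8, None, None
    if flags & 0x1000:                                     # S bit: sequence number
        seq = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & 0x0080:                                     # A bit: acknowledgment
        ack = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack,
            "payload": packet[off:off + payload_len]}


def probe_control_channel(host, timeout=5.0):
    """Live check of TCP 1723: connect, send SCCRQ, return the decoded SCCRP.

    A result of "ok" proves only that the control channel reaches a PPTP server
    behind the NAT; it says nothing about GRE, which is the usual failure.
    """
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                raise ConnectionError("peer closed before sending SCCRP")
            buf += chunk
    return parse_sccrp(buf)


def sample_sccrp():
    """Constructed reply of the shape an RRAS server sends (not a capture)."""
    return struct.pack(SCCRP_FMT, 156, CTRL_MESSAGE, PPTP_MAGIC, SCCRP, 0,
                       0x0100, 1, 0, 1, 1, 0, 0,
                       b"office-isa".ljust(64, b"\0"),
                       b"Microsoft".ljust(64, b"\0"))


def sample_gre():
    """Constructed PPTP data packet: K|S|A set, version 1, call ID 0x1234."""
    ppp = b"\xff\x03\xc0\x21"   # PPP HDLC address/control + LCP protocol ID
    return struct.pack("!HHHHII", 0x3081, PPP_IN_GRE, len(ppp), 0x1234, 7, 3) + ppp


if __name__ == "__main__":
    print(parse_sccrp(sample_sccrp()))
    print(parse_pptp_gre(sample_gre()))
    print(REQUIRED_PASSTHROUGH)
```

Run `probe_control_channel("office.example")` (hypothetical host) from the home side: a decoded reply with result "ok" means TCP 1723 is reaching a PPTP server, so if the tunnel still fails to carry traffic the next thing to check is whether the NAT device passes protocol 47, which on a BEFSX41-class router means PPTP passthrough or the DMZ host, not a port-forward entry.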
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 20.Jun.2006 7:46:11 PM   
bhavin78
Hi Rainman13,
I need help with a configuration similar to yours.

This is my test network:
Office
T1......>..>ISA Server with 3 NICs (member of DC)......>
I want to install a domain controller with internal IP address 191.9.xxx.xxx after making the connection with Home.

Home:
Cable modem with dynamic IP address......>DLink Router.....>ISA Server with 3 NICs (member of DC)......>
(Internal IP address 192.168.100.xxx)

In this case, how do I start making a VPN connection between home and office?

What port do I forward on the router to point to the ISA Server's external NIC, and what address do I give the external NIC, as it needs to be able to make a connection to the external NIC of the ISA Server at the office? I am very confused about this.

What type of configuration should I go with on the ISA Servers (array members or individual)? In this case, how will one server see the other server?

Future plan after making a successful VPN is creating one forest, one domain and two sites, one for each location with a different IP address range.
Please try to help me with this.

(in reply to Rainman13)
Post #: 7
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 20.Jun.2006 8:37:58 PM   
Rainman13
quote:

ORIGINAL: bhavin78

Hi Rainman13,
I need help with a configuration similar to yours.

This is my test network:
Office
T1......>..>ISA Server with 3 NICs (member of DC)......>
I want to install a domain controller with internal IP address 191.9.xxx.xxx after making the connection with Home.

Home:
Cable modem with dynamic IP address......>DLink Router.....>ISA Server with 3 NICs (member of DC)......>
(Internal IP address 192.168.100.xxx)

In this case, how do I start making a VPN connection between home and office?

What port do I forward on the router to point to the ISA Server's external NIC, and what address do I give the external NIC, as it needs to be able to make a connection to the external NIC of the ISA Server at the office? I am very confused about this.

What type of configuration should I go with on the ISA Servers (array members or individual)? In this case, how will one server see the other server?

Future plan after making a successful VPN is creating one forest, one domain and two sites, one for each location with a different IP address range.
Please try to help me with this.


Actually I still don't have this working. It still works from the office to home, but not from home to office. I have PPTP (1723) forwarded and also have it on my Linksys DMZ port. I'm going to try going to my parents' house where they have cable instead of DSL. This way I don't have a PPPoE problem, and should be able to complete the S-2-S setup.

In your case, why do you need the DLink router at home? Does your ISP require some sort of authentication that ISA can't do?

(in reply to bhavin78)
Post #: 8
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 20.Jun.2006 9:19:13 PM   
bhavin78
Main question is how do I start with the configuration from the previous post?
I am nowhere right now.
Forget about forwarding ports; I will use two public static IP addresses at work and create two networks.

I already installed ISA Server on Windows Server 2003, which is a DC with 3 NICs, and the internal address range is 192.168.100.1-255;
the external is a public IP address.

Now the second thing I want to do for the other side of the network is install ISA Server on Windows Server 2003 with 3 NIC cards, a public IP address on the external NIC, and internal IP range 191.9.xxx.xxx-255.
What configuration do I go with for ISA Server?
How do I make the VPN connection, and how will one ISA server see the other ISA server (name resolution) without any connection?
Then I want to promote that server to a DC, which will be on a different site.

Try to help me at the point you are at right now.

(in reply to Rainman13)
Post #: 9
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 20.Jun.2006 9:30:37 PM   
Rainman13
quote:

ORIGINAL: bhavin78

Main question is how do I start with the configuration from the previous post?
I am nowhere right now.
Forget about forwarding ports; I will use two public static IP addresses at work and create two networks.

I already installed ISA Server on Windows Server 2003, which is a DC with 3 NICs, and the internal address range is 192.168.100.1-255;
the external is a public IP address.

Now the second thing I want to do for the other side of the network is install ISA Server on Windows Server 2003 with 3 NIC cards, a public IP address on the external NIC, and internal IP range 191.9.xxx.xxx-255.
What configuration do I go with for ISA Server?
How do I make the VPN connection, and how will one ISA server see the other ISA server (name resolution) without any connection?
Then I want to promote that server to a DC, which will be on a different site.

Try to help me at the point you are at right now.


If you have Tom's book "Configuring ISA Server 2004", start at the bottom of page 747; he details it extremely well.

I did just figure it out and have it working. Definitely an ID 10 T error. The lesson here: read the section... do NOT just follow steps and assume you can make it work. In actually reading the text with a fine-tooth comb I found it. The final piece of the puzzle was that I didn't have the "Main" user account created on the office server. Tom wasn't kidding: it uses the name of the demand-dial interface (which you can see in RRAS) as the username.

Once I finish testing what I needed the S-2-S for, I'll play with port forwarding vs. DMZ and L2TP VPN instead of PPTP.

(in reply to bhavin78)
Post #: 10
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 21.Jun.2006 1:33:04 AM   
bhavin78
I completely understand what you mean to say. I am not trying to just get information from you thinking that I will be able to do it. I want to try; I have tried, and I don't want to do anything until I understand. I am still trying to understand how I am going to do this.

I would appreciate it if you could answer the questions I am not able to figure out.

I am going to create an account on both ISA Servers:
ISAServer Local Account: ISALocal/Branch
ISAServer Branch Account: ISABranch/Main
Create Remote Site Network on both ISA Servers.

Still confused about how I create my second DC on site 2, where the branch ISA server is going to be. Do I do that before putting in the ISA server or after the VPN connection is up and running?

Why do we create the account locally? Is it possible to use a domain user name and password?

(in reply to Rainman13)
Post #: 11
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 21.Jun.2006 5:25:49 PM   
tshinder
quote:

ORIGINAL: Rainman13

quote:

ORIGINAL: bhavin78

Main question is how do I start with the configuration from the previous post?
I am nowhere right now.
Forget about forwarding ports; I will use two public static IP addresses at work and create two networks.

I already installed ISA Server on Windows Server 2003, which is a DC with 3 NICs, and the internal address range is 192.168.100.1-255;
the external is a public IP address.

Now the second thing I want to do for the other side of the network is install ISA Server on Windows Server 2003 with 3 NIC cards, a public IP address on the external NIC, and internal IP range 191.9.xxx.xxx-255.
What configuration do I go with for ISA Server?
How do I make the VPN connection, and how will one ISA server see the other ISA server (name resolution) without any connection?
Then I want to promote that server to a DC, which will be on a different site.

Try to help me at the point you are at right now.


If you have Tom's book "Configuring ISA Server 2004", start at the bottom of page 747; he details it extremely well.

I did just figure it out and have it working. Definitely an ID 10 T error. The lesson here: read the section... do NOT just follow steps and assume you can make it work. In actually reading the text with a fine-tooth comb I found it. The final piece of the puzzle was that I didn't have the "Main" user account created on the office server. Tom wasn't kidding: it uses the name of the demand-dial interface (which you can see in RRAS) as the username.

Once I finish testing what I needed the S-2-S for, I'll play with port forwarding vs. DMZ and L2TP VPN instead of PPTP.


Hi Rainman,

Thanks! I try to include a lot of information to help people understand why we are doing the things that need to be done. There are a lot of details in configuring the site to site VPN that can catch you, but when you read the details as described, it always works! :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Rainman13)
Post #: 12
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 21.Jun.2006 5:28:59 PM   
tshinder
quote:

ORIGINAL: bhavin78

I completely understand what you mean to say. I am not trying to just get information from you thinking that I will be able to do it. I want to try; I have tried, and I don't want to do anything until I understand. I am still trying to understand how I am going to do this.

I would appreciate it if you could answer the questions I am not able to figure out.

I am going to create an account on both ISA Servers:
ISAServer Local Account: ISALocal/Branch
ISAServer Branch Account: ISABranch/Main
Create Remote Site Network on both ISA Servers.

Still confused about how I create my second DC on site 2, where the branch ISA server is going to be. Do I do that before putting in the ISA server or after the VPN connection is up and running?

Why do we create the account locally? Is it possible to use a domain user name and password?


Hi B,

Making the branch office ISA firewall a DC is tricky, as you can lock yourself out if you don't follow the correct procedures.

I believe I included this scenario in the ISA 2004 VPN deployment kit over at http://www.microsoft.com/technet/prodtechnol/isa/2004/deployment/default.mspx

Or it might be in the branch office deployment kit, located on the same page. I spent hundreds of hours working on those docs so that you don't have to go through the pain I did to figure things out :)

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)
Post #: 13
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 10.Jul.2006 5:00:34 PM   
bhavin78
I am trying to set up the network from Tom's book and a few things are not working for me, as I might be doing something wrong. I need some help with this.
1) I configured everything according to Tom's book and so far I can ping the DC from ISA and vice versa.
2) I have three physical NICs on the Guest OS with VM installed and configured according to Tom's book. The Guest OS also has VMnet1 and VMnet8; where did those come from, and do I have to configure them? VMnet8 has IP address 192.168.169.1 and VMnet1 has IP address 192.168.80.1 (where did this come from, and do I have to do anything with these virtual NICs?)
3) How many NICs should I use on the Guest OS? Right now I have only used one, which connects to my router (internet connection).

(in reply to tshinder)
Post #: 14
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 10.Jul.2006 5:57:24 PM   
tshinder
1) I configured everything according to Tom's book and so far I can ping the DC from ISA and vice versa.
TOM: When testing site to site VPNs, always test from hosts behind the ISA firewalls, not from the ISA firewalls themselves. There's no point to that since the firewalls are used as workstations or servers.

2) I have three physical NICs on the Guest OS with VM installed and configured according to Tom's book. The Guest OS also has VMnet1 and VMnet8; where did those come from, and do I have to configure them? VMnet8 has IP address 192.168.169.1 and VMnet1 has IP address 192.168.80.1 (where did this come from, and do I have to do anything with these virtual NICs?)
TOM: In the site to site VPN scenarios, start with two virtual NICs on the ISA firewalls. For main and branch office firewalls, the external should be BRIDGED. For the main office internal, I typically use VMnet2 and for the branch office internal I typically use VMnet4, but it doesn't really matter. VMnet1 and VMnet8 are special purpose out of the box and you don't need to worry about them or use them.

3) How many NICs should I use on the Guest OS? Right now I have only used one, which connects to my router (internet connection).
TOM: Each client behind each ISA firewall VM should have two NICs, and each ISA firewall should have two NICs. Not sure what you mean by "connects to your router".

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)
Post #: 15
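The lab layout Tom describes above (external NIC bridged to the real network, each site's internal NIC on its own custom virtual switch) maps onto a few lines in each VM's configuration file. This is an added illustration for the thread, not from the original post or from VMware's documentation; it uses the standard VMware Workstation .vmx network keys (ethernetN.connectionType, ethernetN.vnet), and the file names and adapter numbering are assumptions. The point of the custom (host-only) vnets is that lab traffic from the internal side can only reach the real LAN through the ISA firewall VM, so the VPN test exercises the firewall rather than the host's own networking.

```ini
# main-isa.vmx (assumed name): main office ISA firewall VM
# ethernet0 = external NIC, bridged to the host's physical adapter
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
# ethernet1 = internal NIC on the main office virtual switch (VMnet2)
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet2"

# branch-isa.vmx (assumed name): branch office ISA firewall VM
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
# internal NIC on a separate virtual switch (VMnet4) so the two sites
# can only reach each other across the VPN, never through the host
ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet4"
```

VMnet1 (host-only) and VMnet8 (NAT) are the two switches Workstation creates by default, which is why they appear on the host with their own addresses; the firewalls above do not reference them.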
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 10.Jul.2006 6:08:50 PM   
bhavin78
"Connects to router" means one of my physical NICs on the Guest OS is connected directly to the router.
GUEST OS NIC...... DLink Router....>Cable Modem

I am trying to test a real-world scenario using VMware.
This is what I am trying:
Create a site-to-site VPN between two physical locations using ISA Enterprise Edition.
Install a replica of the Main office DC behind the remote ISA.

I am going to use Enterprise Edition of ISA Server, but your book does not explain the part about how to configure the remote ISA Server, or maybe I missed it. So far I have already installed ISA Server at the Main office; now, when I install ISA Server on the remote ISA, how is it going to see the Main office ISA before the site-to-site VPN?

(in reply to tshinder)
Post #: 16
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 10.Jul.2006 6:16:56 PM   
tshinder
Hi B,

The Guest OS doesn't have physical NIC. Are you referring to the Host OS?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)
Post #: 17
RE: ISA 04 to ISA 04 Site-to-Site VPN & DSL PPPoE - 10.Jul.2006 6:20:27 PM   
bhavin78
Sorry, my mistake, that's what I meant: Host OS.
I am trying to test a real-world scenario using VMware.
This is what I am trying:
Create a site-to-site VPN between two physical locations using ISA Enterprise Edition.
Install a replica of the Main office DC behind the remote ISA.

I am going to use Enterprise Edition of ISA Server, but your book does not explain the part about how to configure the remote ISA Server, or maybe I missed it. So far I have already installed ISA Server at the Main office; now, when I install ISA Server on the remote ISA, how is it going to see the Main office ISA before the site-to-site VPN?

(in reply to tshinder)
Post #: 18
