VPN Client (Full Version)






NetAdmin -> VPN Client (26.Jan.2007 12:35:14 AM)

Hi,

We have ISA Server 2000 on Windows 2000 Server. Our head office has VPN setup and they have given us Cisco Systems VPN Client version 4.8.01.0300 to access their mail server.

Initially I was unable to connect the VPN Client, but then I had to open some UDP ports on the ISA Server, and now I can connect/authenticate through the VPN Client. But I cannot ping their mail server and Outlook cannot find the Exchange server.

Can anybody help me resolve this issue? Is there anything I need to do on the ISA Server?

Many thanks!




spouseele -> RE: VPN Client (26.Jan.2007 6:28:24 AM)

Hi NetAdmin,

the definitive answer can be found in my article How to pass IPSec traffic through ISA Server. And don't forget to read the related topic mentioned at the very end of the article.

HTH,
Stefaan




NetAdmin -> RE: VPN Client (27.Jan.2007 7:39:20 AM)

 
Hello Spouseele,

Many thanks for your reply. I think I have followed part of your article already. I mean I did define protocol definitions for UDP ports 500 and 4500 and also created a protocol rule. After this configuration I was able to authenticate through the VPN client. But after the connection is established and I am authenticated through the VPN client, I am unable to ping their mail server and hence Outlook cannot find the Exchange Server.

Could you please guide me what next I have to do in order to access the mail server successfully?

I would be grateful.

Many thanks in advance!




spouseele -> RE: VPN Client (27.Jan.2007 11:12:14 AM)

Hi NetAdmin,

What is the ISA logging telling you?
What is the Cisco VPN client logging telling you?
Did you verify that the Cisco admin enabled IPSec NAT-T support?
Did you verify that the Cisco admin enabled Transparent Tunneling?
Did you read the debugging steps mentioned in Cisco VPN client -> ISA 2000 -> Cisco VPN Concentrator?
...

HTH,
Stefaan




NetAdmin -> RE: VPN Client (30.Jan.2007 6:55:57 AM)

 
Thanks Stefaan for the Help!

I am getting closer and here is the update so far.

1. We have installed the firewall client on all the computers since we are having a problem of slow browsing if we enable the proxy in Internet Explorer. I know it should not be like this but somehow it's happening with us that when we turn the proxy ON, we get very very slow browsing and particularly we cannot download anything due to the speed. But with the firewall client we are OK.

2. I opened UDP ports and now I am able to connect/authenticate VPN Client to our remote network.

3. When I turn on proxy settings in Internet Explorer then I can ping the mail server on the remote network...means when I turn on proxy settings then everything seems OK. But when I turn off proxy settings and turn on the firewall client then I cannot connect the VPN Client. Previously, when the firewall client was ON and the proxy was OFF, I was able to connect the VPN client but I was not able to ping the mail server on the remote server. Now I didn't change anything on the ISA Server but now I cannot connect the VPN client when the firewall client is ON and the proxy is OFF.

I would greatly appreciate it if you could guide me from here onwards. I have checked the points you mentioned in your post and here are the log entries of the Cisco Client for your information:

2      16:39:44.015  01/30/07  Sev=Warning/3 IKE/0xE300002C
ISAKMP header invalid: Invalid version 5.14 found

3      16:39:44.015  01/30/07  Sev=Warning/3 IKE/0xE3000039
Received an invalid or malformed IKE packet: message id = 0x08100601

Many thanks in advance!




spouseele -> RE: VPN Client (30.Jan.2007 3:44:47 PM)

Hi NetAdmin,

I doubt very much you have really made a successful VPN connection!

On the internal client, make sure that:
1. the client is configured as a SecureNAT client.
2. the Firewall client is disabled for the duration of the VPN connection.
3. the Web Proxy client is disabled for the duration of the VPN connection.

Only when it works as a SecureNAT client only can we start fine-tuning the client configuration.

Also, we need both the ISA and the VPN client logging.

HTH,
Stefaan




NetAdmin -> RE: VPN Client (31.Jan.2007 2:04:39 AM)

Many thanks Stefaan for the reply!

1. I did check in TCP/IP and found that I have specified the gateway address, which is the internal IP address of the ISA Server. Does that mean the client is configured as SecureNAT?

2. When I disable the firewall client during the period of the VPN connection then the VPN works just fine and I am able to ping the mail server on the remote network - but if we have to disable the firewall client in order for the VPN to work then I don't think this is an ideal solution for us. We need the firewall client enabled all the time since we have slowness in browsing otherwise.

3. I am also able to connect through VPN client when I disable firewall and web proxy settings.

4. I tried to enable the firewall client after the VPN connection was established (by disabling the firewall client), but after some time the VPN connection drops with the following message

"Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"

5. Below are some entries of VPN Client log

2      16:39:44.015  01/30/07  Sev=Warning/3 IKE/0xE300002C
ISAKMP header invalid: Invalid version 5.14 found

3      16:39:44.015  01/30/07  Sev=Warning/3 IKE/0xE3000039
Received an invalid or malformed IKE packet: message id = 0x08100601

6. Below are some entries of ISA Log:

2007-01-30 23:59:33 192.168.0.4 192.168.0.255 Udp 138 138 BLOCKED <external IP>
2007-01-30 23:59:40 192.168.0.4 192.168.0.255 Udp 2717 19771 BLOCKED <external IP>

Thank you for your time in advance!




spouseele -> RE: VPN Client (31.Jan.2007 2:20:48 PM)

Hi NetAdmin,

I clearly did say
quote:

Only when it works as a SecureNAT client only can we start fine-tuning the client configuration.
[8D][8D][8D]

quote:

2. When I disable the firewall client during the period of the VPN connection then the VPN works just fine and I am able to ping the mail server on the remote network - but if we have to disable the firewall client in order for the VPN to work then I don't think this is an ideal solution for us. We need the firewall client enabled all the time since we have slowness in browsing otherwise.

3. I am also able to connect through VPN client when I disable firewall and web proxy settings.

So, I assume from now on that the VPN is working if the client is configured as SecureNAT client only! [:)]

quote:

We need firewall client enabled all the time since we have slowness in browsing otherwise. 

That's certainly not normal behavior and might have to do with your DNS setup. Please post the result of the 'ipconfig /all' command on the ISA server and on an internal client.

Now, regarding the fine-tuning of the client configuration. I suggest you first read again what I wrote in my article How to pass IPSec traffic through ISA Server, section 4. Configuring ISA Clients. It's crucial you first fully understand that section before you start playing with the client configuration settings.

HTH,
Stefaan 




NetAdmin -> RE: VPN Client (1.Feb.2007 2:14:50 AM)

 
Hello Stefaan,

Many thanks for your focused reply as usual, and I am sorry for asking questions that you have already answered. I will try to be more focused.

I have re-read your excellent article and I am clear that the VPN will work only when ISA clients are configured as SecureNAT clients.

I have one more confusion regarding the configuration of the various client types on the ISA Server. Could you please clarify whether we need to do some special configuration on the ISA Server in order to make ISA clients SecureNAT clients? As far as I understand, we need to specify the internal IP address of the ISA Server as the gateway in the client's TCP/IP settings and then the client should start browsing? .... means we do not need to enable proxy settings in Internet Explorer and also we do not need to install firewall clients in order to browse the Internet? If this is the case then I am unable to browse the Internet when I ONLY specify the internal IP address of the ISA Server in the client's TCP/IP settings; I need to either specify proxy settings or I have to install the firewall client.

Below are the details of 'ipconfig /all' of one of our internal clients:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : NetAdmin
 Primary DNS Suffix  . . . . . . . : ourdomain.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : RemoteDomain.pvt
                                    ourdomain.org
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel(R) 82559 Fast Ethernet LAN on Motherboard
Physical Address. . . . . . . . . : 00-D0-B7-A7-8B-68
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1

Below are the details of 'ipconfig /all' of our Windows 2000 Server on which ISA and Exchange 2000 are installed:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : Server
Primary DNS Suffix  . . . . . . . : ourdomain.org
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ourdomain.org
Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-02-A5-CD-11-38
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.1
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : SMC EZ Card 10/100 (SMC1211TX)
Physical Address. . . . . . . . . : 00-10-B5-F4-B5-46
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : Public IP of Server
Subnet Mask . . . . . . . . . . . : 255.255.255.XXX
Default Gateway . . . . . . . . . : Public IP of DSL Router
DNS Servers . . . . . . . . . . . : ISP DNS Server IP 1
                                    ISP DNS Server IP 2

So, now what next? Should I proceed with the fine-tuning of the firewall client as you mentioned in your article under the heading 4.5 Configuration Issues?

Many thanks for your time and guidance. I really appreciate it !!!

Best,
NetAdmin




spouseele -> RE: VPN Client (1.Feb.2007 3:36:11 PM)

Hi NetAdmin,

quote:

I have one more confusion regarding configuration of various client's type on the ISA Server.

Have you read Jim Harrison's excellent articles about the different ISA client types? If not, you should! They are referenced in my article.

An internal workstation should be configured as Web Proxy *and* Firewall *and* SecureNAT client at the same time. Internal servers should be Web Proxy *and* SecureNAT if they need outbound access and/or if you have to publish them.

Keep in mind that if you require authentication on a protocol and/or site&content rule then only Web Proxy and Firewall client requests can apply to that rule. However, when a request is sent as a SecureNAT client request then only anonymous rules can be applied to those requests. Moreover, ISA can only do DNS resolving on behalf of a Web Proxy and Firewall client. A SecureNAT client must be able to perform DNS resolving on its own.

Regarding your configuration:

1. You have a simple non-routed internal network. So, if an internal host has the ISA internal interface as default gateway then that host is configured as a SecureNAT client.

2. The DNS server on the client points to the ISA server internal interface. Why? Are you running an internal DNS server on the ISA server itself?

3. You said you run the Exchange server on the ISA server too. Why? Where is the DC? On ISA too? Are you running an SBS type of installation?

In my opinion you should first resolve your DNS problems. Nevertheless you can already start to test the fine-tuning of the Web Proxy and Firewall client. Follow the guidance in my article but do it step by step and test it with every change you make to the configuration. The concept is quite simple: make sure that the public IP address of the VPN server and all IP ranges reachable through the VPN tunnel are *not* redirected by the Web Proxy and Firewall client to the local ISA server.

HTH,
Stefaan





NetAdmin -> RE: VPN Client (2.Feb.2007 5:41:14 AM)

 
Hello Stefaan,

Many thanks for the reply!

Yes, we have a Windows 2000 Server on which ISA 2000/Exchange 2000 are installed and this is also our DC. I know this is not an ideal setup but we are in the process of separating the servers.

I have followed the fine-tuning process of the firewall client in your article but sorry to say that I was not successful. Here is what I did:

1. Enabled proxy settings + firewall client on the client computer and this is also SecureNAT client.

2. Created the locallat.txt file in the firewall client folder and entered the following entry:
    192.168.0.0     192.168.0.255

3. I did not enter the host IP of the VPN client in the locallat.txt file, which is a public IP of our remote network.

4. On the ISA Server, when I tried to configure web proxy clients for Direct Access, the proxy and firewall services didn't start after that. The services start again when I undo the Direct Access changes.

5. When I disable firewall client for the period of VPN connection, then it works fine.

As you pointed out, it looks like a DNS problem, but what do you think could be wrong within DNS? We have had this set up since 2003 and it is working fine - I mean we are not facing any problem in name resolution and with Exchange as well. However, the DNS is set to manual, it is not dynamic.

I would appreciate your thoughts to help resolve this issue for me. Many many thanks!




spouseele -> RE: VPN Client (2.Feb.2007 2:04:42 PM)

Hi NetAdmin,

oh no... what an awful configuration! [:(]

OK, so on one box you have the DC, the Exchange and the ISA 2000. So, you are running 'by definition' the internal DNS server on ISA itself. Now, to tackle the DNS problem, you should do the following:
- configure your ISP DNS servers as forwarders in the internal DNS server (on ISA).
- remove the ISP DNS servers from the ISA external interface.
- make sure you have a packet filter allowing the DNS protocols (TCP port 53 outbound and UDP port 53 send/receive).

Test from the ISA itself with the 'nslookup' command that the DNS can resolve internal and external FQDNs. Next, test it out with the 'nslookup' command from an internal client configured as SecureNAT client only. If both are working, your DNS problem should be solved (hopefully).

Now, for the VPN:
quote:

The concept is quite simple: make sure that the public IP address of the VPN server and all IP ranges reachable through the VPN tunnel are *not* redirected by the Web Proxy and Firewall client to the local ISA server.

So, if the Network ID 192.168.0.0/24 is reachable *through* the VPN tunnel then it should be in the 'locallat.txt' file as well as the IP address of the remote VPN server. And yes, that's normally a public IP address.
If done properly, all traffic destined for the remote network should go through the VPN tunnel, at least assuming that no proxy settings are defined in IE. Otherwise HTTP/HTTPS traffic will still be redirected to the ISA server instead of going through the VPN tunnel.

quote:

4. On the ISA Server, when I tried to configure web proxy clients for Direct Access, the proxy and firewall services didn't start after that. The services start again when I undo the Direct Access changes.

Can you elaborate on that in more detail? It shouldn't happen! In the meantime, disable the proxy settings in IE.

HTH,
Stefaan




NetAdmin -> RE: VPN Client (3.Feb.2007 7:26:25 AM)

 
Hello Stefaan,

Thanks for the reply!

Here is the update....

1. I configured our ISP DNS servers as forwarders in the internal DNS server.

2. Removed the ISP DNS Servers from the ISA external interface. It warned me that the local computer's IP would be used as DNS since I did not even specify the local DNS IP address. I left it blank and the system assigned it the IP address 127.0.0.1.

3. Created packet filters for TCP port 53 outbound, as a remote fixed port, and also created UDP port 53 send/receive, as a remote fixed port.

4. After the above configurations, I was unable to browse the Internet. I was able to ping google.com but I was not able to ping yahoo.com, which I was able to ping before making these changes. However, nslookup was working fine. I tried nslookup and also tried nslookup yahoo.com - both were working fine. Email was also working. I was also able to ping the ISP's DNS servers. But somehow Internet browsing was not working.

5. I tried nslookup from client as SecureNAT only, it was working fine.

6. Since I was not able to browse the internet, I had to undo above changes.

Regarding Direct Access:

On the ISA Server, when I tried to configure web proxy clients for Direct Access, the proxy and firewall services didn't start after that. I mean I followed the article referenced in your article to configure the ISA Server for Direct Access. After making the changes, I tried to restart the ISA server services but the service did not start.

I don't know what to do next but I really want to fix my problem, so that I could run the VPN Client.....

Thanks again Stefaan for your time and guidance!




NetAdmin -> RE: VPN Client (3.Feb.2007 9:30:42 AM)

 
Hello again Stefaan,

In DNS, I turned it to dynamic updates. DNS was/is not AD-integrated. After turning it to dynamic updates, I am receiving the below error message in the System log. I thought I should share this with you. Many thanks for any help!

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5774
Date:  2/3/2007
Time:  6:24:26 PM
User:  N/A
Computer: SERVER
Description:
Registration of the DNS record '_kerberos._tcp.dc._msdcs.domain.com. 600 IN SRV 0 100 88 server.domain.com.' failed with the following error:
A socket operation was attempted to an unreachable host. 
Data:
0000: 51 27 00 00               Q'..   




spouseele -> RE: VPN Client (3.Feb.2007 2:57:09 PM)

Hi NetAdmin,

Oops... DNS is not AD integrated... Why? [:(]

quote:

3. Created packet filters for TCP port 53 outbound, as a remote fixed port, and also created UDP port 53 send/receive, as a remote fixed port.

Hmm... strange they weren't already in place.

If the nslookup for external FQDNs works from the ISA itself and an internal host then your DNS configuration should be OK. Did you try not-previously-tested FQDNs to be sure you don't work with cached entries?

If you say you were unable to browse the Internet, was this from the ISA server itself or also from an internal host?

Regarding the Direct Access, I have never seen such behavior before. It sounds more and more like your ISA Server is somehow screwed up. Maybe it would be a better approach to rebuild the box from scratch. You can then split the ISA off to a separate box and upgrade to ISA 2006 also.

HTH,
Stefaan




NetAdmin -> RE: VPN Client (4.Feb.2007 7:42:51 AM)

 
Hello Stefaan,

Thanks for the reply!

I was unable to browse the Internet from the ISA itself as well as from an internal client. But now I have played a little bit with the DNS and it seems that I can receive an nslookup response from yahoo but I am still not receiving a response from google or even from my own ISP...weird, isn't it?

So, there is no hope to run the VPN client in the present situation?

I have noticed another behaviour of the VPN Client. I connect the VPN client by disabling the firewall client and when I get connected I turn the firewall client back ON. It works OK for a while but after about 20 minutes the VPN client gets disconnected with the message which I mentioned in my previous post.

We have now 4 Servers available and in near future we are planning to separate servers. So, we will be running following services:

- Windows 2000 DC 
- Backup copy of DC
- ISA 2000 or 2006
- Exchange 2000 or may be 2003
- DNS Server
- VPN Client for remote network
- Internet through ADSL router

How would you recommend I set up these services on the various machines?

Many thanks!




spouseele -> RE: VPN Client (4.Feb.2007 11:30:59 AM)

Hi NetAdmin,

quote:

So, there is no hope to run the VPN client in the present situation?

You have to fix first your DNS and Direct Access problem to have it working the way you want.  

For the DNS problem I gave you a possible solution but apparently it still doesn't work well. So, you'll have to investigate that further by analyzing the ISA logs, particularly the IP packet filter log in your case, and maybe a NetMon trace on the ISA external interface. Again, if nslookup works well from the ISA itself and from an internal host with the ISA as DNS server, I see no reason why you wouldn't be able to use IE as a Web Proxy client.

Regarding the Direct Access problem, I have no clue what is happening here with the Web Proxy service! Nothing in the logs or event viewer as a hint?

quote:

I have noticed another behaviour of the VPN Client. I connect the VPN client by disabling the firewall client and when I get connected I turn the firewall client back ON. It works OK for a while but after about 20 minutes the VPN client gets disconnected with the message which I mentioned in my previous post.

Wait a moment! Are you saying that the 'locallat.txt' for the firewall client isn't working either? If so, what's the content of this file and where have you saved it?

quote:

We have now 4 Servers available and in near future we are planning to separate servers.
 
If you already have 4 servers I don't see any reason why you can't have a better configuration already! I would say with the given services:
- 1 server for AD/DNS/DHCP
- 1 server for Exchange 2003 or 2007
- 1 server for ISA 2006 SE
Also, let them all run Windows 2003 SP1 or R2 and make sure you upgrade your domain to a native Windows 2003 domain.

HTH,
Stefaan 




NetAdmin -> RE: VPN Client (9.Feb.2007 2:26:13 AM)

 
Hi again Stefaan,

I want to update you with the progress and also want to start correcting my DNS problem. Basically I did not do much since we last communicated. I just changed my DNS mode to Dynamic and now my event log is neat and clean. But I still cannot nslookup external hosts from the ISA box itself. Could you please list for me the tasks for successfully configuring the DNS Server when one box is hosting DC/DNS/ISA/Exchange at the same time? I understand you have already pointed out steps to correct the DNS problem. But could we also focus on the ISA Server in greater detail, keeping in mind that ISA does not block DNS traffic? Regarding TCP/UDP port 53 on the ISA Server, could you explain to me whether these would be local fixed ports or remote fixed ports? What is the role of the LAT and LDT in ISA, should they be configured properly?

Here is the answer to your query from your last post:

I entered the following entries in the locallat.txt
192.168.0.0     192.168.0.255

Many thanks for your help in advance!




spouseele -> RE: VPN Client (9.Feb.2007 10:39:58 AM)

Hi NetAdmin,

as said before
quote:

For the DNS problem I gave you a possible solution but apparently it still doesn't work well. So, you'll have to investigate that further by analyzing the ISA logs, particularly the IP packet filter log in your case, and maybe a NetMon trace on the ISA external interface.

So, what's the ISA firewall and IP packet filter log telling you?
And yes, the DNS IP packet filters should have as remote fixed port = 53 and the local port should be any.

Please, please, please... I have said it multiple times
quote:

So, if the Network ID 192.168.0.0/24 is reachable *through* the VPN tunnel then it should be in the 'locallat.txt' file as well as the IP address of the remote VPN server. And yes, that's normally a public IP address.

I see the network ID 192.168.0.0/24 in the 'locallat.txt' file, but where is the IP address of the remote VPN server?
Also, where did you save that file?

HTH,
Stefaan
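A small checker for the 'locallat.txt' requirement Stefaan repeats above, added here as an example that is not part of the thread and not ISA's own tooling. It parses the file's '<start IP> <end IP>' lines and reports which entries are still missing for a given remote VPN server address and the networks reachable through the tunnel; the server address 203.0.113.10 and the tunnel network 10.10.0.0/16 are placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample matching the content NetAdmin posted: only the local LAN
# range, without the remote VPN server address or any remote network.
SAMPLE_LOCALLAT = """\
192.168.0.0     192.168.0.255
"""

# Placeholders, not values from the thread.
VPN_SERVER_IP = "203.0.113.10"
TUNNEL_NETWORKS = ["10.10.0.0/16"]


def parse_locallat(text):
    """Parse locallat.txt lines of the form '<start IP> <end IP>' into (start, end) pairs."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<start> <end>', got {raw!r}")
        start, end = (ipaddress.IPv4Address(p) for p in parts)
        if end < start:
            raise ValueError(f"line {lineno}: end {end} precedes start {start}")
        ranges.append((start, end))
    return ranges


def is_local(ranges, ip):
    """True if the address is inside a locallat range, i.e. the Firewall client
    will NOT redirect traffic for it to the ISA server."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)


def network_covered(ranges, network):
    """True if the whole network lies within a single locallat range."""
    net = ipaddress.IPv4Network(network, strict=False)
    first, last = net[0], net[-1]
    return any(start <= first and last <= end for start, end in ranges)


def missing_vpn_entries(text, vpn_server_ip, tunnel_networks):
    """Return the locallat.txt lines still needed so that the VPN server and the
    networks behind the tunnel bypass the Firewall client (empty list = complete)."""
    ranges = parse_locallat(text)
    missing = []
    if not is_local(ranges, vpn_server_ip):
        missing.append(f"{vpn_server_ip} {vpn_server_ip}")
    for network in tunnel_networks:
        if not network_covered(ranges, network):
            net = ipaddress.IPv4Network(network, strict=False)
            missing.append(f"{net[0]} {net[-1]}")
    return missing


if __name__ == "__main__":
    for entry in missing_vpn_entries(SAMPLE_LOCALLAT, VPN_SERVER_IP, TUNNEL_NETWORKS):
        print(f"missing from locallat.txt: {entry}")
```

The check covers the Firewall client only; as the thread notes, proxy settings in IE still send HTTP/HTTPS to the ISA server regardless of this file.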




NetAdmin -> RE: VPN Client (8.Mar.2007 2:16:10 AM)

Hello Stefaan,

I wanted to update you...

I tried my best to resolve the problems with my DNS and ISA but was not successful yet, so finally I decided to install ISA on another server and leave the DNS/ISA/PDC box as is. So, I installed ISA on another server; then I installed the VPN client on a client computer. I was able to connect to the remote VPN server without making any changes on the ISA server for the VPN Client. I defined a protocol rule on the ISA server allowing everything and applied this rule to local users.

Then I configured Outlook and I was able to open my mailbox from the remote network. But Outlook prompted for username/domain/password and when I provided the user information, I was able to open the mailbox successfully. Is there any way I can avoid this username/password screen while opening Outlook?

So now coming to the firewall client....... When I enable the firewall client in addition to proxy settings or without enabling proxy settings THEN I am able to connect the VPN client but I am unable to ping the mail server which is on the remote network. BUT everything seems OK with the proxy settings and now my Internet browsing is also very good with proxy settings, as it was not with our previous ISA Server machine.

So, it would be great if you could guide me how to avoid the username/password screen in Outlook and if possibly this could work through the firewall client too. I have not yet tried the Fine Tuning of the Firewall client as mentioned in your article but I think we can now live without the firewall client.

Many thanks in advance!



