I have been having trouble with setting up a PPTP VPN in ISA Server 2006 EE. I enter name and password on client, but then I get a message saying the remote computer did not respond, error 678. In the ISA Server monitoring, I see the following: 0x8007274d wsaeconnrefused I have tried it internally and externally; the external client results in the system policy blocking it (allow vpn client traffic...)
The access rules are any-any all protocols (don't worry, the server is isolated.) The external client is connected to the external interface of the ISA via a hub, can ping it, and is able to telnet to a published SMTP server. There are no other errors in the ISA console, and netstat -na does not show the port 1723 being open, which I find odd.
Can anyone help me out here, please?
< Message edited by johnny_mango -- 11.Jun.2007 12:43:21 PM >
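A check worth having at this point, added here as an example and not part of the original thread: a small Python probe that separates the WSAECONNREFUSED (0x8007274d) the poster saw, meaning nothing is listening on TCP 1723, from a port that is filtered somewhere on the path, and, when the port is open, sends an RFC 2637 Start-Control-Connection-Request to confirm that a PPTP server actually answers. Function names are assumed; the SCCRP reply builder and the loopback port helper are constructed only so the code can be exercised offline.

```python
import socket, struct
MAGIC_COOKIE = 0x1A2B3C4D  # fixed cookie carried by every PPTP control message (RFC 2637)
SCCRQ, SCCRP = 1, 2        # Start-Control-Connection Request / Reply control message types

def build_sccrq(hostname=b"pptp-probe", vendor=b"constructed"):
    # First message a PPTP client sends on the TCP 1723 control channel (156 bytes)
    return struct.pack("!HHIHHHHIIHH64s64s", 156, 1, MAGIC_COOKIE, SCCRQ, 0,
                       0x0100, 0, 1, 1, 1, 0, hostname, vendor)

def build_sccrp(result=1, hostname=b"vpn-server", vendor=b"constructed"):
    # Server reply, constructed here for offline tests; result code 1 means accepted
    return struct.pack("!HHIHHHBBIIHH64s64s", 156, 1, MAGIC_COOKIE, SCCRP, 0,
                       0x0100, result, 0, 1, 1, 1, 0, hostname, vendor)

def parse_sccrp(data):
    # Return (result_code, server hostname), or None when data is not an SCCRP
    if len(data) < 156:
        return None
    _, msg_type, cookie, ctrl, _, _, result, _ = struct.unpack("!HHIHHHBB", data[:16])
    if msg_type != 1 or cookie != MAGIC_COOKIE or ctrl != SCCRP:
        return None
    return result, data[28:92].split(b"\0", 1)[0]

def probe_pptp(host, port=1723, timeout=3.0):
    # Classify what a VPN client would experience when it dials host:port
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            reply = b""
            while len(reply) < 156:
                chunk = s.recv(156 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except ConnectionRefusedError:
        return "refused"      # RST came back: nothing listening, the WSAECONNREFUSED (0x8007274d) case
    except socket.timeout:
        return "filtered"     # no SYN-ACK or no reply in time: dropped somewhere on the path
    except OSError:
        return "unreachable"
    parsed = parse_sccrp(reply)
    if parsed is None:
        return "not-pptp"     # port open, but whatever answered is not a PPTP server
    return "pptp-ok" if parsed[0] == 1 else "pptp-error"

def closed_local_port():
    # Bind and release a loopback port so the "refused" path can be exercised offline
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

A "pptp-ok" result only proves the TCP 1723 control channel; the GRE (IP protocol 47) data channel PPTP also needs is not exercised, so a device that passes 1723 but drops GRE will still fail the connection later.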
First of all, I'd like to make known my appreciation for your input to the ISA community. You have helped many people through the years, and I add that my focus is on many technologies, not only ISA Server, therefore ISA Server being a specialist subject, I appreciate a great deal your advice.
I assume client VPN connections are enabled. Basically I followed the wizard in the ISA Server console. We have now opened all the ports on this firewall, Juniper interface external, and I add that the VPN access was working correctly from the DMZ. Why, therefore, should it not be working from outside? I have enabled PPTP and then L2TP, because of the incompatibility from some firewalls, and it still does not work from the DMZ, producing errors 792 and 789 from the Internet, with all ports open on the external interface of the firewall. The firewall is a Juniper Netscreen.
What options do I have for creating some kind of log on the client? I add that the Event Viewer shows no errors and that the client has the Administrator and Trusted Root Certification Authority certificates installed, not showing errors, not being a member of the domain.
You say that you can connect to the VPN when the client is in the DMZ between the netscreen and the ISA Firewall. In that case, I recommend a parallel firewall configuration, where the netscreen and the ISA Firewall sit side by side with public addresses. Then you can terminate the VPN connections directly at the ISA Firewall and not worry about bugs in the netscreen software.
This is an important subject for me, because having moved on from this issue (whereby it was enough for the client to prove it was working from the DMZ) we now have 2 more clients with whom we will be implementing something similar.
Is this a known bug with Juniper Netscreen, or is it frequently the case that there is some kind of incompatibility? Precisely for that reason I tried with L2TP after first trying PPTP, having heard that not all routers are PPTP compliant. In this particular case we opened *all* the ports on this particular interface on the firewall, and checked the logs to see if anything was being blocked, and apparently it wasn't.
It would be excellent if I could present something solid to our client, to back up the parallel firewall scenario.
How about the fact that Microsoft uses the ISA Firewall's VPN server as their VPN server for their worldwide network? Nothing in front of them other than routers, since ISA was designed from the ground up to be an edge network firewall.