Welcome to ISAserver.org
VPN Server article discussion
VPN Server article discussion - 29.Mar.2004 3:54:00 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
This thread is for discussing the VPN server article over at http://isaserver.org/articles/2004vpnserver.html.

Thanks!
Tom

[ July 06, 2004, 08:32 PM: Message edited by: tshinder ]
Post #: 1
RE: VPN Server article discussion - 31.Mar.2004 8:09:00 AM   
danielschell
Posts: 1 | Joined: 31.Mar.2004 | From: Adelaide, Australia
Hi Tom,

As always, an excellent article. I followed the steps and successfully got the L2TP VPN connection working by adding a certificate to the client laptop 'computer'.

However, what I wish to achieve is to add the certificate to the user rather than the computer, so that only the currently logged-on user can make the L2TP connection. I tried to do this with no luck...

Do you know if this is somehow possible? I look forward to any advice you could offer in this area.

Regards,
Daniel Schell
GFiAP

(in reply to tshinder)
Post #: 2
RE: VPN Server article discussion - 31.Mar.2004 10:24:00 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Daniel,

Thanks!

I completed the user certificate authentication doc yesterday for the ISA 2004 VPN Deployment Kit. Send me a note at tshinder@tacteam.net and I'll send you a draft copy.

HTH,
Tom

(in reply to tshinder)
Post #: 3
RE: VPN Server article discussion - 31.Mar.2004 1:30:00 PM   
turbomcp
Posts: 36 | Joined: 13.Nov.2002
Weird problem.
I set up everything the same way as in the document except one thing: I am using an ISA server that is not part of the domain (stand-alone) and using RADIUS for authentication.
I pass the authentication part but get disconnected on the "Registering your computer on the network" part, or it gets connected for one second and disconnects the next.
On the ISA box I see the VPN client and its IP from the DHCP server.
Any ideas?

(in reply to tshinder)
Post #: 4
RE: VPN Server article discussion - 2.Apr.2004 3:32:00 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Turbo,

This is a bug in beta 2. Good news is that it's been fixed!

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: VPN Server article discussion - 10.Apr.2004 3:03:00 PM   
mcfly9
Posts: 21 | Joined: 10.Apr.2004
Hello Tom!

I might be asking this in the wrong place but I'm starting to get desperate... [Wink] I have some problems getting our Pocket PCs working with ISA Server 2004. Do you know anything about getting computer certificates onto Windows Mobile 2003? The trick of selecting "Administrator" as the template type doesn't work, as the IE on the Pocket PC doesn't support ActiveX.

Is there any other method than computer certificates for granting access to my network for clients using L2TP/IPsec VPN?

(in reply to tshinder)
Post #: 6
RE: VPN Server article discussion - 10.Apr.2004 8:38:00 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi McFly,

We have a doc that might have this info. Write to me at tshinder@isaserver.org and I'll send it to you. It will be released with the update to the Exchange/ISA deployment kit for ISA 2004.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: VPN Server article discussion - 20.May2004 4:39:00 PM   
_Trip
Posts: 14 | Joined: 6.Apr.2004 | From: Appleton, WI
Great Article (Haven't gotten through it yet, but I'm working on it).

One note, at least on my network: in order to add the group on the VPN clients allowed screen, the group needed to be a "Global" group, and not a Domain Local one. It wouldn't even list the Domain Local groups (even though ISA is part of the domain).

Could be a misconfiguration elsewhere, but I thought I'd point it out...

(in reply to tshinder)
Post #: 8
RE: VPN Server article discussion - 21.May2004 12:24:00 AM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Tim,

Good point. You can only use Global security groups to assign user/group based access controls.

Thanks!
Tom

(in reply to tshinder)
Post #: 9
RE: VPN Server article discussion - 6.Jul.2004 6:06:00 PM   
ismailhazir
Posts: 1 | Joined: 6.Jul.2004 | From: istanbul/turkey
Hello Tom,
I have read your article (about site-to-site VPN IPsec) two times but I haven't got a solution yet.
Although I did the same lab, I cannot ping from 10.0.0.2 to 10.0.1.2 (the other remote LAN client) with its private IP from the main local site. Branch and main connections could not be connected; the status is always unreachable.
Is there anything I have forgotten? Such as: how will the VPN clients get an IP to communicate with the remote LAN? Is there something more that should be done by me?
I am really confused about site-to-site VPN.
Any more custom documentation including an example?

İsmail
MCT/MCSE/CCNP

(in reply to tshinder)
Post #: 10
RE: VPN Server article discussion - 6.Jul.2004 8:34:00 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Ismail,

That article is for a VPN remote access server, not for site-to-site VPN. There are articles on how to do site-to-site VPN in the VPN kit over at www.msfirewall.org/isa2004kits.htm

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: VPN Server article discussion - 21.Jul.2004 12:05:00 PM   
andyjh122
Posts: 27 | Joined: 14.Apr.2003
I've read a bunch of IPsec articles and a few mention using the IPSec and IPSec (Offline) cert templates.

What's the difference between using the Administrator cert template and the IPSec cert template?

How does this apply to ISA Server 2004 VPNs?

Thanks,
Andrew

(in reply to tshinder)
Post #: 12
RE: VPN Server article discussion - 21.Jul.2004 3:21:00 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
Hi Andrew,

The offline template is used by VPN gateways. So, when the ISA firewall is configured as a VPN gateway for a site-to-site configuration, you can configure EAP auth and use the offline template.

Make sure to check out the VPN kit for the ISA 2004 firewall.

HTH,
Tom

(in reply to tshinder)
Post #: 13
RE: VPN Server article discussion - 17.Aug.2004 2:36:00 PM   
Guest
Tom,

I am having a similar issue to turbomcp above. I have an ISA 2004 box set up in standalone mode and configured for VPN PPTP access. It is talking to a RADIUS server for authentication. When I try to connect I get two different situations, with no obvious correlation as to why one or the other occurs. The first event is that the connection succeeds and then disconnects in under a second.

The other possibility is that it gives me an Error 619 saying that the connection has closed, without ever fully connecting.

I have checked all the event logs and they are all clean. The RADIUS server shows that authentication is successful. The only server-side evidence that something is wrong is that a query on the ISA logs shows a failed VPN connection attempt, with no other noticeable errors on any server (RADIUS logs and event logs on the DC, RADIUS, and ISA servers) (none of the services are on the same server). The client has an odd
"The server could not bind to the transport \Device\NetBT_Tcpip_{F35DA341-A376-42DA-B098-8383BEFEA789}."
which does not appear all the time.

This one has me baffled; any ideas?

Thanks,
Chris

(in reply to tshinder)
  Post #: 14
RE: VPN Server article discussion - 5.Dec.2004 4:34:00 AM   
Guest
I've been going over the article (and what looks to be the same article from MS, which is slightly dated) in my virtual lab, and the one thing that doesn't correlate very well has to do with making the ISA Server standalone or part of the domain.

At the top of their article they state to make your ISA server standalone... then when you are configuring the groups in the VPN config it states to add the groups from the domain... which you cannot do when the ISA server is standalone.

So, which is the proper way? If using groups/ISA on the domain is not the preferred method, why would M$ create a whitepaper explaining this is how you do it?

Sincerely confused,

Mark Hodges

(in reply to tshinder)
  Post #: 15
RE: VPN Server article discussion - 5.Dec.2004 3:08:00 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
quote:
Originally posted by <clckct>: (post #14 above, quoted in full)

Hi Chris,

Take a look at the article I did on RADIUS auth and access control over RADIUS auth'ed users connecting to the ISA firewall. When you use RADIUS for VPN users connecting to the ISA firewall, the ISA firewall might not apply ISA firewall rules the way you might have expected them to.

HTH,
Tom

(in reply to tshinder)
Post #: 16
RE: VPN Server article discussion - 5.Dec.2004 3:11:00 PM   
tshinder
Posts: 50013 | Joined: 10.Jan.2001 | From: Texas
quote:
Originally posted by <Mark Hodges>: (post #15 above, quoted in full)

Hi Mark,

The paper here is definitely correct. What MS article is giving you a problem and what part of the MS article is giving you problems?

Thanks!
Tom

(in reply to tshinder)
Post #: 17
RE: VPN Server article discussion - 6.Dec.2004 4:07:00 AM   
Rumple
Posts: 30 | Joined: 5.Dec.2004
I think I figured it out...

As I was going down through the article again to see why at the top they tell you to leave the ISA server part of the domain, but then have you add users to the config from the domain (which means it has to be part of the domain). The single document is 511 pages, but it doesn't really build upon itself from section to section.

The part about adding the users was in a completely different section... I didn't notice that as I scrolled down the pages setting up the environment that I must have somehow jumped a couple of sections down... and when I scrolled a couple of pages to find where I was in the setup, I actually used the lab setup section from a different area....

Guess that's what happens when you are playing with your virtual lab in the middle of the night [Smile]

Later on I also read another article you wrote about how it doesn't actually matter if it's not on your domain anyhow... as soon as that box is compromised you are 0wnp3d anyhow...

One question I do have though... I have a virtual lab set up, and on the local network I have an edge ISA server providing PPTP site-to-site tunnels with a Windows 2000 server at a remote branch office location (to allow client machines the ability to use Exchange mode in Outlook through the tunnel), which works great...

I also then wanted the ability to VPN into the local network to access resources using PPTP. When I enabled client VPN access and try to dial in it gives me the following error:

Error 913: A Remote Access Client attempted to connect over a port that was reserved for Routers only.

So ISA server will not allow you to create a remote site and authenticate incoming PPTP clients as well?

(in reply to tshinder)
Post #: 18
RE: VPN Server article discussion - 20.Dec.2004 9:32:00 AM   
pdijkman
Posts: 38 | Joined: 19.Oct.2004
Hi Tom,

I posted my problem earlier...
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000386
And yes, I followed this great article too.
The only question I have is why the DHCP Relay Agent is not supported on the ISA Server itself.
I still haven't found a solution to this problem.

Could you help me with this one?

Kind Regards,
P. Dijkman

(in reply to tshinder)
Post #: 19
RE: VPN Server article discussion - 21.Dec.2004 12:23:00 AM   
pwaldeier
Posts: 38 | Joined: 18.Feb.2004 | From: Pennsauken NJ
Hi Tom,

The problem I am struggling with is that I am using a certificate purchased from Verisign. I do not have a CA. I am not sure how to use this certificate, although it is an all-purpose certificate. I have imported it into Personal as well as Root certificates and tried .cer as well as PKCS#7 with the whole chain.

PPTP works fine but I get an error 789 on the client with an event 547 "IKE SA negotiation failed" in the ISA server's security log.

I have tried to choose the right sections from this article but I either have another problem or chose the wrong ones.

I do not have an "Administrator" certificate, only one for the site.

Thanks,

PaulW

(in reply to tshinder)
Post #: 20
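Two posts above come down to the same check: Andrew's question in post #12 about the Administrator versus IPSec templates, and Paul's error 789 / event 547 in post #20 after importing a purchased certificate from .cer and PKCS#7 files. The question in both cases is whether the Local Computer Personal store holds a certificate that IKE can actually use for L2TP/IPsec machine authentication. The PowerShell below is an added example written for this discussion; it is not code from the article, from ISA Server, or from any poster. It assumes a modern PowerShell host with the Cert: drive and is run elevated on the machine being checked. For every certificate in the store it reports the EKUs and flags the reasons it cannot serve as an IKE machine certificate: no private key in the store (a .cer or .p7b import never carries one; only a PKCS#12/.pfx does), a chain that does not build to a root this machine trusts, or a certificate outside its validity period. The function name and output fields are this example's own; the EKU column is there so you can compare against what the CA template issued (the IPSEC template issues "IP security IKE intermediate", the Administrator template issues Client Authentication among others).

```powershell
# Added example for this thread, not part of the original article.
# Enumerate the Local Computer Personal store and report which certificates
# could be used by IKE for L2TP/IPsec machine authentication, and why the
# others cannot. Run from an elevated PowerShell prompt on each VPN peer.

function Get-IkeMachineCertCandidate {
    [CmdletBinding()]
    param(
        # IKE on Windows takes its machine certificate from this store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $reasons = New-Object 'System.Collections.Generic.List[string]'

        # A .cer or PKCS#7 (.p7b) import brings only the public certificate.
        # Without the private key IKE cannot sign the negotiation at all.
        if (-not $cert.HasPrivateKey) {
            $reasons.Add('no private key in store (import a .pfx, not a .cer/.p7b)')
        }

        # The chain must build to a root in this machine's Trusted Root store.
        # The peer must trust the same root, or its IKE rejects our certificate.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab; use 'Online' in production
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $reasons.Add("chain does not build: $status")
        }

        $now = Get-Date
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
            $reasons.Add('outside validity period')
        }

        # Report the Enhanced Key Usage list so it can be compared with what the
        # issuing template put in the certificate. No EKU extension means the
        # certificate is not restricted to any purpose.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" }) -join '; '
        } else {
            '(no EKU extension)'
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            EKU        = $ekus
            Usable     = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Usage: list every certificate, usable ones first.
Get-IkeMachineCertCandidate | Sort-Object Usable -Descending | Format-List
```

Run it on both VPN peers: each side needs its own certificate with a private key, and each side must trust the root that issued the other side's certificate. A single purchased "site" certificate installed only on the ISA server, with no certificate on the client, fails the check on the client side by definition. On the Windows Server 2003 hosts of the era, certutil -store My gives the same raw listing without PowerShell, including a key container entry when a private key is present.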
