ISAserver.org Forums >> [ISA Server 2004 Firewall] >> VPN >> RE: VPN Server article discussion (page 2 of 3)
RE: VPN Server article discussion - 21.Dec.2004 12:10:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by Mark Hodges:
I think I figured it out...

As I was going down through the article again to see why at the top they tell you to leave the ISA server part of the domain, but then have you add users to the config from the domain (which means it has to be part of the domain). The single document is 511 pages, but it doesn't really build upon itself from section to section.

The part about adding the users was in a completely different section... I didn't notice that as I scrolled down the pages setting up the environment that I must have somehow jumped a couple of sections down... and when I scrolled a couple of pages to find where I was in the setup, I actually used the lab setup section from a different area....

Guess that's what happens when you are playing with your virtual lab in the middle of the night [Smile]

Later on I also read another article you wrote about how it doesn't actually matter if it's not on your domain anyhow... as soon as that box is compromised you are 0wnp3d anyhow...

One question I do have though... I have a virtual lab set up, and on the local network I have an edge ISA server providing PPTP site-to-site tunnels with a Windows 2000 server at a remote branch office location (to allow client machines the ability to use Exchange mode in Outlook through the tunnel), which works great...

I also then wanted the ability to VPN into the local network to access resources using PPTP. When I enabled client VPN access and try to dial in, it gives me the following error:

Error 913: A Remote Access Client attempted to connect over a port that was reserved for Routers only.

So ISA server will not allow you to create a Remote Site and authenticate incoming PPTP clients as well?

Hi Mark,

You must be referring to the VPN Deployment Guide on the MS site. I did that doc, and I was disappointed that they decided to make it a single doc, since it was designed to be a collection of docs that should be independent from one another, with a common config scenario that is covered in one of the earlier docs in the series. I agree that making it so long, and putting all the independent docs into a single doc, isn't the best way to present the material.

You are correct. The best way to go is to make the ISA firewall a member of the domain. If your firewall is oWN0rErd to the extent where they might leverage in some way the firewall's domain membership, you're fux0red in the same way as if the machine weren't a member of the domain [Big Grin]

The ISA firewall can be a site to site VPN gateway and a remote access VPN server. Is that the issue you're running into now?

Thanks!
Tom

Post #: 21 (in reply to tshinder)
RE: VPN Server article discussion - 21.Dec.2004 12:11:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by P. Dijkman:
Hi Tom,

I posted my problem earlier...
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000386
And yes, I followed this great article too.
The only question I have is why the DHCP Relay Agent is not supported on the ISA Server itself.
I still haven't found a solution to this problem.

Could you help me with this one?

Kind Regards,
P. Dijkman

Hi P,

I wish I could tell you why. Something about the ISA firewall component breaks the DHCP relay agent. I'm hoping this is fixed in a SP in the future.

Tom

Post #: 22 (in reply to tshinder)
RE: VPN Server article discussion - 21.Dec.2004 12:14:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by cpaulw:
Hi Tom,

The problem I am struggling with is that I am using a certificate purchased from Verisign. I do not have a CA. I am not sure how to use this certificate, although it is an all-purpose certificate. I have imported it into Personal as well as Root certificates and tried .cer as well as PKCS#7 with the whole chain.

PPTP works fine, but I get an error 789 on the client with an event 547 "IKE SA negotiation failed" in the ISA server's security log.

I have tried to choose the right sections from this article, but I either have another problem or chose the wrong ones.

I do not have an "Administrator" certificate, only one for the site.

Thanks,

PaulW

Hi Paul,

The certificate should be imported into the machine's Personal certificate store, not the user Personal certificate store, so make sure that's not the issue.

Also, don't put the machine certificate into the machine's Trusted Root Certification Authorities store, you need the Verisign Root CA certificate in that Trusted Root Certificate Store.

HTH,
Tom

Post #: 23 (in reply to tshinder)
RE: VPN Server article discussion - 23.Dec.2004 5:28:00 PM
Nobbyness (Posts: 7, Joined: 21.Jul.2003, From: Tallahassee)
Tom, just one comment on the VPN doc on the MS site: it would be real nice if they'd put page numbers on it properly. I share your comment about wishing it hadn't all been wrapped into one, but if it must, then at least it can be done right.

I killed a tree printing off all 511 pages (one of those tactile types, y'know?) and then my 2yr old decided to help daddy out by knocking the stack on the floor. [Eek!]

Otherwise a very usable and well thought out doc. Thanks for all the time and effort you put into it.

Post #: 24 (in reply to tshinder)
RE: VPN Server article discussion - 30.Dec.2004 4:55:00 PM
pwaldeier (Posts: 38, Joined: 18.Feb.2004, From: Pennsauken NJ)
Tom,
Thanks for the reply on setting up machine personal certificates. My L2TP connection still doesn't work with my store-bought certificate but it works when I use a preshared key. This leads me to believe there's more to buying a certificate than I initially thought.

I contacted Verisign with the problem and they replied, "Your VeriSign SSL certificate will most likely not work for setting up client authentication into your VPN."

This is why I think it might be helpful to go over what to do when you buy a certificate.

PaulW

P.S. I will enter this as a separate post to see if I can get it resolved. I may need to follow your section on creating a certificate with a CA if I have no further luck.

Post #: 25 (in reply to tshinder)
RE: VPN Server article discussion - 17.Jan.2005 8:38:00 PM
PaulCyr (Posts: 60, Joined: 17.Mar.2001, From: Charlottetown, PE, Canada)
Thanks for the article it was certainly helpful up to the point where I can't get DHCP addresses to PPTP VPN clients.

The ISA 2004 Server is denying itself from obtaining DHCP addresses from the DHCP server.

Destination IP: 255.255.255.255 | Dest Port: 67 | Client IP: 10.111.10.1 | Protocol: DHCP (request) | Action: Denied Connection | Source Network: Internal | Destination: Local Host

How can I allow the DHCP (request) to be passed to the DHCP server?

Post #: 26 (in reply to tshinder)
RE: VPN Server article discussion - 19.Feb.2005 2:16:00 PM
PaulCyr (Posts: 60, Joined: 17.Mar.2001, From: Charlottetown, PE, Canada)
This article has an error in one of the graphics, or maybe I should say the graphic shows a protocol that my ISA 2004 box does not have.

The graphic just above the following section in the article:

Enable Dial-in Access for the Administrator Account

has a protocol listed as ALL PROTOCOLS with arrows pointing both ways. How do I create a protocol definition that is equal to this?

Post #: 27 (in reply to tshinder)
RE: VPN Server article discussion - 28.Feb.2005 7:19:00 PM
transparency_76 (Posts: 4, Joined: 28.Feb.2005, From: USA)
I have followed the article exactly and users are able to connect via VPN, but I am having this issue. The user connects, they can ping anything on the internal network and can browse to shares, and I can ping them from the internal network. I can even control their machine with Remote Desktop across the VPN from the internal network. Yet, when the VPN user attempts to access the internal intranet or Exchange server, it just times out.

This worked before, but we upgraded from ISA 2000 to the new version. Since then, nada. Can anyone give me any pointers? I already have the rules for VPN to Internal and Internal to VPN, full access in place. Gotta be missing something.

Post #: 28 (in reply to tshinder)
RE: VPN Server article discussion - 10.Apr.2005 11:58:00 PM
theB123 (Posts: 2, Joined: 10.Apr.2005, From: Little Egg Harbor, NJ)
I am having the same problem as PaulCyr with the denied DHCP requests. I have tried several rules to allow this traffic, to no avail. I even referred to an article on Microsoft's ISA Server site: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/isadhcprelay.mspx . Can anyone help?

Post #: 29 (in reply to tshinder)
RE: VPN Server article discussion - 11.Apr.2005 12:48:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by Mark Hodges:
I think I figured it out...

As I was going down through the article again to see why at the top they tell you to leave the ISA server part of the domain, but then have you add users to the config from the domain (which means it has to be part of the domain). The single document is 511 pages, but it doesn't really build upon itself from section to section.

The part about adding the users was in a completely different section... I didn't notice that as I scrolled down the pages setting up the environment that I must have somehow jumped a couple of sections down... and when I scrolled a couple of pages to find where I was in the setup, I actually used the lab setup section from a different area....

Guess that's what happens when you are playing with your virtual lab in the middle of the night [Smile]

Later on I also read another article you wrote about how it doesn't actually matter if it's not on your domain anyhow... as soon as that box is compromised you are 0wnp3d anyhow...

One question I do have though... I have a virtual lab set up, and on the local network I have an edge ISA server providing PPTP site-to-site tunnels with a Windows 2000 server at a remote branch office location (to allow client machines the ability to use Exchange mode in Outlook through the tunnel), which works great...

I also then wanted the ability to VPN into the local network to access resources using PPTP. When I enabled client VPN access and try to dial in, it gives me the following error:

Error 913: A Remote Access Client attempted to connect over a port that was reserved for Routers only.

So ISA server will not allow you to create a Remote Site and authenticate incoming PPTP clients as well?

Hi Mark,

Yes, the document was never designed to be a single doc, but a collection of separate, self-standing docs, so that you could look at the table of contents and go straight to the doc that applied to your specific config. It's unfortunate that they decided to put it together as a single doc.

Tom

Post #: 30 (in reply to tshinder)
RE: VPN Server article discussion - 11.Apr.2005 12:56:00 PM
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
quote:
Originally posted by Nobbyness:
Tom, just one comment on the VPN doc on the MS site: it would be real nice if they'd put page numbers on it properly. I share your comment about wishing it hadn't all been wrapped into one, but if it must, then at least it can be done right.

I killed a tree printing off all 511 pages (one of those tactile types, y'know?) and then my 2yr old decided to help daddy out by knocking the stack on the floor. [Eek!]

Otherwise a very usable and well thought out doc. Thanks for all the time and effort you put into it.

Hi Nob,

Thanks!
[Big Grin]

Tom

Post #: 31 (in reply to tshinder)
RE: VPN Server article discussion - 11.Apr.2005 6:16:00 PM
dforsman (Posts: 80, Joined: 14.Dec.2002, From: Vancouver, Canada)
I am currently opening a new branch office using ISA 2004 with a 2003 OS, and one host behind it running 2003 Server. My main office is all Win 2K with ISA 2000. I will be connecting the two sites using a site-to-site VPN from the Branch office ISA 2004 server to the Main office. Once the link is up I will be joining the Branch office ISA 2004 server to the domain and then upgrade the Branch office host to a domain controller as well so clients can login remotely.

From my understanding once I have upgraded the Branch office host to a DC I need to:

a) Branch Office - Install ADS in integrated mode,
b) Branch Office - Install the DHCP service,
c) Main Office - Add a LAT entry in ISA 2000 for the Branch office network,

d) Main Office and Branch Office - Do I need to add a separate site under "Sites and Services"?

Can anyone think of anything else that needs to be performed?

Also, anyone setting up site-to-site should look at this article; it was very helpful:
http://www.windowsecurity.com/articles/Configuring_Gateway_to_Gateway_L2TPIPSec_VPNs_Part_1_Configuring_the_Infrastructure.html

Going to implement tomorrow and any advice would be great.

Thanks

Post #: 32 (in reply to tshinder)
RE: VPN Server article discussion - 16.Apr.2005 9:44:00 AM
shahvalian (Posts: 1, Joined: 16.Apr.2005)
Hi Tom,

Many thanks for your always useful articles.
I did all the steps for having an L2TP/IPSec connection in ISA 2004. I have no problem using PPTP, but when setting up L2TP I got the error:
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 4/16/2005
Time: 10:43:05 AM
User: N/A
Computer: HQ-FW-INT1
Description:
ISA Server detected routes through adapter EXTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.0.3-192.168.0.3;.

and the following in the ISA Server alert:

Alert Information
Description: ISA Server detected routes through adapter LAN that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.0.3-192.168.0.3;.
ISA Server detected routes through adapter EXTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.0.3-192.168.0.3;.

What do you think the problem is?

Many Thanks

Post #: 33 (in reply to tshinder)
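Added example, not ISA Server code and not from any post in this thread: a small Python re-creation of the correlation check behind the 14147 alert quoted in the post above. It takes ISA network elements as address ranges (as the network's Addresses tab lists them), a map of adapter to network, and routing rows in the shape of `route print`, and reports, per adapter, the address ranges that are routed through an adapter belonging to a different network. Everything in the lab data is constructed: only the address 192.168.0.3 comes from the alert text; the 192.168.0.0/24 Internal range, the adapter names LAN and EXTERNAL and the /32 host route via EXTERNAL are assumptions chosen to reproduce the alert's shape.

```python
"""Re-create the route/network correlation check behind ISA Server 2004 alert 14147.
Added example, not ISA Server code. Ranges, adapter names and routes are constructed lab
values; only the address 192.168.0.3 comes from the alert quoted in the thread."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

AddrRange = Tuple[str, str]      # inclusive first/last address, as the ISA console shows it
RouteRow = Tuple[str, str, str]  # (destination, netmask, interface adapter), as in `route print`

# ISA network elements defined by address ranges (the /24 around 192.168.0.3 is assumed).
NETWORKS: Dict[str, List[AddrRange]] = {"Internal": [("192.168.0.1", "192.168.0.254")]}
# Adapter -> ISA network it belongs to. In ISA the External network is "everything not in
# another network", so it has no entry in NETWORKS.
ADAPTER_NETWORK: Dict[str, str] = {"LAN": "Internal", "EXTERNAL": "External"}
# Constructed routing table; the /32 host route via EXTERNAL is the misconfiguration.
ROUTES: List[RouteRow] = [
    ("192.168.0.0", "255.255.255.0", "LAN"),
    ("0.0.0.0", "0.0.0.0", "EXTERNAL"),
    ("192.168.0.3", "255.255.255.255", "EXTERNAL"),
]


def _blocks(ranges: List[AddrRange]) -> List[ipaddress.IPv4Network]:
    """Expand inclusive first-last ranges into the CIDR blocks that cover them exactly."""
    blocks: List[ipaddress.IPv4Network] = []
    for first, last in ranges:
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return blocks


def _overlap(a, b):
    """CIDR blocks are nested or disjoint, so the overlap is the smaller block or nothing."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def _merge(spans):
    """Collapse adjacent or overlapping integer spans so one finding reads as one range."""
    merged = []
    for first, last in sorted(spans):
        if merged and merged[-1][1] + 1 >= first:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def route_conflicts(networks, adapter_network, routes) -> Dict[str, List[AddrRange]]:
    """Report routes whose destination lies inside a network that belongs to another adapter.

    Both sides are reported: the adapter carrying the stray route and the adapter whose
    network those addresses belong to, which is why the alert in the thread names the same
    range under LAN and under EXTERNAL. The default route is skipped: it is the External
    network's catch-all and overlaps every defined network by design.
    """
    spans = defaultdict(list)
    for dest, mask, adapter in routes:
        route_net = ipaddress.IPv4Network((dest, mask), strict=False)
        if route_net.prefixlen == 0:
            continue
        own = adapter_network.get(adapter)
        for name, ranges in networks.items():
            if name == own:
                continue
            for block in _blocks(ranges):
                hit = _overlap(route_net, block)
                if hit is None:
                    continue
                span = (int(hit.network_address), int(hit.broadcast_address))
                spans[adapter].append(span)
                for other_adapter, other_network in adapter_network.items():
                    if other_network == name:
                        spans[other_adapter].append(span)
    return {adapter: [(str(ipaddress.IPv4Address(f)), str(ipaddress.IPv4Address(l)))
                      for f, l in _merge(found)]
            for adapter, found in spans.items()}


def format_alert(adapter: str, ranges: List[AddrRange]) -> str:
    """Render a finding in the wording of alert 14147 for comparison with the event log."""
    joined = ";".join(f"{first}-{last}" for first, last in ranges)
    return (f"ISA Server detected routes through adapter {adapter} that do not correlate with "
            f"the network element to which this adapter belongs. "
            f"The address ranges in conflict are: {joined};.")


if __name__ == "__main__":
    for adapter, ranges in sorted(route_conflicts(NETWORKS, ADAPTER_NETWORK, ROUTES).items()):
        print(format_alert(adapter, ranges))
```

With these inputs both LAN and EXTERNAL are reported with the range 192.168.0.3-192.168.0.3, the same shape as the two alert lines in the post. The function only says which adapter disagrees with which network; it does not tell you why the route exists, so on a real ISA host the next step is `route print` to see whether the offending row is static, added by RRAS for a VPN peer, or a leftover from a remote site network definition.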
RE: VPN Server article discussion - 18.Apr.2005 2:39:00 AM
bbroadfoot (Posts: 20, Joined: 23.Mar.2004, From: New Zealand)
Hi all,

I'm getting a peculiar issue with some VPN clients out there. For the most part the L2TP VPN works fine, but occasionally the following happens on some clients:

1. They will have established a connection, but cannot get to the internal network at all. Usually disconnecting and then reconnecting fixes the issue.

2. Cannot get in at all (they do not appear to reach the ISA Server). As a result of this, the firewall service is restarted and all is fine again.

The client machines are all XP Pro SP2 with latest updates and as I say, for the most part the L2TP VPN works fine, but occasionally the above issues crop up.

Note that the ISA Server is not part of the domain but can handle L2TP connections for the most part.

Has anyone else experienced this?

Thanks in advance for any help/advice.

B

Post #: 34 (in reply to tshinder)
RE: VPN Server article discussion - 5.Oct.2005 3:34:00 AM
iraq it (Posts: 297, Joined: 1.Jul.2005, From: Iraq)
Hi Tom,

In the VPN Clients access rule, if I want to limit the network entities (From) to one IP address, shall I put the public IP of the remote network or the remote VPN client IP (DHCP IP)?

Any explanation why?

Thanks,
Al-Taee

Post #: 35 (in reply to tshinder)
RE: VPN Server article discussion - 6.Oct.2005 12:58:00 PM
iraq it (Posts: 297, Joined: 1.Jul.2005, From: Iraq)
All [Smile] ,

In the VPN Clients access rule, if I want to limit the network entities (From side) to one IP address, shall I put the public IP of the remote network or the remote VPN client IP (IP via DHCP)?

Any explanation why?

Thanks,
Al-Taee

Post #: 36 (in reply to tshinder)
RE: VPN Server article discussion - 23.Mar.2006 8:59:42 AM
Dkamiller (Posts: 9, Joined: 12.Dec.2004)
Tom, I am confused as to why we request an Administrator certificate for the VPN client computer, shouldn't we request a computer certificate for the VPN client? Dave.

Post #: 37 (in reply to tshinder)
RE: VPN Server article discussion - 1.May2006 8:57:34 AM
gniknomis (Posts: 8, Joined: 27.Jul.2005, From: Australia)
Wonderful Article, I found it to be quite comprehensive. I need to setup a VPN, which is something I haven't had to do before, and I have not had much luck yet.

I will have a bit more of a muck around with VPN a bit later when I have access to the test lab now that I have found this article.

Thanks

Post #: 38 (in reply to tshinder)
RE: VPN Server article discussion - 11.Aug.2006 12:34:33 PM
Rickytr (Posts: 3, Joined: 11.Aug.2006)
I don't know if this thread is still alive but...
I have to set up an ISA 2004 as a VPN server, but my ISA is not joined to the domain that the VPN clients log on to. More precisely, ISA is not joined to any domain, but it is "serving" three domains.
Can you help me with this?

Thanks a lot.

Ricky

Post #: 39 (in reply to gniknomis)
RE: VPN Server article discussion - 6.Nov.2006 9:47:00 AM
Mousexx74 (Posts: 9, Joined: 6.Nov.2006)
HI Tom, great article.
I successfully set up a PPTP VPN environment that enables remote users to connect to my headquarters.

ISA Server is a member of my W2000 domain environment.
Using the VPN, remote users can access only some computers and only using some protocols, like RDP and SQL.
Remote clients obtain an IP address from my internal DHCP server. It works very well, but I have only one big problem:
when a remote user connects successfully to my VPN, they lose all their internal connections. They cannot use their internal Exchange environment and they cannot connect to other PCs on their LAN.

Can someone help me?
Fabio

I'm very sorry for my english.

Post #: 40 (in reply to pwaldeier)