quote:Originally posted by Mark Hodges: I think I figured it out...
As I was going down through the article again to see why at the top they tell you to leave the ISA server part of the domain, but then have you add users to the config from the domain (which means it has to be part of the domain). The single document is 511 pages, but it doesn't really build upon itself from section to section.
The part about adding the users was in a completely different section... I didn't notice, as I scrolled down the pages setting up the environment, that I must have somehow jumped a couple of sections down... and when I scrolled a couple of pages to find where I was in the setup, I actually used the lab setup section from a different area....
Guess that's what happens when you are playing with your virtual lab in the middle of the night.
Later on I also read another article you wrote about how it doesn't actually matter if it's not on your domain anyhow... as soon as that box is compromised you are 0wnp3d anyhow...
One question I do have though... I have a virtual lab set up, and on the local network I have an edge ISA server providing PPTP site-to-site tunnels with a Windows 2000 server at a remote branch office location (to allow client machines the ability to use Exchange mode in Outlook through the tunnel), which works great...
I also then wanted the ability to VPN into the local network to access resources using PPTP. When I enabled client VPN access and tried to dial in, it gave me the following error:
Error 913: A Remote Access Client attempted to connect over a port that was reserved for Routers only.
So ISA server will not allow you to create a Remote Site and authenticate incoming PPTP clients as well?
Hi Mark,
You must be referring to the VPN Deployment Guide on the MS site. I did that doc, and I was disappointed that they decided to make it a single doc, since it was designed to be a collection of docs that should be independent from one another, with a common config scenario that is covered in one of the earlier docs in the series. I agree that making it so long, and putting all the independent docs into a single doc, isn't the best way to present the material.
You are correct. The best way to go is to make the ISA firewall a member of the domain. If your firewall is oWN0rErd to the extent where they might leverage in some way the firewall's domain membership, you're fux0red in the same way as if the machine weren't a member of the domain.
The ISA firewall can be a site to site VPN gateway and a remote access VPN server. Is that the issue you're running into now?
I posted my problem earlier... http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000386 And yes, I followed this great article too. The only question I have is why the DHCP Relay Agent is not supported on the ISA Server itself. I still haven't found a solution to this problem.
Could you help me with this one??
Kind Regards, P. Dijkman
Hi P,
I wish I could tell you why. Something about the ISA firewall component breaks the DHCP relay agent. I'm hoping this is fixed in a SP in the future.
The problem I am struggling with is that I am using a certificate purchased from Verisign. I do not have a CA. I am not sure how to use this certificate, although it is an all-purpose certificate. I have imported it into Personal as well as Root certificates and tried .cer as well as PKCS#7 with the whole chain.
PPTP works fine, but I get an error 789 on the client with an event 547 "IKE SA negotiation failed" in the ISA server's security log.
I have tried to choose the right sections from this article, but I either have another problem or chose the wrong ones.
I do not have an "Administrator" certificate, only one for the site.
Thanks,
PaulW
Hi Paul,
The certificate should be imported into the machine's Personal certificate store, not the user's Personal certificate store, so make sure that's not the issue.
Also, don't put the machine certificate into the machine's Trusted Root Certification Authorities store; it is the Verisign Root CA certificate that you need in that Trusted Root store.
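One way to check the store placement Tom describes before retrying the L2TP/IPsec connection, as an added example written for this thread rather than anything from the original posts or the Microsoft document; the subject name is a placeholder and the script runs on the ISA box itself:

```powershell
# Added example, not from the thread. Verifies that the purchased machine certificate
# sits in the machine's Personal store, that no copy of it was misplaced into the
# machine's Trusted Root store, and that it chains to a root that is in Trusted Root.
$Subject = 'CN=vpn.example.com'   # placeholder: replace with your certificate's subject

# The L2TP/IPsec machine certificate belongs in Cert:\LocalMachine\My (machine Personal),
# not Cert:\CurrentUser\My, and it must carry its private key.
$machineCerts = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" }
if (-not $machineCerts) {
    Write-Warning "No certificate matching '$Subject' in Cert:\LocalMachine\My"
}
foreach ($cert in $machineCerts) {
    if (-not $cert.HasPrivateKey) {
        Write-Warning "Thumbprint $($cert.Thumbprint): present but without a private key (imported as .cer?)"
    }

    # Build the chain the way the machine would; the issuing CA's root must be trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Output "Thumbprint $($cert.Thumbprint) chains to root: $($root.Subject)"
    } else {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Thumbprint $($cert.Thumbprint): chain does not build ($status)"
    }

    # Show the Enhanced Key Usages so you can see what the certificate was issued for;
    # a certificate scoped only to web server (SSL) use is the case Verisign describes.
    Write-Output "EKUs: $(($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ')"
}

# The end-entity certificate itself should NOT be in the machine's Trusted Root store.
$misplaced = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$Subject*" -and $_.Subject -ne $_.Issuer }
foreach ($m in $misplaced) {
    Write-Warning "Thumbprint $($m.Thumbprint) is in Cert:\LocalMachine\Root but is not self-signed; remove it"
}
```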
Tom, just one comment on the VPN doc on the MS site - it would be real nice if they'd put page numbers on it properly. I share your comment about wishing it hadn't all been wrapped into one, but if it must, then at least it can be done right.
I killed a tree printing off all 511 pages (one of those tactile types, y'know?) and then my 2yr old decided to help daddy out by knocking the stack on the floor.
Otherwise a very useable and well thought out doc. Thanks for all the time and effort you put into it.
Tom, Thanks for the reply on setting up machine personal certificates. My L2TP connection still doesn't work with my store-bought certificate but it works when I use a preshared key. This leads me to believe there's more to buying a certificate than I initially thought.
I contacted Verisign with the problem and they replied, "Your VeriSign SSL certificate will most likely not work for setting up client authentication into your VPN."
This is why I think it might be helpful to go over what to do when you buy a certificate.
PaulW
P.S. I will enter this as a separate post to see if I can get it resolved. I may need to follow your section on creating a certificate with a CA if I have no further luck.
Thanks for the article; it was certainly helpful up to the point where I can't get DHCP addresses to PPTP VPN clients.
The ISA 2004 Server is denying itself from obtaining DHCP addresses from the DHCP server.
Destination IP 255.255.255.255 Dest Port 67 Client IP 10.111.10.1 Protocol DHCP (request) Action Denied Connection Source Network Internal Destination Local Host
How can I allow the DHCP (request) to be passed to the DHCP server?
I have followed the article exactly and users are able to connect via VPN, but I am having this issue. The user connects, they can ping anything on the internal network and can browse to shares, and I can ping them from the internal network. I can even control their machine with Remote Desktop across the VPN from the internal network. Yet, when the VPN user attempts to access the internal intranet or Exchange server, it just times out.
This worked before, but we upgraded from ISA 2000 to the new version. Since then, nada. Can anyone give me any pointers? I already have the rules for VPN to Internal and Internal to VPN, full access in place. Gotta be missing something.
quote:Originally posted by Mark Hodges: I think I figured it out...
Hi Mark,
Yes, the document was never designed to be a single doc, but a collection of separate, self-standing docs, so that you could look at the table of contents and immediately go to the doc that applied to your specific config. It's unfortunate that they decided to put it together as a single doc.
I am currently opening a new branch office using ISA 2004 with a 2003 OS, and one host behind it running 2003 Server. My main office is all Win 2K with ISA 2000. I will be connecting the two sites using a site-to-site VPN from the Branch office ISA 2004 server to the Main office. Once the link is up I will be joining the Branch office ISA 2004 server to the domain and then upgrade the Branch office host to a domain controller as well so clients can login remotely.
From my understanding once I have upgraded the Branch office host to a DC I need to:
a) Branch Office - Install ADS in integrated mode
b) Branch Office - Install the DHCP service
c) Main Office - Add a LAT entry in ISA 2000 for the Branch office network
d) Main Office and Branch Office - Do I need to add a separate site under "Sites and Services"?
Can anyone think of anything else that needs to be performed?
Many thanks for your always useful articles. I did all the steps for having an L2TP/IPSec connection in ISA 2004. I have no problem using PPTP, but when setting up L2TP I got the following error:
Event Type: Error Event Source: Microsoft Firewall Event Category: None Event ID: 14147 Date: 4/16/2005 Time: 10:43:05 AM User: N/A Computer: HQ-FW-INT1 Description: ISA Server detected routes through adapter EXTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.0.3-192.168.0.3;.
and the following in the ISA server alert
Alert Information Description: ISA Server detected routes through adapter LAN that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.0.3-192.168.0.3;. ISA Server detected routes through adapter EXTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 192.168.0.3-192.168.0.3;.
Hi all,
I'm getting a peculiar issue with some VPN clients out there. For the most part the L2TP VPN works fine, but occasionally the following happens on some clients:
1. They will have established a connection, but cannot get to the internal network at all. Usually disconnecting and then reconnecting fixes the issue.
2. They cannot get in at all (they do not appear to reach the ISA Server). As a result of this, the firewall service is restarted and all is fine again.
The client machines are all XP Pro SP2 with latest updates and as I say, for the most part the L2TP VPN works fine, but occasionally the above issues crop up.
Note that the ISA Server is not part of the domain but can handle L2TP connections for the most part.
In the VPN Clients access rule, if I want to limit the network entities (From) to one IP address, should I put the public IP of the remote network or the remote VPN client IP (DHCP IP)?
Tom, I am confused as to why we request an Administrator certificate for the VPN client computer, shouldn't we request a computer certificate for the VPN client? Dave.
Wonderful Article, I found it to be quite comprehensive. I need to setup a VPN, which is something I haven't had to do before, and I have not had much luck yet.
I will have a bit more of a muck around with VPN a bit later when I have access to the test lab now that I have found this article.
I don't know if this thread is still alive but... I have to set up an ISA 2004 as a VPN server, but my ISA is not joined to the domain that the VPN clients log on to. More precisely, ISA is not joined to any domain, but it's "serving" three domains. Can you help me with this?
Hi Tom, great article. I successfully set up a PPTP VPN environment that enables remote users to connect to my headquarters.
The ISA server is a member of my W2000 domain environment. Using VPN, remote users can access only some computers and only using some protocols like RDP and SQL. Remote clients obtain an IP address from my internal DHCP server. It works very well, but I have one big problem: when a remote user connects successfully to my VPN, they lose all their internal connections. They cannot use their internal Exchange environment, and they cannot connect to other PCs on their LAN.