• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

PPTP outbound with ISA 2004

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> PPTP outbound with ISA 2004 Page: [1]
Login
Message << Older Topic   Newer Topic >>
PPTP outbound with ISA 2004 - 20.Jan.2005 2:14:00 PM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
Hello there
Sorry for the little spelling faults, english isn't my native language "[Smile]"
I spend almost a day reading various topics about pptp outbound with ISA 2004.
Most of the topics have the same symptoms, but not always the same solution.
This is my situation:

Client XP---2003sbs with ISA 2004----Vigor 2600---Wan---Vigor 2600+----2000SBS with ISA2000

When i configure ISA 2004 to allow outbound PPTP i get an error 619 on the client pc.
When i configure RRAS on ISA 2004 to setup PPTP to this ISA 2004 server i get nog error code, but a message that the connection cannot be made.

When I connect to the ISA2000 server without ISA2004, everythings works fine!
But as soon ISA 2004 is involved, it doesn't connect.

I have also another PPTP connection setup that looks like this:
Client---2003SBS with ISA2004---vigor2600---WAN---Vigor 2600+
Vigor is configured to accept PPTP.
This also works fine! Also when I set up ISA2004 to connect to the vigor Router.

So my conclusion:
PPTP won't work trough ISA2004 to ISA2000.

I there anybody who has had the exact same problem?

Note: ISA 2004 is properly configured. no worrys about that, because the PPTP directly to an Vigor modem works fine.
Also, the ISA2000 is configured properly because I'm able to connect to the ISA2000 without ISA 2004.

Help me??? "[Frown]"

[ January 20, 2005, 02:19 PM: Message edited by: Dutchie ]
Post #: 1
RE: PPTP outbound with ISA 2004 - 20.Jan.2005 2:39:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Dutchie,

The ISA firewall isn't supported on SBS, so perhaps that's part of the problem. Try:

1. Removing SBS from the firewall
2. Making the clients SecureNAT clients
3. Enabling a rule for outbound PPTP

HTH,
Tom

(in reply to hgerrit)
Post #: 2
RE: PPTP outbound with ISA 2004 - 20.Jan.2005 4:49:00 PM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
Hi Tom

Thnx for the response.
1: Correct, but we are testing ISA 2004 because SP1 for SBS contains ISA 2004.
2: We tried both options...no result
3: outbound rule is present (because pptp to an vigor modem works fine)

this afternoon (holland) we also tested the exact same situation with ISA 2000...and guess what: it worked.

Somewhere on the I-net a person told that before you install ISA2004 you should enable ICF. Is that true? Because if that's the case, I'm not so happy because we have to remove ISA 2004, enable ICF and then re-install ISA2004.
But that is what I'm trying to prevent.

Any suggestions are welcome

(in reply to hgerrit)
Post #: 3
RE: PPTP outbound with ISA 2004 - 20.Jan.2005 7:32:00 PM   
Guest
I have that trouble too. Absolutely like your trouble! But at both sides I have ISA 2004 (at client side and at server side). I haven't installed SBS. Just Windows 2000 AS + ISA 2004. Active directory is not present. Rule All/toAll/fromAll is present and enabled at both ISAs. Without one of that ISAs (anyone) all works fine. But if I install ISA 2004 at any end VPN don't work. If I shutdown all ISA services (and firewall) the VPN DON'T work also. If I will uninstall ISA VPN will work good.

(in reply to hgerrit)
  Post #: 4
RE: PPTP outbound with ISA 2004 - 21.Jan.2005 8:46:00 AM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
That's indeed possible...because we havan't got any customers already equipped with ISA2004. Only ISA 2000.

But this problem has travelled along the internet several times. Hoping that Tom can help us out here [Big Grin]

(in reply to hgerrit)
Post #: 5
RE: PPTP outbound with ISA 2004 - 21.Jan.2005 12:36:00 PM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
We've got something closer.

The problem appears to be in the Microsoft firewall packet engine driver!

You run CMD on the server and then:
net stop FWENG

Then it is possible to make te PPTP connection

Research still in progress. updates later

(in reply to hgerrit)
Post #: 6
RE: PPTP outbound with ISA 2004 - 22.Jan.2005 3:26:00 PM   
Guest
Did you find something? Now I have only one workaround - uninstall the ISA on client side and don't use firewall at all (on client side).

(in reply to hgerrit)
  Post #: 7
RE: PPTP outbound with ISA 2004 - 24.Jan.2005 4:42:00 PM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
Update

This is as far as we can get:
I've uploaded an image to show u the network situation we currently are testing
http://www.t-ict.nl/docs/VPN.jpg

Situation 1 doesn't work because it goes over ISA 2004.
We also replaced the SBS2003 with an 2003 standard edition with ISA2004.
We did this because ISA2004 isn't supported on SBS2003.

Situation 3 DOES work because it goes over ISA 2000.
Situation 2 DOES work (Don't know why it works, but A connection to a Vigor over ISA 2004 works perfectly.

Now we tested a little bit with the Firewall Engine.
In situation 1:
We made a little adjustement in FWENG with fwengmon.exe. We managed to configure the route so it doesn't go over ISA server kernel-mode driver. When this is configured, PPTP DOES work!

This is not a solution, not a work around, but only to show where the problem exists.

Can we conclude this is a bug?

[ January 24, 2005, 04:49 PM: Message edited by: Dutchie ]

(in reply to hgerrit)
Post #: 8
RE: PPTP outbound with ISA 2004 - 24.Jan.2005 7:27:00 PM   
Guest
My investigations shows me that VPN works normaly if only ONE ISA 2004 uses (no matter at client side or like VPN server). If we will use TWO ISA 2004 VPN doesn't work. It not expand to ISA 2000.

And if make allow rule to VPN server (which based on ISA 2004) in fwengmon it will work. But it will weaken the security.

BTW my version of ISA: 4.0.2161.50

Who will listen us at Microsoft if we will report about bug?
BTW one time I report about error in the Cisco study programm and receive an answer after ONE YEAR. [Wink]

(in reply to hgerrit)
  Post #: 9
RE: PPTP outbound with ISA 2004 - 10.Oct.2005 10:57:00 AM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
any updates?

many more seems to have this problem

(in reply to hgerrit)
Post #: 10
RE: PPTP outbound with ISA 2004 - 15.Oct.2005 6:35:00 PM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
More of the same

forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=001188

(in reply to hgerrit)
Post #: 11
RE: PPTP outbound with ISA 2004 - 20.Oct.2005 3:42:00 AM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
updates?

(in reply to hgerrit)
Post #: 12
RE: PPTP outbound with ISA 2004 - 11.Nov.2005 11:00:28 PM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
Updates?

(in reply to jdl)
Post #: 13

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> PPTP outbound with ISA 2004 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts