• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

VPN Clients cannot access Internal Websites

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> VPN Clients cannot access Internal Websites Page: [1]
Login
Message << Older Topic   Newer Topic >>
VPN Clients cannot access Internal Websites - 6.Apr.2005 10:09:00 PM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
We are trying to move from a standalone VPN server to using ISA 2004 for VPN. The problem we are having is that when VPN clients try to access internal websites, they get the following error message:

Error Code: 500 Internal Server error. The pipe is being closed (232).

The problem is not a name resolution problem or access problem. I can ping the internal dns name and get a reply.

I found the following post about this same problem - http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000239. Adding the ISA address as a proxy server for the VPN connection as suggested fixes the problem if I enable Web Proxy client access on the ISA server. However, the problem is that we do not want to use ISA as a proxy server. We wish to use ISA strictly to publish servers and for VPN.

Any ideas how I can fix my problem without using ISA as a Proxy server.

Also, can anyone explain why is this a problem? Isn't the whole idea of VPN to give external clients access to internal resources. Our internal clients don't need a proxy setting in their browser to access intranet websites. This was not a problem on our standalone Win2k VPN server.

Thanks,
Jack

[ April 06, 2005, 10:15 PM: Message edited by: Jack Wilcox ]
Post #: 1
RE: VPN Clients cannot access Internal Websites - 7.Apr.2005 4:49:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jack,

You don't need to use ISA as a Web proxy to access internal sites via the VPN. In fact, those connections wouldn't be proxied anyhow, since the internal domains should be configured for Direct Access, and if the VPN clients were configured to be Web proxy clients, they wouldn't ignore the Web proxy client configuration and use Direct Access.

This especially makes no sense because I, and my customers, access their internal sites all the time through the VPN client connection.

What Access Rules do you have in place to allow these connections and what is the route relationship between the VPN Clients Network and the ISA firewall Network on which the Web servers are located?

Thanks!
Tom

(in reply to jwilcox)
Post #: 2
RE: VPN Clients cannot access Internal Websites - 7.Apr.2005 4:42:00 PM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
Good - I'm glad I'm not the only one that thinks this makes no sense. Here are more details.

Access Rule:
Allow All Outbound Traffic From VPN Clients To All Networks (and Local Host) for All Users

VPN address assignment is configured for DHCP. The VPN client is on the same network as the web servers they are trying to access.

I can ping the server with both it's host name and it's internal DNS name, so I know that name resolution is working correctly. I can even browse the hard drive of the web server. I just can't access it in the browser without going to Tools > Internet Options > Connections and select the VPN connection and click Settings and select Use Proxy Server checkbox and type in the internal address of the ISA server as the proxy server.

We also have a standalone Win2k server using Routing and Remote Access for VPN Access that we have always used. But we are wanting to move VPN over to our ISA server. We do not have this issue when going through the other VPN server, so it has something to do with ISA.

You mentioned Direct Access. I am not sure if we have this configured or not. I have never really understood how this works. My understanding was that Direct Access only works if you are using the autoconfig script in the browser. We are not using that and to be honest, I'm not really very sure how to even do that. Any help would be appreciated.

Thanks,
Jack

(in reply to jwilcox)
Post #: 3
RE: VPN Clients cannot access Internal Websites - 7.Apr.2005 5:48:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Do you have multiple IPs bound on the external interface? Are you VPNing to the "primary" IP address? The primary is the address listed in the main dialog of TCP/IP properties.

Also, check the Binding order to ensure the Internal NIC is bound first.

(in reply to jwilcox)
Post #: 4
RE: VPN Clients cannot access Internal Websites - 7.Apr.2005 6:13:00 PM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
There are two IPs bound to the external interface - the primary IP and a listener for publishing Outlook Web Access. We are VPNing to the Primary IP address. In testing I have also tried VPNing to the secondary IP and I also tried removing the secondary IP altogether, but still had the same problem.

I checked the binding order and the External NIC was bound first, so I changed it so that the Internal NIC was bound first. But that didn't make a difference. Same problem.

Thanks,
Jack

(in reply to jwilcox)
Post #: 5
RE: VPN Clients cannot access Internal Websites - 7.Apr.2005 7:16:00 PM   
jwilcox

 

Posts: 20
Joined: 14.Sep.2004
From: San Angelo, TX
Status: offline
Well, it's now working correctly. I am not sure what ended up fixing it. I have changed so many things in the process of troubleshooting this. I ended up rebooting the machine and after that everything worked like it should. So I am not sure if it was the rebooting that fixed it or some setting I may have changed that needed rebooting to take effect or a combination of both or what, but the problem is gone and I'm happy.

Thanks guys for your input. I appreciate the responses.

Jack

(in reply to jwilcox)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> VPN Clients cannot access Internal Websites Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts