[isalist] Re: Error establishing a VPN to the ISA server

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Jun 2006 10:57:19 -0700

Until the one you switch to is on a 10. network and all the work Tom did
with the internal IP stuff is all for naught.  ;)

I'm telling ya... This is becoming way more and more common.  I'm surprised
to see this dude's hotel on 192.168.110 (I really am) but it's actually
becoming more common for some of my people to be on conflicting nets,
particularly when they give you a 10.0.0.0 address on a 255.0.0.0 subnet.
Hence the need for a localized NAT solution? OWA/RPCoHTTP is fine when all
you need is email stuff, but when you've got to be RDP'ing into multiple
servers, accessing SQL boxes, hitting VoIP equipment, etc., publishing
scenarios just don't cut it...

I've tried lots of different things at varying degrees of complexity (like a
virtual pc install, Kerio routing tricks, KY jelly, etc) but I've found that
keeping things limited to the "plug THIS into THAT, then plug THAT into the
OTHER THING" mentality is the best.

That's really why most of my mobile people have the high speed EVDO
solutions (we use Verizon) so that we don't really have to worry about it.
Hotel connections are usually way faster, but EVDO works all the time (most
of the time, anyway).

I can actually envision a market for a little USB device that NAT's the
connection all the time for the true "road warrior" that spends a lot of
time on other people's networks.

t  


On 6/28/06 7:51 AM, "Jonathon J. Howey" <Jonathon@xxxxxxxx> spoketh to all:

> A non-technical solution: Wouldn't it have been easier to tell the Director to
> switch hotels? :p
>  
> But then that wouldn't be any fun for you guys...
>  
> Jonathon J. Howey
> MENSE Inc.
> P 780.409.5620
> F 780.409.5621
> D 780.409.5628
> C 780.965.8363
> Jonathon@xxxxxxxx
>  
> Defining the Future of Transportation
> www.MENSE.ca <http://www.mense.ca/>
>  
>  
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: June 28, 2006 8:31 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
> 
> Nice tip!
> Thanks!
>  
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
> 
>  
> 
>>  
>>  
>> 
>>  From: isalist-bounce@xxxxxxxxxxxxx  [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Thor (Hammer of  God)
>> Sent: Wednesday, June 28, 2006 9:19 AM
>> To:  isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Error establishing a  VPN to the ISA server
>> 
>>  
>> You'll still hit it.  The router will be given the local IP just like a
>> lappy would, and you'll hit it via the NAT'd connection.  Do it all the
>> time.
>> 
>> t
>> 
>> 
>> On 6/28/06 6:51 AM,  "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
>> all:
>> 
>>  
>>> What if that broadband router has to interact with a log on  page?
>>> 
>>> Thomas W Shinder,  M.D.
>>> Site: www.isaserver.org <http://www.isaserver.org/>
>>> Blog: http://blogs.isaserver.org/shinder/
>>> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>>> MVP  -- ISA Firewalls
>>> 
>>>  
>>> 
>>>  
>>>> 
>>>>  
>>>>  
>>>> 
>>>>  From: isalist-bounce@xxxxxxxxxxxxx   [mailto:isalist-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Glenn P.  JOHNSTON
>>>> Sent: Tuesday, June  27, 2006 11:18 PM
>>>> To:   isalist@xxxxxxxxxxxxx
>>>> Subject: RE: [isalist] Re: Error  establishing  a VPN to the ISA server
>>>> 
>>>>  
>>>>  
>>>> Plan is, I am going to take;
>>>> 
>>>> 1. A Linksys 4 port BB router, to plug in between the hotel's BB and his
>>>>    notebook, which I think will do the trick nicely.
>>>> 2. A wireless broadband card, just in case.
>>>> 3. A second notebook with the company's SOE on it, also just in case.
>>>> 4. My Wife, it will be a nice little day or two away for us.
>>>> 
>>>> 
>>>>  
>>>>  
>>>>  
>>>> 
>>>>  
>>>>  
>>>> From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>>> Sent:  Wed 28/Jun/2006 14:06
>>>> To:  isalist@xxxxxxxxxxxxx
>>>> Subject:  [isalist] Re: Error  establishing a VPN to the ISA server
>>>> 
>>>>  
>>>>  
>>>> 
>>>> http://www.ISAserver.org
>>>> -------------------------------------------------------
>>>>  
>>>> You   gonna add a new IP to the server, bring a little NAT router, or
>>>> both?  ;)
>>>> 
>>>> t
>>>> 
>>>> 
>>>> On 6/27/06 9:00 PM, "Glenn P. JOHNSTON"   <glenn.johnston@xxxxxxxxxxx>
>>>> spoketh
>>>> to all:
>>>> 
>>>>> > I don't believe it.
>>>>> > 
>>>>> > I've just been offered a return first class plane ticket, a night's
>>>>> > accommodation, 2 nights if need be, all expenses + however many hours it
>>>>> > takes at my normal hourly rate to go see the director in person and fix
>>>>> > this for him so he can get his e-mail!
>>>>> > 
>>>>> > "Well I'll lose a whole day on this", "Fine, then charge us for every hour
>>>>> > you're away, just get it fixed!"
>>>>> > 
>>>>> >  
>>>>> >
>>>>> >  ________________________________
>>>>> >
>>>>> >  From:  isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of  God)
>>>>> > Sent:  Wed 28/Jun/2006 13:45
>>>>> > To:  isalist@xxxxxxxxxxxxx
>>>>> > Subject:  [isalist] Re: Error  establishing a VPN to the ISA  server
>>>>> >
>>>>> >
>>>>> >
>>>>> > OWA would be a great "backup" solution in the rare case where the local
>>>>> > Ethernet LAN is the same logical subnet as their own offices, even if he
>>>>> > couldn't sync.  But, in your case of having a jackass for a client, you're
>>>>> > kind of stuck.
>>>>> >
>>>>> > An easier thing to do would be to get a little Linksys NAT router to stick
>>>>> > in between.  Plug the hotel ethernet to the "Internet" port, and plug the
>>>>> > laptop into a "LAN" port.  That way he'll get a local 192.168.1 address and
>>>>> > have no problems.  Plus, there is no configuration needed at all.  The
>>>>> > defaults will work just fine.  Just plug it in and go.
>>>>> >
>>>>> >  t
>>>>> >
>>>>> >
>>>>> >  On 6/27/06 8:29 PM, "Glenn P. JOHNSTON"  <glenn.johnston@xxxxxxxxxxx>
>>>>> spoketh
>>>>> > to  all:
>>>>> >
>>>>>> >> I'm told he refuses to use OWA as he can't sync his mail with the OST on his
>>>>>> >> notebook. There is just no helping some people, no matter how hard you try to
>>>>>> >> be helpful and solve their problem, they just refuse all help on principle!
>>>>>> >>
>>>>>> >> Also they passed on to me, that in his yelling and screaming he's demanding to
>>>>>> >> know "Why someone did not realise this would happen, and get it fixed before
>>>>>> >> hand, so I can get my e-mail"
>>>>>> >>
>>>>>> >> I really feel sorry for the IT guy at the site, he's early 20's, finished a
>>>>>> >> development oriented IT degree last year, is quite bright really, but is still
>>>>>> >> just learning the finer points of the winserver environment, supporting XP
>>>>>> >> etc, and is working toward his MCSE, having passed the first 2 exams in the
>>>>>> >> last couple of months. He reports to this Director, and from what I can see,
>>>>>> >> gets one hell of a serve from him as soon as anything a little bit odd
>>>>>> >> occurs.
>>>>>> >>
>>>>>> >> I can't see a way around this, without the Director having to do something
>>>>>> >> out of the ordinary, which apparently, is just not an option, and have just
>>>>>> >> told them that.
>>>>>> >>
>>>>>> >> I've suggested the only possible way, I can see, is to go out and purchase a
>>>>>> >> wireless broadband card from someone local, get it on the net, set up a
>>>>>> >> notebook with it and his e-mail, and get it express couriered to him. He'd
>>>>>> >> have it early evening or first thing in the morning.
>>>>>> >>
>>>>>> >> There was a choking sound on the other end of the phone, "but then he'd have
>>>>>> >> to carry 2 notebooks back!" and "What do I do if he gets it and it does not
>>>>>> >> work?" ..................................
>>>>>> >>
>>>>>> >> Find another job came to mind..
>>>>>> >>
>>>>>> >>   ________________________________
>>>>>> >>
>>>>>> >> From:   isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of
>>>>>> God)
>>>>>> >>  Sent: Wed 28/Jun/2006 12:49
>>>>>> >> To:  isalist@xxxxxxxxxxxxx
>>>>>> >>  Subject: [isalist] Re: Error  establishing a VPN to the ISA   server
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >> Well, it would have worked other than the gw on the hotel being the same as
>>>>>> >> the SBS box... Bad luck there.  But, I've had to do this several times for
>>>>>> >> the exact same scenario with my people.  Seems the Marriott and I thought
>>>>>> >> alike in our IP schemes ;)
>>>>>> >>
>>>>>> >> You could always just add another IP address to the SBS box (well, you could
>>>>>> >> if it were a "regular" server install-- I don't know what you'd have to go
>>>>>> >> through on SBS to do that.)  That would work, though.
>>>>>> >>
>>>>>> >> Not much we can do about a guy who wants to scream more than get the job
>>>>>> >> done, though.  I'd tell him that if he wanted his email to STFU and do what
>>>>>> >> was needed.  It's not like it is anyone's "fault."  There are other options
>>>>>> >> you have, but they would all require him doing *something*.
>>>>>> >>
>>>>>> >> I'm assuming that OWA is not an option for some reason?
>>>>>> >>
>>>>>> >>  t
>>>>>> >>
>>>>>> >>
>>>>>> >>  On 6/27/06 7:37 PM, "Glenn P.  JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
>>>>>> spoketh
>>>>>> >> to  all:
>>>>>> >>
>>>>>>> >>> The internal IP of the SBS server is 192.168.110.2, G/W on the hotel BB
>>>>>>> >>> service is also 192.168.110.2 unfortunately!
>>>>>>> >>>
>>>>>>> >>> I tried the static route on my home ADSL service by changing the internal
>>>>>>> >>> private IP to match the Hotel's to play with, and everything else works, I can
>>>>>>> >>> get to the internet and other clients' networks fine, but I can not get to
>>>>>>> >>> anything on the remote network after the tunnel is connected, of the client
>>>>>>> >>> with the problem.
>>>>>>> >>>
>>>>>>> >>> Putting the static route in I doubt will work anyway, the fellow will probably
>>>>>>> >>> just yell and scream as soon as he is asked to do anything remotely technical,
>>>>>>> >>> expecting it to be magically fixed from this end.
>>>>>>> >>>
>>>>>>> >>>   ________________________________
>>>>>>> >>>
>>>>>>> >>>  From:  isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of
>>>>>>> God)
>>>>>>> >>>  Sent: Wed 28/Jun/2006 12:27
>>>>>>> >>> To:   isalist@xxxxxxxxxxxxx
>>>>>>> >>> Subject: [isalist] Re: Error   establishing a VPN to the ISA
>>>>>>> server
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> All he has to do is set a static route for the SBS box's IP to the gateway
>>>>>>> >>> address of the VPN endpoint.
>>>>>>> >>>
>>>>>>> >>> IOW, if the SBS box is 192.168.110.101, and his PPP VPN interface got
>>>>>>> >>> assigned something like 192.168.110.11 from the RRAS server (do an IP config
>>>>>>> >>> to see what ip his PPP adapter is, or look at the RRAS properties of the
>>>>>>> >>> connection) then you would have him do a:
>>>>>>> >>>
>>>>>>> >>> ROUTE -p add 192.168.110.101 mask 255.255.255.255 192.168.110.11
>>>>>>> >>>
>>>>>>> >>> That way, when he attempts to access the SBS server, the request will route
>>>>>>> >>> down the VPN rather than broadcasting on the "local" 192.168.110.x network.
>>>>>>> >>>
>>>>>>> >>>   t
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> On 6/27/06 7:13  PM, "Glenn  P. JOHNSTON"
>>>>>>> <glenn.johnston@xxxxxxxxxxx>  spoketh
>>>>>>> >>> to  all:
>>>>>>> >>>
>>>>>>>> >>>> Hi,
>>>>>>>> >>>>
>>>>>>>> >>>> Maybe, maybe not directly an ISA question, and I've posted this in an SBS
>>>>>>>> >>>> forum as well, but you people are pretty bright & I thought you might have
>>>>>>>> >>>> some worthwhile input on this.
>>>>>>>> >>>>
>>>>>>>> >>>> One of my clients has an issue with a VPN tunnel. This has been in place since
>>>>>>>> >>>> Sunday afternoon, but they only rang me this morning.
>>>>>>>> >>>>
>>>>>>>> >>>> One of their directors is at a week long conference, and the Hotel where he is
>>>>>>>> >>>> staying provides an in-room broadband service.
>>>>>>>> >>>> The BroadBand in the hotel is using a 192.168.110.0/24 address range, the
>>>>>>>> >>>> internal address of the client's network at the office is also a
>>>>>>>> >>>> 192.168.110.0/24 range.
>>>>>>>> >>>>
>>>>>>>> >>>> The VPN tunnel establishes fine, and the VPN connector on his notebook gets an
>>>>>>>> >>>> address, of course, in the 192.168.110.100 to 192.168.110.199 range of the
>>>>>>>> >>>> DHCP server on the SBS server.
>>>>>>>> >>>>
>>>>>>>> >>>> Once the tunnel is established, he can access nothing on the SBS. This is to be
>>>>>>>> >>>> expected as the address ranges are the same, does anyone have any bright
>>>>>>>> >>>> ideas on how to get around this. The Director is yelling and screaming about
>>>>>>>> >>>> not being able to get his e-mail.
>>>>>>>> >>>>
>>>>>>>> >>>> Unfortunately he is out of direct reach in another state, and has very little
>>>>>>>> >>>> tolerance for such problems.
>>>>>>>> >>>>
>>>>>>>> >>>>  Regards
>>>>>>>> >>>>  Glenn
>>>>>>>> >>>>   ------------------------------------------------------
>>>>>>>> >>>>   List Archives: //www.freelists.org/archives/isalist/
>>>>>>>> >>>>   ISA Server Newsletter:
>>>>>>>> http://www.isaserver.org/pages/newsletter.asp
>>>>>>>> >>>>   ISA Server Articles and Tutorials:
>>>>>>>> >>>> http://www.isaserver.org/articles_tutorials/
>>>>>>>> >>>>   ISA Server Blogs: http://blogs.isaserver.org/
>>>>>>>> >>>>   ------------------------------------------------------
>>>>>>>> >>>>   Visit TechGenix.com for more information about our other
>>>>>>>> sites:
>>>>>>>> >>>> http://www.techgenix.com
>>>>>>>> >>>>   ------------------------------------------------------
>>>>>>>> >>>>  To  unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>>>>>>>> >>>>   Report abuse to   listadmin@xxxxxxxxxxxxx
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>>> >>>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>> 
>>>> 
>>>> 
>>> 
>> 
> 
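
An added example, not part of any message in this thread: a small planner for the overlapping-subnet case discussed above. It checks whether the laptop's local network overlaps the office range, emits the `ROUTE -p add` host route in the form quoted in the thread, and marks a server as blocked when its address equals the local gateway or the laptop itself (the gateway case is the one the thread reports as not working). Function names and the addresses 192.168.110.57, 192.168.110.111, 172.16.5.10 and 10.20.0.0/16 are constructed for illustration.

```python
import ipaddress

def overlaps(local_if, corp_net):
    """True when the adapter's on-link network overlaps the office range.

    local_if is address/prefix as handed out locally, e.g. '10.0.0.23/8'.
    """
    lan = ipaddress.ip_interface(local_if).network
    return lan.overlaps(ipaddress.ip_network(corp_net))

def plan_host_routes(local_if, local_gw, ppp_ip, servers):
    """Return (server, status, action) for each office server address.

    status is:
      'ok'      - server is outside the local LAN; normal VPN routing applies
      'route'   - server collides with the local LAN; send it down the PPP
                  adapter with a /32 host route (command form from the thread)
      'blocked' - server has the same address as the local default gateway or
                  the laptop; a host route does not resolve that collision
    """
    iface = ipaddress.ip_interface(local_if)
    gw = ipaddress.ip_address(local_gw)
    ppp = ipaddress.ip_address(ppp_ip)
    plan = []
    for s in servers:
        host = ipaddress.ip_address(s)
        if host not in iface.network:
            plan.append((s, "ok", ""))
        elif host in (gw, iface.ip):
            plan.append((s, "blocked", "use a NAT router or another uplink"))
        else:
            # -p makes the route persistent; the PPP address can differ on the
            # next connection, so remove the route once the trip is over.
            cmd = f"route -p add {host} mask 255.255.255.255 {ppp}"
            plan.append((s, "route", cmd))
    return plan

if __name__ == "__main__":
    # Constructed scenario: hotel LAN and office both on 192.168.110.0/24.
    print(overlaps("192.168.110.57/24", "192.168.110.0/24"))
    for row in plan_host_routes(
        "192.168.110.57/24", "192.168.110.2", "192.168.110.111",
        ["192.168.110.101", "192.168.110.2", "172.16.5.10"],
    ):
        print(row)
    # Behind a small NAT router the laptop sits on 192.168.1.0/24 instead.
    print(overlaps("192.168.1.100/24", "192.168.110.0/24"))
```
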

