[isalist] Re: Error establishing a VPN to the ISA server
- From: "John T \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Wed, 28 Jun 2006 16:45:04 -0700
http://www.ISAserver.org
-------------------------------------------------------
Or what about a hotel that does not tell you that you can not send outbound
e-mail but instead quietly grabs it and sends it through its own proxy which
then causes havoc with SPF records and such because now that outbound
message is not going through your server but the hotels server.
John T
eServices For You
"Seek, and ye shall find!"
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of
> Glenn P. JOHNSTON
> Sent: Wednesday, June 28, 2006 4:29 PM
> To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> The linksys unit Tom's link points at is infact the unit I have taken to
the Director in
> Melbourne.
>
> It's working a treat.
>
> But his still yelling and screaming, now about having to carry and extra
500grams of
> weight home !
>
> What an A. Hole !
>
> I'm also suprised to see them using a 192.168.110.x range, the reason I
suggest
> them using something well away from the common, 192.168.0.x, 192.168.1.x
or
> 192.168.2.x range was that most home BB routers 'out of the box' use these
ranges,
> as do the hotels I've come across in the past. I assumed, incorrectly.
that we'd be
> pretty safe moving well out of these common addresses ranges
>
> Another one we came across a few weeks back, was the inability to
establish a VPN
> link, this user was far more willing to be of assistance in sorting the
issue. Turns out
> the hotel's BB service was locked down, only allowing port 80 or 443
through.
> Everything else was blocked.
>
> Fortunately, in that instance the user was quite happy to use OWA for a
few days. So
> it was only a minor issue.
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
> Sent: Thu 29/Jun/2006 06:59
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>
>
> Or maybe this one?
>
> http://www-
>
au.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=AU%2FLayout&ci
d
> =1130279436183&packedargs=site%3DAU&pagename=Linksys%2FCommon%2FVisit
> orWrapper
>
> 4x1 inches.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thomas W Shinder
> Sent: Wednesday, June 28, 2006 3:48 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>
>
> OK, like Thor said, you can only access the SBS box. Is this the
only
> requirement?
>
> One option is to enable RDP connections to the SBS box, then within
that RDP
> session, create a second RDP session to the destination box.
>
> Pretty suboptimal. I'll go with Tim's idea and get a NAT device out
to the boss.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Wednesday, June 28, 2006 2:19 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA
server
>
>
>
> Or you can assign VPN clients the autonet address in your
VPN server
> configuration. I'm preparing an article on how to do this.
>
>
>
> Tom
>
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA
> Sent: Wednesday, June 28, 2006 1:20 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA
server
>
>
>
> Why not just create two VPN's, one with 1 subnet and the
other one
> with another subnet, you won't have this problem again no matter on which
hotel
> your customer stay.
>
> For us OWA/RPC HTTP don't work because we use RSA to
authenticate
> user on OWA.
>
>
>
> Regards
>
> Diego R. Pietruszka
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 28, 2006 1:57 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA
server
>
>
>
> Until the one you switch to is on a 10. network and all the
work Tom did
> with the internal IP stuff is all for naught. ;)
>
> I'm telling ya... This is becoming way more and more common.
I'm
> surprised to see this dude's hotel on 192.168.110 (I really am) but it's
actually
> becoming more common for some of my people to be on conflicting nets,
particularly
> when they give you a 10.0.0.0 address on a 255.0.0.0 subnet. Hence the
need for a
> localized NAT solution- OWA/RCPoHTTP is fine when all you need is email
stuff, but
> when you've got to be RDP'ing into multiple servers, accessing SQL boxes,
hitting
> VoIP equipment, etc., publishing scenarios just don't cut it...
>
> I've tried lots of different things at varying degrees of
complexity (like a
> virtual pc install, Kerio routing tricks, KY jelly, etc) but I've found
that keeping things
> limited to the "plug THIS into THAT, then plug THAT into the OTHER THING"
mentality
> is the best.
>
> That's really why most of my mobile people have the high
speed EVDO
> solutions (we use verizon) so that we don't really have to worry about it.
Hotel
> connections are usually way faster, but EVDO works all the time (most of
the time,
> anyway).
>
> I can actually envision a market for a little USB device
that NAT's the
> connection all the time for the true "road warrior" that spends a lot of
time on other
> people's networks.
>
> t
>
>
> On 6/28/06 7:51 AM, "Jonathon J. Howey" <Jonathon@xxxxxxxx>
> spoketh to all:
>
> A non-technical solution: Wouldn't it of been easier to tell
the Directory
> to switch hotels? :p
>
> But then that wouldn't be any fun for you guys...
>
> Jonathon J. Howey
> MENSE Inc.
> P 780.409.5620
> F 780.409.5621
> D 780.409.5628
> C 780.965.8363
> Jonathon@xxxxxxxx
>
> Defining the Future of Transportation
> www.MENSE.ca <http://www.mense.ca/> <http://www.mense.ca/>
>
>
>
>
>
> ________________________________
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thomas W Shinder
> Sent: June 28, 2006 8:31 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA
server
>
> Nice tip!
> Thanks!
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
>
>
>
> ________________________________
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor (Hammer of
God)
> Sent: Wednesday, June 28, 2006 9:19 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA
server
>
>
> You'll still hit it. The router will be given the local IP
just like a lappy
> would, and you'll hit it via the NAT'd connection. Do it all the time.
>
> t
>
>
> On 6/28/06 6:51 AM, "Thomas W Shinder"
<tshinder@xxxxxxxxxxx>
> spoketh to all:
>
>
>
> What if that broadband router has to interact with a log on
page?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
>
>
>
>
>
>
> ________________________________
>
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-
> bounce@xxxxxxxxxxxxx] <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf
Of Glenn
> P. JOHNSTON
> Sent: Tuesday, June 27, 2006 11:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: RE: [isalist] Re: Error establishing a VPN to the
ISA server
>
>
>
> Plan is, I am going to take;
>
>
>
>
> 1.
> 2. A linksys 4 port BB router, to plug in between the
hotels BB,
> and his notebook, which I think will do the trick nicely.
> 3.
> 4.
> 5. A wireless broadband card, just in case.
> 6.
> 7.
> 8. A second notebook with the companys SOE on it,
also just in
> case.
> 9.
> 10.
> 11. My Wife, it will be a nice little day or two away
for us.
>
>
>
>
>
>
>
>
> ________________________________
>
>
>
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor
(Hammer of God)
> Sent: Wed 28/Jun/2006 14:06
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA
server
>
>
>
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> You gonna add a new IP to the server, bring a little NAT
router, or
> both? ;)
>
> t
>
>
> On 6/27/06 9:00 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> to all:
>
> > I don't believe it.
> >
> > I've just been offered a return first class plane
ticket, a nights
> > accomodation, 2 nights if need be, all expenses + how
ever many
> hours it takes
> > at my normal hourly rate to go see the director in
person and fix
> this for him
> > so he can get his e-mail !
> >
> > "Well I'll loose a whole day on this", "Fine, then
charge us for every
> hour
> > your away, just get it fixed !"
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor
(Hammer of
> God)
> > Sent: Wed 28/Jun/2006 13:45
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Error establishing a VPN to the
ISA server
> >
> >
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > OWA would be a great "backup" solution in the rare case
where the
> local
> > Ethernet LAN is the same logical subnet as their own
offices, even if
> he
> > couldn't sync. But, in your case of having a jackass
for a client,
> you're
> > kind of stuck.
> >
> > An easier thing to do would be to get a little Linksys
NAT router to
> stick
> > in between. Plug the hotel ethernet to the "Internet"
port, and plug
> the
> > laptop into a "LAN" port. That way he'll get a local
192.168.1
> address and
> > have no problems. Plus, there is no configuration
needed at all.
> The
> > defaults will work just fine. Just plug it in and go.
> >
> > t
> >
> >
> > On 6/27/06 8:29 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> > to all:
> >
> >> I'm told he refuses to use OWA as he can't sync his
mail with the
> OST on his
> >> notebook. There is just no helping some people, no
matter how
> hard you try to
> >> be helpful and solve their problem, they just refuse
all help on
> principle !
> >>
> >> Also they passed on to me, that in his yelling and
screaming his
> demanding to
> >> know 'Why someone did not realise this would happen,
and get it
> fixed before
> >> hand, so I can get my e-mail"
> >>
> >> I really feel sorry for the IT guy at the site, his
early 20's, finished
> a
> >> development oriented IT degree last year, is quite
bright really,
> but is
> >> still
> >> just learning the finer points of the winserver
environment,
> supporting XP
> >> etc, and it working toward his MCSE, having passed the
first 2
> exams in the
> >> last couple of months. He reports to this Director, and
from what I
> can see,
> >> gets one hell of a serve from him as soon as anything a
little bit
> odd
> >> occurs.
> >>
> >> I can't see a away around this, without the Director
having to do
> something
> >> out of the ordinary, which apparently, is just not an
option, and
> have just
> >> told them that.
> >>
> >> I've suggested the only possibly way, I can see, is to
go out and
> purchase a
> >> wireless broadband card from someone local, get it on
the net,
> set up a
> >> notebook with it and his e-mail, and get it express
couriered to
> him. He'd
> >> have it early eveing or first thing in the morning.
> >>
> >> There was a chocking sound on the other end of the
phone, "but
> then he'd have
> >> to carry 2 notebooks back ! " and "What do I do if he
gets it and it
> does not
> >> work ?" ..................................
> >>
> >> Find another job came to mind..
> >>
> >> ________________________________
> >>
> >> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor
(Hammer of
> God)
> >> Sent: Wed 28/Jun/2006 12:49
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Re: Error establishing a VPN to the
ISA server
> >>
> >>
> >>
> >> http://www.ISAserver.org
> >> -------------------------------------------------------
> >>
> >> Well, it would have worked other than the gw on the
hotel being
> the same as
> >> the SBS box... Bad luck there. But, I've had to do this
several
> times for
> >> the exact same scenario with my people. Seems the
Marriott and
> I thought
> >> alike in our IP schemes ;)
> >>
> >> You could always just add another IP address to the SBS
box
> (well, you could
> >> if it were a "regular" server install-- I don't know
what you'd have
> to go
> >> through on SBS to do that.) That would work, though.
> >>
> >> Not much we can do about a guy who wants to scream more
than
> get the job
> >> done, though. I'd tell him that if he wanted his email
to STFU and
> do what
> >> was needed. It's not like it is anyone's "fault."
There are other
> options
> >> you have, but they would all require him doing
*something*.
> >>
> >> I'm assuming that OWA is not an option for some reason?
> >>
> >> t
> >>
> >>
> >> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> >> to all:
> >>
> >>> The internal IP of the SBS server is 192.168.110.2,
G/W on the
> hotel BB
> >>> service is also 192.168.110.2 unfortunately !
> >>>
> >>> I tried the static route on my home ADSL service by
changing
> the internal
> >>> private IP to match the Hotel's to play with, and
everything else
> works, I
> >>> can
> >>> get to the internet and other clients networks fine,
but I can not
> get to
> >>> anything on the remote network after the tunnel is
connected, of
> the client
> >>> with the problem.
> >>>
> >>> Putting the static route in I doubt will work anyway,
the fellow
> will
> >>> probably
> >>> just yell and scream as soon as he is asked to do
anything
> remotely
> >>> technical,
> >>> expecting it to be magically fixed from this end.
> >>>
> >>> ________________________________
> >>>
> >>> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor
(Hammer of
> God)
> >>> Sent: Wed 28/Jun/2006 12:27
> >>> To: isalist@xxxxxxxxxxxxx
> >>> Subject: [isalist] Re: Error establishing a VPN to the
ISA server
> >>>
> >>>
> >>>
> >>> http://www.ISAserver.org
> >>>
-------------------------------------------------------
> >>>
> >>> All he has to do is set a static route for the SBS
box's IP to the
> gateway
> >>> address of the VPN endpoint.
> >>>
> >>> IOW, if the SBS box is 192.168.110.101, and his PPP
VPN
> interface got
> >>> assigned something like 192.168.110.11 from the RRAS
server
> (do an IP config
> >>> to see what ip his PPP adapter is, or look at the RRAS
properties
> of the
> >>> connection) then you would have him do a:
> >>>
> >>> ROUTE -p add 192.168.110.101 mask 255.255.255.255
> 192.168.110.11
> >>>
> >>> That way, when he attempts to access the SBS server,
the
> request will route
> >>> down the VPN rather than broadcasting on the "local"
> 192.168.110.x network.
> >>>
> >>> t
> >>>
> >>>
> >>> On 6/27/06 7:13 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> >>> to all:
> >>>
> >>>> http://www.ISAserver.org
> >>>>
-------------------------------------------------------
> >>>>
> >>>> Hi,
> >>>>
> >>>> Maybe, maybe not directly and ISA question, and I've
posted
> this in an SBS
> >>>> forum as well, but you people are pretty bright & I
thought you
> might have
> >>>> some worth while input on this.
> >>>>
> >>>> One of my clients has an issue with VPN tunnel. This
has been
> inplace since
> >>>> Sunday afternoon, but they only rang me this
morning.
> >>>>
> >>>> One of their directors is at a week long conference,
and the
> Hotel where he
> >>>> is
> >>>> staying, has provides an in room broadband service.
> >>>> The BroadBand in the hotel is using a
192.168.110.0/24
> address range, the
> >>>> internal address of the clients network at the office
is also a
> >>>> 192.168.110.0/24 range.
> >>>>
> >>>> The VPN tunnel establishes fine, and the VPN
connector on his
> notebook get
> >>>> an
> >>>> address, of course, in the 192.168.110.100 to
> 192.168.110.199 range of the
> >>>> DHCP server on the SBS server.
> >>>>
> >>>> Once the tunnel is established, he can acess nothing
on the
> SBS. This is to
> >>>> be
> >>>> expected as the address ranges are the same, does
anyone
> have any bright
> >>>> idea's on how to get around this. The Director is
yelling and
> screaming
> >>>> about
> >>>> not being able to get his e-mail.
> >>>>
> >>>> Unfortunately he is out out direct reach in another
state, and
> has very
> >>>> little
> >>>> tolerance for such problems.
> >>>>
> >>>> Regards
> >>>> Glenn
> >>>>
------------------------------------------------------
> >>>> List Archives:
//www.freelists.org/archives/isalist/
> >>>> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> >>>> ISA Server Articles and Tutorials:
> >>>> http://www.isaserver.org/articles_tutorials/
> >>>> ISA Server Blogs: http://blogs.isaserver.org/
> >>>>
------------------------------------------------------
> >>>> Visit TechGenix.com for more information about our
other
> sites:
> >>>> http://www.techgenix.com
> >>>>
------------------------------------------------------
> >>>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
> >>>> Report abuse to listadmin@xxxxxxxxxxxxx
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>> ------------------------------------------------------
> >>> List Archives:
//www.freelists.org/archives/isalist/
> >>> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> >>> ISA Server Articles and Tutorials:
> >>> http://www.isaserver.org/articles_tutorials/
> >>> ISA Server Blogs: http://blogs.isaserver.org/
> >>> ------------------------------------------------------
> >>> Visit TechGenix.com for more information about our
other sites:
> >>> http://www.techgenix.com
> >>> ------------------------------------------------------
> >>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
> >>> Report abuse to listadmin@xxxxxxxxxxxxx
> >>>
> >>>
> >>>
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives:
//www.freelists.org/archives/isalist/
> >> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server Articles and Tutorials:
> >> http://www.isaserver.org/articles_tutorials/
> >> ISA Server Blogs: http://blogs.isaserver.org/
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our
other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >>
> >>
> >>
> >
> >
> > ------------------------------------------------------
> > List Archives:
//www.freelists.org/archives/isalist/
> > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other
sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> >
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other
sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
>
>
>
>
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
