[isalist] Re: Error establishing a VPN to the ISA server
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Wed, 28 Jun 2006 18:54:58 -0500
http://www.ISAserver.org
-------------------------------------------------------
Looks like I'm going to need to get me one of those. I've been lucky the
last couple of years though -- I haven't encountered any hotels that
didn't allow outbound PPTP and/or L2TP/IPSec.
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Glenn P. JOHNSTON
> Sent: Wednesday, June 28, 2006 6:29 PM
> To: isalist@xxxxxxxxxxxxx; isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> The linksys unit Tom's link points at is infact the unit I
> have taken to the Director in Melbourne.
>
> It's working a treat.
>
> But his still yelling and screaming, now about having to
> carry and extra 500grams of weight home !
>
> What an A. Hole !
>
> I'm also suprised to see them using a 192.168.110.x range,
> the reason I suggest them using something well away from the
> common, 192.168.0.x, 192.168.1.x or 192.168.2.x range was
> that most home BB routers 'out of the box' use these ranges,
> as do the hotels I've come across in the past. I assumed,
> incorrectly. that we'd be pretty safe moving well out of
> these common addresses ranges
>
> Another one we came across a few weeks back, was the
> inability to establish a VPN link, this user was far more
> willing to be of assistance in sorting the issue. Turns out
> the hotel's BB service was locked down, only allowing port 80
> or 443 through. Everything else was blocked.
>
> Fortunately, in that instance the user was quite happy to use
> OWA for a few days. So it was only a minor issue.
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thomas W Shinder
> Sent: Thu 29/Jun/2006 06:59
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the ISA server
>
>
> Or maybe this one?
>
> http://www-au.linksys.com/servlet/Satellite?c=L_Product_C2&chi
> ldpagename=AU%2FLayout&cid=1130279436183&packedargs=site%3DAU&
> pagename=Linksys%2FCommon%2FVisitorWrapper
>
> 4x1 inches.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, June 28, 2006 3:48 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN to the
> ISA server
>
>
> OK, like Thor said, you can only access the SBS box. Is
> this the only requirement?
>
> One option is to enable RDP connections to the SBS box,
> then within that RDP session, create a second RDP session to
> the destination box.
>
> Pretty suboptimal. I'll go with Tim's idea and get a
> NAT device out to the boss.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, June 28, 2006 2:19 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN
> to the ISA server
>
>
>
> Or you can assign VPN clients the autonet
> address in your VPN server configuration. I'm preparing an
> article on how to do this.
>
>
>
> Tom
>
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of D
> PIETRUSZKA USWRN INTERLINK INFRA
> Sent: Wednesday, June 28, 2006 1:20 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN
> to the ISA server
>
>
>
> Why not just create two VPN's, one with 1
> subnet and the other one with another subnet, you won't have
> this problem again no matter on which hotel your customer stay.
>
> For us OWA/RPC HTTP don't work because we use
> RSA to authenticate user on OWA.
>
>
>
> Regards
>
> Diego R. Pietruszka
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, June 28, 2006 1:57 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN
> to the ISA server
>
>
>
> Until the one you switch to is on a 10. network
> and all the work Tom did with the internal IP stuff is all
> for naught. ;)
>
> I'm telling ya... This is becoming way more and
> more common. I'm surprised to see this dude's hotel on
> 192.168.110 (I really am) but it's actually becoming more
> common for some of my people to be on conflicting nets,
> particularly when they give you a 10.0.0.0 address on a
> 255.0.0.0 subnet. Hence the need for a localized NAT
> solution- OWA/RCPoHTTP is fine when all you need is email
> stuff, but when you've got to be RDP'ing into multiple
> servers, accessing SQL boxes, hitting VoIP equipment, etc.,
> publishing scenarios just don't cut it...
>
> I've tried lots of different things at varying
> degrees of complexity (like a virtual pc install, Kerio
> routing tricks, KY jelly, etc) but I've found that keeping
> things limited to the "plug THIS into THAT, then plug THAT
> into the OTHER THING" mentality is the best.
>
> That's really why most of my mobile people have
> the high speed EVDO solutions (we use verizon) so that we
> don't really have to worry about it. Hotel connections are
> usually way faster, but EVDO works all the time (most of the
> time, anyway).
>
> I can actually envision a market for a little
> USB device that NAT's the connection all the time for the
> true "road warrior" that spends a lot of time on other
> people's networks.
>
> t
>
>
> On 6/28/06 7:51 AM, "Jonathon J. Howey"
> <Jonathon@xxxxxxxx> spoketh to all:
>
> A non-technical solution: Wouldn't it of been
> easier to tell the Directory to switch hotels? :p
>
> But then that wouldn't be any fun for you guys...
>
> Jonathon J. Howey
> MENSE Inc.
> P 780.409.5620
> F 780.409.5621
> D 780.409.5628
> C 780.965.8363
> Jonathon@xxxxxxxx
>
> Defining the Future of Transportation
> www.MENSE.ca <http://www.mense.ca/>
> <http://www.mense.ca/>
>
>
>
>
>
> ________________________________
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thomas
> W Shinder
> Sent: June 28, 2006 8:31 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a VPN
> to the ISA server
>
> Nice tip!
> Thanks!
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> <http://www.isaserver.org/> <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
>
>
>
> ________________________________
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, June 28, 2006 9:19 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a
> VPN to the ISA server
>
>
> You'll still hit it. The router will be given
> the local IP just like a lappy would, and you'll hit it via
> the NAT'd connection. Do it all the time.
>
> t
>
>
> On 6/28/06 6:51 AM, "Thomas W Shinder"
> <tshinder@xxxxxxxxxxx> spoketh to all:
>
>
>
> What if that broadband router has to interact
> with a log on page?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> <http://www.isaserver.org/> <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7> <http://tinyurl.com/3xqb7>
> MVP -- ISA Firewalls
>
>
>
>
>
>
>
>
>
>
> ________________________________
>
>
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> <mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Glenn
> P. JOHNSTON
> Sent: Tuesday, June 27, 2006 11:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: RE: [isalist] Re: Error establishing
> a VPN to the ISA server
>
>
>
> Plan is, I am going to take;
>
>
>
>
> 1.
> 2. A linksys 4 port BB router, to plug
> in between the hotels BB, and his notebook, which I think
> will do the trick nicely.
> 3.
> 4.
> 5. A wireless broadband card, just in case.
> 6.
> 7.
> 8. A second notebook with the companys
> SOE on it, also just in case.
> 9.
> 10.
> 11. My Wife, it will be a nice little day
> or two away for us.
>
>
>
>
>
>
>
>
> ________________________________
>
>
>
>
> From: isalist-bounce@xxxxxxxxxxxxx on behalf
> of Thor (Hammer of God)
> Sent: Wed 28/Jun/2006 14:06
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a
> VPN to the ISA server
>
>
>
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> You gonna add a new IP to the server, bring a
> little NAT router, or both? ;)
>
> t
>
>
> On 6/27/06 9:00 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> to all:
>
> > I don't believe it.
> >
> > I've just been offered a return first class
> plane ticket, a nights
> > accomodation, 2 nights if need be, all
> expenses + how ever many hours it takes
> > at my normal hourly rate to go see the
> director in person and fix this for him
> > so he can get his e-mail !
> >
> > "Well I'll loose a whole day on this",
> "Fine, then charge us for every hour
> > your away, just get it fixed !"
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx on
> behalf of Thor (Hammer of God)
> > Sent: Wed 28/Jun/2006 13:45
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Error establishing a
> VPN to the ISA server
> >
> >
> >
> > http://www.ISAserver.org
> >
> -------------------------------------------------------
> >
> > OWA would be a great "backup" solution in
> the rare case where the local
> > Ethernet LAN is the same logical subnet as
> their own offices, even if he
> > couldn't sync. But, in your case of having
> a jackass for a client, you're
> > kind of stuck.
> >
> > An easier thing to do would be to get a
> little Linksys NAT router to stick
> > in between. Plug the hotel ethernet to the
> "Internet" port, and plug the
> > laptop into a "LAN" port. That way he'll
> get a local 192.168.1 address and
> > have no problems. Plus, there is no
> configuration needed at all. The
> > defaults will work just fine. Just plug it
> in and go.
> >
> > t
> >
> >
> > On 6/27/06 8:29 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> > to all:
> >
> >> I'm told he refuses to use OWA as he can't
> sync his mail with the OST on his
> >> notebook. There is just no helping some
> people, no matter how hard you try to
> >> be helpful and solve their problem, they
> just refuse all help on principle !
> >>
> >> Also they passed on to me, that in his
> yelling and screaming his demanding to
> >> know 'Why someone did not realise this
> would happen, and get it fixed before
> >> hand, so I can get my e-mail"
> >>
> >> I really feel sorry for the IT guy at the
> site, his early 20's, finished a
> >> development oriented IT degree last year,
> is quite bright really, but is
> >> still
> >> just learning the finer points of the
> winserver environment, supporting XP
> >> etc, and it working toward his MCSE, having
> passed the first 2 exams in the
> >> last couple of months. He reports to this
> Director, and from what I can see,
> >> gets one hell of a serve from him as soon
> as anything a little bit odd
> >> occurs.
> >>
> >> I can't see a away around this, without
> the Director having to do something
> >> out of the ordinary, which apparently, is
> just not an option, and have just
> >> told them that.
> >>
> >> I've suggested the only possibly way, I
> can see, is to go out and purchase a
> >> wireless broadband card from someone local,
> get it on the net, set up a
> >> notebook with it and his e-mail, and get it
> express couriered to him. He'd
> >> have it early eveing or first thing in the
> morning.
> >>
> >> There was a chocking sound on the other
> end of the phone, "but then he'd have
> >> to carry 2 notebooks back ! " and "What do
> I do if he gets it and it does not
> >> work ?" ..................................
> >>
> >> Find another job came to mind..
> >>
> >> ________________________________
> >>
> >> From: isalist-bounce@xxxxxxxxxxxxx on
> behalf of Thor (Hammer of God)
> >> Sent: Wed 28/Jun/2006 12:49
> >> To: isalist@xxxxxxxxxxxxx
> >> Subject: [isalist] Re: Error establishing
> a VPN to the ISA server
> >>
> >>
> >>
> >> http://www.ISAserver.org
> >>
> -------------------------------------------------------
> >>
> >> Well, it would have worked other than the
> gw on the hotel being the same as
> >> the SBS box... Bad luck there. But, I've
> had to do this several times for
> >> the exact same scenario with my people.
> Seems the Marriott and I thought
> >> alike in our IP schemes ;)
> >>
> >> You could always just add another IP
> address to the SBS box (well, you could
> >> if it were a "regular" server install-- I
> don't know what you'd have to go
> >> through on SBS to do that.) That would
> work, though.
> >>
> >> Not much we can do about a guy who wants
> to scream more than get the job
> >> done, though. I'd tell him that if he
> wanted his email to STFU and do what
> >> was needed. It's not like it is anyone's
> "fault." There are other options
> >> you have, but they would all require him
> doing *something*.
> >>
> >> I'm assuming that OWA is not an option for
> some reason?
> >>
> >> t
> >>
> >>
> >> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> >> to all:
> >>
> >>> The internal IP of the SBS server is
> 192.168.110.2, G/W on the hotel BB
> >>> service is also 192.168.110.2 unfortunately !
> >>>
> >>> I tried the static route on my home ADSL
> service by changing the internal
> >>> private IP to match the Hotel's to play
> with, and everything else works, I
> >>> can
> >>> get to the internet and other clients
> networks fine, but I can not get to
> >>> anything on the remote network after the
> tunnel is connected, of the client
> >>> with the problem.
> >>>
> >>> Putting the static route in I doubt will
> work anyway, the fellow will
> >>> probably
> >>> just yell and scream as soon as he is asked
> to do anything remotely
> >>> technical,
> >>> expecting it to be magically fixed from this end.
> >>>
> >>> ________________________________
> >>>
> >>> From: isalist-bounce@xxxxxxxxxxxxx on
> behalf of Thor (Hammer of God)
> >>> Sent: Wed 28/Jun/2006 12:27
> >>> To: isalist@xxxxxxxxxxxxx
> >>> Subject: [isalist] Re: Error establishing
> a VPN to the ISA server
> >>>
> >>>
> >>>
> >>> http://www.ISAserver.org
> >>>
> -------------------------------------------------------
> >>>
> >>> All he has to do is set a static route
> for the SBS box's IP to the gateway
> >>> address of the VPN endpoint.
> >>>
> >>> IOW, if the SBS box is 192.168.110.101,
> and his PPP VPN interface got
> >>> assigned something like 192.168.110.11
> from the RRAS server (do an IP config
> >>> to see what ip his PPP adapter is, or look
> at the RRAS properties of the
> >>> connection) then you would have him do a:
> >>>
> >>> ROUTE -p add 192.168.110.101 mask
> 255.255.255.255 192.168.110.11
> >>>
> >>> That way, when he attempts to access the
> SBS server, the request will route
> >>> down the VPN rather than broadcasting on
> the "local" 192.168.110.x network.
> >>>
> >>> t
> >>>
> >>>
> >>> On 6/27/06 7:13 PM, "Glenn P. JOHNSTON"
> <glenn.johnston@xxxxxxxxxxx> spoketh
> >>> to all:
> >>>
> >>>> http://www.ISAserver.org
> >>>>
> -------------------------------------------------------
> >>>>
> >>>> Hi,
> >>>>
> >>>> Maybe, maybe not directly and ISA
> question, and I've posted this in an SBS
> >>>> forum as well, but you people are pretty
> bright & I thought you might have
> >>>> some worth while input on this.
> >>>>
> >>>> One of my clients has an issue with VPN
> tunnel. This has been inplace since
> >>>> Sunday afternoon, but they only rang me
> this morning.
> >>>>
> >>>> One of their directors is at a week long
> conference, and the Hotel where he
> >>>> is
> >>>> staying, has provides an in room
> broadband service.
> >>>> The BroadBand in the hotel is using a
> 192.168.110.0/24 address range, the
> >>>> internal address of the clients network
> at the office is also a
> >>>> 192.168.110.0/24 range.
> >>>>
> >>>> The VPN tunnel establishes fine, and
> the VPN connector on his notebook get
> >>>> an
> >>>> address, of course, in the
> 192.168.110.100 to 192.168.110.199 range of the
> >>>> DHCP server on the SBS server.
> >>>>
> >>>> Once the tunnel is established, he can
> acess nothing on the SBS. This is to
> >>>> be
> >>>> expected as the address ranges are the
> same, does anyone have any bright
> >>>> idea's on how to get around this. The
> Director is yelling and screaming
> >>>> about
> >>>> not being able to get his e-mail.
> >>>>
> >>>> Unfortunately he is out out direct reach
> in another state, and has very
> >>>> little
> >>>> tolerance for such problems.
> >>>>
> >>>> Regards
> >>>> Glenn
> >>>>
> ------------------------------------------------------
> >>>> List Archives:
> //www.freelists.org/archives/isalist/
> >>>> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> >>>> ISA Server Articles and Tutorials:
> >>>> http://www.isaserver.org/articles_tutorials/
> >>>> ISA Server Blogs: http://blogs.isaserver.org/
> >>>>
> ------------------------------------------------------
> >>>> Visit TechGenix.com for more information
> about our other sites:
> >>>> http://www.techgenix.com
> >>>>
> ------------------------------------------------------
> >>>> To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> >>>> Report abuse to listadmin@xxxxxxxxxxxxx
> >>>>
> >>>>
> >>>>
> >>>
> >>>
> >>>
> ------------------------------------------------------
> >>> List Archives:
> //www.freelists.org/archives/isalist/
> >>> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> >>> ISA Server Articles and Tutorials:
> >>> http://www.isaserver.org/articles_tutorials/
> >>> ISA Server Blogs: http://blogs.isaserver.org/
> >>>
> ------------------------------------------------------
> >>> Visit TechGenix.com for more information
> about our other sites:
> >>> http://www.techgenix.com
> >>>
> ------------------------------------------------------
> >>> To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> >>> Report abuse to listadmin@xxxxxxxxxxxxx
> >>>
> >>>
> >>>
> >>
> >>
> >>
> ------------------------------------------------------
> >> List Archives:
> //www.freelists.org/archives/isalist/
> >> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server Articles and Tutorials:
> >> http://www.isaserver.org/articles_tutorials/
> >> ISA Server Blogs: http://blogs.isaserver.org/
> >>
> ------------------------------------------------------
> >> Visit TechGenix.com for more information
> about our other sites:
> >> http://www.techgenix.com
> >>
> ------------------------------------------------------
> >> To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >>
> >>
> >>
> >
> >
> >
> ------------------------------------------------------
> > List Archives:
> //www.freelists.org/archives/isalist/
> > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> >
> ------------------------------------------------------
> > Visit TechGenix.com for more information
> about our other sites:
> > http://www.techgenix.com
> >
> ------------------------------------------------------
> > To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> >
>
>
> ------------------------------------------------------
> List Archives:
> //www.freelists.org/archives/isalist/
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information
> about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
>
>
>
>
>
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
