[isalist] Re: Error establishing a VPN to the ISA server
- From: "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>, <isalist@xxxxxxxxxxxxx>
- Date: Thu, 29 Jun 2006 10:38:13 +1000
http://www.ISAserver.org
-------------------------------------------------------
Good Point
From my experience over the last few years, the further up the management chain
the user is, the more important it is that any solution you provide falls into
the "plug THIS into THAT, then plug THAT into the OTHER THING"
With some I've even gone to color coding with colored leads and colored
stickers, so it's real simple, like, just plug the red bits together with the
red lead, plug the yellow bits together with the yellow lead. plug the green
bits together with the green lead.............
Even then, thay can still get it wrong...........................
________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Thor (Hammer of God)
Sent: Thu 29/Jun/2006 03:57
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error establishing a VPN to the ISA server
Until the one you switch to is on a 10. network and all the work Tom did with
the internal IP stuff is all for naught. ;)
I'm telling ya... This is becoming way more and more common. I'm surprised to
see this dude's hotel on 192.168.110 (I really am) but it's actually becoming
more common for some of my people to be on conflicting nets, particularly when
they give you a 10.0.0.0 address on a 255.0.0.0 subnet. Hence the need for a
localized NAT solution- OWA/RCPoHTTP is fine when all you need is email stuff,
but when you've got to be RDP'ing into multiple servers, accessing SQL boxes,
hitting VoIP equipment, etc., publishing scenarios just don't cut it...
I've tried lots of different things at varying degrees of complexity (like a
virtual pc install, Kerio routing tricks, KY jelly, etc) but I've found that
keeping things limited to the "plug THIS into THAT, then plug THAT into the
OTHER THING" mentality is the best.
That's really why most of my mobile people have the high speed EVDO solutions
(we use verizon) so that we don't really have to worry about it. Hotel
connections are usually way faster, but EVDO works all the time (most of the
time, anyway).
I can actually envision a market for a little USB device that NAT's the
connection all the time for the true "road warrior" that spends a lot of time
on other people's networks.
t
On 6/28/06 7:51 AM, "Jonathon J. Howey" <Jonathon@xxxxxxxx> spoketh to all:
A non-technical solution: Wouldn't it of been easier to tell the
Directory to switch hotels? :p
But then that wouldn't be any fun for you guys...
Jonathon J. Howey
MENSE Inc.
P 780.409.5620
F 780.409.5621
D 780.409.5628
C 780.965.8363
Jonathon@xxxxxxxx
Defining the Future of Transportation
www.MENSE.ca <http://www.mense.ca/> <http://www.mense.ca/>
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: June 28, 2006 8:31 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error establishing a VPN to the ISA server
Nice tip!
Thanks!
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
<http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
<http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 28, 2006 9:19 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error establishing a VPN to the ISA
server
You'll still hit it. The router will be given the local IP
just like a lappy would, and you'll hit it via the NAT'd connection. Do it
all the time.
t
On 6/28/06 6:51 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
spoketh to all:
What if that broadband router has to interact with a
log on page?
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
<http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Glenn P. JOHNSTON
Sent: Tuesday, June 27, 2006 11:18 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: Error establishing
a VPN to the ISA server
Plan is, I am going to take;
1.
2. A linksys 4 port BB router, to plug
in between the hotels BB, and his notebook, which I think will do the trick
nicely.
3.
4.
5. A wireless broadband card, just in
case.
6.
7.
8. A second notebook with the companys
SOE on it, also just in case.
9.
10.
11. My Wife, it will be a nice little day
or two away for us.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf
of Thor (Hammer of God)
Sent: Wed 28/Jun/2006 14:06
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error establishing a
VPN to the ISA server
http://www.ISAserver.org
-------------------------------------------------------
You gonna add a new IP to the server, bring a
little NAT router, or both? ;)
t
On 6/27/06 9:00 PM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh
to all:
> I don't believe it.
>
> I've just been offered a return first class
plane ticket, a nights
> accomodation, 2 nights if need be, all
expenses + how ever many hours it takes
> at my normal hourly rate to go see the
director in person and fix this for him
> so he can get his e-mail !
>
> "Well I'll loose a whole day on this",
"Fine, then charge us for every hour
> your away, just get it fixed !"
>
>
>
> ________________________________
>
> From: isalist-bounce@xxxxxxxxxxxxx on
behalf of Thor (Hammer of God)
> Sent: Wed 28/Jun/2006 13:45
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error establishing a
VPN to the ISA server
>
>
>
> http://www.ISAserver.org
>
-------------------------------------------------------
>
> OWA would be a great "backup" solution in
the rare case where the local
> Ethernet LAN is the same logical subnet as
their own offices, even if he
> couldn't sync. But, in your case of having
a jackass for a client, you're
> kind of stuck.
>
> An easier thing to do would be to get a
little Linksys NAT router to stick
> in between. Plug the hotel ethernet to the
"Internet" port, and plug the
> laptop into a "LAN" port. That way he'll
get a local 192.168.1 address and
> have no problems. Plus, there is no
configuration needed at all. The
> defaults will work just fine. Just plug it
in and go.
>
> t
>
>
> On 6/27/06 8:29 PM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh
> to all:
>
>> I'm told he refuses to use OWA as he can't
sync his mail with the OST on his
>> notebook. There is just no helping some
people, no matter how hard you try to
>> be helpful and solve their problem, they
just refuse all help on principle !
>>
>> Also they passed on to me, that in his
yelling and screaming his demanding to
>> know 'Why someone did not realise this
would happen, and get it fixed before
>> hand, so I can get my e-mail"
>>
>> I really feel sorry for the IT guy at the
site, his early 20's, finished a
>> development oriented IT degree last year,
is quite bright really, but is
>> still
>> just learning the finer points of the
winserver environment, supporting XP
>> etc, and it working toward his MCSE, having
passed the first 2 exams in the
>> last couple of months. He reports to this
Director, and from what I can see,
>> gets one hell of a serve from him as soon
as anything a little bit odd
>> occurs.
>>
>> I can't see a away around this, without
the Director having to do something
>> out of the ordinary, which apparently, is
just not an option, and have just
>> told them that.
>>
>> I've suggested the only possibly way, I
can see, is to go out and purchase a
>> wireless broadband card from someone local,
get it on the net, set up a
>> notebook with it and his e-mail, and get it
express couriered to him. He'd
>> have it early eveing or first thing in the
morning.
>>
>> There was a chocking sound on the other
end of the phone, "but then he'd have
>> to carry 2 notebooks back ! " and "What do
I do if he gets it and it does not
>> work ?" ..................................
>>
>> Find another job came to mind..
>>
>> ________________________________
>>
>> From: isalist-bounce@xxxxxxxxxxxxx on
behalf of Thor (Hammer of God)
>> Sent: Wed 28/Jun/2006 12:49
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Error establishing
a VPN to the ISA server
>>
>>
>>
>> http://www.ISAserver.org
>>
-------------------------------------------------------
>>
>> Well, it would have worked other than the
gw on the hotel being the same as
>> the SBS box... Bad luck there. But, I've
had to do this several times for
>> the exact same scenario with my people.
Seems the Marriott and I thought
>> alike in our IP schemes ;)
>>
>> You could always just add another IP
address to the SBS box (well, you could
>> if it were a "regular" server install-- I
don't know what you'd have to go
>> through on SBS to do that.) That would
work, though.
>>
>> Not much we can do about a guy who wants
to scream more than get the job
>> done, though. I'd tell him that if he
wanted his email to STFU and do what
>> was needed. It's not like it is anyone's
"fault." There are other options
>> you have, but they would all require him
doing *something*.
>>
>> I'm assuming that OWA is not an option for
some reason?
>>
>> t
>>
>>
>> On 6/27/06 7:37 PM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh
>> to all:
>>
>>> The internal IP of the SBS server is
192.168.110.2, G/W on the hotel BB
>>> service is also 192.168.110.2
unfortunately !
>>>
>>> I tried the static route on my home ADSL
service by changing the internal
>>> private IP to match the Hotel's to play
with, and everything else works, I
>>> can
>>> get to the internet and other clients
networks fine, but I can not get to
>>> anything on the remote network after the
tunnel is connected, of the client
>>> with the problem.
>>>
>>> Putting the static route in I doubt will
work anyway, the fellow will
>>> probably
>>> just yell and scream as soon as he is asked
to do anything remotely
>>> technical,
>>> expecting it to be magically fixed from
this end.
>>>
>>> ________________________________
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx on
behalf of Thor (Hammer of God)
>>> Sent: Wed 28/Jun/2006 12:27
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Error establishing
a VPN to the ISA server
>>>
>>>
>>>
>>> http://www.ISAserver.org
>>>
-------------------------------------------------------
>>>
>>> All he has to do is set a static route
for the SBS box's IP to the gateway
>>> address of the VPN endpoint.
>>>
>>> IOW, if the SBS box is 192.168.110.101,
and his PPP VPN interface got
>>> assigned something like 192.168.110.11
from the RRAS server (do an IP config
>>> to see what ip his PPP adapter is, or look
at the RRAS properties of the
>>> connection) then you would have him do a:
>>>
>>> ROUTE -p add 192.168.110.101 mask
255.255.255.255 192.168.110.11
>>>
>>> That way, when he attempts to access the
SBS server, the request will route
>>> down the VPN rather than broadcasting on
the "local" 192.168.110.x network.
>>>
>>> t
>>>
>>>
>>> On 6/27/06 7:13 PM, "Glenn P. JOHNSTON"
<glenn.johnston@xxxxxxxxxxx> spoketh
>>> to all:
>>>
>>>> http://www.ISAserver.org
>>>>
-------------------------------------------------------
>>>>
>>>> Hi,
>>>>
>>>> Maybe, maybe not directly and ISA
question, and I've posted this in an SBS
>>>> forum as well, but you people are pretty
bright & I thought you might have
>>>> some worth while input on this.
>>>>
>>>> One of my clients has an issue with VPN
tunnel. This has been inplace since
>>>> Sunday afternoon, but they only rang me
this morning.
>>>>
>>>> One of their directors is at a week long
conference, and the Hotel where he
>>>> is
>>>> staying, has provides an in room
broadband service.
>>>> The BroadBand in the hotel is using a
192.168.110.0/24 address range, the
>>>> internal address of the clients network
at the office is also a
>>>> 192.168.110.0/24 range.
>>>>
>>>> The VPN tunnel establishes fine, and
the VPN connector on his notebook get
>>>> an
>>>> address, of course, in the
192.168.110.100 to 192.168.110.199 range of the
>>>> DHCP server on the SBS server.
>>>>
>>>> Once the tunnel is established, he can
acess nothing on the SBS. This is to
>>>> be
>>>> expected as the address ranges are the
same, does anyone have any bright
>>>> idea's on how to get around this. The
Director is yelling and screaming
>>>> about
>>>> not being able to get his e-mail.
>>>>
>>>> Unfortunately he is out out direct reach
in another state, and has very
>>>> little
>>>> tolerance for such problems.
>>>>
>>>> Regards
>>>> Glenn
>>>>
------------------------------------------------------
>>>> List Archives:
//www.freelists.org/archives/isalist/
>>>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
>>>> ISA Server Articles and Tutorials:
>>>>
http://www.isaserver.org/articles_tutorials/
>>>> ISA Server Blogs:
http://blogs.isaserver.org/
>>>>
------------------------------------------------------
>>>> Visit TechGenix.com for more information
about our other sites:
>>>> http://www.techgenix.com
>>>>
------------------------------------------------------
>>>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
>>>> Report abuse to listadmin@xxxxxxxxxxxxx
>>>>
>>>>
>>>>
>>>
>>>
>>>
------------------------------------------------------
>>> List Archives:
//www.freelists.org/archives/isalist/
>>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
>>> ISA Server Articles and Tutorials:
>>> http://www.isaserver.org/articles_tutorials/
>>> ISA Server Blogs:
http://blogs.isaserver.org/
>>>
------------------------------------------------------
>>> Visit TechGenix.com for more information
about our other sites:
>>> http://www.techgenix.com
>>>
------------------------------------------------------
>>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
>>> Report abuse to listadmin@xxxxxxxxxxxxx
>>>
>>>
>>>
>>
>>
>>
------------------------------------------------------
>> List Archives:
//www.freelists.org/archives/isalist/
>> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
>> ISA Server Articles and Tutorials:
>> http://www.isaserver.org/articles_tutorials/
>> ISA Server Blogs:
http://blogs.isaserver.org/
>>
------------------------------------------------------
>> Visit TechGenix.com for more information
about our other sites:
>> http://www.techgenix.com
>>
------------------------------------------------------
>> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>
>>
>
>
>
------------------------------------------------------
> List Archives:
//www.freelists.org/archives/isalist/
> ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs:
http://blogs.isaserver.org/
>
------------------------------------------------------
> Visit TechGenix.com for more information
about our other sites:
> http://www.techgenix.com
>
------------------------------------------------------
> To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
------------------------------------------------------
List Archives:
//www.freelists.org/archives/isalist/
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information
about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
