RE: Problematic VPN Access via ISA2004

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Aug 2005 08:53:53 -0500

Hi Anthony,
 
1. Remove the external DNS server
2. Put an internal DNS server on the internal interface
3. Confirm that the internal DNS server can resolve Internet host names and AD names
4. Move the internal interface to the top of the interface list
 
Restart the ISA firewall.
 
I remember the first time I lost my domain connectivity because of the
evil external DNS setting :)
 
Tom
www.isaserver.org
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
        Sent: Wednesday, August 24, 2005 8:46 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Problematic VPN Access via ISA2004

        Gak!  Ok, I'm going to re-read your article!


________________________________

                From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
                Sent: Wednesday, 24 August 2005 23:38
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: Problematic VPN Access via ISA2004

                Hi Anthony,

                Your DNS settings are not correct! A whipping will be ready for you in the morning.

                Tom
                www.isaserver.org
                Tom and Deb Shinder's Configuring ISA Server 2004
                http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls

                 


________________________________

                        From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
                        Sent: Wednesday, August 24, 2005 8:34 AM
                        To: [ISAserver.org Discussion List]
                        Subject: [isalist] RE: Problematic VPN Access via ISA2004

                        Hi Tom,

                        Disabling VPN client support (or enabling it) does not change the status of the RRAS service.  I'll disable in ISA, disable RRAS, then enable.

                        DNS settings are "correct" as far as I know. Both NICs have DNS servers for internal / external servers respectively.

                        The Authentication (windows users) is listing a GUID, not resolving the group name or Domain - so this may indicate an issue?

                        Any ideas on where to look next?

                        Anthony.
                        
                        

________________________________

                                From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
                                Sent: Wednesday, 24 August 2005 23:25
                                To: [ISAserver.org Discussion List]
                                Subject: [isalist] RE: Problematic VPN Access via ISA2004

                                Hi Anthony,

                                Disable VPN client support in the ISA firewall console. That should disable RRAS IIRC. If not, manually disable the RRAS server and then configure VPN client connectivity in the ISA firewall console again.

                                Also, what are the DNS settings on the ISA firewall interfaces?

                                Tom
                                www.isaserver.org
                                Tom and Deb Shinder's Configuring ISA Server 2004
                                http://tinyurl.com/3xqb7
                                MVP -- ISA Firewalls

                                 


________________________________

                                From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
                                Sent: Wednesday, August 24, 2005 8:19 AM
                                To: [ISAserver.org Discussion List]
                                Subject: [isalist] RE: Problematic VPN Access via ISA2004

                                Hi Tom,

                                Sorry - it's getting close to midnight - those would be the helpful details.

                                I have configured (and unconfigured) RRAS services through the RRAS MMC snapin as part of fault finding.  At one stage I was able to have a VPN Connection inbound up and stable - but I think that this may have been a fluke or a connection to the RRAS server without ISA being involved (possibly during an ISA service restart).

                                I'm getting this event happening at every connect attempt.

                                Logon Failure:
                                  Reason:  An error occurred during logon
                                  User Name: HGS
                                  Domain:  ELGXINT
                                  Logon Type: 3
                                  Logon Process: IAS
                                  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
                                  Workstation Name:
                                  Status code: 0xC000005E
                                  Substatus code: 0x0
                                  Caller User Name: TOR$
                                  Caller Domain: ELGXINT
                                  Caller Logon ID: (0x0,0x3E7)
                                  Caller Process ID: 836
                                  Transited Services: -
                                  Source Network Address: -
                                  Source Port: -

                                Outbound is possibly related: I'm getting an "Initiated Connection" to dest. port 1723, then the same to dest. port 0, then a closed connection almost immediately afterwards.

                                In addition to this, I'm finding Kerberos items in the event log that look like http://support.microsoft.com/?kbid=890477 although I'm not sure if this is relevant.

                                I have not applied ISA SP1 this time around, but it appears that the SP1 is not relevant.

                                Many thanks,

                                Anthony
                                 


________________________________

                                From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
                                Sent: Wednesday, 24 August 2005 23:08
                                To: [ISAserver.org Discussion List]
                                Subject: [isalist] RE: Problematic VPN Access via ISA2004

                                Hi Anthony,

                                What ball are you following?

                                Where are you seeing failures?

                                thanks!

                                Tom
                                www.isaserver.org
                                Tom and Deb Shinder's Configuring ISA Server 2004
                                http://tinyurl.com/3xqb7
                                MVP -- ISA Firewalls

                                 


________________________________

                                From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
                                Sent: Wednesday, August 24, 2005 8:00 AM
                                To: [ISAserver.org Discussion List]
                                Subject: [isalist] Problematic VPN Access via ISA2004

                                Hi Guys,

                                Looking for some assistance, reference, 2x4 blocks of timber etc :)

                                I am attempting to configure VPN access (inbound and outbound) on an ISA server 2004, running on a fresh W2k3 slipstreamed SP1 installation.

                                Celeron 2.6Ghz, 1Gb RAM, <cough>realtek<cough> NICs

                                Can someone point me at some detailed documentation for setting this up?  I'm following the bouncing ball (or what I thought was the bouncing ball) and it's hit a rock and I've now lost the ball!

                                Any assistance would be greatly appreciated.

                                Anthony.
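
Added example (not part of the original thread or written by its participants): a small Python triage helper for the logon-failure event quoted earlier in this thread. Status code 0xC000005E is STATUS_NO_LOGON_SERVERS, meaning no domain controller was available to service the logon, which is consistent with the DNS fix given at the top of the thread. The function names and the category labels are assumptions made for this illustration.

```python
import re

# Constructed sample: the logon-failure event from this thread, wrapped the
# way a mail client wraps long lines.
SAMPLE_EVENT = """\
Logon Failure:
  Reason:  An error occurred during
logon
  User Name: HGS
  Domain:  ELGXINT
  Logon Type: 3
  Logon Process: IAS
  Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Status code: 0xC000005E
  Caller User Name: TOR$
  Caller Logon ID: (0x0,0x3E7)
"""

# NTSTATUS code -> (symbolic name, what to investigate first).
# The category labels are this example's own, not Microsoft terminology.
NTSTATUS = {
    0xC000005E: ("STATUS_NO_LOGON_SERVERS", "infrastructure"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "credential"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "credential"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "credential"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account-state"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account-state"),
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_event(text):
    """Parse 'Name: value' lines; a line with no field name continues the
    previous field, which undoes mail-client line wrapping."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif line.strip() and last:
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields

def triage(fields):
    """Classify the failure so a domain-controller reachability problem is
    not chased as a bad password."""
    code = int(fields.get("Status code") or "0", 16)
    name, category = NTSTATUS.get(code, ("UNKNOWN", "unknown"))
    return {"status": name, "category": category,
            # A caller name ending in '$' is a computer account.
            "via_machine_account": fields.get("Caller User Name", "").endswith("$")}
```

An "infrastructure" result on a request made by the server's own computer account points at name resolution and domain controller reachability from that host, before any user credential is suspected.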
