Yup, was going on your article at http://www.isaserver.org/tutorials/2004rightstart.html

The worst part is, I'd already been to and glossed (can't say I read it - as I clearly only glossed over it :(

Anthony.

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 24 August 2005 23:54
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

http://www.ISAserver.org

Hi Anthony,

1. Remove the external DNS server
2. Put an internal DNS server on the internal interface
3. Confirm that the internal DNS server can resolve Internet host names and AD names
4. Move the internal interface to the top of the interface list

Restart the ISA firewall.

I remember the first time I lost my domain connectivity because of the evil external DNS setting :)

Tom
www.isaserver.org
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

_____

From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
Sent: Wednesday, August 24, 2005 8:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

Gak! Ok, I'm going to re-read your article!

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 24 August 2005 23:38
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

Hi Anthony,

Your DNS settings are not correct! A whipping will be ready for you in the morning.

Tom

_____

From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
Sent: Wednesday, August 24, 2005 8:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

Hi Tom,

Disabling VPN client support (or enabling it) does not change the status of the RRAS service.
I'll disable in ISA, disable RRAS, then enable.

DNS settings are "correct" as far as I know. Both NICs have DNS servers for internal / external servers respectively.

The Authentication (windows users) is listing a GUID, not resolving the group name or Domain - so this may indicate an issue?

Any ideas on where to look next?

Anthony.

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 24 August 2005 23:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

Hi Anthony,

Disable VPN client support in the ISA firewall console. That should disable RRAS IIRC. If not, manually disable the RRAS server and then configure VPN client connectivity in the ISA firewall console again.

Also, what are the DNS settings on the ISA firewall interfaces?

Tom

_____

From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
Sent: Wednesday, August 24, 2005 8:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

Hi Tom,

Sorry - it's getting close to midnight - those would be the helpful details.

I have configured (and unconfigured) RRAS services through the RRAS MMC snapin as part of fault finding. At one stage I was able to have a VPN Connection inbound up and stable - but I think that this may have been a fluke or a connection to the RRAS server without ISA being involved (possibly during an ISA service restart).

I'm getting this event happening at every connect attempt.
Logon Failure:
    Reason: An error occurred during logon
    User Name: HGS
    Domain: ELGXINT
    Logon Type: 3
    Logon Process: IAS
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name:
    Status code: 0xC000005E
    Substatus code: 0x0
    Caller User Name: TOR$
    Caller Domain: ELGXINT
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 836
    Transited Services: -
    Source Network Address: -
    Source Port: -

Outbound is possibly related: I'm getting an "Initiated Connection" to dest. port 1723, then the same to dest. port 0, then a closed connection almost immediately afterwards.

In addition to this, I'm finding Kerberos items in the event log, that look like http://support.microsoft.com/?kbid=890477 although I'm not sure if this is relevant.

I have not applied ISA SP1 this time around, but it appears that the SP1 is not relevant.

Many thanks,
Anthony

_____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Wednesday, 24 August 2005 23:08
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Problematic VPN Access via ISA2004

Hi Anthony,

What ball are you following? Where are you seeing failures?

thanks!
Tom

_____

From: Anthony Michaud [mailto:anthonym@xxxxxxxxxxxxxx]
Sent: Wednesday, August 24, 2005 8:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Problematic VPN Access via ISA2004

Hi Guys,

Looking for some assistance, reference, 2x4 blocks of timber etc :)

I am attempting to configure VPN access (inbound and outbound) on an ISA server 2004, running on a fresh W2k3 slipstreamed SP1 installation. Celeron 2.6Ghz, 1Gb RAM, <cough>realtek<cough> NICs

Can someone point me at some detailed documentation for setting this up?
I'm following the bouncing ball (or what I thought was the bouncing ball) and it's hit a rock and I've now lost the ball!
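
Steps 1 and 2 of Tom's reply in this thread (no external DNS server on any interface, an internal DNS server present) written as a check over `ipconfig /all` output. This is an added example, not part of the thread; the sample output, the addresses and the internal range `10.0.0.0/24` are constructed assumptions, and the parser handles IPv4 entries only.

```python
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumption: internal range

# Constructed `ipconfig /all` excerpt (not from the thread): external NIC has outside DNS.
SAMPLE = """\
Ethernet adapter External:
   IP Address. . . . . . . . . . . . : 203.0.113.10
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53

Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.2
                                       10.0.0.3
"""

def parse_dns_servers(text):
    """Return {adapter name: [DNS servers]} from `ipconfig /all` text (IPv4 only)."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        header = re.match(r"^\S.* adapter (.+):\s*$", line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
        elif current is not None and line.strip():
            if ":" in line:  # "Label . . . : value" starts a new field
                label, value = line.split(":", 1)
                in_dns = label.replace(".", "").strip() == "DNS Servers"
            else:            # bare value: continuation of the previous field
                value = line
            if in_dns and value.strip():
                adapters[current].append(value.strip())
    return adapters

def audit(adapters, internal_nets=INTERNAL_NETS):
    """Flag DNS servers outside the internal range, and the lack of an internal one."""
    findings, internal_seen = [], False
    for name, servers in adapters.items():
        for server in servers:
            if any(ipaddress.ip_address(server) in net for net in internal_nets):
                internal_seen = True
            else:
                findings.append(f"{name}: external DNS server {server}, remove it")
    if not internal_seen:
        findings.append("no internal DNS server configured on any interface")
    return findings
```

Calling `audit(parse_dns_servers(SAMPLE))` reports the external interface's DNS entry; the interface order from step 4 is not visible in this output and is not checked.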