arhame asked:

ISA Server 2004 and outbound VPN Access

I have recently setup a windows 2003 server running ISA 2004.  All of the publishing seems to be working perfectly, as well as email and normal Internet access from the internal network.  Where I am having an issue, though, is the ability to establish a VPN connection via PPTP from a Windows XP workstation from behind the ISA Server to an external VPN Server.  When I attempt to make the connection, I get an Error 619.

I'm assuming this is an ISA Server configuration issue.  Does anyone know how to properly allow outbound PPTP access?
Emptyone:
You have to make a rule that allows PPTP outbound from the LAN to the External network.
arhame (asker):
That had already been done.  I had created an access policy that was set to Allow | Selected Protocols:PPTP | From:Internal | To:External | Users:All.

Still didn't work though.  Any other ideas?

I did quite a bit of reading on the isaserver.org board; I haven't been the only one to see this error, and over there a clear answer was never given on how or what else could be causing this issue.
Are they using the ISA server as gateway?
arhame (asker):
Yes, and they are also running the new firewall client.
Have you tried without the client? I'm using it like you have it set up, but without the FC.
arhame (asker):
I've tried disabling the firewall client also, with the same results.  I had read multiple articles on the isaserver.org website on this issue, and a resolution was never pointed out for anyone who was experiencing this same issue.  So, I was kinda curious if there was some other setting that I had missed, such as with ISA 2000 where you had to enable the PPTP filter, not just create a firewall rule for it.

Also, when I created PPTP outbound connections with ISA 2000, if I entered the remote network's IP address range into my LAT, I didn't have to disable the firewall client in order for it to work.  I'm curious if I also need to create my remote VPN servers' offices as different networks in my ISA 2004 setup.
All I did was to make the rule you made, but I also included L2TP and IPSec NAT-T client
arhame (asker):
For grins, I tried adding those to my PPTP Outbound rule, and I'm still having the same results.

Any other suggestions?
Have you tried to monitor the server and see if it denies traffic when you try to connect with the VPN?
arhame (asker):
When I turn on logging, I notice 3 connections: 2 PPTP Initiated Connections to destination ports 1723 and 0, coming from my workstation IP address, with the Source Network being Internal and the Destination Network being External.  The third connection shows the PPTP connection being closed.
Have you had a look on this site and the VPN deployment kit?

http://www.microsoft.com/isaserver/techinfo/Guidance/2004/vpn.asp
arhame (asker):
Yes, and I followed the PPTP instructions to the letter in chapter 6 on outbound PPTP.
arhame (asker):
One thing I've noticed while reading through some of the MS documentation and looking at their screen captures is that the little icon next to the Protocols field of the firewall policy page, next to PPTP, is different from the one in the screen captures.  The one I'm seeing on my ISA 2004 server is a little icon that looks like an open book on top of a network connection.  In the screen captures, it appears as two blue arrows pointing in opposite directions.  Not sure if this information is relevant or not, but I figure it couldn't hurt.
arhame (asker):
Ok, still trying to troubleshoot this issue.

I've completely uninstalled ISA 2004 and reinstalled it.  I recreated all of my firewall policy rules and once again, everything is working perfectly except for outbound PPTP connections, and I get the same error 619.  I know this isn't a router issue, because before this upgrade I was running ISA 2000 and everything was working correctly.

Any more recommendations?
arhame (asker):
This evening I completely reinstalled Windows 2003 Server and ISA 2004 on the ISA box, and even with a clean setup I am still getting the same issues.  The quickstart guide suggests running DNS and DHCP on your ISA Server, but is this absolutely necessary?  We are already running DNS with forwarders and DHCP on another server in the organization.  Besides that, and according to the documentation, everything else is set up properly.  Any ideas?
TannerMan:
Set your XP client's default gateway to the IP address of the ISA server. This makes it a SecureNAT client (SNAT). Then attempt your VPN connection outbound.

Just something to try!!!!
arhame (asker):
All of the workstations are already SecureNAT clients.  Thanks for the attempt though.
I am assuming then that you have utilized www.isaserver.org for researching this? It is the BEST website for ISA.
arhame (asker):
Yes, I started there first.

Here is the thread on their website:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000315

arhame (asker):
One thing that I'm doing, that I'm not quite sure if it's making a difference or not, is not running DNS on the ISA Server itself.  Instead, I'm using my existing internal DNS Server which is located on a Domain Controller that has forwarders pointing to my ISP's DNS Servers.
arhame (asker):
Still plowing through this:

Update:
What I've done now is to completely build another ISA Server to see if I could resolve this issue. I did a default installation of Windows 2003 Server on a machine with dual NICs. I did NOT install DNS or DHCP on the box, as I would like to utilize our already existing DNS and DHCP servers.

On the external NIC, I configured it with one of our public IPs/subnet masks, using the IP address of our router (which it is connected to) as the Default Gateway. No IP was entered for a DNS Server.

On the internal NIC, I configured it with a static IP that falls in the realm of our internal IP address range and subnet mask (192.168.0.20/255.255.255.0). No default gateway was configured, and the DNS Server was configured to our internal DNS Server (192.168.0.1). Our internal DNS Server and DHCP Server serve up addresses for the 192.168.0.x range, are Active Directory integrated, and use forwarders that point to our ISP's DNS servers for external name resolution. "Do not use recursion for this domain" is checked.

On all of the workstations, the new firewall client is installed and is pointing at the ISA server. Their default gateways are pointing to the ISA server, and the DNS server setting is pointing to our internal DNS server.

On the ISA Server, I have created an access rule that allows all outbound protocols from Internal to External with All Users selected as the users. Also, I have created another rule called PPTP outbound which allows the pptp protocol from Internal to External with users set to All Users.

When I turn on monitoring, and attempt to establish a PPTP session from one of the workstations behind the ISA 2004 server to a remote ISA 2000 server acting as a VPN server to a remote network, I see 3 items:
1. Destination IP of the VPN server I'm trying to connect to, Destination port: 1723, Protocol: PPTP, Action: Initiated Connection, Rule: Allow Access, Client IP: machine IP from which I'm trying to establish the VPN, Source Network: Internal, Destination Network: External
2. Destination IP of the VPN server I'm trying to connect to, Destination port: 0, Protocol: PPTP, Action: Initiated Connection, Rule: Allow Access, Client IP: machine IP from which I'm trying to establish the VPN, Source Network: Internal, Destination Network: External
3. Destination IP of the VPN server I'm trying to connect to, Destination port: 1723, Protocol: PPTP, Action: Closed Connection, Rule: Allow Access, Client IP: machine IP from which I'm trying to establish the VPN, Source Network: Internal, Destination Network: External

On the client machine, I get an almost immediate "Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed."

On the original box, before the upgrade, we were running Windows 2003 server and ISA 2000 with no problems. I would really love to stick with 2004 because every single other aspect of it has been outstanding.
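As an added illustration (not code from this thread, from ISA Server, or from any of its posters), the script below reads firewall log records laid out like the three entries in the post above and reports which leg of an outbound PPTP attempt went wrong: the TCP 1723 control channel, the GRE data leg, or a teardown after both were permitted. The pipe-delimited column layout, the sample addresses, the rule names and the assumption that the GRE leg (IP protocol 47, which carries no port) is logged with destination port 0 are all constructed for this example.

```python
"""Classify the outcome of outbound PPTP attempts from constructed firewall log records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log modelled on the three entries described in the thread.
# The pipe-delimited layout is an assumption for this example, not ISA 2004's log format.
SAMPLE_LOG = """\
2005-03-01 09:15:00|192.168.0.50|203.0.113.10|1723|PPTP|Initiated Connection|PPTP outbound|Internal|External
2005-03-01 09:15:00|192.168.0.50|203.0.113.10|0|PPTP|Initiated Connection|PPTP outbound|Internal|External
2005-03-01 09:15:01|192.168.0.50|203.0.113.10|1723|PPTP|Closed Connection|PPTP outbound|Internal|External
"""

FIELDS = ("time", "client", "dst", "dport", "proto", "action", "rule", "src_net", "dst_net")
PPTP_CONTROL_PORT = 1723   # TCP control channel of PPTP
GRE_PSEUDO_PORT = 0        # assumption: the port-less GRE leg is logged with destination port 0
IMMEDIATE_CLOSE_SECS = 5   # "almost immediate" teardown, as the thread describes


def parse_log(text):
    """Parse pipe-delimited records into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue  # malformed or empty line: ignore rather than crash
        rec = dict(zip(FIELDS, parts))
        try:
            rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
            rec["dport"] = int(rec["dport"])
        except ValueError:
            continue
        records.append(rec)
    return records


def classify_attempts(records):
    """Return {(client, dst): verdict} for every PPTP client/server pair in the records."""
    by_pair = defaultdict(list)
    for rec in records:
        if rec["proto"].upper() == "PPTP":
            by_pair[(rec["client"], rec["dst"])].append(rec)

    verdicts = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["time"])
        denied = [r for r in recs if "Denied" in r["action"]]
        ctl_open = [r for r in recs
                    if r["dport"] == PPTP_CONTROL_PORT and r["action"].startswith("Initiated")]
        ctl_close = [r for r in recs
                     if r["dport"] == PPTP_CONTROL_PORT and r["action"].startswith("Closed")]
        gre_open = [r for r in recs
                    if r["dport"] == GRE_PSEUDO_PORT and r["action"].startswith("Initiated")]

        if denied:
            # The firewall itself refused the attempt: an allow rule for PPTP is missing.
            verdicts[pair] = "denied-by-policy: no PPTP Internal->External allow rule matched"
        elif not ctl_open:
            verdicts[pair] = "no-control-channel: TCP 1723 never reached the firewall"
        elif not gre_open:
            # Control channel allowed but the firewall never opened the GRE leg.
            verdicts[pair] = "gre-not-initiated: check the PPTP protocol definition/filter"
        elif ctl_close and (ctl_close[0]["time"] - ctl_open[0]["time"]).total_seconds() <= IMMEDIATE_CLOSE_SECS:
            # Both legs were permitted here yet the tunnel collapsed at once: the
            # firewall policy is not the blocker, so look at the path beyond it.
            verdicts[pair] = "allowed-but-torn-down: both legs permitted; suspect the upstream path"
        else:
            verdicts[pair] = "established"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in classify_attempts(parse_log(SAMPLE_LOG)).items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
```

Run against the constructed sample, the script reports `allowed-but-torn-down` for the workstation/VPN-server pair, which is exactly the pattern the thread ends up explaining with a device beyond the firewall rather than with the access rules.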
Your external NIC on ISA has to have the DNS servers of your ISP to resolve anything out on the net.
Humor me and add that to your ISA and test again. Some connections are done via the ISA server itself; it is not going to consult the internal NIC to ask for a DNS server to find an external site.

Still reading your entry over again...........
arhame (asker):
I had tried that earlier also, and still same results.  Just for grins, I reconfigured as you suggested, rebooted both the isa server and workstation, and same end result.

Now, on all of the remote ISA 2000 servers that we connect to, we do not have DNS servers set on the external interface and do not have any issues.  I could have sworn that I read somewhere that you were not supposed to set up a DNS entry on the external interface, or is this wrong?
OK, sorry for the trouble.
All the docs I have read on isaserver.org say to. In fact, Tom Shinder physically connected to one of mine on a major issue I was having and agreed with it. It may have a lot to do with what you're doing with it.

HMMMMM
So ISA 2000 had no problem, but 2004 does.
In Tom's post he mentioned a protocol rule with no authentication. I noticed you asked what he meant. Sadly, I haven't gone to ISA 2004 yet, so I am not sure.
I won't give up on you though. I will keep digging
Just for kicks and giggles, have you run the Allow VPN Connections wizard?
It creates packet filters for client-side PPTP, which is why I ask.
Another thought just to try some testing
Try creating the VPN connection FROM the ISA server itself....after hours, because it can interrupt normal routing because the default gateway changes to the vpn connection's remote network.
Just wonder if the ISA itself can do it.

arhame (asker):
Ok, let me address all the posts.
I'll begin doing that as far as the DNS setting goes on the external interface.  It's been quite a while since I took the 70-227 test and I may have misunderstood.

Yes, I've already been through the VPN Connection wizard because the users here can connect from home to work with no issues through the new ISA 2004 server.

And, for trying the VPN connection from the ISA server itself, I get an Error 800: Unable to establish the VPN connection.  I had tried that one a couple of days ago also.

Thanks for trying though, and I appreciate anything else you might come up with.

Note:  I get the same message (from the ISA Server and from internal workstations) when I try to connect to any VPN server, not just one in particular.  I have about a dozen or so that I VPN into on a normal basis.
arhame (asker):
I had a wild idea last night and gave Time Warner (Road Runner), the cable Internet provider here, a call.  I had a technician out here today and he ran some very thorough diagnostics on the router, and it was showing to be working flawlessly.  So, I asked him if we could change out the router to another brand just for grins.  Reluctantly, he agreed.  As soon as he finished getting the new router provisioned and plugged back in, guess what happened.  PPTP connections worked.

He said afterwards, that he has seen other instances of where certain types of cable routers would not work well with certain firewalls.  Well, one of the unix boxes that we have also was experiencing disconnect issues when a connection would sit idle for over 3 minutes.  As soon as the new router was put into place, that ceased also.

So, perhaps the others that are experiencing this issue also are having conflicts with their routers.
ASKER CERTIFIED SOLUTION
CetusMOD