Solved

ISA Server 2004 and outbound VPN Access

Posted on 2004-10-25
5,430 Views
Last Modified: 2013-11-16
I have recently set up a Windows 2003 server running ISA 2004. All of the publishing seems to be working perfectly, as well as email and normal Internet access from the internal network. Where I am having an issue, though, is the ability to establish a VPN connection via PPTP from a Windows XP workstation behind the ISA Server to an external VPN Server. When I attempt to make the connection, I get an Error 619.

I'm assuming this is an ISA Server configuration issue.  Does anyone know how to properly allow outbound PPTP access?
Question by arhame
29 Comments

Expert Comment by Emptyone (LVL 8):
    You have to make a rule that allows PPTP outbound from LAN to External Network

Author Comment by arhame (LVL 8):
    That had already been done.  I had created an access policy that was set to Allow | Selected Protocols:PPTP | From:Internal | To:External | Users:All.

    Still didn't work though.  Any other ideas?

    I did quite a bit of reading on the isaserver.org board and I haven't been the only one to see this error and over there, a clear answer was never given on how or what else could be causing this issue.

Expert Comment by Emptyone (LVL 8):
Are they using the ISA server as gateway?

Author Comment by arhame (LVL 8):
    Yes, and they are also running the new firewall client.

Expert Comment by Emptyone (LVL 8):
    Have you tried without the client? I'm using it like you have it set up, but without the FC

Author Comment by arhame (LVL 8):
I've tried disabling the firewall client also with the same results. I had read multiple articles on the isaserver.org website on this issue, and a resolution was never pointed out for anyone who was experiencing this same issue. So, I was kinda curious if there was some other setting that I had missed, such as with ISA 2000 where you had to enable the PPTP filter, not just create a firewall rule for it.

    Also, when I created PPTP outbound connections with ISA2000, if I entered the remote networks IP Address range into my LAT, I didn't have to disable the firewall client in order for it to work.  I'm curious if I also need to create my remote VPN servers offices as different networks in my ISA2004 setup

Expert Comment by Emptyone (LVL 8):
    All I did was to make the rule you made, but I also included L2TP and IPSec NAT-T client

Author Comment by arhame (LVL 8):
For grins, I tried adding those to my PPTP Outbound rule, and I'm still having the same results.

    Any other suggestions?

Expert Comment by Emptyone (LVL 8):
    Have you tried to monitor the server and see if it denies traffic when you try to connect with the VPN?

Author Comment by arhame (LVL 8):
    When I turn on logging, I notice 3 connections.  2 PPTP Initiated connections to destination ports 1723 and 0 coming from my workstation IP address and the Source Network being Internal and Destination Network being external.  The third connection shows the PPTP connection being closed.

Expert Comment by Emptyone (LVL 8):
    Have you had a look on this site and the VPN deployment kit?

    http://www.microsoft.com/isaserver/techinfo/Guidance/2004/vpn.asp

Author Comment by arhame (LVL 8):
    Yes, and I followed the PPTP instructions to the letter in chapter 6 on outbound pptp

Author Comment by arhame (LVL 8):
One thing I've noticed while reading through some of the MS documentation and looking at their screen captures is that the little icon next to the Protocols field of the firewall policy page, next to PPTP, is different from the one in the screen captures. The one I'm seeing on my ISA 2004 server is a little icon that looks like an open book on top of a network connection. In the screen captures, it appears as two blue arrows pointing in opposite directions. Not sure if this information is relevant or not, but I figure it couldn't hurt.

Author Comment by arhame (LVL 8):
    Ok, still trying to troubleshoot this issue.

    I've completely uninstalled ISA 2004 and reinstalled it.  I recreated all of my firewall policy rules and once again, everything is working perfectly except for outbound pptp connections and i get the same error 619.  I know this isn't a router issue, because before this upgrade, I was running ISA 2000 and everything was working correctly.

Any more recommendations?

Author Comment by arhame (LVL 8):
    This evening I completely reinstalled Windows 2003 Server and ISA 2004 on the ISA Box and even with a clean setup, I am still getting the same issues.  The quickstart guide suggests running DNS and DHCP on your ISA Server, but, is this absolutely necessary?  We are already running DNS with forwarders and DHCP on another server in the organization.  Besides that, and according to the documentation, everything else is setup properly.  Any ideas?

Expert Comment by TannerMan (LVL 9):
Set your XP client's default gateway to the IP address of the ISA server. This makes it a SecureNAT client (SNAT). Then attempt your VPN connection outbound.

    Just something to try!!!!

Author Comment by arhame (LVL 8):
    All of the workstations are already SecureNAT clients.  Thanks for the attempt though.

Expert Comment by TannerMan (LVL 9):
    I am assuming then that you have utilized the www.isaserver.org for researching this? It is the BEST website for ISA

Author Comment by arhame (LVL 8):
    Yes, i started there first.

    Here is the thread on their website:

    http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000315


Author Comment by arhame (LVL 8):
    One thing that I'm doing, that I'm not quite sure if it's making a difference or not, is not running DNS on the ISA Server itself.  Instead, I'm using my existing internal DNS Server which is located on a Domain Controller that has forwarders pointing to my ISP's DNS Servers.

Author Comment by arhame (LVL 8):
    Still plowing through this:

    Update:
What I've done now is to completely build another ISA Server to see if I could resolve this issue. I did a default installation of Windows 2003 Server on a machine with dual NICs. I did NOT install DNS nor DHCP on the box, as I would like to utilize our already existing DNS and DHCP Servers.

On the external NIC, I configured it with one of our public IPs/subnet masks, using the IP address of our router (which it is connected to) as the Default Gateway. No IP was entered for a DNS Server.

On the internal NIC, I configured it with a static IP that falls within our internal IP address range and subnet mask (192.168.0.20/255.255.255.0). No default gateway was configured and the DNS Server was configured to our internal DNS Server (192.168.0.1). Our internal DNS Server and DHCP Server serve up addresses for the 192.168.0.x range, are Active Directory integrated, and use forwarders that point to our ISP's DNS servers for external name resolution. "Do not use recursion for this domain" is checked.

On all of the workstations, the new firewall client is installed and is pointing at the ISA server. Their default gateways are pointing to the ISA server and the DNS server setting is pointing to our internal DNS server.

    On the ISA Server, I have created an access rule that allows all outbound protocols from Internal to External with All Users selected as the users. Also, I have created another rule called PPTP outbound which allows the pptp protocol from Internal to External with users set to All Users.

When I turn on monitoring and attempt to establish a PPTP session from one of the workstations behind the ISA 2004 server to a remote ISA 2000 server acting as a VPN server for a remote network, I see 3 items:
1. Destination IP of the VPN server I'm trying to connect to, Destination port: 1723, Protocol: PPTP, Action: Initiated Connection, Rule: Allow Access, Client IP: machine IP from which I'm trying to establish the VPN, Source Network: Internal, Destination Network: External
2. Destination IP of the VPN server I'm trying to connect to, Destination port: 0, Protocol: PPTP, Action: Initiated Connection, Rule: Allow Access, Client IP: machine IP from which I'm trying to establish the VPN, Source Network: Internal, Destination Network: External
3. Destination IP of the VPN server I'm trying to connect to, Destination port: 1723, Protocol: PPTP, Action: Closed Connection, Rule: Allow Access, Client IP: machine IP from which I'm trying to establish the VPN, Source Network: Internal, Destination Network: External

    On the client machine, I get an almost immediate "Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed."

    On the original box, before the upgrade, we were running Windows 2003 server and ISA 2000 with no problems. I would really love to stick with 2004 because every single other aspect of it has been outstanding.
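
The three log entries above are the whole story of a PPTP attempt as ISA sees it: the TCP control connection to port 1723, the GRE tunnel (IP protocol 47, which ISA logs under the PPTP protocol with destination port 0), and the control connection closing. Below is an added triage script, not code from this thread or from ISA, that reads entries in that shape and separates the three outcomes a practitioner has to tell apart: a rule denying PPTP (Emptyone's question about the monitor), ISA never opening GRE at all (a protocol-definition problem on the ISA box), and both flows opening followed by the control connection dying within seconds (GRE being dropped somewhere between ISA and the VPN server, which is what an upstream router that does not pass GRE looks like). The tab-separated layout, the timestamps, the rule names and the 30-second window are assumptions constructed for the example; the addresses are documentation ranges.

```python
"""Triage ISA 2004 firewall-log entries for an outbound PPTP client that
gets Error 619.

Added example, not code from the thread. The log sample is constructed
to mirror the fields arhame lists (with a timestamp added): destination
IP, destination port, protocol, action, rule, client IP, source network,
destination network. The tab-separated layout is an assumption for this
example, not ISA's on-disk log format.

A PPTP session needs two flows through the firewall: the TCP control
connection to port 1723 and the GRE tunnel (IP protocol 47), which ISA
logs under the PPTP protocol with destination port 0. Control opened,
GRE opened, control closed seconds later with nothing else seen is what
a GRE drop upstream of ISA looks like: the TCP handshake succeeds, the
tunnel never comes up, and the client gives up with Error 619.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample (not real ISA output). Three client/server pairs:
#   .55 -> 203.0.113.10  control + GRE opened, control closed 2 s later
#   .56 -> 198.51.100.7  control + GRE opened, both closed 45 min later
#   .57 -> 203.0.113.10  control connection denied by a rule
# plus one unrelated HTTP entry that the PPTP filter must ignore.
SAMPLE_LOG = """\
2004-10-25 20:00:00\t203.0.113.10\t80\tHTTP\tInitiated Connection\tAllow all\t192.168.0.55\tInternal\tExternal
2004-10-25 20:01:03\t203.0.113.10\t1723\tPPTP\tInitiated Connection\tPPTP outbound\t192.168.0.55\tInternal\tExternal
2004-10-25 20:01:03\t203.0.113.10\t0\tPPTP\tInitiated Connection\tPPTP outbound\t192.168.0.55\tInternal\tExternal
2004-10-25 20:01:05\t203.0.113.10\t1723\tPPTP\tClosed Connection\tPPTP outbound\t192.168.0.55\tInternal\tExternal
2004-10-25 20:10:00\t198.51.100.7\t1723\tPPTP\tInitiated Connection\tPPTP outbound\t192.168.0.56\tInternal\tExternal
2004-10-25 20:10:00\t198.51.100.7\t0\tPPTP\tInitiated Connection\tPPTP outbound\t192.168.0.56\tInternal\tExternal
2004-10-25 20:55:12\t198.51.100.7\t0\tPPTP\tClosed Connection\tPPTP outbound\t192.168.0.56\tInternal\tExternal
2004-10-25 20:55:12\t198.51.100.7\t1723\tPPTP\tClosed Connection\tPPTP outbound\t192.168.0.56\tInternal\tExternal
2004-10-25 21:00:00\t203.0.113.10\t1723\tPPTP\tDenied Connection\tDefault rule\t192.168.0.57\tInternal\tExternal
"""

PPTP_CONTROL_PORT = 1723
GRE_PORT_MARKER = 0                          # ISA logs the GRE flow with port 0
GRE_FAILURE_WINDOW = timedelta(seconds=30)   # assumption: "almost immediate" failure


@dataclass
class Entry:
    ts: datetime
    dest_ip: str
    dest_port: int
    protocol: str
    action: str
    rule: str
    client_ip: str


def parse_log(text: str) -> List[Entry]:
    """Parse the tab-separated sample layout into Entry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dest_ip, port, proto, action, rule, client, _src_net, _dst_net = line.split("\t")
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                             dest_ip, int(port), proto, action, rule, client))
    return entries


def diagnose(entries: List[Entry]) -> Dict[Tuple[str, str], str]:
    """Classify each (client, VPN server) pair's PPTP attempt.

    Verdicts:
      denied                an access rule blocked PPTP; fix the rule
      no-control            no control connection was ever attempted
      no-gre                TCP 1723 opened but ISA never opened GRE;
                            check the PPTP protocol definition on ISA
      gre-blocked-upstream  both flows opened, control closed within
                            GRE_FAILURE_WINDOW; something between ISA
                            and the VPN server is dropping GRE
      ok                    the tunnel stayed up
    """
    sessions: Dict[Tuple[str, str], List[Entry]] = {}
    for e in entries:
        if e.protocol == "PPTP":
            sessions.setdefault((e.client_ip, e.dest_ip), []).append(e)

    verdicts: Dict[Tuple[str, str], str] = {}
    for key, evs in sessions.items():
        evs.sort(key=lambda e: e.ts)
        if any(e.action == "Denied Connection" for e in evs):
            verdicts[key] = "denied"
            continue
        ctl_open = [e for e in evs if e.dest_port == PPTP_CONTROL_PORT and e.action == "Initiated Connection"]
        gre_open = [e for e in evs if e.dest_port == GRE_PORT_MARKER and e.action == "Initiated Connection"]
        ctl_close = [e for e in evs if e.dest_port == PPTP_CONTROL_PORT and e.action == "Closed Connection"]
        if not ctl_open:
            verdicts[key] = "no-control"
        elif not gre_open:
            verdicts[key] = "no-gre"
        elif ctl_close and ctl_close[0].ts - gre_open[0].ts <= GRE_FAILURE_WINDOW:
            verdicts[key] = "gre-blocked-upstream"
        else:
            verdicts[key] = "ok"
    return verdicts


if __name__ == "__main__":
    for (client, server), verdict in sorted(diagnose(parse_log(SAMPLE_LOG)).items()):
        print(f"{client} -> {server}: {verdict}")
```

The pattern arhame reports (1723 initiated, port 0 initiated, 1723 closed, all under an Allow rule) is the "gre-blocked-upstream" case: ISA's rule is doing its job, and the fault is on the path beyond it. GRE has no port numbers, so any NAT or "cable router" device in front of ISA has to handle protocol 47 specifically, and one that silently drops it produces exactly this signature while every TCP and UDP service continues to work.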

Expert Comment by TannerMan (LVL 9):
    Your external NIC on ISA has to have the DNS servers of your ISP to resolve anything out on the net.
    Humor me and add that to your ISA and test again. Some connections are done via the ISA server itself, it is not going to consult the internal NIC to ask for a DNS server to find an external site.

    Still reading your entry over again...........

Author Comment by arhame (LVL 8):
    I had tried that earlier also, and still same results.  Just for grins, I reconfigured as you suggested, rebooted both the isa server and workstation, and same end result.

Now, on all of the remote ISA 2000 servers that we connect to, we do not have DNS servers set on the external interface and do not have any issues. I could have sworn that I read somewhere that you were not supposed to set up a DNS entry on the external interface, or is this wrong?

Expert Comment by TannerMan (LVL 9):
    OK, sorry for the trouble.
All the docs I have read on isaserver.org say to. In fact, Tom Schinder physically connected to one of mine on a major issue I was having and agreed with it. It may have a lot to do with what you're doing with it.

    HMMMMM
    so isa 2k no problem, but 2004 does.
In Tom's post he mentioned a protocol rule with no authentication. I noticed you asked what he meant. Sadly, I haven't gone to ISA 2004 yet, so I am not sure.
    I won't give up on you though. I will keep digging

Expert Comment by TannerMan (LVL 9):
Just for kicks and giggles, have you run the Allow VPN Connections wizard?
It creates packet filters for client-side PPTP, which is why I ask.

Expert Comment by TannerMan (LVL 9):
    Another thought just to try some testing
    Try creating the VPN connection FROM the ISA server itself....after hours, because it can interrupt normal routing because the default gateway changes to the vpn connection's remote network.
    Just wonder if the ISA itself can do it.


Author Comment by arhame (LVL 8):
    Ok, let me address all the posts.
I'll begin doing that as far as the DNS setting goes on the external interface. It's been quite a while since I took the 70-227 test and I may have misunderstood.

    Yes, I've already been through the VPN Connection wizard because the users here can connect from home to work with no issues through the new ISA 2004 server.

And, for trying the VPN connection from the ISA server itself, I get an Error 800: Unable to establish the VPN connection. I had tried that one a couple of days ago also.

Thanks for trying though, and I appreciate anything else you might come up with.

Note: I get the same message (from the ISA Server and from internal workstations) when I try to connect to any VPN server, not just one in particular. I have about a dozen or so that I VPN into on a normal basis.

Author Comment by arhame (LVL 8):
    I had a wild idea last night and gave Time Warner (Road Runner) the Cable Internet provider here a call.  I had a technician out here today and he ran some very thorough diagnostics on the router and it was showing to be working flawlessly.  So, I asked him if we could change out the router to another brand just for grins.  Reluctantly, he agreed.  As soon as he finished getting the new router provisioned, and plugged back in, Guess what happened.  PPTP Connections worked.

    He said afterwards, that he has seen other instances of where certain types of cable routers would not work well with certain firewalls.  Well, one of the unix boxes that we have also was experiencing disconnect issues when a connection would sit idle for over 3 minutes.  As soon as the new router was put into place, that ceased also.

    So, perhaps the others that are experiencing this issue also are having conflicts with their routers.

Accepted Solution by CetusMOD (Community Support Moderator):
PAQed with points refunded (500)
