  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 355

WIN2k3 Server VPN set up (Using ISA)

I have a Windows 2003 server with the following setup

Standard Edition (with sp1)
Two NICs connected to a Linksys RV082 router
router is connected to cable modem
DHCP and DNS set up on server, not router

I hope that's enough info to get started helping me.

Here's my issue: I am trying to set up a VPN (first time). I was able to get it set up on the router, but my boss doesn't want it that way, so that is no longer an option. I installed ISA on the server and tried to set it up that way, but my clients can't connect. And whenever I enable the RRAS and MS ISA Server control services on the server, I lose my ability to access anything on the network or internet from the server and all attached workstations. So I've had to disable those.

I have a scenario walkthrough that I got from the ISA section of the MS website, and followed it to the letter, several times. I'm not sure where I'm going wrong, but any help would be appreciated.

TIA
Ap
Asked: cogentlogik
1 Solution
 
TheCleaner Commented:
Try this walkthrough for ISA (I'll assume 2004):

http://www.msfirewall.org/isa2004kits.htm

Go there ^^ and get the VPN kit.  It has lots of docs and walkthroughs from start to finish.

cogentlogik (Author) Commented:
Cleaner,
I appreciated your response, and learned a lot looking over those documents. However, we have now decided to go away from ISA, and just use built-in RRAS to set up the VPN. I was able to get it working using PPTP, but I need to be able to use L2TP/IPSec. I have been playing with it for a bit, but can't get the VPN to connect when I change the setting to L2TP/IPSec. I get an error 792. I looked around the site, but didn't find anything that helped. Do I need to set my server up as a CA? How exactly do I do that? Do I need to change the IP Security Policies on the server and/or client? I could really use a pointer in the right direction.

TIA
Ap

TheCleaner Commented:
Yes, you'll need a CA (or at least an enterprise CA) to get it to work.

See my posts here:

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21778511.html

It's basically the same process regardless...

Also
http://www.alt-tab.info/?p=7
http://www.alt-tab.info/?p=10
cogentlogik (Author) Commented:
Cleaner,
You're awesome. I got the CA running. Turns out that I had done it correctly. But on my client machine, I was logged on to the network with cached info. So I tried to connect again, and got the same error. At any rate, in this http://www.alt-tab.info/?p=10 link you posted, I was able to get up to step 4 with no trouble. But the next screen I get doesn't have the options listed in step five. Any idea why that is?

TheCleaner Commented:
Those steps are only necessary if the machine isn't on the domain, otherwise it will auto-enroll.

What does it show?  Are there any options listed at all?

cogentlogik (Author) Commented:
It shows a page that says "Advanced Certificate Request" at the top and has three fields:

Certificate Template - (With a drop-down box)
Key Options
Additional Options

Does any of that sound familiar?

TheCleaner Commented:
Yeah, do the cert template and does it show anything in the drop down box?

cogentlogik (Author) Commented:
Options in the drop-down are:
User
Basic EFS
Administrator
EFS Recovery Agent
Web Server
Subordinate Certification Authority

TheCleaner Commented:
Ah...yeah the "alt-tab" website is a little off...see here:

http://www.isaserver.org/img/upl/vpnkitbeta2/webenrollenterprise.htm

Basically choose administrator, then continue on the steps...

Follow the link from isaserver.org starting with the phrase:

Requesting a Machine Certificate from the Enterprise CA Web Enrollment Site

 
cogentlogik (Author) Commented:
Cleaner,

Hate to keep beating this issue up, but I followed those steps, successfully, and now, without having made any other changes, I'm getting a different error when trying to connect. It's error 678: The remote computer did not respond. I can connect with no problems if I change the connection type to PPTP. Any ideas?

TIA
Ap

TheCleaner Commented:
Run the ISA monitor and set it for the rules for the VPN.  Then try and connect and see what the monitoring log shows.  Post it here and we'll figure it out.

cogentlogik (Author) Commented:
Good Morning,

I can't do that, unless it's necessary. I uninstalled ISA. Every time I install it, I lose my internet connectivity. I know it blocks all traffic by default, but I don't have time or energy to configure the firewall (unless I need to in order to get this working). Is there another path we can take? If not, I'll install ISA, and do as you instructed.

TIA
Ap

TheCleaner Commented:
Oops...my fault, I keep looking at the title, and forget that you are no longer using ISA.

Personally if you own it, I would HIGHLY HIGHLY recommend using it over the simple RRAS.  It's much more secure.

And that first link I showed you is a complete walkthrough for setting up the VPN.

Also, don't be worried about the "blocks all traffic by default" because during the setup it will create rules to allow outbound web access, etc. as you deem fit.

HOWEVER, YOU NEED TO PLAN WELL IF YOU ARE GOING THIS ROUTE, BECAUSE YOU WILL NEED TO CREATE RULES FOR EMAIL, ETC. ETC. IF THIS IS GOING TO BE A MAIN FIREWALL ON YOUR MAIN INTERNET CIRCUIT.


But back to just RRAS,

It's obviously hard for me to see what's been done, changed, etc. so I'm really limited to trying to point you in the right direction.  You could in essence uninstall RRAS, reinstall it, and then follow the walkthroughs straight from MS http://technet2.microsoft.com/WindowsServer/en/Library/fe8e1d66-959c-476e-8b8f-6b44d511c8251033.mspx

Also, make sure that IPSEC is enabled on both the server and the client.

http://www.windowsitpro.com/Article/ArticleID/15307/15307.html  (just make sure it's not been DISABLED, basically)

TheCleaner Commented:
Got it all resolved?

cogentlogik (Author) Commented:
Somewhat.... I went away from all my original settings, slicked the drive, and loaded SBS 2003 on it. Playing with that now, hoping that some of the dumbed-down, built-in features can help me get this up. Thanks for all your help.

TheCleaner Commented:
:)  ok.