WIN2k3 Server VPN set up (Using ISA)

I have a Windows 2003 server with the following setup

Standard Edition (with sp1)
Two NICs connected to a Linksys RV082 router
router is connected to cable modem
DHCP and DNS set up on server, not router

I hope that's enough info to get started helping me.

Here's my issue: I am trying to set up a VPN (first time). I was able to get it set up on the router, but my boss doesn't want it that way, so that is no longer an option. I installed ISA on the server and tried to set it up that way, but my clients can't connect. And whenever I enable the RRAS and MS ISA Server control services on the server, I lose my ability to access anything on the network or internet from the server and all attached workstations. So I've had to disable those.

I have a scenario walkthrough that I got from the ISA section of the MS website, and followed it to the letter, several times. I'm not sure where I'm going wrong, but any help would be appreciated.

TIA
Ap
cogentlogikAsked:

TheCleanerCommented:
Try this walkthrough for ISA (I'll assume 2004):

http://www.msfirewall.org/isa2004kits.htm

Go there ^^ and get the VPN kit.  It has lots of docs and walkthroughs from start to finish.
0
cogentlogikAuthor Commented:
Cleaner,
     I appreciated your response, and learned a lot looking over those documents. However, we have now decided to go away from ISA, and just use built-in RRAS to set up the VPN. I was able to get it working using PPTP, but I need to be able to use L2TP/IPSec. I have been playing with it for a bit, but can't get the VPN to connect when I change the setting to L2TP/IPSec. I get an error 792. I looked around the site, but didn't find anything that helped. Do I need to set my server up as a CA? How exactly do I do that? Do I need to change the IP Security Policies on the server and/or client? I could really use a pointer in the right direction.

TIA
Ap
0
TheCleanerCommented:
Yes, you'll need a CA (or at least an enterprise CA) to get it to work.

See my posts here:

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21778511.html

It's basically the same process regardless...

Also
http://www.alt-tab.info/?p=7
http://www.alt-tab.info/?p=10
0
cogentlogikAuthor Commented:
Cleaner,
    You're awesome. I got the CA running. Turns out that I had done it correctly. But on my client machine, I was logged on to the network with cached info. So I tried to connect again, and got the same error. At any rate, in this http://www.alt-tab.info/?p=10 link you posted, I was able to get up to step 4 with no trouble. But the next screen I get doesn't have the options listed in step five. Any idea why that is?
0
TheCleanerCommented:
Those steps are only necessary if the machine isn't on the domain, otherwise it will auto-enroll.

What does it show?  Are there any options listed at all?
0
cogentlogikAuthor Commented:
It shows a page that says "Advanced Certificate Request" at the top and has three fields:

Certificate Template - (With a drop-down box)
Key Options
Additional Options

Does any of that sound familiar?
0
TheCleanerCommented:
Yeah, do the cert template and does it show anything in the drop down box?
0
cogentlogikAuthor Commented:
Options in the drop-down are:
User
Basic EFS
Administrator
EFS Recovery Agent
Web Server
Subordinate Certification Authority
0
TheCleanerCommented:
Ah...yeah the "alt-tab" website is a little off...see here:

http://www.isaserver.org/img/upl/vpnkitbeta2/webenrollenterprise.htm

Basically choose administrator, then continue on the steps...

Follow the link from isaserver.org starting with the phrase:

Requesting a Machine Certificate from the Enterprise CA Web Enrollment Site

 
0
cogentlogikAuthor Commented:
Cleaner,

Hate to keep beating this issue up, but I followed those steps, successfully, and now, without having made any other changes, I'm getting a different error when trying to connect. It's error 678: The remote computer did not respond. I can connect with no problems if I change the connection type to PPTP. Any ideas?

TIA
Ap
0
TheCleanerCommented:
Run the ISA monitor and set it for the rules for the VPN.  Then try and connect and see what the monitoring log shows.  Post it here and we'll figure it out.
0
cogentlogikAuthor Commented:
Good Morning,

I can't do that, unless it's necessary. I uninstalled ISA. Every time I install it, I lose my internet connectivity. I know it blocks all traffic by default, but I don't have time or energy to configure the firewall (unless I need to in order to get this working). Is there another path we can take? If not, I'll install ISA, and do as you instructed.

TIA
Ap
0
TheCleanerCommented:
Oops...my fault, I keep looking at the title, and forget that you are no longer using ISA.

Personally if you own it, I would HIGHLY HIGHLY recommend using it over the simple RRAS.  It's much more secure.

And that first link I showed you is a complete walkthrough for setting up the VPN.

Also, don't be worried about the "blocks all traffic by default" because during the setup it will create rules to allow outbound web access, etc. as you deem fit.

HOWEVER, YOU NEED TO PLAN WELL IF YOU ARE GOING THIS ROUTE, BECAUSE YOU WILL NEED TO CREATE RULES FOR EMAIL, ETC. ETC. IF THIS IS GOING TO BE A MAIN FIREWALL ON YOUR MAIN INTERNET CIRCUIT.


But back to just RRAS,

It's obviously hard for me to see what's been done, changed, etc. so I'm really limited to trying to point you in the right direction.  You could in essence uninstall RRAS, reinstall it, and then follow the walkthroughs straight from MS http://technet2.microsoft.com/WindowsServer/en/Library/fe8e1d66-959c-476e-8b8f-6b44d511c8251033.mspx

Also, make sure that IPSEC is enabled on both the server and the client.

http://www.windowsitpro.com/Article/ArticleID/15307/15307.html  (just make sure it's not been DISABLED, basically)
0
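The prerequisites raised in this thread (a machine certificate from the CA, and IPsec not being disabled on server or client) can be checked in one pass with the script below; it is an added example, not part of any post here. Assumptions: PowerShell 2.0 or later is available on the machine, the function name `Get-L2tpPrereqReport` is hypothetical, and the `ProhibitIpSec` registry value (the Windows setting that turns off the automatic IPsec policy for L2TP) is taken to be the kind of "disabled" state the post above refers to.

```powershell
# Added example, not from the thread. Run from an elevated prompt on the
# VPN server and again on the client, then compare the two reports.
function Get-L2tpPrereqReport {
    $now = Get-Date
    $results = @()

    # 1. The IPsec service (service name PolicyAgent) must be running.
    $svc = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue
    $svcState = 'service not found'
    if ($svc) { $svcState = [string]$svc.Status }
    $results += New-Object PSObject -Property @{
        Check = 'IPsec service running'
        Pass  = ($svcState -eq 'Running')
        Detail = $svcState }

    # 2. ProhibitIpSec = 1 disables the automatic IPsec policy for L2TP.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
    $prohibit = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProhibitIpSec
    $prohibitText = 'value not set'
    if ($prohibit -ne $null) { $prohibitText = "ProhibitIpSec = $prohibit" }
    $results += New-Object PSObject -Property @{
        Check = 'L2TP IPsec policy not disabled'
        Pass  = ($prohibit -ne 1)
        Detail = $prohibitText }

    # 3. A machine certificate must sit in the computer store (not the user
    #    store), have its private key, be in date, and chain to a trusted root.
    $usable = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now })
    $trusted = @($usable | Where-Object { $_.Verify() })
    $results += New-Object PSObject -Property @{
        Check = 'Usable machine certificate'
        Pass  = ($trusted.Count -gt 0)
        Detail = "$($usable.Count) in date with private key, $($trusted.Count) chain to a trusted root" }

    $results | Select-Object Check, Pass, Detail
}

Get-L2tpPrereqReport | Format-Table -AutoSize
```

A certificate that is in date but does not chain to a trusted root usually means the issuing CA's root certificate is missing from that machine's Trusted Root store, which is worth checking on a client that is not joined to the domain.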
TheCleanerCommented:
Got it all resolved?
0
cogentlogikAuthor Commented:
Somewhat.... I went away from all my original settings, slicked the drive, and loaded SBS 2003 on it. Playing with that now, hoping that some of the dumbed-down, built-in features can help me get this up. Thanks for all your help.
0
TheCleanerCommented:
:)  ok.
0