• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 478
  • Last Modified:

SBS Server 2003 Premium w/ISA2004 won't allow NetGear ProSafe VPN client to connnect; can access rest of LAN

I am using the NetGear PoSafe VPN Client, SafeNet SoftRemote 10.5.1 (Build 8) to connect to a NetGear FVS124G VPN.

I get in successfully to the LAN which is, and I can access all other hosts except the Microsoft Small Business Server 2003 Premium Edition.  I cannot access it at all no matter what I do and how many different ways I try to re-configure its ISA Server 2004 Firewall.  

I have also tried giving it its own ip address through the FVS124G on the network.  The ip address given is per the Preferred Virtual Adapter in the Security Policy Editor.  I have also updated the policy on the FVS124G which allows me to successfully get in.

I can also see all the Denied requests on the ISA Server 2004 monitor for the client to the SBS2003 Server no matter what rules I give it and assignment of the network to localhost, etc.

Is there anything that can be done?  How come ISA2004 won't allow my VPN client to connect no matter what I do?

Also, as an aside, would setting up a VPN Gateway to Gateway connection from my home to my office bypass this problem?

Thank you.
  • 8
  • 7
1 Solution
I just setup a Netgear Prosafe FVS338 VPN router. I had the best results with using the ModeConfig option and assigning VPN clients to seprate subent.
I then when into the SBS server and granted full access the VPN subnet.

Let me know if you need more info.
amozartAuthor Commented:
Since I just have the FVS124G I don't know that I have ModeConfig, but I could set up the FVS124G on a separate subnet from the SBS2003 subnet, say and keep the SBS2003 on the subnet.  

Then how do I configure ISA2004 on the SBS2003 server to allow traffic from this subnet since ISA2004 really wants to handle Microsoft VPN clients dynamically as such.   Do I put in a separate NIC on the ISA2004/SBS2003 server for the new subnet?  Do I set it up as routed or as NAT?  Then what rules do I need to write to get this to work?  Thank you.
Ok let us back track here.
I am going to assume your network is set up as follows:
ISP Internet connects to WAN port on FVS124G and all other clients connect to the FVS124G LAN ports?

Does your SBS server have 1 or 2 NICs?
Is you SBS server handling DHCP or your router?

You shuold not have to buy another NIC for your SBS server.
Login into your Netgear Router and click on the VPN link. See if there is a sub-menu called Mode Config.

The mode config will do all of the routing if it is avialble to you.  

Let me know...
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

amozartAuthor Commented:
Yes, ModeConfig does exist.
Right now the FVS124G is set to and the SBS2003/ISA2004 server is set to
Do I need to assign the FVS124G LAN to another subnet?
If I use ModeConfig, do I need to make changes to either the IKE or firewall policies?
What do I enter for the Traffic Tunnel Security Level and Traffic Tunnel Security Level settings in ModeConfig assuming that I just used the totally standard autogenerated IKE and VPN policies?
Once the NetGear changes are done, then what network (routed or NAT'd) do I create in ISA2004 on the SBS2003 Server?  What rules do I create on the ISA2004 server?

Thank you very much for you help.
amozartAuthor Commented:
My SBS2003/ISA server has 3 NICs.
DHCP is being handled by the NetGear.
amozartAuthor Commented:
Oh, and there are 2 ISPs involved, one fast and one slow.  Thus the desire to connect on the FVS124G faster one as opposed to the SBS2003/ISA2004 slower one.

The slow one is more stable (satellite).
The faster one is a shared co-op T1.
Well cosidering you have a FVS124G, I would have both ISPs connect directly to the FVS124G. The fast connection would be primary and the slow stable connection would be secondary. This would allow you to bypass the SBS2003 ISA all together. Only connect the SBS' internal LAN network connection, this would of course alter your configuration a bit.

The Mode Config option allows you to specify a range (or pool) of addresses that your VPN clients will use (in my case I used to range). The only trick is to make sure you use your SBS server's IP ( address as the DNS (and WINS) Server in you Mode Config setup. The local IP would be with the Loacl Subnet mask of All else is in mode config can be left at defualt.

The IKE policy would be default except you use the Mode Config Record you created.
Use both FQDN for Local and Remote.
The IKE SA Parameters can be left defualt but remember to create a Pre-shared key.
You do not have to create a VPN policy as your Mode Config is the policy.

You can then tell ISA to allow any one from the network access to server apps.
Your VPN client will act as they connected directly to your LAN (except they will be slower due to encryption).

amozartAuthor Commented:
Ok, so if I understand correctly, in mode config I will create a first pool of say to
I will put in as the WINS Server and the DNS server.
For PFS I will keep as none.
For Local Address:
For Local Subnet Mask:
for SA Lifetime:  blank
for Authentication algorithm:  none????  shouldn't it be SHA-1?
for Encyrption alogorithm:  none????    shouldn't ig be 3DES

Then on ISA server for the network:
is it a perimeter network?
is it routed or NAT'd?
Or is it part of internal somehow?  
But don't I need to set up some routing on the SBS2003/ISA2004, so that it knows how to return responses to the network that was created on the FVS124G?

Thanks again.  

It looks like your defaalts may be different. Use the following:
PFS Key Group: DH Group 2 (1024 bit)
SA Liftetime: 3600 Seconds
Encryp Alg: 3DES
Integrity Alg: SHA-1

You said, you have 3 NICs in your SBS. As long as the NIC that is connected to your internal network ( is connected to the LAN side of your FVS124G, your ISA Firewall should let it through.
You will need to to go into the SBS IIS Manger and edit the Dierctory Security to allow ( for your Web Sites.

I am a bit confused on your SBS nic configurations.
Are all 3 NICs being used?
Is the default gateway for the interface set as
amozartAuthor Commented:

Default gateway for the SBS Server and the Server IP itself is
I use in the client machines because it is faster.

So I guess you are saying that the SBS2003/ISA2004 server will see the traffic as traffic with the exception of IIS websites?

P. S.  Have to step out for awhile.  Thanks again.

The interface would need to address as the default gateway. The server will should it as another subnet on your internal LAN.  

Is there a reason you are running two different routers?  I think it would make your life some much simpler if you just had your FVS124G be your router and you could eliminate the IAS on the SBS server. The FVS124G allows for 2 Internet connections, you can use one as primary and one for fail over load balance.

I am leaving now as well, I should be back tommorow.
amozartAuthor Commented:
Good morning,
I got my own approach to work.  
On my ProSafe VPN Client I set up my preferred internal network ip address to be and set up under the remote IP area.

Then I did a few of things for Microsoft ISA Server in SBS2003.  I got the ISA2004 Server Service Pack 3 because I had read somewhere that ISA wasn't properly handling traffic bound to the Internal adapter.  Then I found and applied this info from the KB article at Microsoft:  http://www.microsoft.com/technet/isa/2004/plan/ts_networks.mspx#Unable
Unable to Access Hosts on Defined Networks
Problem: You have ISA Server installed on a computer with two network adapters. Your infrastructure consists of four subnets connected by routers on the Internal network. You have created networks for each subnet, but traffic is not flowing between ISA Server and some of the networks.

Cause: All IP addresses behind an ISA Server network adapter are considered as part of the same network. So even if you have routed subnets, ISA Server treats them as a single network. You should only create ISA Server networks for interfaces connected to ISA Server. (The only exception to this is networks representing remote VPN sites.)

Solution: Remove the network objects you have defined for any routed subnets. Add the IP address ranges for these subnets into the Internal network definition. If you require access rules to control traffic between the Internal network and these remote subnets, create a subnet network object and use this as an access rule element. You can create network objects on the Toolbox tab of the Firewall Policy node in ISA Server Management. The other alternative is to add additional network adapters to the ISA Server computer.

So I ended up adding the subnet to the Internal network and removed all other rules and objects that I had created in an attempt to get it to work.

It was interesting, too, that it did not work at first, but I went away and left my machine with ping -t running.  Eventually ISA2004 started accepting the traffic as proper, and I am now able to do what I need.
Congradualtions, it sounds like you found a way to fix it for your setup.
Honestly our server has two NICs in it but I just shut the one off, after installing the VPN gateway. It seemed superfluous to have the ISA Gateway/Firewall running when I could just use a Gateway device (FVS338) to provide my Internet Access, Firewall and VPN. We only have single gateway (except for the subent I defined for the VPN clients). So your setup is a bit more complicated then mine.

Please let me know your results, as I have added this question to my knowledge base for future reference.

amozartAuthor Commented:
For now I am so pressed for time that I just have to stick with my solution since it is now working perfectly for my needs.

So can you close this ticket then?
I cannot close this. Only you or a moderator can.
If you click on "Accept as Soultion" it will close it.

Best regards and good luck.


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 8
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now