Access problems using ISA 2006 VPN

I have ISA 2006 installed.  Until this point, it has been in its own workgroup.  We are changing that to being a member of a domain.  I didn't want that server to have access to my domain if it gets hacked so I set it up as a child domain of my existing one.  

When I try and connect, I get the following error in the server logs of the ISA server: "The user %username% has connected and failed to authenticate on port VPN5-9.  The line has been disconnected."

When I use the users/group on the ISA server, I can connect.  When I try and connect to the domain, it does not work.  I've added my domain group to the local group (no luck) and to the VPN group directly with no luck.

Any thoughts??

spguymon Asked:
 
Keith Alabaster (Enterprise Architect) Commented:
ISA Server has never been hacked in its history in any of its versions. However, if you open ports and people use them then that is a different story but it will not be ISA's failing.

I've never tried putting in a child domain with ISA (wouldn't see the point) so will have to do this by 'feel' so to speak.

Have you performed all the updates for ISA2006?
Is this client access you are trying to perform or site-to-site?
PPTP or L2TP over IPsec?

What rules have you added for vpn clients to internal?
If you open the GUI, select Monitoring - Logging, click Start Query, what do you see at the connection point?
Is anything being listed in the Sessions tab under Monitoring?
 
spguymon (Author) Commented:
I thought that I read in the white papers that came with the disk that had the ISA Software on it that there was an inherent risk and that it was best to have that just in case.

Yes, all updates are on for ISA 2006 and for the MS Server 2003 R2 OS.
This is a client access that I am trying to do.
I am using PPTP for now but would like to move to L2TP.

For rules for the VPN Clients to the internal Network I am allowing everything.  I would like to scope that down but that will come after I get this working.  I would really enjoy some pointers on what to and what not to allow for a vpn client.  

I'm not sure what you mean by the connection point.  Is there a field that I need to have selected when I am monitoring?

With the sessions tab, when I log on with the local account on the ISA server, it connects just fine and I will see myself in the connections.  When I try and log in using the domain account, I do not see anybody in the connections.

Thanks for the interest!!
 
Keith Alabaster (Enterprise Architect) Commented:
Connection point - the point where the connection is attempted from the client and the ISA server will either enter an entry in its session table (or doesn't of course).

When the client attempts access, how is the domain\username being entered?
Do these users have remote-access enabled in their user profiles within AD?
 
spguymon (Author) Commented:
I don't remember where I ran across this article but there are issues if you try and change domain membership after ISA is installed.  After unloading ISA, adding it to the domain, reloading ISA it worked.

Thanks for all comments!
Question has a verified solution.
