Access problems using ISA 2006 VPN

Posted on 2007-10-15
Last Modified: 2008-11-17
I have ISA 2006 installed.  Until this point, it has been in its own workgroup.  We are changing that to being a member of a domain.  I didn't want that server to have access to my domain if it gets hacked so I set it up as a child domain of my existing one.  

When I try and connect, I get the following error in the server logs of the ISA server: "The user %username% has connected and failed to authenticate on port VPN5-9.  The line has been disconnected."

When I use the users/group on the ISA server, I can connect.  When I try and connect to the domain, it does not work.  I've added my domain group to the local group (no luck) and to the VPN group directly with no luck.

Any thoughts??

Question by: spguymon

    Accepted Solution

    ISA Server has never been hacked in its history in any of its versions. However, if you open ports and people use them then that is a different story but it will not be ISA's failing.

    I've never tried putting in a child domain with ISA (wouldn't see the point) so will have to do this by 'feel' so to speak.

    Have you performed all the updates for ISA2006?
    Is this client access you are trying to perform or site-to-site?
    PPTP or L2TP over IPsec?

    What rules have you added for vpn clients to internal?
    If you open the GUI, select Monitoring - Logging, click Start Query, what do you see at the connection point?
    Is anything being listed in the Sessions tab under Monitoring?

    Author Comment

    I thought that I read in the white papers that came with the disk that had the ISA Software on it that there was an inherent risk and that it was best to have that just in case.

    Yes, all updates are on for ISA 2006 and for the MS Server 2003 R2 OS.
    This is a client access that I am trying to do.
    I am using pptp for now but would like to move to l2tp.

    For rules for the VPN Clients to the internal Network I am allowing everything.  I would like to scope that down but that will come after I get this working.  I would really enjoy some pointers on what to and what not to allow for a vpn client.  

    I'm not sure what you mean by the connection point.  Is there a field that I need to have selected when I am monitoring?

    With the sessions tab, when I log on with the local account on the ISA server, it connects just fine and I will see myself in the connections.  When I try and log in using the domain account, I do not see anybody in the connections.

    Thanks for the interest!!

    Expert Comment

    by:Keith Alabaster
    Connection point - the point where the connection is attempted from the client and the ISA server will either enter an entry in its session table (or doesn't, of course).

    When the client attempts access, how is the domain\username being entered?
    Do these users have remote-access enabled in their user profiles within AD?

    Author Comment

    I don't remember where I ran across this article but there are issues if you try and change domain membership after ISA is installed.  After unloading ISA, adding it to the domain, and reloading ISA, it worked.

    Thanks for all comments!
