
VPN PPTP Isa 2004 Small business server 2003

Last Modified: 2008-11-17
I have run the Internet connection wizard and cannot get VPN to work totally.  I have RAS enabled and have gone through the step by step VPN configuration in ISA 2004.  If I use the SBS VPN connection manager on a machine inside the LAN it connects fine; it just can't connect from the internet to the SBS.  I imagine it is something to do with the firewall rules etc., but I have no idea what to configure there.  I have a DLink DI-524 consumer grade router behind the DSL modem (bridged).  I have 1723 forwarded on the router to the SBS.  I have tried connecting and watching the real time log and notice 1723 success and IKE 500 failed.  Don't know if I needed that or not, so I forwarded 500 on the router to the SBS as well.  About a minute later the 1723 closes.  Nothing happens in the middle.  Could someone give me a quick list of the necessary rules for a simple PPTP VPN connection?  I don't know what else it would be.

You need to enable VPN passthrough on the Tools / Misc menu.

Here's a copy of the manual if you don't have one.

http://www.students.sbc.edu/kennedy07/Setup/DI-524%20Manual.pdf

Author

Commented:
That has been enabled since the beginning.  ISA logging shows me trying to connect, but doesn't try to do anything else.  It closes within a minute and starts over when the connection manager on the client tries to retry.  Port 1723 is forwarded on the router.  Does this port still need forwarding with VPN pass through enabled?  
You can try forwarding port 47 tcp and udp, but it's a long shot. I know it doesn't make sense but I've heard claims that it can be a work around. You shouldn't have to since the router purports to support GRE but it's worth a shot.

It sounds like you have done everything right other than that. Do you have access to any other brand or model routers to test with?

Also, make sure you have the latest firmware on the router.

Just went poking around my server and I do have rules allowing all outbound from VPN Clients to Internal and from Internal to VPN Clients. Basically the floodgates are open, allowing all outbound protocols both ways between the two.

Hope that helps.

Author

Commented:
Firmware has been the latest and I have even tried using DMZ.  I have tried creating additional rules to allow traffic both ways like you mentioned.  The default rules are still there too.  I don't know what else to try.  You might be right about the router though, because it is old and cheap.  I will have to try mine from the house to see if it will work.  It is a Dlink 4100 and the datasheet mentions PPTP.  From what I was reading with the DI-524, the VPN pass through feature seems to be more for VPN clients behind the router on the LAN and not the Internet side.
Jeffrey Kane - TechSoEasy, Principal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
Did you run the Remote Access Configuration Wizard?

That has to be run in addition to the CEICW.  You don't otherwise need to do any manual configuration in ISA.

Then on your router you do need to enable PPTP VPN Passthrough on this screen: http://support.dlink.com/emulators/di524/tools_misc.html

The feature is for both inbound and outbound... it enables GRE Protocol 47 which is required for VPN connections.

Jeff
TechSoEasy

Author

Commented:
VPN pass through has been enabled from the beginning and I have run that remote access config three times with no luck externally.  Could you give me the basic default ISA rules that should be there after the CEICW is run?  That way I know I'm not missing something.  I would run it from home, but I am an hour away from the server and originally when I ran the CEICW I still had to manually config some things to get the internet connection to work right.  I just don't want to cause the server to not be available being so far away.  Since I can connect internally I would think the problem has to be with ISA rules or the router is just messed up in that area.
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
"Can you give me the basic default ISA rules that should be there after the CEICW is run?"

No... because your specific configuration may be different.  So, instead, just delete ALL the ISA rules and run the CEICW again to recreate them.

You should never have to manually change anything in ISA to get the Internet Connection to work right.  So you probably didn't have things set correctly to begin with.

But before even doing any of that... how about telling us the exact error you are getting when trying to connect via VPN externally.  Also, are you using the SBS Connection Manager or have you manually created a VPN Connection?  Have you tried connecting from more than one location?

Jeff
TechSoEasy

Author

Commented:
There is no error, it just doesn't connect.  The ISA logging shows it successfully connect to port 1723 and then it closes within a minute after.  There is no error except on the client side in the connection manager as error 800.  I have tried creating the connection manually and with the connection manager on multiple computers, but from the same location.  I am connecting through a Westell 2100 DSL modem.  I have tried a direct connection with IP passthrough enabled for the computer as well as tried it with the static NAT.  Same 800 error.  Next attempt might be to bridge the DSL modem with my Dlink 4100 and try that way with the Dlink handling everything.

As far as manually changing ISA rules for the internet stuff to work right, I am referring to the web publishing and mail server etc.  I used a 3rd-party SSL cert and even though I told the CEICW to use it with my external domain name it used the publishing.domain.local, so I couldn't use RWW, OWA, and my mail server wasn't receiving mail.  So I had to manually change all the rules to use my external domain name for the host header.
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
" There is no error except on the client side in the connection manager as error 800"

That's the error I was asking for.  Please see http://support.microsoft.com/kb/886621

Jeff
TechSoEasy

Author

Commented:
Sorry, it was 7am and I didn't know you were talking about the client error; I thought you were talking about ISA server logs.  As far as that link, the instructions were for ISA 2000, but all of that stuff is enabled and like I said before I have run that configure remote access wizard 3 times.  There isn't anything to that wizard you can really mess up.  Enable VPN access and FQDN.  Maybe in the FQDN I should put my local domain name instead of my external and it works backwards.  All I know is it connects fine internally, assigning IPs and such.  My guess is it's the ISA even though I have done the wizards and gone through the VPN steps in ISA.
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
No, the FQDN you put is your EXTERNAL Internet FQDN as it says on the wizard page.

If everything is correct within ISA, then I would suspect that it's a problem with your router not having GRE Protocol 47 enabled.  

To check though... can you connect to your server via Remote Web Workplace?  http://FQDN/remote ?

Jeff
TechSoEasy

Author

Commented:
Yeah, I can connect to RWW over the net.  I did use my external FQDN during the wizard.  Everything has been working except for VPN.  I just randomly decided to check it and here I am.

Since I can connect through RWW does that mean the router is fine?    

One other thing I did today was disable the remote access in the remote access wizard and then disabled the routing and remote access service.  I then started the service over by reconfiguring to let external clients in.  At the end of the wizard it told me that the DHCP relay agent would need to be configured.  I then gave the DHCP relay agent the internal IP of my SBS, which hosts the normal DHCP server.  After that I re-ran the Remote access wizard and nothing is any different.  I was hoping that relay agent was the problem.  Like I said, the ISA logging shows 1723 as a success but nothing happens for about a minute and then it closes.  It is almost like it doesn't give an IP to the VPN client.  I don't really know that, but it's a guess.
Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
"Since I can connect through RWW does that mean the router is fine?"

No, it means that your FQDN is correct though, and that you are able to get through the router to your server on port 443.

Glad you gave the rest of the info though...

I think what you are saying is that you ran the Configure and Enable Routing and Remote Access Wizard from the RRAS Snap-in rather than the SBS's Configure Remote Access Wizard from the Internet and Email Snap-in?

It's important to remember that because SBS contains numerous components which would be on separate servers in larger networks, you need to use the SBS tools in order to make them all work together... otherwise you may end up with conflicting settings.  So if you ran the RRAS config wizard directly that's not the right way to do this.

If you ran the SBS's Configure Remote Access Wizard and you got the DHCP Relay Agent screen your DHCP Server on the SBS isn't configured correctly.  That should have been done automatically when you first installed the server.  But if there was another DHCP Server on the network then the SBS's would shut down.  So, first make sure that there is no other DHCP server running (ie, your router) and then follow the steps at the bottom of this page to restore DHCP properly to your SBS:  http://sbsurl.com/dhcp

Jeff
TechSoEasy
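The two points Jeff makes above (GRE protocol 47 is required, and reaching RWW on 443 proves only the FQDN and the 443 path) are worth making testable. PPTP has two halves: a control channel on TCP 1723 and a data tunnel carried in GRE, which is IP protocol 47, not a TCP or UDP port. The "1723 succeeds, then nothing for a minute, then it closes" pattern in the ISA log is what you see when the control channel works and the GRE leg does not. The script below is an added example written for this page, not code from the thread or from Microsoft; it speaks the first PPTP control exchange from RFC 2637 (Start-Control-Connection-Request / -Reply) so you can confirm whether the far end is really a PPTP server answering on 1723. The target hostname, the vendor strings and the canned server reply used for the offline self-check are constructed assumptions. It deliberately does not touch GRE, so a clean result here plus a client error 800 points at GRE being dropped somewhere on the path.

```python
"""Probe the PPTP control channel (RFC 2637) over TCP 1723.

Added example for this thread, not code from the original posts. The target
hostname, vendor strings and the sample server reply are constructed.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1                  # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2               # Start-Control-Connection-Request / -Reply
PROTOCOL_VERSION = 0x0100
# Common header: length, message type, magic cookie, control type, reserved0
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved1, framing caps, bearer caps, max channels,
# firmware revision, host name (64), vendor name (64)
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, framing, bearer, max channels,
# firmware revision, host name (64), vendor name (64)
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")
MSG_LEN = HEADER.size + SCCRQ_BODY.size   # both messages are 156 bytes

RESULT_CODES = {
    1: "successful channel establishment",
    2: "general error (see error code)",
    3: "command channel already exists",
    4: "requester is not authorized",
    5: "protocol version not supported",
}


def build_sccrq(hostname: str = "probe", vendor: str = "example") -> bytes:
    """Encode the client's Start-Control-Connection-Request."""
    body = SCCRQ_BODY.pack(PROTOCOL_VERSION, 0, 0x3, 0x3, 1, 0,
                           hostname.encode("ascii"), vendor.encode("ascii"))
    return HEADER.pack(MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def build_sccrp(result_code: int = 1, hostname: str = "pptp-server",
                vendor: str = "example") -> bytes:
    """Constructed server reply; used only for the offline self-check."""
    body = SCCRP_BODY.pack(PROTOCOL_VERSION, result_code, 0, 0x3, 0x3, 1, 0,
                           hostname.encode("ascii"), vendor.encode("ascii"))
    return HEADER.pack(MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_sccrp(data: bytes) -> dict:
    """Validate and decode an SCCRP; raise ValueError if the bytes are not one."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short reply: {len(data)} bytes, expected {MSG_LEN}")
    _length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data, 0)
    if cookie != MAGIC_COOKIE:
        raise ValueError(f"magic cookie 0x{cookie:08X} is wrong: something "
                         "answered on TCP 1723, but it is not a PPTP server")
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError(f"expected SCCRP, got message type {msg_type}/{ctrl_type}")
    (version, result, error, _framing, _bearer, _chans, _fw,
     host, vendor) = SCCRP_BODY.unpack_from(data, HEADER.size)
    return {
        "version": version,
        "result_code": result,
        "result": RESULT_CODES.get(result, f"unknown result code {result}"),
        "error_code": error,
        "host": _cstr(host),
        "vendor": _cstr(vendor),
        "ok": result == 1,
    }


def probe_pptp_control(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Open TCP 1723, send an SCCRQ and return the parsed SCCRP.

    Success here proves only the control channel. The data tunnel is GRE
    (IP protocol 47), which this probe does not exercise.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sccrq())
        data = b""
        while len(data) < MSG_LEN:
            chunk = sock.recv(MSG_LEN - len(data))
            if not chunk:
                raise ConnectionError("server closed TCP 1723 before replying")
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumed name
    info = probe_pptp_control(target)
    print(f"{target}: {info['result']} (host={info['host']!r}, vendor={info['vendor']!r})")
    if info["ok"]:
        print("Control channel OK. If the client still fails with error 800, "
              "suspect GRE (IP protocol 47) being dropped; this probe does not test it.")
```

Run it from outside the network against the external FQDN. A reply with result code 1 and the server's host name means the router and ISA are passing TCP 1723 correctly and a PPTP server is answering; a wrong magic cookie means the port was forwarded to something that is not PPTP; a timeout or reset means 1723 itself is not getting through. None of those outcomes says anything about GRE, which is exactly why the "1723 success" line in the ISA log was not enough on its own.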

Author

Commented:
Still working on this...haven't had time with the holidays.

Author

Commented:
Well, I tried everything suggested here and it didn't work for me no matter what I did.  Today I just happened to be working on one of our external sales guy's laptops and it had the small business connection manager installed.  I clicked on it and it connected almost instantly.  I haven't changed anything since the last time, or maybe it was a fluke with the connection manager on the other laptop.  Either way it is working for the moment.  Thanks for the help and I wish I could verify what the fix was, but I can't.