condorcape

asked on

Microsoft VPN through ASA 5510

I've got a few clients on our internal network that need to connect out onto the net to other networks by using Microsoft VPN. They use this to retrieve mail from the Exchange server sitting externally.

It seems to find the server but fails at the authentication stage.

Do I need to create a NAT for this? Our internal address range is on DHCP so I can't create a static NAT.

What ports need to be opened?

cedarghost

No, NAT should be running on the other side of their connection. Just make sure ports 1723 TCP and 47 IP (for GRE) are open.
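As an added example (not part of the original thread, and not the asker's actual configuration), this is how the passthrough described in the answer above looks on an ASA 5510 running pre-8.3 software. The interface names, the access-list name and the 192.168.1.0/24 inside range are assumptions. Because the inside hosts sit behind dynamic PAT rather than static NAT, the GRE data channel (IP protocol 47, which has no port numbers to translate) can only be tracked if PPTP inspection is enabled: the ASA watches the outgoing-call setup on the TCP 1723 control channel and opens the matching GRE translation for that call.

```cisco
! Assumed addressing: inside clients live in 192.168.1.0/24 and are
! PAT'd to the outside interface address (dynamic NAT, no static entries).
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Only needed if an access list is applied inbound on the inside interface;
! by default the ASA permits inside-to-outside traffic without one.
! "pptp" is the ASA keyword for TCP port 1723.
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq pptp
access-list inside_access_in extended permit gre 192.168.1.0 255.255.255.0 any
access-group inside_access_in in interface inside

! PPTP inspection: follows the call ID negotiated over TCP 1723 and
! dynamically permits and translates the associated GRE stream.
policy-map global_policy
 class inspection_default
  inspect pptp
service-policy global_policy global
```

If the control channel connects but the client stalls at the authentication step, the usual cause is that TCP 1723 is getting through while the GRE carrying the PPP authentication exchange is not; `show conn protocol gre` on the ASA will show whether a GRE connection was ever built for the client's address.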
condorcape

ASKER

TCP or UDP?
Oh sorry, just saw you mentioned it :)

ASKER CERTIFIED SOLUTION
cedarghost

Great, I've managed to get it working!

Thanks a mill!

Port connectivity should be taken care of by VPN, I would check for IP or DNS problems but you know your network best!  Here's your info:

http://support.microsoft.com/kb/176466/

Communication between Exchange Client computers and Exchange Server computers
An Exchange Client computer on a LAN or WAN link uses remote procedure call (RPC) to communicate with an Exchange Server computer. The Exchange Server computer, an RPC-based application, uses TCP port 135, also referred to as the location service that helps RPC applications to query for the port number of a service.

The Exchange Server computer monitors port 135 for client connections to the RPC endpoint mapper service. After a client connects to a socket, the Exchange Server computer allocates the client two random ports to use to communicate with the directory and the information store. The client does not communicate with other components of the Exchange Server computer.

If security concerns for a network infrastructure require blocking of any ports other than the ones used, then the random assignment of ports for communication with the directory and the information store can become a roadblock. To avoid this, Exchange Server versions 4.0 and later allow you to statically allocate these ports.

At this juncture, for successful communication between client and server, the firewall needs to be configured to allow TCP connections to port 135 and all statically allocated ports. If you need to monitor traffic for analysis, these are the ports to monitor.
Yeah, the problem is that the VPN wasn't being established.