Setting up a VPN with ISA 2006
Posted on 2009-05-07
I am having real difficulties setting up a basic PPTP VPN connection through our ISA 2006 server. I wish to have external access to our network. Here is my configuration and what I have attempted. Sorry it's long.
Windows 2008 DC
Installed ISA 2006 Standard on Windows Server 2003 with all services packs , updates etc.
IP configuration on ISA:
IP - 172.16.1.25
SUB - 255.255.0.0
DNS - 172.16.1.1 & 172.16.1.4
IP - 192.168.1.26
SUB - 255.255.255.0
GATEWAY - 192.168.1.254 (router)
DNS - 188.8.131.52 & 184.108.40.206 (external DNS for internet access)
DISABLED Client for Microsoft Networks and File and Print Sharing on this NIC
I have enabled VPN Client Access. I had to remove the external DNS entries from the WAN NIC as ISA popped up with a message stating that it could not add the ISA server to AD. Once these entries were removed, it registered OK. They are back on the NIC as I am unsure on how to set forwarders up correctly under DNS.
Address assignment method is DHCP
Authentication is MS-CHAPv2
No RADIUS server
I have created a VPN Users group in AD and added my user to this group.
Under VPN Client Properties I have set 10 VPN user limit. Added the VPN Users group. Enabled PPTP.
In the Firewall Policy, I have setup the following 2 rules:
DHCP Request (VPN to Local Host)
Protocols: DHCP (request)
From: VPN Clients
To: Local Host
DHCP Reply (Internal to VPN)
Protocols: DHCP (reply)
To: VPN Clients
In the Routing and Remote Access, I have setup a DHCP Relay Agent and set the IP address of our DHCP server.
I have opened port 1723 on our router and have pointed it to the external NIC IP.
I have checked to see if ISA is listening for port 1723 using netstat and it is.
When I try to connect to the VPN, ISA logs display that it sees the external connection using PPTP protocol and was successful. Then there is a DHCP request that is denied Default Rule (not sure if this is the VPN client attempting to request a DHCP address or not). At the client end I receive an Error: 721 message.
I have looked far and wide for a solution but I cannot. Can any VPN/ISA gurus help please?