Solved

Unable to Map Drives Over Site-To-Site VPN (ISA 2006)

Posted on 2009-12-16
482 Views
Last Modified: 2012-05-08
ISA 2006 at both ends.  Windows 2003 domain at the Central Site.

The Remote Site is connected (PPTP) and can access the mail server using Outlook and can ping and Remote Desktop to any computer in the domain, in the Central Site, and can be pinged, and can be remote-desktop'd into from the Central Site.

But the Workstation at the Remote Site is unable to map to any shares published on computers in the Central Site and is unable to browse any of those computers in Network Neighborhood.

The problem is definitely in the site-to-site connector because if I take the remote computer off the local site-to-site network at the remote end, and just put it out on the internet and do a standard vpn-dialup-type (connect to corporate network) connection to the Central Site, everything works fine, including mapping to shares in the Central Site.

I've been over and over and over the site-to-site connection (and, in fact have a 2nd site-to-site connection to the same Central Site that is working fine).  But I can't find anything wrong.

Any help would be greatly appreciated.
Question by:gateguard
12 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 2000 total points
ID: 26065698
I've been over and over and over the site-to-site connection (and, in fact have a 2nd site-to-site connection to the same Central Site that is working fine).  But I can't find anything wrong.

How would you do this if it was a private leased Line  (or a very very long Ethernet cable) instead of VPN?   It would be the same answer.   The fact that the WAN link happens to be VPN is really not relevant.  It would also be the same answer if this was happening between two Subnets located within the same physical Room with a LAN Router sitting between them.

I can't be any more specific than that because I know next to nothing about the rest of the network design and infrastructure.  But my goal here is to get you looking in the right places and thinking about the right things.

0
 

Author Comment

by:gateguard
ID: 26081495
The network design and infrastructure is pretty simple:

Windows7 Workstation
LinksysRouter (providing DHCP)
InsideNic of ISA-remote
OutsideNic of ISA-remote
ISP Cable Connection
VPN Tunnel (PPTP)
ISP Broadband Connection
OutsideNic of ISA-Central
InsideNic of ISA-Central
LinksysSwitch
DomainController (with DFS share)

This is on the link that's not working.  On a separate link, to a separate remote site, everything is the same except Server2003 on the remote computer.

But I don't think this is a Windows 7 problem, because if I plug the Windows 7 machine directly into the ISP Cable Modem and then use dial-up vpn to get to the ISA-Central, everything works.

Also (and this is something new that I just discovered), the Windows 7 machine is unable to attach to (or even see) a folder share that I set up on the ISA-remote machine, though a share on the Windows 7 machine is accessible from the ISA server.

So it's something on the ISA server (the remote, not the central) that is preventing any kind of folder sharing or browsing... even though things like email connection and remote desktop and pinging are all available.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 26081703
There are a couple of design issues that I see,...may or may not be related to the actual problem,...but need to be addressed anyway.

1. The Linksys should never be providing DHCP.  Each Site needs at least one DC,...the DC needs to be running DNS, DHCP, and optionally WINS.   The Windows DHCP interacts directly with the Windows DNS which is, in turn, associated with Active Directory and authentication.  A proper DNS Scheme must be designed that accommodates the WAN design and the two sites interacting together properly.  It may be required that you use Active Directory Sites and Services to configure and maintain the Active Directory Replication that may need to occur over the slow WAN link between the DCs.

2.  Never ever ever ever ever "file share" with  the ISA's.  It is a firewall product and needs to be treated that way.  The OS is to be hardened and locked down,...most of which is automatically done when the ISA software is installed (hence why your file sharing fails).   You wouldn't be trying to have "file shares" on a Cisco PIX or a Cisco ASA,...MS ISA is no different,...the fact that it is run on a "PC" is completely irrelevant.  In fact you can even buy ISA in an "appliance format" now.

3. You appear to have an ISA at each site at each end of the Tunnel. That's good.  But remember that traffic will never flow between the two sites correctly unless the Access Rules on both ISA's agree.   If one ISA says something is allowed and the other says it is not allowed,...then it is not allowed.  Also each direction is treated separately unless the Access Rules are set to be bi-directional.
0

Author Comment

by:gateguard
ID: 26082159
Thanks, pwindell.  I'm very interested in the points you bring up.

1. This remote site is actually the CEO's home and it's not so convenient having an entire other computer to be a DC in his small office at home.  I actually have DNS (secondary) installed on the ISA server.  Is that bad?  It is working at the other remote site, which also doesn't have a DC, though the DHCP server there is a windows server, not a linksys router.

2. The only reason I created that file share on the ISA server was for testing purposes, just to see if the file access problem was something vpn-related (seems not to be) or something more general.

3. I have All Outgoing Protocols enabled in both directions on the 4 access rules for the VPN connection (2 rules on each machine).  I also have All Outgoing Protocols enabled (for now) on an access rule on the ISA server (remote) relating to Internal->LocalHost.  Out of habit, I never set up bi-directional access rules but always use a separate Access Rule for each direction, LocalHost->Internal, for example.  Is that wrong?

Thanks for your thoughts on this, and thanks for all your help.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26082356
Ok,...I'm going to give you the cheapest, simplest, most straightforward, most dependable way to handle this.  Anything else is going to be such a mess that I don't think I'll want to get involved (I do this for free after all)

1. Yank the ISA out of his house and bring it back to the Main office and give it a useful job where it can earn its keep for the thousands of $$$$ you had to pay for it (it is a legal copy right?)

2. Forget the whole Site-to-Site VPN thing.  It is almost a pointless thing here in this case

3. Leave the Linksys box where it is,...it is just fine as a "home-user firewall".  Go ahead and let it handle DNS & DHCP.

4. On the ISA at the main office configure it to allow Remote Access VPN (not the same as a Site-to-Site VPN).  Configure it to use the regular in-house DHCP to supply the TCP/IP configuration to the incoming VPN Users (that is very important!!).  Do not use a Static Address Pool.

5. On the guy's machine set up the Dialup Networking for the Remote Access VPN.  Tell him to never leave the checkbox set to "remember password".  You don't need the little brats (or dogs and cats) running around the house to get on the Office LAN by clicking on an Icon to "see what it would do".

6. When the guy gets on his machine at home he can either activate the VPN after he reaches his Desktop or he can also do it during the main login by checking the checkbox at the Ctrl-Alt-Del prompt that says "Connect using Dialup connection".  The VPN Connectoid will take over the DNS and routing when it connects,...so he will have all the same access he would at work (just it runs slower),...but it is important that the machine he is using be a Domain Member and that he logs in with his domain level account.

How dependable is this?  Well,..we are an NBC Affiliate TV News Station.  I run two remote news offices this way,...and one is in the Capitol Building across from the governor's office.  I've been running it this way for years because there is not enough personnel with enough equipment at those offices to justify the high cost of doing a full Site-to-Site (and doing it "right").

0
 
LVL 29

Expert Comment

by:pwindell
ID: 26082390
Remember that you have to create Access Rules to allow the VPN Users to access the internal LAN.  If you fail to do that they will:

Dialup successfully -----connect successfully----authenticate successfully----and then successfully,... go nowhere.
0
 

Author Comment

by:gateguard
ID: 26084417
The thing is, this setup was working before.  Then there was a hard-disk crash and I rebuilt the machine and imported the saved configuration file for ISA2006.

As far as going back to on-demand vpn connection, I don't really think that's an option.  He likes the site-to-site, the way the connection NEVER gets interrupted (which is true, unless there's an ISP outage) so I've just got to make this work the way it is... and the way it worked before.

I'm taking what you say under advisement but I know this can work... I'm starting to think the problem is with the import of the previous ISA configuration xml file.  Maybe I'll just uninstall, reinstall and rebuild from scratch.

0
 
LVL 29

Expert Comment

by:pwindell
ID: 26084444
Well I'm not going to get into a Site-to-site thing,...it is just a horrible idea.  Especially with everything being anonymous due to the fact that there is no Domain and no DC at the "remote end",...and then being exposed to dogs, cats, kids, neighbors and whatever else comes into that house,...it is a horribly uncontrolled environment.

You're welcome to let him read my posts if you want,...he can get mad at me all he wants,...I don't work there.  :-)
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26084482
Oh,..yea,..and then the kids screw around on Limewire or some other nonsense,...infect their machine,...spread it to every machine in the house,...then spread it over the open VPN into the business LAN.   Words just can't describe the kind of disaster you are begging for.

When something bad finally happens,...it will eventually,...you don't think the CEO is going to take the blame? It will be you who takes the heat because they will tell you that you should have been prepared and protected the business LAN against such a thing.
0
 

Author Comment

by:gateguard
ID: 26106068
The problem turned out to be Symantec Endpoint.  Even when I temporarily turned off the features, it seems it still blocked some connectivity through the firewall.

When I un-installed Symantec Endpoint and installed a previous version of Symantec AntiVirus (Symantec 9), then the problems all went away.

Thanks for all your help and for your essay on the dangers of site-to-site from someone's home, a situation that is, I'm afraid, unchangeable in the current case.

I would like to point out that I myself use on-demand vpn from my home and sometimes forget to disconnect and the connection stays up for days.  I don't see how that's any more or less secure than site-to-site.

Employees are non-secure, by definition.  All the great security restrictions in the world don't stop an employee from taking a hammer to the computer... an extreme example, but I hope you get my drift, which is you secure things as best you can (anti-virus, firewalls, spyware detectors, password policies, access restrictions on resources, etc) and you keep a watchful eye on the place and you can't depend on some iron-clad rule NO SITE-TO-SITE CONNECTIONS FROM CEO HOMES to save your bacon.

Nothing will save your bacon.  Nothing but eternal vigilance.  (The price of bacon?)  If you think by mandating some extreme injunction against one type of connection you are protecting yourself from all harm, then you are living in a dream world.

Anyway, thanks again for all your help, and I hope anyone who stumbles on this problem because they are also having it reads the bottom line:

UNINSTALL SYMANTEC ENDPOINT AND INSTALL SOME OTHER ANTIVIRUS SOLUTION

0
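The symptom pattern in this thread (ping and Remote Desktop reach the Central Site, but SMB share mapping and Network Neighborhood browsing do not) can be checked quickly from the remote workstation instead of by reading ISA rules over and over. The script below is an added example, not code from the thread: it probes the TCP ports behind RDP (3389), direct-hosted SMB (445) and the NetBIOS session service (139) on a Central Site host and classifies the result; the host name is a placeholder and the `connect` parameter exists so the logic can be exercised offline with a fake connector.

```python
import socket
from typing import Callable, Dict

# Services the thread contrasts: RDP worked, share mapping / browsing did not.
PROBES = {"rdp": 3389, "smb_direct": 445, "netbios_session": 139}

# Type of a connectivity check: (host, port) -> reachable?
Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def probe_host(host: str, connect: Connector = tcp_connect) -> Dict[str, bool]:
    """Probe every port in PROBES on one host; returns {service: reachable}."""
    return {name: connect(host, port) for name, port in PROBES.items()}


def diagnose(results: Dict[str, bool]) -> str:
    """Classify a probe result into the cases worth distinguishing.

    'smb-blocked-on-reachable-host' is the thread's situation: the path to the
    host is fine (RDP answers), so look at what filters ports 445/139 on the
    path, e.g. a host firewall or an endpoint-security product on the
    firewall box, rather than at routing or the tunnel itself.
    """
    rdp = results["rdp"]
    smb = results["smb_direct"] or results["netbios_session"]
    if rdp and smb:
        return "transport-ok"          # file sharing failure is not a port block
    if rdp and not smb:
        return "smb-blocked-on-reachable-host"
    if smb and not rdp:
        return "rdp-blocked-on-reachable-host"
    return "host-unreachable"          # neither answers: routing/tunnel/host down


if __name__ == "__main__":
    target = "dc1.central.example"     # placeholder: a Central Site server
    result = probe_host(target)
    print(result, "->", diagnose(result))
```

Run it from the remote workstation and then from the same workstation on a plain remote-access VPN; the thread's case gives the "blocked" verdict over the site-to-site tunnel and "transport-ok" over the dial-up VPN, which narrows the fault to whatever sits on the site-to-site path.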
 

Author Comment

by:gateguard
ID: 26106106
By the way, the Linksys is still providing DHCP on this remote leg of the network and all is working fine.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 26106583
I would like to point out that I myself use on-demand vpn from my home and sometimes forget to disconnect and the connection stays up for days.  I don't see how that's any more or less secure than site-to-site.

Big difference,...it doesn't "route through".  Other machines on the LAN can't route through the Remote Access VPN of the machine that is dialed in.  So it is more secure.
0
