Solved

Troubleshoot VPN to Windows 2003 SBS Premium with ISA 2004 and Trend Micro WFBS

Posted on 2010-08-18
8
718 Views
Last Modified: 2012-05-10
I've been painstakingly creating a virtual duplicate of our physical Windows 2003 Small Business Server Premium, and I've finally got everything working except the VPN connections. This is despite having restored an exact backup of the ISA 2004 configuration from the physical server (known good) to the virtual server.

When attempting to connect via VPN to the virtual server using a laptop that can connect to the physical server without a problem, the connection times out and a message is displayed saying that the L2TP security could not be negotiated.

Research led me to suspect that Trend Micro Worry-Free Business Security might be the factor, so I tried disabling the Trend Micro Personal Firewall Service, which may have been adding layers of confusion and over-restriction on top of the ISA 2004 firewall. I still could not VPN in at that point (from a machine that VPN's into the physical server without a problem). So, I learned how to uninstall the Personal Firewall component of Trend Micro WFBS.

I will try standing up the virtual server tonight when our users are off the network. Until then, does anyone have any possible suggestions that could improve my chances of success with this VPN?

Thank you.

- Jason
0
Comment
Question by:upcjdidner
  • 5
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33468860
Define 'Cannot Connect' - do you get no result or an error message?
What do you see in the ISA real time log monitor? Is the client vpn traffic even getting to the virtual ISA/SBS box?
0
 
LVL 2

Author Comment

by:upcjdidner
ID: 33469022
Hmmm....

When I filter for Failed VPN connections or Initiated VPN Connections for the last 7 days, I get no results.

Do you think this supports the notion that the Trend Micro firewall was blocking VPN connection attempts before they even got to ISA?

Thanks,

Jason
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33469108
Yes - it is likely but your planned tests will prove that one way or another.
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 
LVL 2

Author Comment

by:upcjdidner
ID: 33469600
I just ran the same logging query in ISA Server on the physical SBS server and sure enough, that one correctly lists the VPN connections. This further proves that my VPN connection attempts weren't even reaching ISA last night.

Do you suspect any other variables aside from the Trend Micro firewall?
0
 
LVL 2

Author Comment

by:upcjdidner
ID: 33470434
OK - here's what I have from the client: Error 792: The L2TP connection attempt failed because security negotiation timed out.

And from the ISA Server logging, each connection attempt yielded the following:

Action: Denied Connection
Client IP: 75.193.145.194
Protocol: IKE Client

The client is using a Verizon Wireless mobile broadband hotspot (with which I connect just fine to the physical server). When I do an IPConfig on my computer, I get the IP address 192.168.1.2. I suppose Verizon is NATing for me?

Your thoughts on a cause or remedy?
0
 
LVL 2

Accepted Solution

by:
upcjdidner earned 0 total points
ID: 33859052
With the help of a consultant we came to the conclusion that ISA wasn't designed to be a VPN device in a virtualized environment; we went with a dedicated VPN appliance sitting outside the virtual server, and that worked.

Thanks all for your input.

- Jason
0
 
LVL 2

Author Comment

by:upcjdidner
ID: 33859079
The resolution for this question may be instructive to other people with a similar issue. It would have saved me many hours if it was out there in a search result.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question