Solved

Troubleshoot VPN to Windows 2003 SBS Premium with ISA 2004 and Trend Micro WFBS

Posted on 2010-08-18
8
714 Views
Last Modified: 2012-05-10
I've been painstakingly creating a virtual duplicate of our physical Windows 2003 Small Business Server Premium, and I've finally got everything working except the VPN connections. This is despite having restored an exact backup of the ISA 2004 configuration from the physical server (known good) to the virtual server.

When attempting to connect via VPN to the virtual server using a laptop that can connect to the physical server without a problem, the connection times out and a message is displayed saying that the L2TP security could not be negotiated.

Research led me to suspect that Trend Micro Worry-Free Business Security might be the factor, so I tried disabling the Trend Micro Personal Firewall Service, which may have been adding layers of confusion and over-restriction on top of the ISA 2004 firewall. I still could not VPN in at that point (from a machine that VPN's into the physical server without a problem). So, I learned how to uninstall the Personal Firewall component of Trend Micro WFBS.

I will try standing up the virtual server tonight when our users are off the network. Until then, does anyone have any possible suggestions that could improve my chances of success with this VPN?

Thank you.

- Jason
0
Comment
Question by:upcjdidner
  • 5
  • 2
8 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33468860
Define 'Cannot Connect' - do you get no result or an error message?
What do you see in the ISA real time log monitor? Is the client vpn traffic even getting to the virtual ISA/SBS box?
0
 
LVL 2

Author Comment

by:upcjdidner
ID: 33469022
Hmmm....

When I filter for Failed VPN connections or Initiated VPN Connections for the last 7 days, I get no results.

Do you think this supports the notion that the Trend Micro firewall was blocking VPN connection attempts before they even got to ISA?

Thanks,

Jason
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33469108
Yes - it is likely but your planned tests will prove that one way or another.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 2

Author Comment

by:upcjdidner
ID: 33469600
I just ran the same logging query in ISA Server on the physical SBS server and sure enough, that one correctly lists the VPN connections. This further proves that my VPN connection attempts weren't even reaching ISA last night.

Do you suspect any other variables aside from the Trend Micro firewall?
0
 
LVL 2

Author Comment

by:upcjdidner
ID: 33470434
OK - here's what I have from the client: Error 792: The L2TP connection attempt failed because security negotiation timed out.

And from the ISA Server logging, each connection attempt yielded the following:

Action: Denied Connection
Client IP: 75.193.145.194
Protocol: IKE Client

The client is using a Verizon Wireless mobile broadband hotspot (with which I connect just fine to the physical server). When I do an IPConfig on my computer, I get the IP address 192.168.1.2. I suppose Verizon is NATing for me?

Your thoughts on a cause or remedy?
0
 
LVL 2

Accepted Solution

by:
upcjdidner earned 0 total points
ID: 33859052
With the help of a consultant we came to the conclusion that ISA wasn't designed to be a VPN device in a virtualized environment; we went with a dedicated VPN appliance sitting outside the virtual server, and that worked.

Thanks all for your input.

- Jason
0
 
LVL 2

Author Comment

by:upcjdidner
ID: 33859079
The resolution for this question may be instructive to other people with a similar issue. It would have saved me many hours if it was out there in a search result.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now