Outbound VPN calls through ISA Server 2004

silchester
We have a Small Business Server 2003 which has been running successfully for several years.
However, since we changed our router it does not allow us to create a VPN connection to external equipment.

Although it appears that the ISA server is inhibiting the tunnel, the only item we have changed is the router. The router is set up as a DMZ host with the IP address set as the server's IP address.
Commented:
If the only thing you changed was the router, then that is where I would start.
I assume it has the same IP as the old router.
Are the interfaces set up the same as the old router? Does it have the same trunks and routes set up?
Do you get any errors on the router?

Author

Commented:
The router is different, but I have now set it up similar to the router before. I utilise port forwarding and have specified PPTP.

However the VPN client is initiated from the PC on the SBS network so I do not see how I could have affected it?

The ISA Server is reporting the PPTP connection is blocked?

All very confusing.

Commented:
If the VPN uses a different IP range, it will go through the router.
Make sure that port 1723 is open on the router. That is the port used by PPTP.
 

Author

Commented:
My network is 192.168.16.x, whereas the VPN is 192.168.1.x. So that is OK and has not changed.

Port 1723 is also open. At the moment the firewall has been disabled on the router.

I have set up the router to port forward to the server's IP address.


port-forward.bmp

Commented:
Is that a two way route?
1723 is open to the server, but how about back to the 192.168.16 and 192.168.1 ranges?
 

Author

Commented:
All external traffic from the server is routed via its default gateway, which is the router's IP address.

Commented:
Your screen shot shows the port open on one port, which I assume is the inbound port.
It does not show the port open on the outgoing port.
The server is telling you that the port is blocked outgoing.
 

Author

Commented:
On the router the Port Forward option is aimed at forwarding external (internet) traffic to an IP address on the internal network.

Our structure is a single router that connects to an ethernet card on the server. The internal network is on a second network card on the server.

Therefore the server is also acting as a firewall for the system.

Any outgoing network traffic from our PC goes via the server (SBS2k3) and ISA server and then through the default gateway, which is the router's IP address. The router currently does not have the firewall enabled, and as such I would expect it to pass through.

Am I not understanding something?

Commented:
No, I wasn't.
I am out of ideas, sorry.
Most Valuable Expert 2011

Commented:
Only SecureNAT Clients can make outbound VPN connections.  
Web Proxy and Firewall Clients will not,...will never happen,...impossible.
Why? Because VPN requires GRE and the Web Proxy and Firewall Service are restricted to only TCP and UDP.

ISA is not going to report the connection as blocked if the ISA is not the one doing the blocking.

If the outer NAT box is where the problem is, then the ISA will report the connection as failed,...not denied. The exact words used in the ISA log are important.

The outer NAT box is either allowing PPTP outbound,...or it is not. There is no "forwarding", reverse NATing or anything else. Just PPTP outbound,...either it is,...or it is not.
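The distinction this answer draws between a "denied" and a "failed" connection in the ISA log, together with the point that PPTP needs GRE as well as TCP 1723, can be turned into a small triage check. The following Python script is an added example, not code from the thread, from Microsoft, or from ISA Server itself: it reads constructed log lines in a simplified tab-separated layout modelled on the ISA Server 2004 W3C firewall log (five columns only; the action strings are the ones ISA uses, the rule names and the remote address 203.0.113.5 are made up) and classifies each client/destination pair as blocked by ISA, not answered upstream, missing GRE, or fine.

```python
import csv
import io
from collections import defaultdict

# Column subset of the ISA Server 2004 W3C firewall log used here (assumption:
# real logs carry many more fields; only these five are needed for triage).
FIELDS = ["client_ip", "dest_ip", "protocol", "action", "rule"]

# Constructed sample lines (not real log data). Client addresses are in the
# thread's 192.168.16.x LAN; 203.0.113.5 is a documentation address standing
# in for the remote VPN endpoint; "Outbound VPN" and "Default rule" are
# placeholder rule names.
SAMPLE_LOG = """\
192.168.16.12\t203.0.113.5\tPPTP\tInitiated Connection\tOutbound VPN
192.168.16.12\t203.0.113.5\tGRE\tDenied Connection\tDefault rule
192.168.16.13\t203.0.113.5\tPPTP\tFailed Connection Attempt\tOutbound VPN
192.168.16.14\t203.0.113.5\tPPTP\tInitiated Connection\tOutbound VPN
192.168.16.14\t203.0.113.5\tPPTP\tClosed Connection\tOutbound VPN
192.168.16.15\t203.0.113.5\tPPTP\tInitiated Connection\tOutbound VPN
192.168.16.15\t203.0.113.5\tGRE\tInitiated Connection\tOutbound VPN
"""


def parse_log(text):
    """Parse tab-separated log text into dicts, skipping W3C '#' header lines."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    return [row for row in reader
            if row["client_ip"] and not row["client_ip"].startswith("#")]


def triage(entries):
    """Classify each (client, destination) pair's PPTP/GRE traffic.

    Returns {(client_ip, dest_ip): (code, explanation)} where code is one of
    'isa-denied', 'upstream-failure', 'no-gre' or 'ok'.
    """
    by_pair = defaultdict(list)
    for e in entries:
        if e["protocol"] in ("PPTP", "GRE"):
            by_pair[(e["client_ip"], e["dest_ip"])].append(e)

    verdicts = {}
    for pair, events in by_pair.items():
        seen = {(e["protocol"], e["action"]) for e in events}
        denied = [e for e in events if e["action"] == "Denied Connection"]
        if denied:
            # ISA itself refused the traffic: an access-rule problem on ISA.
            verdicts[pair] = ("isa-denied",
                              f"{denied[0]['protocol']} blocked by rule '{denied[0]['rule']}'")
        elif any(action == "Failed Connection Attempt" for _, action in seen):
            # ISA let it out but nothing answered: look at the outer NAT router
            # or the remote end, not at ISA's rules.
            verdicts[pair] = ("upstream-failure",
                              "ISA allowed the connection but it never completed")
        elif ("PPTP", "Initiated Connection") in seen and not any(p == "GRE" for p, _ in seen):
            # Control channel on TCP 1723 worked but GRE never appeared: the
            # client is likely a Firewall/Web Proxy client (TCP/UDP only), not SecureNAT.
            verdicts[pair] = ("no-gre", "TCP 1723 passed but no GRE traffic seen")
        else:
            verdicts[pair] = ("ok", "PPTP control channel and GRE both passed")
    return verdicts


if __name__ == "__main__":
    for (client, dest), (code, why) in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {dest}: {code} ({why})")
```

Run against a real export, the same three questions apply: does the log say "Denied" (fix the ISA access rule, which must allow the PPTP protocol definition including GRE and be anonymous for SecureNAT clients), does it say "Failed" (look at the outer router), or is there TCP 1723 but no GRE at all (the workstation is not behaving as a SecureNAT client)?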

Author

Commented:
Many thanks for the comment.

I read what the ISA server is saying, but cannot understand why, as nothing has supposedly changed, only the router.

I tried connecting to the router directly and the VPN connection works fine, therefore I think it must be the ISA server.

I have attached a copy of the ISA XML export file and the log file for the firewall. The example of VPN is to IP address 217..36.222.13 from my client PC 192.168.16.12.
isa201010.xml
Most Valuable Expert 2011
Commented:
The XML files are useless to me.
Do not paste raw log files into a post either,...that is just as useless.
Just explain what the logs actually say.
Only SecureNAT Clients can make outbound VPN connections.
SecureNAT Clients cannot authenticate, so that Access Rule must be anonymous.
If the Firewall Client is installed on the same workstation, then it must be disabled temporarily in order to use the VPN.
Knowing those things,...combined with what you see in the logs, should be enough for you to sort it out.
 

Author

Commented:
Used another source external to experts-exchange to assist.
