E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/03/2007 05:00 PM
I am trying to test my VPN connection and I can't seem to create a VPN connection. I ran the RRAS wizard and set up VPN. When I try to create a connection the ISA 2004 Firewall gives me this message:
Denied Connection:
Log type: Firewall service
Status:
Rule: SBS Internet Access Rule
Source: Internal (192.168.1.110:54957)
Destination: External...
Protocol: PPTP
User
It is always denying the VPN access. Any ideas?
Michael Patrick  United States Member since 10/26/2005
Platinum Membership Posts: 1912

8/03/2007 05:49 PM
How about creating a rule to allow VPN (using PPTP) from internal to External and placing it above the SBS Internet Access Rule (which should be on the bottom of the list and is the one that will block anything that is not configured before that)?
Michael Patrick
"Technology Interpreter Extraordinaire" CAD, BIM & SBS
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/03/2007 06:03 PM
Hmm. I am trying to understand what you are trying to do. Are you wanting to VPN out from a workstation behind the SBS or are you trying to VPN from a remote location into the SBS server? If the first option: is the ISA Firewall Client installed on the workstation, as you shouldn't need to do anything else than that? If the second option: please elaborate.
Marina Roos
Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/03/2007 06:38 PM
The above error was happening when I was trying the first option. I also tried the second option remotely and got a message saying something like 'the server is not responding'...
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/05/2007 11:40 PM
It seems that I can connect to the VPN if I use the local address, but if I am somewhere else and I try to use our public IP to access the VPN it will say that the server is not responding. My router, which controls the internet, has the DMZ set up for our win2k3 server. I am able to connect to our internal POS system using our IP because I have a 'server publishing rule', but if I try to connect to VPN using our IP it says that the server is not responding. The router is not blocking anything since the DMZ is set up for our server.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/06/2007 01:12 AM
Hi E,
Please, post an ipconfig /all from the server and a workstation. Open a command prompt by opening Start -> Run from the Start Menu and type cmd. From the command prompt type ipconfig /all >ip.txt. Attach this file to your answer.
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/06/2007 10:42 PM
Windows IP Configuration
   Host Name . . . . . . . . . . . . : bomba-server
   Primary Dns Suffix . . . . . . . : Bomba.lan
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Bomba.lan
Ethernet adapter External Internet Connection:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Server Adapter
   Physical Address. . . . . . . . . : 00-07-E9-0E-2B-B1
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Disabled
Ethernet adapter Internal LAN Connection:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Network Connection
   Physical Address. . . . . . . . . : 00-19-D1-40-DC-48
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/07/2007 01:12 AM
Hi E,
Please elaborate on the 'DMZ setup for our win2k3 server' and the 'server publishing rule'. By default, you should only have to run the RRAS and CEICW wizard and make sure that port 1723 and GRE protocol 47 are being forwarded from the router to have VPN working.
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/07/2007 04:44 AM
Our router allows the input of a "DMZ host IP address" which allows that specific IP address to be completely exposed to the internet. This DMZ host IP address is currently the address of our Win2K3 machine. This exposes the win2k3 machine to the internet and allows the win2k3 machine to use its own firewall to protect itself. This also means that there is no need to forward any ports from the router since the Win2K3 machine is completely exposed to the internet, does it not?
The server publishing rule was created so that we may access an internal POS system which is connected to using SSH Telnet. Therefore the server publishing rule allows SSH traffic to be forwarded to the internal IP address of our POS system. This works fine.
Internally both an SSH connection and a VPN connection can be made no problem. But externally, when I use our public IP address only an SSH connection is successful but the VPN connection is not. When I try to create an external VPN connection it will tell me that the server is not responding. It's weird that the SSH connection gets through but the VPN connection does not.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/07/2007 05:00 PM
Hi E,
I would never use the DMZ port on a router. You can message me privately and give the IP of the VPN host and some valid user credentials that are allowed to VPN in, so I can try and see if it should be working.
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/07/2007 06:03 PM
I have looked at the logs of both the router and the ISA firewall. The router is allowing the traffic through. When the ISA firewall receives the VPN request it opens a connection and then closes it right away. It is not denying the connection yet it closes it immediately.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/07/2007 07:22 PM
Hi E,
I am getting error 721, which can mean that GRE protocol 47 is not being passed through by the router. Check your router for that, also known as PPTP pass through.
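An added example, not part of the original thread: a simplified Python model of why forwarding TCP port 1723 alone does not carry a PPTP session, which is the point the replies above make about GRE protocol 47. The router model, the function names and the client/public addresses are assumptions constructed for illustration (not the Linksys firmware's behaviour); 192.168.2.10 is the server's external adapter address posted earlier in the thread.

```python
import socket
import struct

TCP, GRE = 6, 47          # IP protocol numbers
PPTP_CONTROL_PORT = 1723  # PPTP control channel runs over TCP

def ipv4_packet(proto, src, dst, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0; constructed sample data)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def tcp_segment(sport, dport):
    """Minimal 20-byte TCP header with the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def classify(packet):
    """Return (IP protocol, destination port or None) from raw IPv4 bytes."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == TCP:
        return proto, struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, None  # GRE carries no port numbers for a port-forward to match

def router_forwards(packet, port_forwards, pptp_passthrough):
    """Hypothetical NAT model: port_forwards maps (proto, port) -> internal IP."""
    proto, dport = classify(packet)
    if (proto, dport) in port_forwards:
        return port_forwards[(proto, dport)]
    if proto == GRE and pptp_passthrough:
        # Pass-through sends GRE to the host that owns the PPTP control channel.
        return port_forwards.get((TCP, PPTP_CONTROL_PORT))
    return None  # dropped at the router

def pptp_path_check(port_forwards, pptp_passthrough):
    """Report which of the two PPTP flows would reach the VPN server."""
    client, public = "203.0.113.7", "198.51.100.20"  # constructed documentation addresses
    control = ipv4_packet(TCP, client, public, tcp_segment(50000, PPTP_CONTROL_PORT))
    # Constructed enhanced-GRE header start, protocol type 0x880B (PPP).
    data = ipv4_packet(GRE, client, public, b"\x30\x81\x88\x0b" + b"\x00" * 8)
    return {
        "tcp_1723": router_forwards(control, port_forwards, pptp_passthrough) is not None,
        "gre_47": router_forwards(data, port_forwards, pptp_passthrough) is not None,
    }

# Server's external adapter address from the ipconfig output in the thread.
FORWARDS = {(TCP, PPTP_CONTROL_PORT): "192.168.2.10"}
```

With pass-through off, the model delivers the control connection but drops GRE, so the tunnel never carries data even though the router log shows the TCP connection being allowed.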
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/07/2007 07:35 PM
I enabled the PPTP pass through but it still does not work.
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/07/2007 09:18 PM
This problem also occurs when I try to send files using FTP. I can create an FTP connection but when I try to send a file the ISA firewall will open a connection port for the 'sending of the file' and then close it immediately. I am not sure why this opening and closing is happening for VPN either :(
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/07/2007 09:49 PM
Hi E,
What kind of router do you have? I am not a big fan of running FTP server on SBS, and if you have got it running, I sure hope you have implemented our article on how to do that securely. Port 21 is not listening from outside, so maybe you will have to rerun CEICW and enable FTP if you still want to use that. If you haven't changed anything manually in ISA, VPN should work unless your router is having a problem with it.
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/07/2007 09:57 PM
Linksys BEFSR41 V3 Etherfast Cable/DSL router.
I'm not hosting an FTP site. What I was trying to do was from a client desktop use FTP to send files to an external FTP site.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/07/2007 10:02 PM
Hi E,
You should be able to use FTP from a workstation if that workstation has got the ISA Firewall Client installed and if it is NOT set to auto discovery. Check the Linksys website to see if there is a firmware update.
E Zero  Canada Member since 7/10/2007
Registered Users Posts: 150
8/07/2007 10:13 PM
I have updated the firmware on the router and still the VPN will not work.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12507

8/07/2007 10:36 PM
Hi E,
2 options for you: you take the router away from the DMZ port and use port forwarding to see if that resolves it. Other option is to use our remote support service.
Stan Guinn  Texas, USA Member since 12/29/2005
Platinum Membership Posts: 1913

8/07/2007 10:39 PM
~ Linksys BEFSR41 <- I wouldn't be surprised if this turns out to be your problem. I have wasted so many hours trying to get Linksys routers to VPN. Check your Event Viewer, Application Logs and look for Event ID 721. If it is in there, you probably will not get this router to work VPN for you.