Networking Forums

Windows 2003 and ISA 2000 SP2 - traffic blocked after VPN connected

 
 
Andrew Wilcox
      05-14-2008, 08:55 PM
Hello.

I have a Windows 2003 server running ISA Server 2000 Service Pack 2 on my
local subnet. It runs fine, serves clients and a VPN, and is the 'main'
server in the enterprise.

Now I am trying to set up a new subnet at another site. The primary server
at this subnet also runs Windows 2003 and ISA 2000 SP2. When I attempt to
connect to the main server's VPN, it does connect -- but then ISA Server
blocks all outgoing traffic. Disconnecting the demand-dial interface in the
RRAS console restores connectivity to the Internet and local subnet, but of
course I cannot access the primary subnet anymore. The primary subnet has
Active Directory and the remote profiles, so it is important that it can
connect to the primary subnet. Is there a specific configuration option I
need to change to get the VPN connection to work properly? I did run the
local VPN wizard on the primary subnet and the remote VPN wizard on the new
subnet. I also tried establishing a VPN connection using the Network
Connections Control Panel and got the same results (and I have since deleted
the VPN connection from the Control Panel).

A basic network architecture diagram can be found at
http://76.26.0.123/NetArch.png .

I have Googled on phrases similar to "ISA Server 2000 blocks traffic after
connected to VPN" but I found no relevant results.

Here is the ipconfig /all output for both computers:
Primary subnet's server: http://pastebin.com/m2c358717
New subnet's server (with the blocked ISA): http://pastebin.com/m1eae6286

If you need any more information I will be glad to provide.
 
Bill Grant
      05-14-2008, 11:10 PM
I would look closely at the options you are offered when setting up the
VPN. In Windows 2000 RRAS the VPN option was in fact a "VPN only" setting -
ie it set up the server to handle VPN traffic only and set packet filters to
block all other traffic. Sounds like the situation you have struck.

 
Andrew Wilcox
      05-14-2008, 11:59 PM
The VPN server is running fine -- it is the VPN 'client' (the new subnet's
'departmental' server), running Windows Server 2003 (all servers are running
2003 here -- we removed our last legacy 2000 server two months ago), that is
having a problem. I did run a fine-toothed comb over the RRAS settings, IP
routing tables, et al and they are, to the best of my knowledge, correct.

The problem only presents itself when the VPN connection is active, as well;
it is fine when the connection is deactivated.

It is ISA Server 2000 that is actually blocking the packets. If you would
like some of the ISA IPP log I would be happy to pastebin it. Please advise.

Thanks,
Andrew

 
Bill Grant
      05-15-2008, 05:00 AM
It was the setup options in ISA 2000 that I suggested you look at. If
they are like the ones in RRAS 2000, using the simple VPN option will set up
packet filters to block all non-VPN traffic.

 
Phillip Windell
      05-15-2008, 04:45 PM
You can't use RRAS on an ISA box for VPN.
You can't use RRAS for hardly anything on an ISA box.
ISA "takes over" RRAS and "owns & operates" RRAS behind the scenes.

So,...you'll have to leave RRAS alone.

ISA must *be* the VPN Server at both ends (since you have ISA at both ends).

You have to specifically setup a Site-to-Site VPN between the two ISA
Servers. This is not the same as Remote Access VPN and is more complex to
setup.

The Internal Network Definition Address Ranges on *both* ISA Servers need to
include the IP Ranges used on *both* LANs.

Here is the only remaining article that I can find on using ISA2000 at both
ends of a Site-to-Site VPN. ISA2000 is pretty much "dead", is 8 years old,
and it is getting very difficult to find information about it.

ISA Server 2000 Branch Office Kit Chapter 3
http://www.isaserver.org/img/upl/isa...h/3isaboth.htm

I personally differ with the article in a couple of things.
1. I would skip #3. I do not do,..and do not recommend,... making the
ISA a DNS Server for the sake of the VPN. I recommend that all hosts on the
LANs use the AD/DNS for their DNS server and that the DNS Server uses the
ISP's DNS as a Forwarder and is allowed outbound access with the DNS
Protocol. If it is already a DNS server due to it being an SBS installation
then that is fine.
2. You can skip Step 4 if you use PPTP. There is also a way to use L2TP
without a Certificate. But if you have a Cert or want to buy one,..then
fine.

You may also find shorter, simpler details about Site-to-Site VPNs in the
built-in ISA Help.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 
Andrew Wilcox
      05-15-2008, 09:19 PM
The problem has been resolved! Thank you so much!

It seems the LAT was misconfigured. I did not realise both sites had to
have both sites' IPs in the LAT.

Again, thank you very much for your assistance.

Andrew

 
Phillip Windell
      05-16-2008, 02:34 PM
"Andrew Wilcox" <(E-Mail Removed)> wrote in message
news:47E3B658-B85C-43E4-B50B-(E-Mail Removed)...
> The problem has been resolved! Thank you so much!
>
> It seems the LAT was misconfigured. I did not realise both sites had to
> have both sites' IPs in the LAT.


Yep. Once you join two IP Segments with a private link (VPN or otherwise)
then they are one big happy "internal" Network. Neither is "external" to
the other any longer.

I couldn't remember if ISA2000 used the term LAT or Internal Network
Definition (like ISA2004/6). That dates back a while,...I think I remember
starting some PCs with a pull-rope back when ISA2000 was in use.

Your name seems familiar,...weren't you around in the NGs back in the days
when we were working with MS Proxy2?

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
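A way to make the resolution of this thread concrete, added here as an example and not code from the thread or from ISA Server itself: the script below models the ISA 2000 LAT as a list of from/to address ranges and checks, for each site, whether the other site's LAN is covered. That is Phillip Windell's point that the internal ranges on both ISA servers must include both LANs, and his follow-up that two segments joined by a private link are one internal network. It also flags the opposite mistake, a LAT that swallows the external adapter's subnet, because ISA then treats Internet hosts in that range as internal and they bypass the firewall policy. All addresses, including the 203.0.113.x external address and the 192.168.x.0/24 LANs, are constructed for the example; the real ranges were in pastebins not reproduced here.

```python
"""LAT coverage audit for a two-site ISA Server 2000 site-to-site VPN.

Added example; this is not code from the thread or from ISA Server. ISA 2000
classifies a destination as internal or external by looking it up in the Local
Address Table (LAT), a list of from/to address ranges; destinations outside the
LAT are handled by the firewall policy. The fix in the thread was that each
site's LAT must list *both* LANs. Every address below is constructed for the
example (the real ranges were in pastebins that are not reproduced here).
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

# Constructed sample LANs, one per site.
SITES = {
    "primary": IPv4Network("192.168.1.0/24"),
    "branch": IPv4Network("192.168.2.0/24"),
}

# Constructed public address on the branch ISA's external adapter.
BRANCH_EXTERNAL_IP = "203.0.113.10"

# LAT entries as (first, last) address ranges, which is how the ISA 2000 LAT
# stores them. Before the fix, each LAT listed only its own LAN, so the far
# site was 'external' and its traffic hit the firewall policy once the VPN was up.
LAT_BEFORE = {
    "primary": [("192.168.1.0", "192.168.1.255")],
    "branch": [("192.168.2.0", "192.168.2.255")],
}

# After the fix: both LANs appear in both LATs.
LAT_AFTER = {
    "primary": [("192.168.1.0", "192.168.1.255"), ("192.168.2.0", "192.168.2.255")],
    "branch": [("192.168.2.0", "192.168.2.255"), ("192.168.1.0", "192.168.1.255")],
}

# The opposite mistake: a branch LAT that also swallows the external adapter's
# subnet, which makes ISA treat Internet hosts in that range as trusted.
LAT_OVERBROAD = {
    "primary": LAT_AFTER["primary"],
    "branch": LAT_AFTER["branch"] + [("203.0.113.0", "203.0.113.255")],
}


def lat_networks(entries):
    """Expand (first, last) LAT ranges into CIDR networks."""
    nets = []
    for first, last in entries:
        nets.extend(summarize_address_range(IPv4Address(first), IPv4Address(last)))
    return nets


def classify(entries, dst):
    """'internal' if dst is inside the LAT, otherwise 'external'."""
    addr = IPv4Address(dst)
    return "internal" if any(addr in n for n in lat_networks(entries)) else "external"


def uncovered(entries, network):
    """Hosts of `network` that the LAT does not cover."""
    nets = lat_networks(entries)
    return [h for h in network.hosts() if not any(h in n for n in nets)]


def audit(lats, sites, external_ips):
    """Per site: how many far-LAN hosts its LAT misses, and which of its own
    external addresses it wrongly lists as internal."""
    report = {}
    for site, entries in lats.items():
        missing = {
            other: len(uncovered(entries, net))
            for other, net in sites.items()
            if other != site
        }
        leaks = [ip for ip in external_ips.get(site, []) if classify(entries, ip) == "internal"]
        report[site] = {"missing_far_hosts": missing, "external_in_lat": leaks}
    return report


if __name__ == "__main__":
    ext = {"branch": [BRANCH_EXTERNAL_IP]}
    for label, lats in (("before", LAT_BEFORE), ("after", LAT_AFTER), ("overbroad", LAT_OVERBROAD)):
        print(label, audit(lats, SITES, ext))
        # Constructed address of a domain controller on the primary LAN.
        print("   branch -> 192.168.1.10 is", classify(lats["branch"], "192.168.1.10"))
```

Run it as-is to see the before, after and over-broad reports; to audit a live pair, copy the from/to ranges out of each ISA console's LAT into the dictionaries and put each server's real external adapter address into `external_ips`. A clean result is zero missing far-LAN hosts at both sites and an empty `external_in_lat` list.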
