Discussion:
connect a remote office with ISA
tester
2004-09-16 17:21:16 UTC
Prior to ISA I had a remote office, 192.168.168.0/24. They use a T1 and we
have a VPN route to each other (hardware to hardware). Everything went fine
until I migrated us to SBS 2003 Premium with ISA.

Now the folks in that 192.168.168.0/24 range cannot connect or ping to
anyone in our 192.168.1.0/24 range, so I cannot do a
server/connectcomputer to join them to the SBS domain.

I know I most likely need to create some kind of route or rule to tell ISA
that those folks are "local", but I can't seem to figure it out.
I added an entry in the LAT for them and restarted the Microsoft Firewall
service (that IS the right one, no?). (Do I have to restart the service after
making a change?)
I know I'm not too far off on this one.


FWIW,
if I change my gateway on a workstation in the main office to be the old
setting, I can again ping the remote stations, so I know the tunnel is still
active and running just fine. I was using Remote Desktop to those
workstations to test this stuff out.
I plan to put an 03 DC there shortly; my old W2K DC will be upgraded to 03
and made a DC in the SBS domain and placed there for authentication (good
idea, right?)

Thanks.
Justin Crosby [MSFT]
2004-09-16 20:32:57 UTC
Can you provide us with a network diagram and the results of an ipconfig
/all and a route print from the server and a client on both sides?

Best Regards,


Justin Crosby, MCSE
Microsoft Online Support Engineer

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
tester
2004-09-16 20:52:18 UTC
I can work on that; the folks at the other office have gone home, so I might
not be able to get the route print. (They are road warriors and use
laptops.)

I will try that in the AM.
Post by Justin Crosby [MSFT]
Can you provide us with a network diagram and the results of an ipconfig
/all and a route print from the server and a client on both sides?
Carlos Delgado (Costa Rica)
2004-09-17 00:33:02 UTC
Hello:

Are you able to PING or communicate with the other office directly from the
ISA Server? If not, maybe you need to define a static persistent route on the
ISA's routing table for it to be able to reach the other network.

I assume you want the ISA to control access to Internet and also route
requests to the other office through the VPN, right?

Regards,
unknown
2004-09-17 13:24:21 UTC
Post by tester
Prior to ISA I had a remote office 192.168.168.0/24 they use a t1 and we
have a vpn route to each other (hardware to hardware) everything went fine
until I migrated us to sbs2003 premium with ISA.
Is the VPN still running on the same "hardware-to-hardware" equipment? If
this is so and the VPN itself has not really changed, then what has happened
is that you have improperly altered the LAN's routing scheme. Typically it
means you made the ISA the clients' Default Gateway when it should not be.
They should not use the ISA as their Default Gateway unless this is a single
subnet LAN and you intend to run the clients *specifically* as SecureNAT
Clients. The Default Gateway setting is not relevant to Web or Firewall
Clients.

Including the remote LAN's IP block in the LAT is the correct thing to do,
assuming you meant their private address block and not their public one.
Also, if you access the remote equipment using some type of internal FQDN,
then that FQDN needs to be added to the ISA's LDT.

The ISA will also have to have a static route added to itself for the remote
LAN that points to the VPN device, but that is only if the ISA needs to
contact the remote LAN or the remote LAN needs to use the ISA. It would
also need the static route if you are somehow using the ISA box to route LAN
traffic, but you should not be doing that.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
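The routing check that Carlos (a persistent static route on the ISA) and Phillip (the ISA as the clients' default gateway) describe above, as an added example that is not part of the original thread. It parses a constructed `route print` table from the ISA box, does the same longest-prefix lookup the Windows stack does for a remote-office address, and reports whether the packet leaves by the default route (out the external NIC, where it is lost) or by a static route to the hardware VPN device. The ISA internal address 192.168.1.2, the VPN device address 192.168.1.1, the external addresses 203.0.113.x and the whole route table are assumptions; only the two /24 blocks come from the thread.

```python
"""Where does the ISA box send a packet for the remote office?

Added example, not from the thread. Parses the IPv4 "Active Routes" section of
`route print` on the ISA, does a longest-prefix lookup, and checks whether a
LAT (internal) destination is being pushed out the default route. Addresses
marked ASSUMED are not in the thread.
"""
import ipaddress
import re

# ISA Local Address Table as the poster described it: both private blocks.
LAT = [ipaddress.ip_network("192.168.1.0/24"),
       ipaddress.ip_network("192.168.168.0/24")]

VPN_DEVICE = "192.168.1.1"       # ASSUMED: LAN side of the hardware VPN/firewall
ISA_INTERNAL = "192.168.1.2"     # ASSUMED: ISA internal NIC
REMOTE_NET = "192.168.168.0/24"  # remote office block from the thread

# Constructed `route print` output from the ISA before any static route was
# added. External NIC 203.0.113.10, ISP router 203.0.113.1 (ASSUMED).
ROUTE_PRINT_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2      20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2      20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2      20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
Default Gateway:       203.0.113.1
"""

_Q = r"(\d{1,3}(?:\.\d{1,3}){3})"
_ROW = re.compile(rf"^\s*{_Q}\s+{_Q}\s+{_Q}\s+{_Q}\s+(\d+)\s*$")


def parse_route_print(text):
    """Return [(network, gateway, metric), ...] from the IPv4 active-routes table."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                      # headers and "Default Gateway:" line
        dest, mask, gw, _iface, metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gw), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric; None if no route."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))


def in_lat(addr):
    return any(ipaddress.ip_address(addr) in n for n in LAT)


def add_persistent_route(routes, network, gateway, metric=1):
    """Model of `route add -p <net> mask <mask> <gw>` run on the ISA box."""
    return routes + [(ipaddress.ip_network(network), ipaddress.ip_address(gateway), metric)]


def route_add_command(network, gateway):
    """The exact command to type on the ISA box to make the route persistent."""
    net = ipaddress.ip_network(network)
    return f"route add -p {net.network_address} mask {net.netmask} {gateway}"


def diagnose(routes, dst):
    """Which route the ISA would use for dst, and whether that looks right.
    A LAT destination that only matches the default route is being sent out
    the external interface: that is the symptom in the thread."""
    hit = lookup(routes, dst)
    if hit is None:
        return {"lat": in_lat(dst), "via": None, "prefix": None, "ok": False}
    net, gw, _metric = hit
    ok = not (in_lat(dst) and net.prefixlen == 0)
    return {"lat": in_lat(dst), "via": str(gw), "prefix": str(net), "ok": ok}


if __name__ == "__main__":
    before = parse_route_print(ROUTE_PRINT_BEFORE)
    print("before:", diagnose(before, "192.168.168.10"))
    print("fix:   ", route_add_command(REMOTE_NET, VPN_DEVICE))
    after = add_persistent_route(before, REMOTE_NET, VPN_DEVICE)
    print("after: ", diagnose(after, "192.168.168.10"))
```

Run the same parse against the real `route print` from the ISA and from a client on each side, which is what Justin asked for. The `-p` flag matters: a non-persistent route disappears at the next reboot and the symptom comes back. Both blocks stay in the LAT so that ISA treats traffic between them as internal rather than as an outbound request; if you instead follow Phillip's advice and put the VPN device back as the clients' default gateway, the clients' own route lookup goes straight to the VPN device and the ISA needs the static route only for its own traffic to the remote office.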
tester
2004-09-17 16:02:28 UTC
Well, I'll be a horse's backside.
That is exactly what happened.
I did not think the clients' default gateway had changed; perhaps SBS client
did that?
How do I get that changed back without static addresses for all clients?

Right now the hardware firewall is the DHCP server (I know that is not
right, but I cannot get SBS to give out addresses.)

The SBS server is the authorized DHCP server, but does not process or
receive the requests. Could be the switches we are running on are not
passing the broadcast correctly, could be because they are all 10/100
clients and the server is on a Gb switch connected back to the 100. But no
matter how I set it up I cannot get clients to obtain a DHCP address from
the server. (Yes, I shut off the firewall's DHCP server, and made sure that
only the SBS server had that service running.)
unknown
2004-09-17 18:29:43 UTC
Post by tester
well I'll be a horse's back side.
That is the exactly what happened.
I did not think the client's default gateway had changed, perhaps SBS client
did that?
No. The hardware firewall did that. You either have to adjust the hardware
firewall to give out the correct network config, or you will have to use
static settings until you get the SBS/DHCP to work right. The SBS/DHCP is
the best way to go once you get it working.

Why SBS/DHCP isn't working? I have no idea right now, but I know that
switches have nothing to do with it and will not affect this. That is
probably a question for a different newsgroup. DHCP is passive; the
clients do the heavy lifting. They send out a DHCP query via broadcast, and
the server then just replies to the request when it receives it.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
tester
2004-09-17 18:40:09 UTC
Actually, switches can be configured (if they are managed switches, which
these are) to not forward broadcast messages. It cuts down on traffic in VLANs
etc.
unknown
2004-09-17 18:56:03 UTC
Post by tester
actually switches can be configured (if they are managed switches, which
these are) to not forward broadcast messages. cuts down on traffic in vlans
etc.
Mmm... not that I ever heard of, unless you are dealing with a switch that
has the ability to double as a router, known as a "Layer 3 switch", and your
LAN is divided into Layer 3 segments that you haven't told me about. This
*will* cause DHCP to fail, by the way. DHCP won't function over
segmentation or VLANs unless the router is configured to forward the DHCP
requests.

VLANs must have a Layer 3 routing device to function; switches are only
Layer 2. Our router here is actually a Layer 3 switch and cost about
$10,000.00 after the fiber-optic module was added in. I have about 6 VLANs (3
in actual use) and the device acts as our central LAN router.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
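The broadcast-domain point in Phillip's last reply (a DHCP request does not cross a routed or VLAN boundary unless the router forwards it), as an added example that is not from the thread. It builds a DHCPDISCOVER in the RFC 2131 wire layout, parses it back, and models the two cases: client and server on one subnet, where the broadcast reaches the server directly, and a routed boundary, where only a relay agent on the router gets the request through by stamping `giaddr` and incrementing `hops`, which is also what tells the server where to send the OFFER. The MAC address, transaction ID, subnets and relay address are constructed.

```python
"""DHCP across a broadcast domain boundary.

Added example, not from the thread. Builds a DHCPDISCOVER (RFC 2131 layout),
parses it, and models delivery on one subnet versus through a router with and
without a relay agent. All addresses, MACs and transaction IDs are constructed.
"""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"            # magic cookie that follows the fixed header
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
_FIXED = "!BBBBIHH4s4s4s4s16s64s128s"  # 236 bytes
ZERO4 = b"\0" * 4


def build_discover(mac, xid, broadcast=True):
    """DHCPDISCOVER from a client with no address yet (ciaddr = 0, giaddr = 0)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    flags = 0x8000 if broadcast else 0   # BROADCAST bit: ask the server to reply by broadcast
    fixed = struct.pack(_FIXED, 1, 1, 6, 0, xid, 0, flags,
                        ZERO4, ZERO4, ZERO4, ZERO4, chaddr, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, 1]) + bytes([55, 3, 1, 3, 6]) + b"\xff"  # type DISCOVER, param list, end
    return fixed + MAGIC + options


def parse_dhcp(pkt):
    """Decode the fixed header and the TLV options into a dict."""
    f = struct.unpack(_FIXED, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                    # pad
            i += 1
            continue
        if code == 255:                  # end
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
        "ciaddr": str(ipaddress.IPv4Address(f[7])),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]].hex(":"),
        "options": options,
    }


def relay_forward(pkt, relay_ip):
    """What a router's relay agent (e.g. Cisco 'ip helper-address') does before
    unicasting the request to the server: stamp giaddr with its own address on
    the client's subnet (if not already set) and increment hops."""
    giaddr = pkt[24:28] if pkt[24:28] != ZERO4 else ipaddress.IPv4Address(relay_ip).packed
    return pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:24] + giaddr + pkt[28:]


def deliver(pkt, client_subnet, server_ip, relay_ip=None):
    """Model of the broadcast domain: a DISCOVER to 255.255.255.255 is not
    routed. It reaches the server unchanged on the same subnet, via the relay
    if the router has one, and not at all otherwise (returns None)."""
    if ipaddress.IPv4Address(server_ip) in ipaddress.IPv4Network(client_subnet):
        return pkt
    if relay_ip is not None:
        return relay_forward(pkt, relay_ip)
    return None


def offer_destination(discover):
    """Where the server sends the DHCPOFFER (RFC 2131 section 4.1)."""
    d = parse_dhcp(discover)
    if d["giaddr"] != "0.0.0.0":
        return (d["giaddr"], 67)         # back to the relay, which re-broadcasts on the client subnet
    if d["ciaddr"] != "0.0.0.0":
        return (d["ciaddr"], 68)
    if d["flags"] & 0x8000:
        return ("255.255.255.255", 68)   # the normal single-subnet case
    return ("yiaddr", 68)                # unicast to the offered address; server must add the ARP entry itself
```

On a single flat subnet, as in the thread, `deliver` returns the packet untouched and the server answers by broadcast, so a switch that merely forwards frames is not in the path of the decision. Once the server sits behind a Layer 3 boundary, the `None` case is exactly the failure Phillip describes, and the `giaddr` stamp is the only thing that lets the server pick a scope and route the OFFER back.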