Unable to access server resources via vpn

Hi

I am connecting a remote win xp pro pc to an sbs server via a vpn dialup
connection. The connection is made OK and ipconfig/all displays the
following;

....

PPP adapter MyVPNConnection

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.13
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.16.13
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2

However when I try to ping 192.168.16.2 it fails. Also trying to access
network shares via \\192.168.16.2\MyShare fails too. How can I access the
server as if the client pc is connected to the LAN remotely?

Thanks

Regards

1) How have you set up the VPN? PPTP? IPSec? Client and server? third
party tools?
2) Are you running SBS 2000, 2003, 2003 R2, Standard, Premium?
3) Are you running a firewall between your server and the internet? ISA
(SBS Premium) or third party firewall?

It sounds like a firewall issue to me initially, but so many possibilities
still exist for exactly where the problem lies that there needs to be *A
LOT* more info before advice can be given...

-Cliff


"John" <info@nospam.infovis.co.uk> wrote in message
news:ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl...
> Hi
>
> I am connecting a remote win xp pro pc to an sbs server via a vpn dialup
> connection. The connection is made OK and ipconfig/all displays the
> following;
>
> ...
>
> PPP adapter MyVPNConnection
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> Physical Address. . . . . . . . . : 00-53-45-00-00-00
> Dhcp Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.16.13
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . : 192.168.16.13
> DNS Servers . . . . . . . . . . . : 192.168.16.2
> Primary WINS Server . . . . . . . : 192.168.16.2
>
> However when I try to ping 192.168.16.2 it fails. Also trying to access
> network shares via \\192.168.16.2\MyShare fails too. How can I access the
> server as if the client pc is connected to the LAN remotely?
>
> Thanks
>
> Regards
>
>

Hi John

Stupid question on my part, and the answer is probably "no", but is
the local LAN also addressed with 192.168.16.x? You omitted that from
the ipconfig listing.

Have you checked the workstation firewall, both Microsoft and 3rd
party, to see if it's allowing traffic in/out of this 192.168.16.0
network?

Also, the default gateway means that all traffic, Internet and
otherwise, will go through this VPN connection. If that is not the
behavior that you want, then in the VPN client configuration, remove
the "Use default gateway on remote network" setting (Networking >
Internet Protocol properties > Advanced)

Let us know!
-e-

On Jul 16, 7:57*pm, "John" <i...@nospam.infovis.co.uk> wrote:
> Hi
>
> I am connecting a remote win xp pro pc to an sbs server via a vpn dialup
> connection. The connection is made OK and ipconfig/all displays the
> following;
>
> ...
>
> PPP adapter MyVPNConnection
>
> * * * * Connection-specific DNS Suffix *. :
> * * * * Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> * * * * Physical Address. . . . . . . . . : 00-53-45-00-00-00
> * * * * Dhcp Enabled. . . . . . . . . . . : No
> * * * * IP Address. . . . . . . . . . . . : 192.168.16.13
> * * * * Subnet Mask . . . . . . . . . . . : 255.255.255.255
> * * * * Default Gateway . . . . . . . . . : 192.168.16.13
> * * * * DNS Servers . . . . . . . . . . . : 192.168.16.2
> * * * * Primary WINS Server . . . . . . . : 192.168.16.2
>
> However when I try to ping 192.168.16.2 it fails. Also trying to access
> network shares via \\192.168.16.2\MyShare fails too. How can I access the
> server as if the client pc is connected to the LAN remotely?
>
> Thanks
>
> Regards

> 1) How have you set up the VPN? PPTP? IPSec? Client and server? third
> party tools?

PPTP, Server=sbs2003 remote access works OK via RWW, client=winxp dialup

> 2) Are you running SBS 2000, 2003, 2003 R2, Standard, Premium?

sbs 2003 premium

> 3) Are you running a firewall between your server and the internet? ISA
> (SBS Premium) or third party firewall?

ISA but it is configured for remote access

Thanks

Regards

Hello John,

Thank you for posting here. Let's also thank Cliff and Eric for the input.

According to your description, I understand that you unable to access any
resource on SBS after the VPN connection is established. If I have
misunderstood the problem, please don't hesitate to let me know.

Based on my research, I suggest we try the following steps to see if we can
resolve this issue:

I suggest we try the following steps to reconfigure the VPN on SBS and
remote clients to see if we can resolve this issue:

1) Disable RRAS

a. Schedule a network down time.

b. Please open Routing and Remote Access console on SBS thru run command
"rrasmgmt.msc"

c. Right click the SBSname (local), select Disable Routing and Remote
Access console

2) Run CEICW on SBS

You have to rerun the CEICW to make sure your SBS 2003 server have right
network configuration. Go through the follow KB and Rerun CEICW again
carefully.

How to configure Internet access in Windows Small Business Server 2003
http://support.microsoft.com/kb/825763/en-us

3) Run Remote Access wizard

a. On the Small Business Server 2003-based server, click To Do List in the
left pane of the Server Management console.

b. Under Network Tasks, click Configure Remote Access.

c. Click Next, click Enable Remote Access, click to select the VPN Access
check box, and then click Next.

d. Type the fully qualified public domain name (your public DNS name) of
your server, click Next, and then click Finish.

e. When the wizard is completed, click Close.

4) Then you can access RWW to download Connection Manager or copy the file
from SBS server c:\ClientApps\Connection Manager\SBSPackage.exe. Please
save the sbspackage.exe file in VPN client computer. Then double-click
SBSPackage.exe to run it. After this file run the "connect to small
business server" will be created and you can use it to connect VPN to your
SBS server.

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

1. Once the VPN connection is established, run command "ipconfig /all >
c:\ipconfig_sbs.txt" and "route print > c:\route_sbs.txt" on SBS, send the
files c:\ipconfig_sbs.txt and c:\route_sbs.txt to me at
v-terliu@microsoft.com

2. Once the VPN connection is established, run command "ipconfig /all >
c:\ipconfig_client.txt" and "route print > c:\route_client.txt" on
problematic VPN client, send the files c:\ipconfig_client.txt and
c:\route_client.txt to me at v-terliu@microsoft.com

3. Gather MPS network report on SBS:

a. Download MPSrepot_network from
http://download.microsoft.com/downlo...5-a579-30b0bd9
15706/MPSRPT_NETWORK.EXE

b. Run MPSRPT_NETWORK.exe on the server box.

c. The tool will automatically collect the information. This procedure will
take 10~15 minutes.

d. Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\

e. Send the .cab file directly to me at v-terliu@microsoft.com

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Reply-To: "John" <info@nospam.infovis.co.uk>
>From: "John" <info@nospam.infovis.co.uk>
>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
<F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
>Subject: Re: Unable to access server resources via vpn
>Date: Tue, 22 Jul 2008 09:58:09 +0100
>Lines: 19
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>X-RFC2646: Format=Flowed; Response
>Message-ID: <OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: 78.147.153.237
>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116200
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>> 1) How have you set up the VPN? PPTP? IPSec? Client and server?
third
>> party tools?
>
>PPTP, Server=sbs2003 remote access works OK via RWW, client=winxp dialup
>
>> 2) Are you running SBS 2000, 2003, 2003 R2, Standard, Premium?
>
>sbs 2003 premium
>
>> 3) Are you running a firewall between your server and the internet? ISA
>> (SBS Premium) or third party firewall?
>
>ISA but it is configured for remote access
>
>Thanks
>
>Regards
>
>
>

Hi Terence

Many thanks. Required files sent separately.

The client pc is able to vpn successfully to several other sbs2003 server so
client pc is probably not at fault.

Running ICW and Remote Access Wizards now intermittently (mostly not) allows
remote desktop to connect using server ip 192.168.16.2. Files are also
accessible intermittently using \\192.168.16.2\MyFileShare etc. Ping is
never successful.

However I have noticed a peculiar thing on this server. When trying to
connect to local sites via 192.168.16.2 , 192.168.16.2/Remote or
192.168.16.2/Exchange, no login web page is displayed instead a windows
login box appears asking for username and password. After having entered
admin username/password three times, login fails with an error web page as
below;

The page cannot be displayed

HTTP 407 Proxy Authentication Required - The ISA Server requires
authorization to fulfill the request. Access to the Web Proxy service is
denied. (12209)

Many thanks again.

Regards

"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
news:jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl...
> Hello John,
>
> Thank you for posting here. Let's also thank Cliff and Eric for the input.
>
> According to your description, I understand that you unable to access any
> resource on SBS after the VPN connection is established. If I have
> misunderstood the problem, please don't hesitate to let me know.
>
> Based on my research, I suggest we try the following steps to see if we
> can
> resolve this issue:
>
> I suggest we try the following steps to reconfigure the VPN on SBS and
> remote clients to see if we can resolve this issue:
>
> 1) Disable RRAS
>
> a. Schedule a network down time.
>
> b. Please open Routing and Remote Access console on SBS thru run command
> "rrasmgmt.msc"
>
> c. Right click the SBSname (local), select Disable Routing and Remote
> Access console
>
> 2) Run CEICW on SBS
>
> You have to rerun the CEICW to make sure your SBS 2003 server have right
> network configuration. Go through the follow KB and Rerun CEICW again
> carefully.
>
> How to configure Internet access in Windows Small Business Server 2003
> http://support.microsoft.com/kb/825763/en-us
>
> 3) Run Remote Access wizard
>
> a. On the Small Business Server 2003-based server, click To Do List in the
> left pane of the Server Management console.
>
> b. Under Network Tasks, click Configure Remote Access.
>
> c. Click Next, click Enable Remote Access, click to select the VPN Access
> check box, and then click Next.
>
> d. Type the fully qualified public domain name (your public DNS name) of
> your server, click Next, and then click Finish.
>
> e. When the wizard is completed, click Close.
>
> 4) Then you can access RWW to download Connection Manager or copy the file
> from SBS server c:\ClientApps\Connection Manager\SBSPackage.exe. Please
> save the sbspackage.exe file in VPN client computer. Then double-click
> SBSPackage.exe to run it. After this file run the "connect to small
> business server" will be created and you can use it to connect VPN to your
> SBS server.
>
> If we cannot resolve the issue after we perform the above steps, please
> help me collect some information for further investigation:
>
> 1. Once the VPN connection is established, run command "ipconfig /all >
> c:\ipconfig_sbs.txt" and "route print > c:\route_sbs.txt" on SBS, send the
> files c:\ipconfig_sbs.txt and c:\route_sbs.txt to me at
> v-terliu@microsoft.com
>
> 2. Once the VPN connection is established, run command "ipconfig /all >
> c:\ipconfig_client.txt" and "route print > c:\route_client.txt" on
> problematic VPN client, send the files c:\ipconfig_client.txt and
> c:\route_client.txt to me at v-terliu@microsoft.com
>
> 3. Gather MPS network report on SBS:
>
> a. Download MPSrepot_network from
> http://download.microsoft.com/downlo...5-a579-30b0bd9
> 15706/MPSRPT_NETWORK.EXE
>
> b. Run MPSRPT_NETWORK.exe on the server box.
>
> c. The tool will automatically collect the information. This procedure
> will
> take 10~15 minutes.
>
> d. Open Windows Explorer, navigate to the folder:
> %SystemRoot%\MPSReports\Network\Reports\Cab\
>
> e. Send the .cab file directly to me at v-terliu@microsoft.com
>
> I hope these steps will give you some help.
>
> Thanks and have a nice day!
>
> Best regards,
>
> Terence Liu (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities...s/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
>>Reply-To: "John" <info@nospam.infovis.co.uk>
>>From: "John" <info@nospam.infovis.co.uk>
>>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
> <F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
>>Subject: Re: Unable to access server resources via vpn
>>Date: Tue, 22 Jul 2008 09:58:09 +0100
>>Lines: 19
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>>X-RFC2646: Format=Flowed; Response
>>Message-ID: <OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
>>Newsgroups: microsoft.public.windows.server.sbs
>>NNTP-Posting-Host: 78.147.153.237
>>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116200
>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>
>>> 1) How have you set up the VPN? PPTP? IPSec? Client and server?
> third
>>> party tools?
>>
>>PPTP, Server=sbs2003 remote access works OK via RWW, client=winxp dialup
>>
>>> 2) Are you running SBS 2000, 2003, 2003 R2, Standard, Premium?
>>
>>sbs 2003 premium
>>
>>> 3) Are you running a firewall between your server and the internet? ISA
>>> (SBS Premium) or third party firewall?
>>
>>ISA but it is configured for remote access
>>
>>Thanks
>>
>>Regards
>>
>>
>>
>

Hi John,

Thank you for your update.

Since this is a intermittently issue, I suggest you check the following
things:

1. Please contact your ISP, to ensure your Internet connection is stable.
2. Please update your SBS NIC driver, ensure you install the latest driver
of your NIC.
3. Check your router before SBS, or try to replace it with another one for
test. As I know, some un-qualify router will cause this issue.
4. Please install the last service pack of SBS:

Downloading and Installing Windows Small Business Server 2003 Service Pack 1
http://download.microsoft.com/downlo...0-8871-9bc48e0
b3fc3/ToDownLoadFilesandReadInstructions.htm

Windows Server 2003 Service Pack 2 (32-bit x86)
http://www.microsoft.com/downloads/d...610-c232-4644-
b828-c55eec605d55&DisplayLang=en

In regards to OWA and RWW access issue, this is mostly a ISA settings
issue. I suggest you perform the following steps:

1. Open ISA server 2004, select Firewall Policy
2. Select Toolbox tab at right pane
3. Select Network Objects -> Web Listeners
4. Double click SBS Web listener
5. Select Preferences tab, click Authentication button.
6. Uncheck Require all users to authenticate, and ensure only tick
Integrated in the list.
7. Click OK twice.
8. Repeat step 4 to 7 on SBS CompanyWeb listener.
9. Click Apply button.

If we cannot resolve the issue after we perform the steps above, please
help me collect some information for further investigation:

1. Please help to gather the ISA Info:

1) Download the file from the following URL:

http://www.isatools.org/tools/isainfo.zip

2) Extract all files to a folder on ISA server.

3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.

4) Please send these files to me at v-terliu@microsoft.com

2. Please also help to gather the ISA logs:

1) Schedule a down time.

2) Open ISA 2004 management console.

3) Expand the server node and highlight 'Monitoring'.

4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is showed there.

5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

6) Switch to the 'Fields' tab, click 'Select All', and then click OK.

7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.

8) Switch to the 'Fields' tab, click 'Select All', and then click OK.

9) Click 'Apply' to save changes and update the configuration.

10) Temporarily disable the Firewall service. To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.

11) Clear the current existing W3C logs. To do that, go to the log saving
directory and clean any existing .W3C logs. By default, the logs will be
saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may not
be able to deleted, that's normal.) You may backup them first and then
delete them.

12) Go back to the ISA 2004 management console, and then Start the stopped
'Microsoft Firewall' service.

13) Reproduce the problem, stop the service, and then gather the resulting
W3C files to me for analysis.

14) Please also let me know the IP address of the testing clients so that I
can filter the data.

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Reply-To: "John" <info@nospam.infovis.co.uk>
>From: "John" <info@nospam.infovis.co.uk>
>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
<F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
<OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
<jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl>
>Subject: Re: Unable to access server resources via vpn
>Date: Fri, 25 Jul 2008 05:42:58 +0100
>Lines: 202
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>X-RFC2646: Format=Flowed; Original
>Message-ID: <#MEloDh7IHA.2072@TK2MSFTNGP04.phx.gbl>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: 78.147.98.33
>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116640
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Hi Terence
>
>Many thanks. Required files sent separately.
>
>The client pc is able to vpn successfully to several other sbs2003 server
so
>client pc is probably not at fault.
>
>Running ICW and Remote Access Wizards now intermittently (mostly not)
allows
>remote desktop to connect using server ip 192.168.16.2. Files are also
>accessible intermittently using \\192.168.16.2\MyFileShare etc. Ping is
>never successful.
>
>However I have noticed a peculiar thing on this server. When trying to
>connect to local sites via 192.168.16.2 , 192.168.16.2/Remote or
>192.168.16.2/Exchange, no login web page is displayed instead a windows
>login box appears asking for username and password. After having entered
>admin username/password three times, login fails with an error web page as
>below;
>
>The page cannot be displayed
>
>HTTP 407 Proxy Authentication Required - The ISA Server requires
>authorization to fulfill the request. Access to the Web Proxy service is
>denied. (12209)
>
>Many thanks again.
>
>Regards
>
>"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
>news:jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl...
>> Hello John,
>>
>> Thank you for posting here. Let's also thank Cliff and Eric for the
input.
>>
>> According to your description, I understand that you unable to access any
>> resource on SBS after the VPN connection is established. If I have
>> misunderstood the problem, please don't hesitate to let me know.
>>
>> Based on my research, I suggest we try the following steps to see if we
>> can
>> resolve this issue:
>>
>> I suggest we try the following steps to reconfigure the VPN on SBS and
>> remote clients to see if we can resolve this issue:
>>
>> 1) Disable RRAS
>>
>> a. Schedule a network down time.
>>
>> b. Please open Routing and Remote Access console on SBS thru run command
>> "rrasmgmt.msc"
>>
>> c. Right click the SBSname (local), select Disable Routing and Remote
>> Access console
>>
>> 2) Run CEICW on SBS
>>
>> You have to rerun the CEICW to make sure your SBS 2003 server have right
>> network configuration. Go through the follow KB and Rerun CEICW again
>> carefully.
>>
>> How to configure Internet access in Windows Small Business Server 2003
>> http://support.microsoft.com/kb/825763/en-us
>>
>> 3) Run Remote Access wizard
>>
>> a. On the Small Business Server 2003-based server, click To Do List in
the
>> left pane of the Server Management console.
>>
>> b. Under Network Tasks, click Configure Remote Access.
>>
>> c. Click Next, click Enable Remote Access, click to select the VPN Access
>> check box, and then click Next.
>>
>> d. Type the fully qualified public domain name (your public DNS name) of
>> your server, click Next, and then click Finish.
>>
>> e. When the wizard is completed, click Close.
>>
>> 4) Then you can access RWW to download Connection Manager or copy the
file
>> from SBS server c:\ClientApps\Connection Manager\SBSPackage.exe. Please
>> save the sbspackage.exe file in VPN client computer. Then double-click
>> SBSPackage.exe to run it. After this file run the "connect to small
>> business server" will be created and you can use it to connect VPN to
your
>> SBS server.
>>
>> If we cannot resolve the issue after we perform the above steps, please
>> help me collect some information for further investigation:
>>
>> 1. Once the VPN connection is established, run command "ipconfig /all >
>> c:\ipconfig_sbs.txt" and "route print > c:\route_sbs.txt" on SBS, send
the
>> files c:\ipconfig_sbs.txt and c:\route_sbs.txt to me at
>> v-terliu@microsoft.com
>>
>> 2. Once the VPN connection is established, run command "ipconfig /all >
>> c:\ipconfig_client.txt" and "route print > c:\route_client.txt" on
>> problematic VPN client, send the files c:\ipconfig_client.txt and
>> c:\route_client.txt to me at v-terliu@microsoft.com
>>
>> 3. Gather MPS network report on SBS:
>>
>> a. Download MPSrepot_network from
>>
http://download.microsoft.com/downlo...5-a579-30b0bd9
>> 15706/MPSRPT_NETWORK.EXE
>>
>> b. Run MPSRPT_NETWORK.exe on the server box.
>>
>> c. The tool will automatically collect the information. This procedure
>> will
>> take 10~15 minutes.
>>
>> d. Open Windows Explorer, navigate to the folder:
>> %SystemRoot%\MPSReports\Network\Reports\Cab\
>>
>> e. Send the .cab file directly to me at v-terliu@microsoft.com
>>
>> I hope these steps will give you some help.
>>
>> Thanks and have a nice day!
>>
>> Best regards,
>>
>> Terence Liu (MSFT)
>>
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> =====================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the
corresponding
>> newsgroups so that they can be resolved in an efficient and timely
manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities...s/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check
>> the
>> "Notify me of replies" box to receive e-mail notifications when there are
>> any updates in your thread. When responding to posts via your newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In
>> doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> =====================================================
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> --------------------
>>>Reply-To: "John" <info@nospam.infovis.co.uk>
>>>From: "John" <info@nospam.infovis.co.uk>
>>>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
>> <F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
>>>Subject: Re: Unable to access server resources via vpn
>>>Date: Tue, 22 Jul 2008 09:58:09 +0100
>>>Lines: 19
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>>>X-RFC2646: Format=Flowed; Response
>>>Message-ID: <OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
>>>Newsgroups: microsoft.public.windows.server.sbs
>>>NNTP-Posting-Host: 78.147.153.237
>>>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
>>>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116200
>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>
>>>> 1) How have you set up the VPN? PPTP? IPSec? Client and server?
>> third
>>>> party tools?
>>>
>>>PPTP, Server=sbs2003 remote access works OK via RWW, client=winxp dialup
>>>
>>>> 2) Are you running SBS 2000, 2003, 2003 R2, Standard, Premium?
>>>
>>>sbs 2003 premium
>>>
>>>> 3) Are you running a firewall between your server and the internet?
ISA
>>>> (SBS Premium) or third party firewall?
>>>
>>>ISA but it is configured for remote access
>>>
>>>Thanks
>>>
>>>Regards
>>>
>>>
>>>
>>
>
>
>

Hi Terence

Please see inline;

"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
news:h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl...
> Hi John,
>
> Thank you for your update.
>
> Since this is a intermittently issue, I suggest you check the following
> things:
>
> 1. Please contact your ISP, to ensure your Internet connection is stable.
> 2. Please update your SBS NIC driver, ensure you install the latest driver
> of your NIC.
> 3. Check your router before SBS, or try to replace it with another one for
> test. As I know, some un-qualify router will cause this issue.
> 4. Please install the last service pack of SBS:

**** All is OK. It seems access is only a problem internally that is
accessing rww internally and ping to server once dialup is connected. Access
via rww from outside is fine. Windows Mobile devices also connect fine
remotely.

> Downloading and Installing Windows Small Business Server 2003 Service Pack
> 1
> http://download.microsoft.com/downlo...0-8871-9bc48e0
> b3fc3/ToDownLoadFilesandReadInstructions.htm
>
> Windows Server 2003 Service Pack 2 (32-bit x86)
> http://www.microsoft.com/downloads/d...610-c232-4644-
> b828-c55eec605d55&DisplayLang=en

**** Done, and all updates from Windows Update.

> In regards to OWA and RWW access issue, this is mostly a ISA settings
> issue. I suggest you perform the following steps:
>
> 1. Open ISA server 2004, select Firewall Policy
> 2. Select Toolbox tab at right pane
> 3. Select Network Objects -> Web Listeners
> 4. Double click SBS Web listener
> 5. Select Preferences tab, click Authentication button.
> 6. Uncheck Require all users to authenticate, and ensure only tick
> Integrated in the list.
> 7. Click OK twice.
> 8. Repeat step 4 to 7 on SBS CompanyWeb listener.
> 9. Click Apply button.

**** Unfortunately ISA is still at 2000. One peculiar thing is that under
'Site and Content Rule' there is no 'Allow Rule'. Adding 'Allow Rule'
manually allows access to RWW internally but running ICW get rids of 'Allow
Rule' again.

> If we cannot resolve the issue after we perform the steps above, please
> help me collect some information for further investigation:
>
> 1. Please help to gather the ISA Info:
>
> 1) Download the file from the following URL:
>
> http://www.isatools.org/tools/isainfo.zip
>
> 2) Extract all files to a folder on ISA server.
>
> 3) Double click Isainfo.js. This will generate 2 files
> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
> current folder.
>
> 4) Please send these files to me at v-terliu@microsoft.com

**** Isainfo.js does not work with ISA 2000.

> 2. Please also help to gather the ISA logs:
>
> 1) Schedule a down time.
>
> 2) Open ISA 2004 management console.
>
> 3) Expand the server node and highlight 'Monitoring'.
>
> 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
> Pane' is showed there.
>
> 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
> Tasks', and then switch the 'log storage format' from 'MSDE database'
> (default) to 'File'.
>
> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>
> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
> Tasks', and then switch the 'log storage format' from 'MSDE database'
> (default) to 'File'.
>
> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>
> 9) Click 'Apply' to save changes and update the configuration.
>
> 10) Temporarily disable the Firewall service. To do that, please click
> Monitoring | Services tab, and then right click 'Microsoft Firewall' to
> choose 'Stop'.
>
> 11) Clear the current existing W3C logs. To do that, go to the log saving
> directory and clean any existing .W3C logs. By default, the logs will be
> saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may
> not
> be able to deleted, that's normal.) You may backup them first and then
> delete them.
>
> 12) Go back to the ISA 2004 management console, and then Start the stopped
> 'Microsoft Firewall' service.
>
> 13) Reproduce the problem, stop the service, and then gather the resulting
> W3C files to me for analysis.
>
> 14) Please also let me know the IP address of the testing clients so that
> I
> can filter the data.

Log file sent separately.

Thanks



Regards

Hi John,

Thank you for your email. I'm sorry for the delay response due to the
weekend.

Since you are running ISA server 2000 on SBS 2003 sp1, this mostly be the
known issue on SBS. The problem occurs because of a change in Windows
Server 2003 SP1. Windows Server 2003 SP1 enables the BootTimeSecurity
registry entry. Therefore, after you install Windows Server 2003 SP1, the
Windows Server 2003 Ipnat.sys driver drops VPN packets that it receives.

You can find more information about it in:
VPN clients can no longer access internal resources after you install
Windows Server 2003 Service Pack 1 on a computer that is running ISA Server
2000
http://support.microsoft.com/kb/897651/en-us

Since you had applied the Windows Server 2003 Service Pack 2 on your SBS,
you have to enter the DisableBootTimeSecurity registry entry manually to
resolve this problem. To do this, following these steps:

1. Click Start, click Run, type regedit , and then click OK.
2. Locate and then click the following subkey in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat\Parameters
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DisableBootTimeSecurity , and then press ENTER.
5. On the Edit menu, click Modify.
6. Click Decimal, type 1 in the Value data box, and then click OK.

Hope this helps.

Please let me know the results so that I can provide further assistance on
this problem. I am looking forward to your reply.

Thanks and have a nice day!

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Reply-To: "John" <info@nospam.infovis.co.uk>
>From: "John" <info@nospam.infovis.co.uk>
>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
<F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
<OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
<jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl>
<#MEloDh7IHA.2072@TK2MSFTNGP04.phx.gbl>
<h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl>
>Subject: Re: Unable to access server resources via vpn
>Date: Mon, 28 Jul 2008 03:48:26 +0100
>Lines: 129
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>Message-ID: <urNalxF8IHA.1204@TK2MSFTNGP04.phx.gbl>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: 78.147.110.223
>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116941
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Hi Terence
>
>Please see inline;
>
>"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
>news:h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl...
>> Hi John,
>>
>> Thank you for your update.
>>
>> Since this is a intermittently issue, I suggest you check the following
>> things:
>>
>> 1. Please contact your ISP, to ensure your Internet connection is stable.
>> 2. Please update your SBS NIC driver, ensure you install the latest
driver
>> of your NIC.
>> 3. Check your router before SBS, or try to replace it with another one
for
>> test. As I know, some un-qualify router will cause this issue.
>> 4. Please install the last service pack of SBS:
>
>**** All is OK. It seems access is only a problem internally that is
>accessing rww internally and ping to server once dialup is connected.
Access
>via rww from outside is fine. Windows Mobile devices also connect fine
>remotely.
>
>> Downloading and Installing Windows Small Business Server 2003 Service
Pack
>> 1
>>
http://download.microsoft.com/downlo...0-8871-9bc48e0
>> b3fc3/ToDownLoadFilesandReadInstructions.htm
>>
>> Windows Server 2003 Service Pack 2 (32-bit x86)
>>
http://www.microsoft.com/downloads/d...610-c232-4644-
>> b828-c55eec605d55&DisplayLang=en
>
>**** Done, and all updates from Windows Update.
>
>> In regards to OWA and RWW access issue, this is mostly a ISA settings
>> issue. I suggest you perform the following steps:
>>
>> 1. Open ISA server 2004, select Firewall Policy
>> 2. Select Toolbox tab at right pane
>> 3. Select Network Objects -> Web Listeners
>> 4. Double click SBS Web listener
>> 5. Select Preferences tab, click Authentication button.
>> 6. Uncheck Require all users to authenticate, and ensure only tick
>> Integrated in the list.
>> 7. Click OK twice.
>> 8. Repeat step 4 to 7 on SBS CompanyWeb listener.
>> 9. Click Apply button.
>
>**** Unfortunately ISA is still at 2000. One peculiar thing is that under
>'Site and Content Rule' there is no 'Allow Rule'. Adding 'Allow Rule'
>manually allows access to RWW internally but running ICW get rids of
'Allow
>Rule' again.
>
>> If we cannot resolve the issue after we perform the steps above, please
>> help me collect some information for further investigation:
>>
>> 1. Please help to gather the ISA Info:
>>
>> 1) Download the file from the following URL:
>>
>> http://www.isatools.org/tools/isainfo.zip
>>
>> 2) Extract all files to a folder on ISA server.
>>
>> 3) Double click Isainfo.js. This will generate 2 files
>> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in
the
>> current folder.
>>
>> 4) Please send these files to me at v-terliu@microsoft.com
>
>**** Isainfo.js does not work with ISA 2000.
>
>> 2. Please also help to gather the ISA logs:
>>
>> 1) Schedule a down time.
>>
>> 2) Open ISA 2004 management console.
>>
>> 3) Expand the server node and highlight 'Monitoring'.
>>
>> 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
>> Pane' is showed there.
>>
>> 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
>> Tasks', and then switch the 'log storage format' from 'MSDE database'
>> (default) to 'File'.
>>
>> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>>
>> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
>> Tasks', and then switch the 'log storage format' from 'MSDE database'
>> (default) to 'File'.
>>
>> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>>
>> 9) Click 'Apply' to save changes and update the configuration.
>>
>> 10) Temporarily disable the Firewall service. To do that, please click
>> Monitoring | Services tab, and then right click 'Microsoft Firewall' to
>> choose 'Stop'.
>>
>> 11) Clear the current existing W3C logs. To do that, go to the log
saving
>> directory and clean any existing .W3C logs. By default, the logs will be
>> saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may
>> not
>> be able to deleted, that's normal.) You may backup them first and then
>> delete them.
>>
>> 12) Go back to the ISA 2004 management console, and then Start the
stopped
>> 'Microsoft Firewall' service.
>>
>> 13) Reproduce the problem, stop the service, and then gather the
resulting
>> W3C files to me for analysis.
>>
>> 14) Please also let me know the IP address of the testing clients so
that
>> I
>> can filter the data.
>
>Log file sent separately.
>
>Thanks
>
>
>
>Regards
>
>
>

Email from customer:
==========================

Hi Terence,

I initially created this range:
192.168.1.0 - 192.168.1.255
192.168.2.0 - 192.168.2.255
192.168.3.0 - 192.168.3.255

after the SBS server was installed a few years ago as users in this
range could not successfully connect via their Citrix terminal clients
to the servers in the 192.168.1.0 range.
Today I deleted these 3 entries from the ISA config as it does not seem
necessary.

Attached find the cab file and ISA logs as per your request.
Note that for the ISA logs the testing client IP was 41.31.222.87.

Regards
Tony

Hi Tony,

Thank you for your update.

After analysis your ISA server log, I find the 443 access is denied by
default rule. The strange thing is that the 443 access appears in the
firewall log. But it should appear in web log.

I think your ISA server is corrupted. I suggest you reinstall ISA server
2004 on SBS to see if it help.

1. Please backup your ISA server 2004 first: Open ISA server 2004, right
click SBSServerName, select Back Up.

2. Uninstall ISA 2004 from Add or Remove Programs. Reboot the SBS server.

3. Reinstall ISA server 2004 from the SBS SP1 or R2 premium tech CD.

After reinstall the ISA server, we need to run CEICW to configure the
network and firewall.

a. On the SBS 2003 Server open the Server Management console. Go to
Standard Management\To Do List.
b. Click the "Connect to the Internet" link.
c. On the Connection Type page, click Broadband, and then click Next.
d. On the Broadband Connection page, under My server uses, click A local
router device with an IP address, and then click Next.
e. On the Router Connection page, next to Preferred DNS server and
Alternate DNS server, type the IP addresses that are provided by your ISP.
In the Local IP address of router box, type the IP address (192.168.5.254)
of the router that the server uses to connect to the router.
f. Click to clear the My server uses a single network connection for both
Internet access and the local network check box, and then click Next.
g. On the Network Connection, You must enable and configure the network
connection to your ISP page, under the Connection Name, click Network
Connection.
h. Click Use the following IP address, and then type the IP address
(192.168.5.13) and the subnet mask in accordance with the router settings.
The default gateway is the IP address of the router (192.168.5.254).
i. Click Next.

The network connection is now enabled.
j. On the Network Connection, You must click the connection for your ISP
and local network page, click Network Connection under the ISP network
connection.
k. Under the Local network connection, click Server Local Area Connection,
and then click Next.
l. Complete the Configure E-mail and Internet Connection Wizard.

4. Please ensure you install ISA server 2004 sp3:

Microsoft? Internet Security and Acceleration (ISA) Server 2004 Standard
Edition Service Pack 3
http://www.microsoft.com/downloads/d...74A-5033-4792-
AF8B-58B90D841436&displaylang=en

I hope these steps will give you some help.

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Newsgroups: microsoft.public.windows.server.sbs
>From: v-terliu@online.microsoft.com (Terence Liu [MSFT])
>Organization: Microsoft
>Date: Thu, 31 Jul 2008 10:41:19 GMT
>Subject: Re: Unable to access server resources via vpn
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>
>Email from customer:
>==========================
>
>Hi Terence,
>
>I initially created this range:
>192.168.1.0 - 192.168.1.255
>192.168.2.0 - 192.168.2.255
>192.168.3.0 - 192.168.3.255
>
>after the SBS server was installed a few years ago as users in this
>range could not successfully connect via their Citrix terminal clients
>to the servers in the 192.168.1.0 range.
>Today I deleted these 3 entries from the ISA config as it does not seem
>necessary.
>
>Attached find the cab file and ISA logs as per your request.
>Note that for the ISA logs the testing client IP was 41.31.222.87.
>
>Regards
>Tony
>

Hi Tony,

Thank you for your update.

After analysis your ISA server log, I find the 443 access is denied by
default rule. The strange thing is that the 443 access appears in the
firewall log. But it should appear in web log.

I think your ISA server is corrupted. I suggest you reinstall ISA server
2004 on SBS to see if it help.

1. Please backup your ISA server 2004 first: Open ISA server 2004, right
click SBSServerName, select Back Up.

2. Uninstall ISA 2004 from Add or Remove Programs. Reboot the SBS server.

3. Reinstall ISA server 2004 from the SBS SP1 or R2 premium tech CD.

After reinstall the ISA server, we need to run CEICW to configure the
network and firewall.

a. On the SBS 2003 Server open the Server Management console. Go to
Standard Management\To Do List.
b. Click the "Connect to the Internet" link.
c. On the Connection Type page, click Broadband, and then click Next.
d. On the Broadband Connection page, under My server uses, click A local
router device with an IP address, and then click Next.
e. On the Router Connection page, next to Preferred DNS server and
Alternate DNS server, type the IP addresses that are provided by your ISP.
In the Local IP address of router box, type the IP address (192.168.5.254)
of the router that the server uses to connect to the router.
f. Click to clear the My server uses a single network connection for both
Internet access and the local network check box, and then click Next.
g. On the Network Connection, You must enable and configure the network
connection to your ISP page, under the Connection Name, click Network
Connection.
h. Click Use the following IP address, and then type the IP address
(192.168.5.13) and the subnet mask in accordance with the router settings.
The default gateway is the IP address of the router (192.168.5.254).
i. Click Next.

The network connection is now enabled.
j. On the Network Connection, You must click the connection for your ISP
and local network page, click Network Connection under the ISP network
connection.
k. Under the Local network connection, click Server Local Area Connection,
and then click Next.
l. Complete the Configure E-mail and Internet Connection Wizard.

4. Please ensure you install ISA server 2004 sp3:

Microsoft? Internet Security and Acceleration (ISA) Server 2004 Standard
Edition Service Pack 3
http://www.microsoft.com/downloads/d...74A-5033-4792-
AF8B-58B90D841436&displaylang=en

I hope these steps will give you some help.

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Newsgroups: microsoft.public.windows.server.sbs
>From: v-terliu@online.microsoft.com (Terence Liu [MSFT])
>Organization: Microsoft
>Date: Thu, 31 Jul 2008 10:41:19 GMT
>Subject: Re: Unable to access server resources via vpn
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>
>Email from customer:
>==========================
>
>Hi Terence,
>
>I initially created this range:
>192.168.1.0 - 192.168.1.255
>192.168.2.0 - 192.168.2.255
>192.168.3.0 - 192.168.3.255
>
>after the SBS server was installed a few years ago as users in this
>range could not successfully connect via their Citrix terminal clients
>to the servers in the 192.168.1.0 range.
>Today I deleted these 3 entries from the ISA config as it does not seem
>necessary.
>
>Attached find the cab file and ISA logs as per your request.
>Note that for the ISA logs the testing client IP was 41.31.222.87.
>
>Regards
>Tony
>

Hi Terrance

It seems that adding the registry key has worked. Very many thanks for your
help.

Regards

"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
news:INSs3BT8IHA.4744@TK2MSFTNGHUB02.phx.gbl...
> Hi John,
>
> Thank you for your email. I'm sorry for the delay response due to the
> weekend.
>
> Since you are running ISA server 2000 on SBS 2003 sp1, this mostly be the
> known issue on SBS. The problem occurs because of a change in Windows
> Server 2003 SP1. Windows Server 2003 SP1 enables the BootTimeSecurity
> registry entry. Therefore, after you install Windows Server 2003 SP1, the
> Windows Server 2003 Ipnat.sys driver drops VPN packets that it receives.
>
> You can find more information about it in:
> VPN clients can no longer access internal resources after you install
> Windows Server 2003 Service Pack 1 on a computer that is running ISA
> Server
> 2000
> http://support.microsoft.com/kb/897651/en-us
>
> Since you had applied the Windows Server 2003 Service Pack 2 on your SBS,
> you have to enter the DisableBootTimeSecurity registry entry manually to
> resolve this problem. To do this, following these steps:
>
> 1. Click Start, click Run, type regedit , and then click OK.
> 2. Locate and then click the following subkey in the registry subkey:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat\Parameters
> 3. On the Edit menu, point to New, and then click DWORD Value.
> 4. Type DisableBootTimeSecurity , and then press ENTER.
> 5. On the Edit menu, click Modify.
> 6. Click Decimal, type 1 in the Value data box, and then click OK.
>
> Hope this helps.
>
> Please let me know the results so that I can provide further assistance on
> this problem. I am looking forward to your reply.
>
> Thanks and have a nice day!
>
> Best regards,
>
> Terence Liu (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities...s/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> --------------------
>>Reply-To: "John" <info@nospam.infovis.co.uk>
>>From: "John" <info@nospam.infovis.co.uk>
>>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
> <F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
> <OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
> <jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl>
> <#MEloDh7IHA.2072@TK2MSFTNGP04.phx.gbl>
> <h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl>
>>Subject: Re: Unable to access server resources via vpn
>>Date: Mon, 28 Jul 2008 03:48:26 +0100
>>Lines: 129
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>>X-RFC2646: Format=Flowed; Original
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>>Message-ID: <urNalxF8IHA.1204@TK2MSFTNGP04.phx.gbl>
>>Newsgroups: microsoft.public.windows.server.sbs
>>NNTP-Posting-Host: 78.147.110.223
>>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
>>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116941
>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>
>>Hi Terence
>>
>>Please see inline;
>>
>>"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
>>news:h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl...
>>> Hi John,
>>>
>>> Thank you for your update.
>>>
>>> Since this is a intermittently issue, I suggest you check the following
>>> things:
>>>
>>> 1. Please contact your ISP, to ensure your Internet connection is
>>> stable.
>>> 2. Please update your SBS NIC driver, ensure you install the latest
> driver
>>> of your NIC.
>>> 3. Check your router before SBS, or try to replace it with another one
> for
>>> test. As I know, some un-qualify router will cause this issue.
>>> 4. Please install the last service pack of SBS:
>>
>>**** All is OK. It seems access is only a problem internally that is
>>accessing rww internally and ping to server once dialup is connected.
> Access
>>via rww from outside is fine. Windows Mobile devices also connect fine
>>remotely.
>>
>>> Downloading and Installing Windows Small Business Server 2003 Service
> Pack
>>> 1
>>>
> http://download.microsoft.com/downlo...0-8871-9bc48e0
>>> b3fc3/ToDownLoadFilesandReadInstructions.htm
>>>
>>> Windows Server 2003 Service Pack 2 (32-bit x86)
>>>
> http://www.microsoft.com/downloads/d...610-c232-4644-
>>> b828-c55eec605d55&DisplayLang=en
>>
>>**** Done, and all updates from Windows Update.
>>
>>> In regards to OWA and RWW access issue, this is mostly a ISA settings
>>> issue. I suggest you perform the following steps:
>>>
>>> 1. Open ISA server 2004, select Firewall Policy
>>> 2. Select Toolbox tab at right pane
>>> 3. Select Network Objects -> Web Listeners
>>> 4. Double click SBS Web listener
>>> 5. Select Preferences tab, click Authentication button.
>>> 6. Uncheck Require all users to authenticate, and ensure only tick
>>> Integrated in the list.
>>> 7. Click OK twice.
>>> 8. Repeat step 4 to 7 on SBS CompanyWeb listener.
>>> 9. Click Apply button.
>>
>>**** Unfortunately ISA is still at 2000. One peculiar thing is that under
>>'Site and Content Rule' there is no 'Allow Rule'. Adding 'Allow Rule'
>>manually allows access to RWW internally but running ICW get rids of
> 'Allow
>>Rule' again.
>>
>>> If we cannot resolve the issue after we perform the steps above, please
>>> help me collect some information for further investigation:
>>>
>>> 1. Please help to gather the ISA Info:
>>>
>>> 1) Download the file from the following URL:
>>>
>>> http://www.isatools.org/tools/isainfo.zip
>>>
>>> 2) Extract all files to a folder on ISA server.
>>>
>>> 3) Double click Isainfo.js. This will generate 2 files
>>> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in
> the
>>> current folder.
>>>
>>> 4) Please send these files to me at v-terliu@microsoft.com
>>
>>**** Isainfo.js does not work with ISA 2000.
>>
>>> 2. Please also help to gather the ISA logs:
>>>
>>> 1) Schedule a down time.
>>>
>>> 2) Open ISA 2004 management console.
>>>
>>> 3) Expand the server node and highlight 'Monitoring'.
>>>
>>> 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
>>> Pane' is showed there.
>>>
>>> 5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
>>> Tasks', and then switch the 'log storage format' from 'MSDE database'
>>> (default) to 'File'.
>>>
>>> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>>>
>>> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
>>> 'Logging
>>> Tasks', and then switch the 'log storage format' from 'MSDE database'
>>> (default) to 'File'.
>>>
>>> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>>>
>>> 9) Click 'Apply' to save changes and update the configuration.
>>>
>>> 10) Temporarily disable the Firewall service. To do that, please click
>>> Monitoring | Services tab, and then right click 'Microsoft Firewall' to
>>> choose 'Stop'.
>>>
>>> 11) Clear the current existing W3C logs. To do that, go to the log
> saving
>>> directory and clean any existing .W3C logs. By default, the logs will be
>>> saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may
>>> not
>>> be able to deleted, that's normal.) You may backup them first and then
>>> delete them.
>>>
>>> 12) Go back to the ISA 2004 management console, and then Start the
> stopped
>>> 'Microsoft Firewall' service.
>>>
>>> 13) Reproduce the problem, stop the service, and then gather the
> resulting
>>> W3C files to me for analysis.
>>>
>>> 14) Please also let me know the IP address of the testing clients so
> that
>>> I
>>> can filter the data.
>>
>>Log file sent separately.
>>
>>Thanks
>>
>>
>>
>>Regards
>>
>>
>>
>

Hi All,

I'm sorry for posting in the wrong thread. Please ignore the 2 threads
above.

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Newsgroups: microsoft.public.windows.server.sbs
>From: v-terliu@online.microsoft.com (Terence Liu [MSFT])
>Organization: Microsoft
>Date: Thu, 31 Jul 2008 10:41:58 GMT
>Subject: Re: Unable to access server resources via vpn
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>MIME-Version: 1.0
>Content-Type: text/plain
>Content-Transfer-Encoding: 7bit
>
>Hi Tony,
>
>Thank you for your update.
>
>After analysis your ISA server log, I find the 443 access is denied by
>default rule. The strange thing is that the 443 access appears in the
>firewall log. But it should appear in web log.
>
>I think your ISA server is corrupted. I suggest you reinstall ISA server
>2004 on SBS to see if it help.
>
>1. Please backup your ISA server 2004 first: Open ISA server 2004, right
>click SBSServerName, select Back Up.
>
>2. Uninstall ISA 2004 from Add or Remove Programs. Reboot the SBS server.
>
>3. Reinstall ISA server 2004 from the SBS SP1 or R2 premium tech CD.
>
>After reinstall the ISA server, we need to run CEICW to configure the
>network and firewall.
>
>a. On the SBS 2003 Server open the Server Management console. Go to
>Standard Management\To Do List.
>b. Click the "Connect to the Internet" link.
>c. On the Connection Type page, click Broadband, and then click Next.
>d. On the Broadband Connection page, under My server uses, click A local
>router device with an IP address, and then click Next.
>e. On the Router Connection page, next to Preferred DNS server and
>Alternate DNS server, type the IP addresses that are provided by your ISP.
>In the Local IP address of router box, type the IP address (192.168.5.254)
>of the router that the server uses to connect to the router.
>f. Click to clear the My server uses a single network connection for both
>Internet access and the local network check box, and then click Next.
>g. On the Network Connection, You must enable and configure the network
>connection to your ISP page, under the Connection Name, click Network
>Connection.
>h. Click Use the following IP address, and then type the IP address
>(192.168.5.13) and the subnet mask in accordance with the router settings.
>The default gateway is the IP address of the router (192.168.5.254).
>i. Click Next.
>
>The network connection is now enabled.
>j. On the Network Connection, You must click the connection for your ISP
>and local network page, click Network Connection under the ISP network
>connection.
>k. Under the Local network connection, click Server Local Area
Connection,
>and then click Next.
>l. Complete the Configure E-mail and Internet Connection Wizard.
>
>4. Please ensure you install ISA server 2004 sp3:
>
>Microsoft? Internet Security and Acceleration (ISA) Server 2004 Standard
>Edition Service Pack 3
>http://www.microsoft.com/downloads/d...074A-5033-4792
-
>AF8B-58B90D841436&displaylang=en
>
>I hope these steps will give you some help.
>
>Best regards,
>
>Terence Liu (MSFT)
>
>Microsoft CSS Online Newsgroup Support
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>This newsgroup only focuses on SBS technical issues. If you have issues
>regarding other Microsoft products, you'd better post in the corresponding
>newsgroups so that they can be resolved in an efficient and timely manner.
>You can locate the newsgroup here:
>http://www.microsoft.com/communities...s/default.aspx
>
>When opening a new thread via the web interface, we recommend you check
the
>"Notify me of replies" box to receive e-mail notifications when there are
>any updates in your thread. When responding to posts via your newsreader,
>please "Reply to Group" so that others may learn and benefit from your
>issue.
>
>Microsoft engineers can only focus on one issue per thread. Although we
>provide other information for your reference, we recommend you post
>different incidents in different threads to keep the thread clean. In
doing
>so, it will ensure your issues are resolved in a timely manner.
>
>For urgent issues, you may want to contact Microsoft CSS directly. Please
>check http://support.microsoft.com for regional support phone numbers.
>
>Any input or comments in this thread are highly appreciated.
>=====================================================
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>--------------------
>>Newsgroups: microsoft.public.windows.server.sbs
>>From: v-terliu@online.microsoft.com (Terence Liu [MSFT])
>>Organization: Microsoft
>>Date: Thu, 31 Jul 2008 10:41:19 GMT
>>Subject: Re: Unable to access server resources via vpn
>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>MIME-Version: 1.0
>>Content-Type: text/plain
>>Content-Transfer-Encoding: 7bit
>>
>>Email from customer:
>>==========================
>>
>>Hi Terence,
>>
>>I initially created this range:
>>192.168.1.0 - 192.168.1.255
>>192.168.2.0 - 192.168.2.255
>>192.168.3.0 - 192.168.3.255
>>
>>after the SBS server was installed a few years ago as users in this
>>range could not successfully connect via their Citrix terminal clients
>>to the servers in the 192.168.1.0 range.
>>Today I deleted these 3 entries from the ISA config as it does not seem
>>necessary.
>>
>>Attached find the cab file and ISA logs as per your request.
>>Note that for the ISA logs the testing client IP was 41.31.222.87.
>>
>>Regards
>>Tony
>>
>

Hi John,

Thank you for your update. I'm sorry for the delay response due to the
weekend.

I'm glad to hear that things are working correctly for you now.

I'd like to make a summary for this post:

Issue:
=============
Unable to access any resource on SBS after the VPN connection is established

Cause:
=============
The problem occurs because of a change in Windows Server 2003 SP1. Windows
Server 2003 SP1 enables the BootTimeSecurity registry entry.

Resolutions:
=============
1. Click Start, click Run, type regedit , and then click OK.
2. Locate and then click the following subkey in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat\Parameters
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DisableBootTimeSecurity , and then press ENTER.
5. On the Edit menu, click Modify.
6. Click Decimal, type 1 in the Value data box, and then click OK.

Please do not hesitate to post in SBS newsgroup if you need any assistance
in the future. I look forward to working with you again.

Thank you and have a nice day,

Best regards,

Terence Liu (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities...s/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
>Reply-To: "John" <info@nospam.infovis.co.uk>
>From: "John" <info@nospam.infovis.co.uk>
>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
<F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
<OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
<jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl>
<#MEloDh7IHA.2072@TK2MSFTNGP04.phx.gbl>
<h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl>
<urNalxF8IHA.1204@TK2MSFTNGP04.phx.gbl>
<INSs3BT8IHA.4744@TK2MSFTNGHUB02.phx.gbl>
>Subject: Re: Unable to access server resources via vpn
>Date: Thu, 31 Jul 2008 12:04:47 +0100
>Lines: 254
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>X-RFC2646: Format=Flowed; Original
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>Message-ID: <uSN290v8IHA.2060@TK2MSFTNGP02.phx.gbl>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: 78.147.151.78
>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:117538
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Hi Terrance
>
>It seems that adding the registry key has worked. Very many thanks for
your
>help.
>
>Regards
>
>"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
>news:INSs3BT8IHA.4744@TK2MSFTNGHUB02.phx.gbl...
>> Hi John,
>>
>> Thank you for your email. I'm sorry for the delay response due to the
>> weekend.
>>
>> Since you are running ISA server 2000 on SBS 2003 sp1, this mostly be the
>> known issue on SBS. The problem occurs because of a change in Windows
>> Server 2003 SP1. Windows Server 2003 SP1 enables the BootTimeSecurity
>> registry entry. Therefore, after you install Windows Server 2003 SP1, the
>> Windows Server 2003 Ipnat.sys driver drops VPN packets that it receives.
>>
>> You can find more information about it in:
>> VPN clients can no longer access internal resources after you install
>> Windows Server 2003 Service Pack 1 on a computer that is running ISA
>> Server
>> 2000
>> http://support.microsoft.com/kb/897651/en-us
>>
>> Since you had applied the Windows Server 2003 Service Pack 2 on your SBS,
>> you have to enter the DisableBootTimeSecurity registry entry manually to
>> resolve this problem. To do this, following these steps:
>>
>> 1. Click Start, click Run, type regedit , and then click OK.
>> 2. Locate and then click the following subkey in the registry subkey:
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat\Parameters
>> 3. On the Edit menu, point to New, and then click DWORD Value.
>> 4. Type DisableBootTimeSecurity , and then press ENTER.
>> 5. On the Edit menu, click Modify.
>> 6. Click Decimal, type 1 in the Value data box, and then click OK.
>>
>> Hope this helps.
>>
>> Please let me know the results so that I can provide further assistance
on
>> this problem. I am looking forward to your reply.
>>
>> Thanks and have a nice day!
>>
>> Best regards,
>>
>> Terence Liu (MSFT)
>>
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> =====================================================
>> This newsgroup only focuses on SBS technical issues. If you have issues
>> regarding other Microsoft products, you'd better post in the
corresponding
>> newsgroups so that they can be resolved in an efficient and timely
manner.
>> You can locate the newsgroup here:
>> http://www.microsoft.com/communities...s/default.aspx
>>
>> When opening a new thread via the web interface, we recommend you check
>> the
>> "Notify me of replies" box to receive e-mail notifications when there are
>> any updates in your thread. When responding to posts via your newsreader,
>> please "Reply to Group" so that others may learn and benefit from your
>> issue.
>>
>> Microsoft engineers can only focus on one issue per thread. Although we
>> provide other information for your reference, we recommend you post
>> different incidents in different threads to keep the thread clean. In
>> doing
>> so, it will ensure your issues are resolved in a timely manner.
>>
>> For urgent issues, you may want to contact Microsoft CSS directly. Please
>> check http://support.microsoft.com for regional support phone numbers.
>>
>> Any input or comments in this thread are highly appreciated.
>> =====================================================
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> --------------------
>>>Reply-To: "John" <info@nospam.infovis.co.uk>
>>>From: "John" <info@nospam.infovis.co.uk>
>>>References: <ODlGdj75IHA.1428@TK2MSFTNGP06.phx.gbl>
>> <F2D6E32F-71A6-44BD-8FB8-A49A78A1EC76@microsoft.com>
>> <OP7dRk96IHA.5276@TK2MSFTNGP05.phx.gbl>
>> <jfMPufL7IHA.1624@TK2MSFTNGHUB02.phx.gbl>
>> <#MEloDh7IHA.2072@TK2MSFTNGP04.phx.gbl>
>> <h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl>
>>>Subject: Re: Unable to access server resources via vpn
>>>Date: Mon, 28 Jul 2008 03:48:26 +0100
>>>Lines: 129
>>>X-Priority: 3
>>>X-MSMail-Priority: Normal
>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.5512
>>>X-RFC2646: Format=Flowed; Original
>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
>>>Message-ID: <urNalxF8IHA.1204@TK2MSFTNGP04.phx.gbl>
>>>Newsgroups: microsoft.public.windows.server.sbs
>>>NNTP-Posting-Host: 78.147.110.223
>>>Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
>>>Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:116941
>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>
>>>Hi Terence
>>>
>>>Please see inline;
>>>
>>>"Terence Liu [MSFT]" <v-terliu@online.microsoft.com> wrote in message
>>>news:h8CwLxk7IHA.1620@TK2MSFTNGHUB02.phx.gbl...
>>>> Hi John,
>>>>
>>>> Thank you for your update.
>>>>
>>>> Since this is a intermittently issue, I suggest you check the following
>>>> things:
>>>>
>>>> 1. Please contact your ISP, to ensure your Internet connection is
>>>> stable.
>>>> 2. Please update your SBS NIC driver, ensure you install the latest
>> driver
>>>> of your NIC.
>>>> 3. Check your router before SBS, or try to replace it with another one
>> for
>>>> test. As I know, some un-qualify router will cause this issue.
>>>> 4. Please install the last service pack of SBS:
>>>
>>>**** All is OK. It seems access is only a problem internally that is
>>>accessing rww internally and ping to server once dialup is connected.
>> Access
>>>via rww from outside is fine. Windows Mobile devices also connect fine
>>>remotely.
>>>
>>>> Downloading and Installing Windows Small Business Server 2003 Service
>> Pack
>>>> 1
>>>>
>>
http://download.microsoft.com/downlo...0-8871-9bc48e0
>>>> b3fc3/ToDownLoadFilesandReadInstructions.htm
>>>>
>>>> Windows Server 2003 Service Pack 2 (32-bit x86)
>>>>
>>
http://www.microsoft.com/downloads/d...610-c232-4644-
>>>> b828-c55eec605d55&DisplayLang=en
>>>
>>>**** Done, and all updates from Windows Update.
>>>
>>>> In regards to OWA and RWW access issue, this is mostly a ISA settings
>>>> issue. I suggest you perform the following steps:
>>>>
>>>> 1. Open ISA server 2004, select Firewall Policy
>>>> 2. Select Toolbox tab at right pane
>>>> 3. Select Network Objects -> Web Listeners
>>>> 4. Double click SBS Web listener
>>>> 5. Select Preferences tab, click Authentication button.
>>>> 6. Uncheck Require all users to authenticate, and ensure only tick
>>>> Integrated in the list.
>>>> 7. Click OK twice.
>>>> 8. Repeat step 4 to 7 on SBS CompanyWeb listener.
>>>> 9. Click Apply button.
>>>
>>>**** Unfortunately ISA is still at 2000. One peculiar thing is that under
>>>'Site and Content Rule' there is no 'Allow Rule'. Adding 'Allow Rule'
>>>manually allows access to RWW internally but running ICW get rids of
>> 'Allow
>>>Rule' again.
>>>
>>>> If we cannot resolve the issue after we perform the steps above, please
>>>> help me collect some information for further investigation:
>>>>
>>>> 1. Please help to gather the ISA Info:
>>>>
>>>> 1) Download the file from the following URL:
>>>>
>>>> http://www.isatools.org/tools/isainfo.zip
>>>>
>>>> 2) Extract all files to a folder on ISA server.
>>>>
>>>> 3) Double click Isainfo.js. This will generate 2 files
>>>> ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in
>> the
>>>> current folder.
>>>>
>>>> 4) Please send these files to me at v-terliu@microsoft.com
>>>
>>>**** Isainfo.js does not work with ISA 2000.
>>>
>>>> 2. Please also help to gather the ISA logs:
>>>>
>>>> 1) Schedule a down time.
>>>>
>>>> 2) Open ISA 2004 management console.
>>>>
>>>> 3) Expand the server node and highlight 'Monitoring'.
>>>>
>>>> 4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
>>>> Pane' is showed there.
>>>>
>>>> 5) In the 'Task Pane', click 'Configure Firewall Logging' under
'Logging
>>>> Tasks', and then switch the 'log storage format' from 'MSDE database'
>>>> (default) to 'File'.
>>>>
>>>> 6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>>>>
>>>> 7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
>>>> 'Logging
>>>> Tasks', and then switch the 'log storage format' from 'MSDE database'
>>>> (default) to 'File'.
>>>>
>>>> 8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>>>>
>>>> 9) Click 'Apply' to save changes and update the configuration.
>>>>
>>>> 10) Temporarily disable the Firewall service. To do that, please click
>>>> Monitoring | Services tab, and then right click 'Microsoft Firewall' to
>>>> choose 'Stop'.
>>>>
>>>> 11) Clear the current existing W3C logs. To do that, go to the log
>> saving
>>>> directory and clean any existing .W3C logs. By default, the logs will
be
>>>> saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF may
>>>> not
>>>> be able to deleted, that's normal.) You may backup them first and
then
>>>> delete them.
>>>>
>>>> 12) Go back to the ISA 2004 management console, and then Start the
>> stopped
>>>> 'Microsoft Firewall' service.
>>>>
>>>> 13) Reproduce the problem, stop the service, and then gather the
>> resulting
>>>> W3C files to me for analysis.
>>>>
>>>> 14) Please also let me know the IP address of the testing clients so
>> that
>>>> I
>>>> can filter the data.
>>>
>>>Log file sent separately.
>>>
>>>Thanks
>>>
>>>
>>>
>>>Regards
>>>
>>>
>>>
>>
>
>
>