Joining Networks over the Internet with a Gateway to Gateway VPN - Loose Internet Browsing


Post by Marcelo Go » Wed, 21 Jul 2004 00:00:02


Hello,

I followed the directions in many how-to articles (including the
http://www.yqcomputer.com/ ) and after
several attempts and tests I decided to post my doubt in this group in
search of tips.

My Configuration:

Site A: SBS2000, ISA sp2
Local: 192.168.51.2 / 255.255.255.0
Internet: 200.176.x.x

Site B: SBS2000, ISA sp2
Local: 192.168.48.2 / 255.255.255.0
Internet: 200.176.y.y

After following the directions in
http://www.yqcomputer.com/

Site A can see all of the machines of the site B. The machines of the site A
can navigate in the Internet without problems.

Site B can see all of the machines of the site A, but the machines of the
site B CANNOT navigate in the Internet.

Ping and tracert to externals IPs (200.x.x.x) works.
Name Resolution (dns) from command line works fine.
Seemingly ISA stops serving the requests from site B when VPN is
established.

Does anybody have any suggestion of what I should verify?

Thank you,

Marcelo Goulart

PS: Searching for a solution on the Internet, I found another user with a
similar problem:

http://www.yqcomputer.com/ ;f=13;t=002438
-------------------------------------------------------------------------
I have 2 sites : 1 running SBS 2003 Server (with ISA 2000) and the other
running 2003 Server with ISA 2000. Each site has ISA configured and working
properly over a broadband connection to the 'External' network card.

I have followed the Chapter 4 tutorial: "ISA Server 2000 Gateways on each
site" configured to use a PPTP connection only and have come up against a
problem.

When the remote site connects to the main branch I have access to all the
network resources over the VPN which is great but the client PCs and
server at the remote site lose internet access.

I can ping internet sites from the server using domain name and/or IP
address so I don't think it's a DNS problem. When I manually disconnect the
main_branch interface within RRAS full functionality is restored.

I'm 100% sure that this is a routing problem but it is proving difficult for me
to resolve. Has anyone had a similar experience who can maybe point me in
the right direction?

Thanks
--------------------------------------------------------------------------
 
 
 


Post by Tony S » Wed, 21 Jul 2004 00:39:50

Most likely...

Depends on how the gateways are configured, and whether
you have configured Anonymous Internet support for the
remote VPN clients.

In particular, my guess is that although Site B is
properly configured to use the Remote Gateway to the
Internet (No split tunnel)...

- The clients may not be configured to point to the Remote
Gateway properly (all you know is that they can't use the
Local Gateway at this point) Hard to tell, since you don't
describe what "Externals" is supposed to mean, public
addresses on the perimeter of either network or a remote
destination not in either network.
- The remote ISA may not be configured to support both
networks in the LAT. Same comment about "Externals" as
above.
- You may not have created Site & Content and Protocol
rules using Client Sets. Remember, most of the VPN
tutorials on isaserver.org assume that it's possible to
make the remote network a member of the Local Domain but
with SBS each network must be its own Domain with no
support for inter-Domain Trusts.






 
 
 


Post by Marcelo Go » Wed, 21 Jul 2004 01:45:37

Hi Tony

Thank you for the help.


I basically used the ISA's assistant of VPN in both sites.

The idea is that the users of SITE A use ISA of SITE A and the users of SITE
B use ISA of SITE B.
Each site has its own AD, there is no trust needed (I know that it is a
limitation of SBS).
I imagine that this way I don't need "Anonymous Internet support", I just
need the access to local IPs of each net.



I compared the configurations of ISA and of RRAS in both sites. Everything
seems similar, just with the change of the IP addresses.


External means an IP address on the Internet, outside the perimeter. Example:
www.uol.com, www.google.com

When VPN is established, I can:

FROM SITE A = 192.168.51.2
Ping 192.168.48.2 (OK)
Ping 200.221.8.45 (OK)
Ping www.google.com (OK)
Internet Explorer through Proxy 192.168.51.2:8080 (All OK)

FROM SITE B = 192.168.48.2
Ping 192.168.51.2 (OK)
Ping 200.221.8.45 (OK)
Ping www.google.com (OK)
Internet Explorer through Proxy 192.168.48.2:8080 (Don't WORK)



LAT in both ISA:
192.168.51.0 - 192.168.51.255
192.168.48.0 - 192.168.48.255


I also tried to invert the LOCAL and the REMOTE using VPN ISA'S Assistant.
The problem continues being the same.

Any help will be very welcome. My last attempt will be to uninstall and to
reinstall ISA in SITE B.

Thank You.

Marcelo
 
 
 


Post by Marcelo Go » Wed, 21 Jul 2004 09:16:05

I think that I found a solution:

http://www.yqcomputer.com/ %40TK2MSFTNGP11.phx.gbl&rnum=1&prev=/&frame=on

I will test tomorrow in the morning. Now, I lost the TS connection during my
last tests and don't have anybody in the office to reset the server...
:-(

Thanks to Les Connor [SBS MVP], Damian N. Leibaschoff and Luis Carvalho.

Marcelo Goulart



 
 
 


Post by Tony S » Wed, 21 Jul 2004 21:21:53

IMO they're not trying to do what you're trying to do, I
believe they're just trying to access resources in the
remote Domain, not reach out to the Internet through the
remote ISA.

Believe you have already resolved all the issues their
posts refer to which is to enable both IP and name
resolution to access resources in the remote domain.

Your problem probably is that your Clients in Site B are
pointing to your Site B ISA on port 8080 which then tries
to connect to the remote Server on port 80... but of
course the Site A ISA is configured to only accept
outbound requests on port 8080 also.

From what you've posted, I believe you also have basic
network connectivity and name resolution to the Internet,
you only need to resolve Web Proxy issues.

If you believe this is your situation, then you will need
to configure something like an upstream proxy routing rule.

Good Luck!

Tony Su
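
The tests reported in this thread show ping and name resolution working from Site B while browsing through the proxy on port 8080 fails, which points at the Web Proxy layer rather than basic connectivity. As an added example (not code from any poster in this thread), the Python script below probes a proxy listener and names the failing layer from the HTTP status the proxy returns; the result labels and the mapping from status codes to causes follow general HTTP proxy semantics and are assumptions, not documented ISA Server behaviour.

```python
import socket
from urllib.parse import urlsplit

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def proxy_status(proxy_host, proxy_port, url, timeout=5.0):
    """Send an absolute-URI GET to a web proxy; return the status code or None."""
    req = f"GET {url} HTTP/1.0\r\nHost: {urlsplit(url).netloc}\r\n\r\n"
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(req.encode("ascii"))
            line = s.makefile("rb").readline().decode("latin-1")
    except OSError:
        return None
    parts = line.split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return None

def diagnose(proxy_host, proxy_port, url):
    """Name the layer at which browsing through the proxy fails (labels are hypothetical)."""
    if not tcp_open(proxy_host, proxy_port):
        return "proxy-unreachable"        # listener down, or a route/filter problem
    status = proxy_status(proxy_host, proxy_port, url)
    if status is None:
        return "proxy-no-http-reply"      # port open, but no HTTP answer came back
    if status == 407:
        return "proxy-auth-required"      # proxy wants credentials from the client
    if status == 403:
        return "proxy-denied"             # an access rule refused the request
    if status in (502, 504):
        return "proxy-upstream-failure"   # proxy could not reach the origin server
    return "ok" if status < 400 else f"http-{status}"

if __name__ == "__main__":
    # Site B proxy address and the test site are the ones given in the thread.
    print(diagnose("192.168.48.2", 8080, "http://www.google.com/"))
```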




