On an SBS2k3 SP1 / ISA2k4 network, I joined a laptop to work remotely via
VPN. In the office connected directly to LAN it works fine no problems (this
was done for the setup), but in WAN using VPN with dial in option at logon it
takes 15 min to log on, it doesn't run the login script, and another 15 to see
\\servername then it asks for a password. The internet works fine and the
server responds to pings. Same scenario happens when I connect without
checking the dial in box for VPN, so I'm off line then establish a VPN
connection. The weird part is that if I log on to the local computer account
and use VPN it works fine, fast, I can see network resources and would have
to run the script manually. I got same results off a test system.
We have used the same settings for other companies with same network and it
works fine. I just connected the test system to another SBS2k3 sp1 via VPN
and it works fine (same settings were used). I checked the two SBS servers,
line by line in ISA2004 and remote access, they are the same. I noticed that
this happened to a few SBS2k3 networks only after you upgrade to SP1. Is
there a fix or a solution for this problem?
Your input is much appreciated.
Daniel
Thanks for using SBS newsgroup.
Issue description:
===========
I understand that you encountered some problems when you use the dial-in
option to log on to the domain remotely.
Analyzing and suggestions:
============
Generally speaking, this should be a performance issue. As far as I know, if
you use the dial-in option to log on to the SBS domain remotely, the remote
computer will deliver a lot of information, such as AD, to the SBS over the
network. It might cause some delay, as you mention you even encountered some
problems when browsing \\servername. In my experience, it might be some
incorrect design of the ISA firewall.
So I suggest you make sure that you have configured ISA 2004 correctly. For
your convenience, I would like to give you an example to show how to
configure ISA 2004 to allow external dial-in connections:
The following is a verbal description of a physical network configuration
that describes bidirectional VPN traffic between two locations that are
separated by the Internet.
Location 1 = [local area network] + [domain controller] + [ISA Server
1] -- Internet -- [remote client computer] = location 2
In this method, there is one ISA Server computer that is configured to
allow VPN client access, and there is a client computer that is configured
to use a VPN connection to access the network through an Internet
connection.
Enable VPN client access on the ISA server
To enable VPN client access on the ISA server, follow these steps:
1. Click "Start", point to "All Programs", point to "Microsoft ISA Server",
and then click "ISA Server Management".
2. Expand <YourServerName>, and then click "Virtual Private Networks (VPN)".
3. In the right pane, click "Enable VPN Client Access".
Enable remote access on domain user accounts
When you use a VPN connection to join a domain, you must first allow
remote access permission in the Active Directory of the domain controller
for each user account that requires VPN access. To enable remote access on
domain user accounts, follow these steps:
1. Click "Start", point to "Administrative Tools", and then click "Active
Directory Users and Computers".
2. Expand <YourServerName>, and then click "Users".
3. In the right pane, right-click the user account that you want to enable
remote access on, and then click "Properties".
4. Click the "Dial-in" tab.
5. Click to select the "Allow access" check box, and then click "OK".
6. Repeat steps 3 through 5 for any additional user accounts that you want
to enable remote access on.
If the problem still exists, please help gather more information:
1. Does it occur at all the remote locations? If you connect the computer to
the external NIC of the ISA 2004, does the issue still exist when you use
the dial-in option to log on?
2. Please also make sure that you disable the IP fragment on ISA 2004, it
might block some logon information or group policy. You can check it by
following the steps below:
On ISA 2004, if you enable the 'Block IP fragments' option in ISA MMC >
Configuration > General > 'IP Preferences' > 'IP Fragments', ISA server may
experience long logon times or even fail to log on to the domain; in some
cases, ISA will fail to do the authentication for defined rules.
3. Please also follow the steps below to collect ISAinfo then send to me,
it might be helpful to isolate the problem.
Use the ISAinfo utility to capture the server configurations:
a. Download the file from the following URL:
http://www.isatools.org/isainfo/ISAInfo.zip
b. Extract all files to a folder on ISA server
c. Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
My email address is v-ch...@microsoft.com
4. Please also make sure that the router is configured correctly to allow
such packets to travel through the Internet.
More info:
===========
867483 How to configure networks in ISA Server 2004
http://support.microsoft.com/?id=867483
Please feel free to let me know, if you have any further concerns. I will
be here waiting for your updates.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
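The reply above grants VPN access per account through the "Allow access" check box on the Dial-in tab. As an added example (not part of the original posts), this Python sketch audits which accounts hold that permission from an LDIF export of the directory, assuming the check box is stored in the `msNPAllowDialin` attribute and that the export includes `userAccountControl`; the sample entries are constructed.

```python
import base64
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled accounts

# Constructed sample export; names and DNs are placeholders, not from the thread.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=SBSUsers,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512
msNPAllowDialin: TRUE

dn: CN=Bob,OU=SBSUsers,DC=exa
 mple,DC=local
sAMAccountName: bob
userAccountControl: 514
msNPAllowDialin: TRUE

dn: CN=Dave,OU=SBSUsers,DC=example,DC=local
sAMAccountName: dave
userAccountControl: 66048
"""

def parse_ldif(text):
    """Return one dict per entry; handles folded lines and base64 ("attr::") values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry: entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # base64-encoded value
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry[name.strip().lower()] = value.strip()
    return entries

def audit_dialin(text):
    # An unset msNPAllowDialin means the remote access policy decides.
    report = {"allowed": [], "allowed_but_disabled": [], "not_allowed_or_policy": []}
    for e in parse_ldif(text):
        allowed = e.get("msnpallowdialin", "").upper() == "TRUE"
        disabled = int(e.get("useraccountcontrol", "0")) & ACCOUNTDISABLE
        key = ("allowed_but_disabled" if disabled else "allowed") if allowed else "not_allowed_or_policy"
        report[key].append(e.get("samaccountname", e.get("dn", "?")))
    return report
print(audit_dialin(SAMPLE_LDIF))
```

Accounts listed under `allowed_but_disabled` still carry the dial-in grant and are worth clearing before they are ever re-enabled.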
| Subject: VPN Problem with a domain account versus local computer account
| Date: Wed, 24 Aug 2005 13:21:01 -0700
"2. Please also make sure that you disable the IP fragment on ISA 2004, it
might block some logon information or group policy. You can check it by
following the steps below:
On ISA 2004, if you enable the 'Block IP fragments' option in ISA MMC >
Configuration > General > 'IP Preferences' > 'IP Fragments', ISA server may
experience long logon times or even fail to log on to the domain; in some
cases, ISA will fail to do the authentication for defined rules."
I must've spent a couple of days troubleshooting this problem, and finally
problem solved.
Thanks again,
Daniel
Thanks for letting us know that my solution works great for you. Have a
nice day and hope you have a good sharing in this newsgroup.
Best regards,
Charles Yang (MSFT)
Get Secure! - www.microsoft.com/security
| Subject: RE: VPN Problem with a domain account versus local computer
accoun
| Date: Thu, 25 Aug 2005 22:39:02 -0700