ISA Server 2004 FAQ: Virtual Private Network (VPN)

This frequently asked questions (FAQ) document provides answers to questions commonly asked about configuring and managing VPN functionality in Microsoft® Internet Security and Acceleration (ISA) Server 2004.

Q

Can I view IP addresses that are dynamically assigned to clients in the VPN Clients network?

A

Yes. The ISA Server firewall log records an entry for each VPN client connection, including the IP address that was assigned to the client.

Q

How many concurrent connections are supported by ISA Server VPN?

A

For ISA Server 2004 Standard Edition, the number of concurrent VPN remote access connections is limited to 1,000. This limitation exists even if you install the product on a Windows operating system that supports more than 1,000 concurrent VPN connections.

Q

Can I create an IPSec site-to-site tunnel where one of the ISA Server computers receives a dynamic address from DHCP?

A

No. This is a limitation of IPSec tunnel mode, which requires a fixed address at both tunnel endpoints. When one side receives a dynamic address, use PPTP or L2TP over IPSec for the site-to-site connection instead.

Q

I am running ISA Server on Windows 2000, and I cannot create a remote site with IPSec tunneling. Why not?

A

To create a remote site network that uses the IPSec protocol tunneling mode on a computer running Windows 2000, you must install the IPSecPol tool from the Microsoft website. The tool must be installed to the ISA Server installation folder.

Q

I have ISA Server running on a computer running Windows 2000 and it is not accepting any VPN connections. Why not?

A

If Internet Authentication Service (IAS) was running while ISA Server was installed, ISA Server will not accept VPN connections. Restart IAS.

Q

Traffic originating from the IP address of the remote site gateway is denied by ISA Server. What could be wrong?

A

In a remote site network scenario that uses the PPTP or L2TP tunneling protocols, the ISA Server computer may not have a default gateway configured. When no default gateway is defined, the static route between ISA Server and the remote site gateway is not added. Because no route to the remote site gateway exists, ISA Server treats traffic arriving from that address as spoofed and denies it. Add a default gateway. You can specify a dummy default gateway; an unused address on the subnet attached to the external interface is sufficient, because Windows rejects a gateway that is not on a directly attached subnet.
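The following script is an added example, not part of the ISA Server documentation. It checks the active routing table on the ISA Server computer for a default route, adds a persistent dummy default gateway if none is present, and then checks whether a host route to the remote site gateway exists. The addresses REMOTE_GW and DUMMY_GW are hypothetical placeholders and must be changed for your network.

```batch
@echo off
setlocal
rem Added example (not from the ISA Server 2004 documentation).
rem Checks for a default gateway on this ISA Server computer and, if none is
rem configured, adds a persistent dummy one so that the static route to the
rem remote site gateway can be added and its traffic is not denied as spoofed.
rem
rem Assumed values (hypothetical, change for your network):
rem   REMOTE_GW  public address of the remote site VPN gateway
rem   DUMMY_GW   unused address on the external interface's own subnet;
rem              route.exe rejects a gateway that is not on an attached subnet
set REMOTE_GW=203.0.113.1
set DUMMY_GW=192.0.2.254

echo Checking the active routing table for a default route (0.0.0.0/0)...
route print | findstr /r /c:"^ *0\.0\.0\.0 *0\.0\.0\.0 " >nul
if %errorlevel%==0 (
    echo A default gateway is already configured.
) else (
    echo No default gateway found. Adding a persistent dummy default route via %DUMMY_GW%.
    route -p add 0.0.0.0 mask 0.0.0.0 %DUMMY_GW%
    if errorlevel 1 (
        echo route add failed. Make sure %DUMMY_GW% lies on a directly attached subnet.
        exit /b 1
    )
)

echo Checking for a host route to the remote site gateway %REMOTE_GW%...
route print | findstr /c:"%REMOTE_GW% " >nul
if %errorlevel%==0 (
    echo A route to %REMOTE_GW% is present; its traffic should no longer be treated as spoofed.
) else (
    echo No route to %REMOTE_GW% yet. The static route is added when the
    echo site-to-site connection is established; bring up the demand-dial
    echo connection or restart the Microsoft Firewall service and run this check again.
)
endlocal
```

Run the script from an administrative command prompt on the ISA Server computer. A dummy default gateway that does not forward packets simply black-holes traffic for which no more specific route exists, which is acceptable here: its only purpose is to let the host route to the remote site gateway be installed so the anti-spoofing check sees a valid path back to that address.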

Q

In Routing and Remote Access, I've configured several dial attempts with a time interval between them. When I change any setting of a site-to-site network, the time interval is reset to one second and the redial value to 0. What's wrong?

A

ISA Server overwrites a number of demand-dial configuration settings. This can be a problem on slow, modem-based demand-dial connections, where dialing may not succeed on the first attempt. As a workaround, you can write a program that uses the Routing and Remote Access APIs to configure the redial settings, and run it every time Routing and Remote Access starts. However, ISA Server overwrites the Routing and Remote Access settings each time the Microsoft Firewall service, or the computer, restarts, so the program must also be run after every such restart.

[Topic Last Modified: 12/16/2008]