Microsoft KB Archive/923836

= The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections in Microsoft Windows Small Business Server 2003 Premium Edition SP1 =

Article ID: 923836

Article Last Modified on 12/3/2007

-

APPLIES TO

 * Microsoft Windows Small Business Server 2003 Premium Edition

-



SYMPTOMS
You install Microsoft Windows Small Business Server 2003 (Windows SBS) Premium Edition Service Pack 1 (SP1) or you upgrade from Windows SBS 2003 Premium Edition to Windows SBS 2003 Premium Edition SP1. After you install or upgrade to SP1, you cannot create an outgoing virtual private network (VPN) connection by using Point-to-Point Tunneling Protocol (PPTP) from inside the Windows SBS 2003 Premium Edition network.



CAUSE
The ISA Server policies that are created by the SBS connection wizard require user authentication. The ISA Firewall Client provides user credentials for non-HTTP traffic. To create the PPTP connection, the PPTP client must use TCP (IP protocol 17) on port 1723 and the GRE (IP protocol 47) protocol. The ISA Server Firewall Client only processes TCP and UDP traffic that is handled by Winsock. Because the ISA Server Firewall Client cannot process the GRE traffic, it cannot authenticate this traffic to ISA Server. Therefore, the GRE connections are denied, and the PPTP connection attempts are blocked.



WORKAROUND
To work around this behavior, you can create a new access rule in the ISA 2004 firewall policy that lets client computers on the internal network make outgoing connections by using PPTP. To do this, follow these steps:
1) Click Start, point to All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2) In the left pane of the ISA Server Management MMC snap-in, click Firewall Policy.
3) In the right pane of the ISA Server Management MMC snap-in, click Create a new access rule.
4) On the Welcome to the New Access Rule Wizard page, type a name for the access rule, and then click Next.
5) On the Rule Action page, click Allow, and then click Next.
6) On the Protocols page, under This rule applies to, select Selected Protocols from the list, and then click Add.
7) On the Add Protocols page, expand VPN and IPSec, select PPTP, click Add, click Close, and then click Next.
8) On the Access Rule Sources page, click Add.
9) On the Add Network Entities page, expand Networks, select Internal, click Add, click Close, and then click Next.
10) On the Access Rule Destinations page, click Add.
11) On the Add Network Entities page, expand Networks, select External, click Add, click Close, and then click Next.
12) On the User Sets page, click Add.
13) On the Add Users page, click All Users, click Add, click Close, and then click Next.
14) Click Finish.
15) In the ISA Server Management MMC snap-in, click Apply, and then click OK.

Note: Make sure that this new rule comes before any authenticated rule that enables outbound traffic. ISA Server evaluates access rules in order, and the GRE traffic cannot carry user credentials, so an earlier rule that requires authentication would match the PPTP traffic first and deny it before this rule is ever reached.
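The following is an added illustration, not code from this article or from ISA Server: a small constructed model of first-match access-rule evaluation that shows why the GRE leg of a PPTP connection is denied when an authenticated rule sits above the new PPTP rule, and allowed when the PPTP rule is placed first. Rule names, the rule and connection structures, and the protocol labels are assumptions made for the example.

```python
"""Constructed model of ISA Server 2004 first-match rule evaluation (not ISA code).

A PPTP connection has two legs: TCP port 1723 and GRE (IP protocol 47).
The Firewall Client can attach user credentials only to Winsock TCP/UDP
traffic, so the GRE leg always reaches the firewall unauthenticated.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "deny"
    protocols: set     # e.g. {"TCP/1723", "IP/47"}; empty set = all protocols
    users: str = "all" # "all" (anonymous permitted) or "authenticated"


@dataclass
class Connection:
    protocol: str        # "TCP/1723" or "IP/47"
    authenticated: bool  # True when the Firewall Client supplied credentials


def evaluate(policy, conn):
    """Return (action, rule_name) for the first rule that matches the connection."""
    for rule in policy:
        if rule.protocols and conn.protocol not in rule.protocols:
            continue
        if rule.users == "authenticated" and not conn.authenticated:
            # Rule matches but demands credentials the client cannot supply:
            # the connection is denied here, not passed to later rules.
            return ("deny", rule.name)
        return (rule.action, rule.name)
    return ("deny", "<default deny>")


def pptp_outcome(policy):
    """Evaluate both legs of an outbound PPTP connection from a Firewall Client host."""
    tcp = Connection("TCP/1723", authenticated=True)   # Winsock traffic: credentials attached
    gre = Connection("IP/47", authenticated=False)     # GRE: bypasses the Firewall Client
    return {"tcp": evaluate(policy, tcp), "gre": evaluate(policy, gre)}


# Assumed rule names for the illustration.
AUTH_RULE = Rule("SBS Internet Access", "allow", set(), users="authenticated")
PPTP_RULE = Rule("Allow PPTP outbound", "allow", {"TCP/1723", "IP/47"}, users="all")

if __name__ == "__main__":
    for label, policy in [("no PPTP rule", [AUTH_RULE]),
                          ("PPTP rule below authenticated rule", [AUTH_RULE, PPTP_RULE]),
                          ("PPTP rule above authenticated rule", [PPTP_RULE, AUTH_RULE])]:
        print(f"{label}: {pptp_outcome(policy)}")
```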

Keywords: kbtshoot kbprb KB923836

-

© Microsoft Corporation. All rights reserved.