ISA, VPN Access and Default Gateways

Regular readers will know that I'm not an expert by any means when it comes to network administration issues. Most of it involves lots of searching the Web (including the ever-useful MSDN), followed by several hours of swearing, running up and down stairs to the server room, and phoning a friend. This policy has stood me in good stead over the last few years, even though I do keep promising myself that I really will learn how DHCP, DNS, AD, WINS and any number of other acronymic combinations of letters actually work. Until then, and in the vain hope that it may just help someone else out there, I continue to fight with the technology and then report my findings. And, this month, it's all about what should be really simple: accessing another site using a VPN through my firewall and proxy server.

I've recently been lucky to be given access to a corporate network (through I can't say which), and this is via a Virtual Private Network connection (VPN) using Point-to-Point Tunnelling Protocol (PPTP). It should be easy enough - all I have to do is run the Connection Wizard in Windows 2000 or XP, specify the network address, and bingo! (or perhaps "voila", or "a snap" depending on where you are reading this). As I have a permanent Internet connection, there's no need to mess about with dial-up stuff. So, plug a machine into the external network, outside the firewall, set it up with a fixed IP address and the appropriate DNS server addresses, and it all just works.

But do I want to be connected to the external network? Probably not, even though XP has a built-in firewall. Better to connect from the internal network, inside the firewall. So, what do I have to do to make this work? According to "the friend I phone", and the Help files, just go to the Properties dialog for the Access Policy section in ISA, open the PPTP tab, and set the checkbox for PPTP through ISA firewall:

This adds an IP Filter named SecureNAT PPTP that uses the standard protocol number 47 PPTP call to allow traffic for the VPN to pass through the firewall:

However, I also use Protocol Rules to control outbound traffic from my internal network, in the perhaps vain hope that it might prevent anything nasty that I do pick up from the Internet from escaping, and then reveal itself in the log files as blocked packets. So, I also need to add PPTP to the list of permitted outbound protocols. Now, according to the ISA Help files, there is a pre-defined filter that I can use - I simply set the checkbox for it in the Protocol tab of the Properties dialog for the rule I use to control outbound access in the Protocol Rules section:

Really? There's no default pre-defined entry for PPTP in my list. So, off I go to find the port details for PPTP. I found a useful article at, which points out that there is a Microsoft document at, which mentions this right at the end. It basically says that, in most cases, all you need to do is open port 1723.

Now, I don't know about you, but I always expect my problem to fall into the "not most cases" category. Perhaps pessimism is a required attribute for network administrators (it's certainly served me well over the years). Anyway, I create a new pre-defined filter named "PPTP Outbound" in the Protocol Definitions section in ISA, and then - Hey presto! - it appears in the list of available protocols in the Protocol tab of the dialog (shown above). So I can just tick this, and go off and use my new VPN.

I guess you're already expecting the next bit ... and you'd be correct. No chance. "Cannot connect to remote host, Error 769". So look in the firewall log, and find no dropped packets. Look in the outbound connections log and find packets that seem to indicate I'm getting out OK. So, what have I missed? Dave has got his VPN connection working fine, and a comprehensive comparison of settings for the network cards, ISA, and anywhere else we can think of, suggests no reason for the error.

Now, I recall when playing with the setup on the external connection that, for some unknown reason, I removed the Default Gateway setting (the IP address of the external router's internal interface) from the Internet Protocol (TCP/IP) Properties dialog of the network card. That caused the same error, and it went away again when I put the IP address back in. Of course, now I'm connecting to the internal network, with DHCP providing the details for my network connection.

So I run ipconfig on the client, and discover there's no value for the Default Gateway. This should be set by the DHCP server as part of the address lease, and I have never played with it since I set up the network. In fact I already knew this from running ipconfig previously, but I figured it obviously wasn't that important as everything else worked OK. (I told you that I really do need to learn about this stuff). Anyway, back to the Help files, and discover that the DHCP option named Router is used to specify the default gateway. Open up the Scope Options dialog, select 003 Router, and enter the IP address of the ISA server's internal network card:

Now I run a quick ipconfig /renew in a Command windows on the client machine, and - much to my amazement - it works! Instantly I get the connection to the remote network. At least I've learned that default gateways are important after all. All I have to do now is try and remember my VPN password...

Email:         Privacy and Acceptable Use Policy