RRAS Ports are not created after enabling VPN on ISA Server 2006

1. Introduction

This post is about an issue that prevented VPN clients from establishing a VPN connection with ISA Server 2006.

2. Symptoms

When testing VPN client access in this particular scenario, we could see in ISA Server logging that the system rule that allows VPN client access was matched, but the entry showed the error Failed Connection Attempt:

Error1

Using the command netstat -nao, we verified that no process was listening on port 1723. This is not correct, since svchost.exe should be listening on TCP 1723 when ISA has VPN enabled. The other unexpected behavior was noticed in the RRAS Manager, which had no PPTP ports available, as shown below:

Error2

3. Solution

It turned out that a server publishing rule was using custom protocols on high ports (1500 to 2000), which prevented RRAS from grabbing TCP port 1723. After deleting this rule and restarting the Microsoft Firewall service, the issue was resolved.
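The two checks above can be run offline against captured data. This is an added example, not part of the original post: it parses saved `netstat -nao` output for a listener on TCP 1723 and flags any publishing rule whose port range covers that port. The netstat sample, PIDs and rule names are constructed; only port 1723 and the 1500 to 2000 range come from the post.

```python
PPTP_PORT = 1723  # TCP port RRAS must be able to bind (from the post)

# Constructed sample of `netstat -nao` output; no listener on 1723.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING       1840
  TCP    10.0.0.1:2044          192.0.2.10:1723        ESTABLISHED     1840
  UDP    0.0.0.0:500            *:*                                    432
"""

# Hypothetical rule inventory: (rule name, low port, high port).
SAMPLE_RULES = [
    ("Custom high-port publishing", 1500, 2000),
    ("HTTPS publishing", 443, 443),
]

def tcp_listeners(netstat_text):
    """Return {local_port: pid} for TCP sockets in the LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; UDP rows have no State column.
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit keeps bracketed IPv6 addresses such as [::]:1723 intact.
            port = int(fields[1].rsplit(":", 1)[1])
            listeners[port] = int(fields[4])
    return listeners

def rules_covering(port, rules):
    """Names of rules whose port range includes the given port."""
    return [name for name, low, high in rules if low <= port <= high]

def diagnose(netstat_text, rules, port=PPTP_PORT):
    """Combine both checks: who listens on the port, which rules overlap it."""
    return {
        "port": port,
        "listener_pid": tcp_listeners(netstat_text).get(port),
        "conflicting_rules": rules_covering(port, rules),
    }

if __name__ == "__main__":
    result = diagnose(SAMPLE_NETSTAT, SAMPLE_RULES)
    print("TCP %d listener PID: %s" % (result["port"], result["listener_pid"]))
    print("Rules covering the port: %s" % result["conflicting_rules"])
```

A `listener_pid` of `None` together with a non-empty `conflicting_rules` list matches the situation described in this post.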

 

Author

Saurav Datta

Sr. Support Engineer

Microsoft CSS Security Team

Technical Reviewer

Yuri Diogenes

Sr Security Support Escalation Engineer

Microsoft CSS Forefront Edge Team