The Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections in Microsoft Windows Small Business Server 2003 Premium Edition SP1 (923836)



The information in this article applies to:

  • Microsoft Windows Small Business Server 2003, Premium Edition

SYMPTOMS

You install Microsoft Windows Small Business Server 2003 (Windows SBS) Premium Edition Service Pack 1 (SP1) or you upgrade from Windows SBS 2003 Premium Edition to Windows SBS 2003 Premium Edition SP1. After you install or upgrade to SP1, you cannot create an outgoing virtual private network (VPN) connection by using Point-to-Point Tunneling Protocol (PPTP) from inside the Windows SBS 2003 Premium Edition network.

CAUSE

By default, the Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy blocks outgoing PPTP connections. However, users who are members of the Windows SBS 2003 Internet Users group can send outgoing PPTP traffic from the server that is running Windows SBS 2003.

By default, when you install the ISA 2004 firewall client on the client computer, the client computer does not use PPTP to communicate with the server that is running Windows SBS 2003. Additionally, because the PPTP connection is sent from a client computer and is not sent from the server that is running Windows SBS 2003, the firewall policy rule does not apply.

WORKAROUND

To work around this behavior, you can create a new access rule in the ISA 2004 firewall policy that lets client computers on the internal network make outgoing connections by using PPTP. To do this, follow these steps:
  1. Click Start, point to All Programs, click Microsoft ISA Server, and then click ISA Server Management.
  2. In the left pane of the ISA Server Management MMC snap-in, click Firewall Policy.
  3. In the right pane of the ISA Server Management MMC snap-in, click Create a new access rule.
  4. On the Welcome to the New Access Rule Wizard page, type a name for the access rule, and then click Next.
  5. On the Rule Action page, click Allow, and then click Next.
  6. On the Protocols page, under This rule applies to, select Selected Protocols from the list, and then click Add.
  7. On the Add Protocols page, expand VPN and IPSec, select PPTP, click Add, click Close, and then click Next.
  8. On the Access Rule Sources page, click Add.
  9. On the Add Network Entities page, expand Networks, select Internal, click Add, click Close, and then click Next.
  10. On the Access Rule Destinations page, click Add.
  11. On the Add Network Entities page, expand Networks, select External, click Add, click Close, and then click Next.
  12. On the User Sets page, click Add.
  13. On the Add Users page, select the users or groups that you want to add, click Add, click Close, and then click Next.
  14. Click Finish.
  15. In the ISA Management MMC snap-in, select the rule that you created, click Apply, and then click OK.

Modification Type: Minor
Last Reviewed: 9/7/2006
Keywords: kbprb KB923836 kbAudITPRO