Isa, site to site vpn, routing tables

 I have a SBS account with 3 routers and 4 servers. Your typical SBS environment.


Main office:

Hospital router

Main office site to site router

Internet router


Psschartlogic (sql server that syncs a folder and sql)

Pssapps2  (for remote timeclock use and to see the hospital network apps)


Remote office:

Clogic2 (sql server that works with psschartlogic)

Remote office site to site vpn router




I had this account working for a year or more on SBS 2000. I have the remote office connecting to the main office pssapps2 to use the timeclock and to look at hospital xrays and lab reports. The hospital internet portal does not have the most up to date lab reports and xrays so we want to use the hospital router via pssapps2 to see stuff. The main office does not need to use pssapps because the timeclock is on psssbs. All the workstations at the main office can use the hospital router to see xrays and reports.


This fell apart when I installed a new SBS 2003 with ISA 2004. On my SBS I added my routing tables. I added my dns entries and host entries. I could resolve names and everything worked fine at the main office. The remote office was having a hard time reaching the servers or workstations. One doc wants to reach his workstation because he had a few unique things on his workstation. Weird thing was that you could reach psschartlogic and psssbs  from the remote office but that was it. When I am in the main office working from any main office computer all machines tested would answer a rdp session.


I made sure the Windows firewall was turned off on the pssapps2. I turned off the Trend firewall. No diff. I turned on the Windows firewall and made sure there were exceptions for remote. I turned on logging and I could see the start of a conversation with a 3389 connection but nothing after that. I clicked on default settings and a warning pops up. I click away. Now I cannot get to pssapps2 because the default is let no traffic in. It was 10:30 at night. I was planning on visiting in the morning. Did I mention that this account is a pulmonary and sleep disorder practice? That means the run 24×7. I get calls in the evening when things do not work. I guess I broke things a little too late for anyone to notice. They must have already gotten their face sheets. Oh, they actually run two remote offices but the second remote office dials in using a Microsoft vpn so they did not suffer problems access any resources because the vpn put them in the 192.168.10.x network.


I arrive at the site and the staff is in jeans. This is always a good sign as it suggests no patients or docs for the day. They were doing housecleaning with minimal computer use. That meant free reign of the server with a bit of server going down warning. I go back to pssapps2 and turn off the Windows firewall. I noodle around and I give up on things. I call Microsoft support. This costs money but usually worth it. I almost never call with a 10 minute problem. I often spend 2 hours and even days working on problems. I had a dfs problem at this same account that I spent 2 months working on. I work in Atlanta. I started the support call over the phone. A month later I actually was in Texas for training and spent a few hours with a Microsoft support engineering in his cube working on the dfs problem. We never solved that dfs problem. Well I sort of solved it when I install new hard drives in the problem server and a new operating system. I then used VisaVersa from It has a gui interface so I can see what is happening. I bought the basic program and the other program that is supposed to set things up as a service. I could never get the service module to work so I told the program to sync using a task schedule every 15 minutes. Program works great. I have used the tool a few times when xcopy did not work when I did a swing migration. I do a swing every month or so. I am cheap so I use the procedure listed in The book covers a lot of things but I use it mainly for the migration process. Jeff has developed a number of scripts that you can use to make the job easier. I need to watch someone use the scripts so I can appreciate them. Sorry I learned computers in dos and mainframes so I am sort of used to working without gui for some tasks. Anyway the kit he has put together is great and worth every penny.


Back to the current problem. Support looks around and can’t see anything. They state something to the affect that ISA is handling all 3389 and we need to change the ports on the other servers and workstations. She starts to change the listening port and I stop her. I do not want to tell my users click on port 3388 for this server and 3387 for this workstation. I request a bump up to the next level of support. I am passed on. I swear that I am still in India as the next guy has a name I cannot pronounce. I was certainly not John and did not sound like a John fromOhio. Well I was in Canada support. I have called there and they are quite international. In the Texas and Charlotte support offices everyone there seemed to be from the US. Well Ray Fong in Charlotte was not from the US but most were. I guess I am just showing my ignorance. An international company should have people from all over the world working for them. I know some folks I met in Charlotte are working over in the UK for Microsoft.


Sorry, I digress again. I explain to Shahram  what my goal is and how I have engineered things. We look around. We change some local network settings in ISA. I had the hospital networks, my main office network and my remote office networks listed.,,, and He tried to make the main office That made not difference.


Here is my routing table from my SBS. Note that there is nothing exciting or worrisome because all my gateways are private ips the real world cannot reach.


Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric



     20     20     20
      1      1      1      1      1      1      1     10     10     50      1     10
     10      1      1

Default Gateway:


Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric       1       1       1       1       1       1


Routing 101. A computer cannot talk to another computer unless it knows how to talk to the other computer. Sometimes this stuff is handled by a server, sometimes by a router, sometimes magic. Well never magic but it seems that way. If you have worked with Cisco routers you know nothing good happens when connecting two sites until you  tell the routers how to talk to each other. You go into their Command Line Interface and program away. This Cisco conversation is not relevant to my problem. It is just a high level overview. On a workstation or server you might have to do a route add –p mask You can tighten it up if you need to go to a specific workstation or server or a smaller subnet. That is why you see some persistent routes because I used the –p when I ran the command.


After much clicking here and there we ran some netmon traces at psssbs, pssapps2 and from a workstation at the remote office. 20 minutes later Sharam calls back with info. He talked with some other techs and they are sure ISA 2004 is eating up the traffic. Well that was my thought the whole time as it worked with ISA 2000 on the old server. The solution is simple. We did route add –p mask on pssapps2 and the doctor’s main office workstation. The remote desktop now works fine. What I never understood was how the psschartlogic would accept rdp. I bet I never looked at the route print. I also bet I added a route add –p back 4 months ago when I installed the new hard drives and the new operating system.


Long story short. Check your routing tables. Add some routes to see if good things happen. Make sure you delete those routes if you added them with a –p if they do not help. If you did not use a –p then a reboot will flush out your experiment.


Leave a Reply

Your email address will not be published. Required fields are marked *