When you use the ISA Server 2006 or ISA Server 2004 Firewall Client program, you cannot make a PPTP-based VPN connection

When you have the Microsoft Internet Security and Acceleration (ISA) Server 2006 or ISA Server 2004 Firewall Client program installed on your computer, and you try to make a Point-to-Point Tunneling Protocol (PPTP)-based virtual private network (VPN) connection, the connection is not made. In this situation, you may receive an error message that resembles the following:

This issue occurs because the ISA Server Firewall Client program does not support a PPTP-based VPN connection.

To resolve this issue, you must configure ISA Server secure network address translation (SecureNAT) on your computer. To configure SecureNAT, you do not have to install any software. You must correctly configure the default gateway in the Internet Protocol settings for your network adaptor. SecureNAT can be configured in the following scenarios:

• Simple network.
  On a simple network, your computer and the ISA Server computer are on the same network segment and do not have a router between them. For a simple network, set the internal IP address of the ISA Server computer as the default gateway address on your computer.
• Complex network.
  On a complex network, your computer and the ISA Server computer are on different network segments with one or more routers between them. For a complex network, identify the address of the router interface that provides the shortest route to the internal interface of the ISA Server computer. Configure this address as the default gateway address on your computer. The router at the intranet perimeter is configured to route all outgoing Internet traffic to the internal IP address of the ISA Server computer. This configuration routes all outgoing Internet traffic through the router at the Intranet perimeter, through the ISA Server computer, and to the Internet. Incoming Internet traffic is routed in the reverse order.

To set the default gateway address, follow these steps on your computer that is running the ISA Server Firewall Client program.

Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, point to Settings, and then click Network Settings.
2. Right-click the Local Area Connection that you want to change, and then click Properties.
3. In the This connection uses the following settings list, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Default Gateway box, enter the appropriate IP address depending on whether you have a simple network or a complex network.
5. Click OK two times.
6. If prompted, restart your computer.

For additional information about how to configure a VPN in an ISA Server environment, click the following link to download the ISA Server 2004 VPN Deployment Kit.

The following file is available for download from the Microsoft Download Center:


Download the ISA2004SE_vpnkit-Rev 1 04.doc package now.

For additional information about ISA Server, visit the following Microsoft Web site: