Exchange Server 2013 and Remote Access VPN on a single server running Windows Server 2012?

Just by way of background, I have been installing and administering network servers, e-mail systems, VPN servers, and the like for many years. However, my involvement with Exchange and Windows Server has been mostly on the forensics and data recovery level, or as a (sophisticated) user. I have never tried to deploy either from scratch before. My deployment experiences have been mostly with Linux in recent years, and with small private or personal "servers" running such cutting edge software as Windows XP back when it was new. And even NetWare once.
When a client asked me if I could set up a server for his business, running Exchange Server (since they really want Outlook with all of its bells and whistles to work, particularly calendars) and providing VPN access for a shared file store, I figured it could not be too difficult given that it's a small business, with only a few users, and nothing sophisticated in the way of requirements. For reasons that don't bear explaining here, he was not willing to use a vendor hosting Exchange services or cloud storage. There is no internal network behind the server; it is intended to be a stand-alone server, hanging off a static IP address on the Internet, providing the entirely mobile work-force of about 10 people with Exchange-hosted e-mail for their computers and phones, a secure file store, and not much else. If Exchange didn't need it, I would not need to install Active Directory, for example. We have no direct need for its services.
So I did the research and it appears, more by implication than outright assertion, that I should be able to run Windows Server 2012 with Exchange Server 2013 on a server that also hosts Remote Access (VPN only) and does nothing else. And it appears I ought to be able to do it without virtualizing any of it. However, I have spent the last three or four days fighting one mysterious issue after another. I had Remote Access VPN working and fairly stable very quickly (although it takes a very long time to become available after the server boots), and it has mostly remained reliable throughout, although at times while installing Exchange it seems to have dropped out on me. But I've always been able to get it back after scrounging through the logs to find out what is bothering it. I have occasionally, for a few minutes at a time, had Exchange Server willing to do everything it should do (although not always everything at the same time). At one point I even received a number of e-mails on my BlackBerry that had been sent to my test account on the Exchange Server, and was able to send an e-mail from my BlackBerry to an outside account.
But then Exchange Server just stopped. There are messages stuck in the queues, among other issues, but the Exchange Administration Center refuses now to display anything (after I enter my Administrator password, I just get a blank screen, whether on the server or remotely).
So, I am trying to avoid bothering all of you any more than I have to, but let me just begin with the basic question posed in the title: Can I run Exchange Server (and therefore Active Directory and all of its components) and Remote Access (VPN only) on a single Windows Server 2012 server? And if so, do I have to run virtual machines (which will require adding more memory to the server, since I did not plan for it when I purchased it)? If it can be done, can anyone provide any pointers on what the pitfalls are that may be causing my problems? I am happy to provide whatever additional information anyone might like to help figure it out.
Thanks!

An old thread, but I ran into this issue and thought I'd share my solution since I ran into the same issue. Configuring VPN removes the HTTPS 443 binding on the Default Site in IIS for some strange reason; just go and edit the bindings, add HTTPS, and things should be back to normal.
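
One way to check for and restore the missing binding described in the reply above, as an added example that is not part of the original thread. It assumes the reply's "Default Site" is the IIS site named 'Default Web Site' and that the WebAdministration module is available; the function name `Repair-HttpsBinding` and its parameters are hypothetical, and the thumbprint in the usage comment is a placeholder.

```powershell
# Added example (not from the thread): audit, and optionally restore, the
# HTTPS binding that the reply says disappears after VPN is configured.
Import-Module WebAdministration

function Repair-HttpsBinding {
    [CmdletBinding()]
    param(
        # Assumption: the reply's "Default Site" is IIS's 'Default Web Site'.
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443,
        # Thumbprint of a certificate in LocalMachine\My; only needed when the
        # listener has no certificate attached.
        [string]$Thumbprint,
        # Without -Repair the function only reports what it finds.
        [switch]$Repair
    )

    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port |
        Select-Object -First 1

    if (-not $binding) {
        Write-Warning "No https binding on port $Port for '$SiteName'."
        if (-not $Repair) { return }
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
        $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port |
            Select-Object -First 1
    }

    # A binding without a certificate still fails TLS, so check the listener too.
    $sslPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $sslPath) {
        Get-Item $sslPath          # shows the thumbprint and store in use
    }
    elseif ($Repair -and $Thumbprint) {
        $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
        $binding.AddSslCertificate($cert.Thumbprint, 'My')
    }
    else {
        Write-Warning "No certificate is attached to 0.0.0.0:$Port."
    }

    # Final state of the site's bindings, for the change record.
    Get-WebBinding -Name $SiteName |
        Select-Object protocol, bindingInformation
}

# Audit only:
#   Repair-HttpsBinding
# Restore the binding and attach a certificate (placeholder thumbprint):
#   Repair-HttpsBinding -Repair -Thumbprint '<THUMBPRINT-PLACEHOLDER>'
```

Run it from an elevated PowerShell session on the server; `netsh http show sslcert` gives an independent view of which certificate, if any, is registered for port 443.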

Similar Messages

  • Site to Site and Remote Access VPN

    Hi All,
        Is it possible to configure Site to Site and Remote Access VPN on same interface of Cisco ASA 5505 ?
    Regards
    Abhishek
    This topic first appeared in the Spiceworks Community

    A document exists where PIX/ASA maintains a LAN-to-LAN IPsec tunnel at two end points and there are overlapping networks at the inside interface of both the ASAs. Probably, the basic configuration for both ASA and IOS routers is NAT config. So, this particular document might be useful for your requirement:
    PIX/ASA 7.x and later: Site to Site (L2L) IPsec VPN with Policy NAT (Overlapping Private Networks) Configuration Example
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9950.shtml

  • Routing and Remote Access VPN DHCP error

    I have a strange problem.
    I have a client that is using Server 2012 Standard.
    On this server they have Routing and Remote Access configured for VPN client access. Their users that are working outside the office connect to the VPN to access the internal network.
    The VPN works fine for the most part. Recently however, it has started having issues.
    Periodically (about once every 8 days) I will hear from them that they cannot connect and that they get error 720. I will check the server and the server will have the following errors in the event log:
    Warning: No IP address is available to hand out to the dial-in client.
    If you check DHCP the server is running fine and will hand out local addresses but it will not hand out addresses to VPN clients. Also the addresses that it HAS previously handed out to VPN clients will not show in the address leases.
    The solution, strangely enough, is to disconnect and reconnect the VPN client connection that the server has connecting it to an offsite server that it does a SQL sync with.
    Any ideas as to what might be causing this? If need be I can post more detailed logs but I am not sure what logs even to post or what data to collect.
    Any help is greatly appreciated.

    I am experiencing the same issue on a Windows 2008R2 SP1 RAS server. The above statement about increasing the lease time on DHCP does not resolve the problem.
    I am also searching for a solution to this issue.
    Up to now I have done the following:
    1. Increased the scope / cleared IPs in DHCP.
    2. Ensured that the DHCP server is accessible.
    3. Created a manual scope in the RRAS configuration settings (then clients can connect but cannot access resources on the network). Changing back to DHCP, you receive the same 720 error.
    4. Stopped and started the DHCP services on the DHCP server.
    5. Stopped and started the RRAS services on the RRAS server.
    The only indication is that DHCP for some reason does not lease out addresses to the RRAS server.

  • ACS 5.0 and remote access VPN

    I have a problem authenticating a remote access VPN with ACS 5.0; it does not work.
    When I try with ACS 4.1, the authentication works fine.
    I hope someone can help me.
    Regards.

    I have the same problem. I'm using ASA v8.21 and ACS v5.0.0.21, which I'm using as TACACS and RADIUS server. I have no problem with accessing devices via TACACS (except that changing the password at first login doesn't work). The problem is with VPN authentication. I tested RADIUS with Radlogin and PAP is working fine, CHAP goes in timeout, but as I know ACS 5.0 doesn't support CHAP.
    Here are some logs from ASA:
    the end of debug crypto isakmp:
    Sep 04 15:01:35 [IKEv1]: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 04 15:01:35 [IKEv1 DEBUG]: Deleting active auth handle during SA deletion: handle = 1844
    debug radius:
    Sep 04 2010 15:08:53: %ASA-7-713906: IP = X.X.X.X, Connection landed on tunnel_group radiusACS
    Sep 04 2010 15:08:53: %ASA-6-713172: Group = radiusACS, IP = X.X.X.X, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing blank hash payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, IP = X.X.X.X, constructing qm hash payload
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f9163eb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 86
    Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, process_attr(): Enter!
    Sep 04 2010 15:08:53: %ASA-7-715001: Group = radiusACS, IP = X.X.X.X, Processing MODE_CFG Reply attributes.
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, Authentication Failure: Unsupported server type!
    Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE TM V6 FSM error history (struct &0xa7b636a8)  , :  TM_DONE, EV_ERROR-->TM_AUTH, EV_DO_AUTH-->TM_WAIT_REPLY, EV_CHK_MSCHAPV2-->TM_WAIT_REPLY, EV_PROC_MSG-->TM_WAIT_REPLY, EV_HASH_OK-->TM_WAIT_REPLY, NullEvent-->TM_WAIT_REPLY, EV_COMP_HASH-->TM_WAIT_REPLY, EV_VALIDATE_MSG
    Sep 04 2010 15:08:53: %ASA-7-715065: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE AM Responder FSM error history (struct &0xac417310)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_XAUTH_V6H, EV_TM_FAIL-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_START_TM-->AM_TM_INIT_XAUTH, EV_START_TM-->AM_PROC_MSG3, EV_TEST_TM_H6
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, IKE SA AM:f7beee8e terminating:  flags 0x0105c001, refcnt 0, tuncnt 0
    Sep 04 2010 15:08:53: %ASA-7-713906: Group = radiusACS, Username = user1, IP = X.X.X.X, sending delete/delete with reason message
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing blank hash payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing IKE delete payload
    Sep 04 2010 15:08:53: %ASA-7-715046: Group = radiusACS, Username = user1, IP = X.X.X.X, constructing qm hash payload
    Sep 04 2010 15:08:53: %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=e0cd7809) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Sep 04 2010 15:08:53: %ASA-3-713902: Group = radiusACS, Username = user1, IP = X.X.X.X, Removing peer from peer table failed, no match!
    Sep 04 2010 15:08:53: %ASA-4-713903: Group = radiusACS, Username = user1, IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    Sep 04 2010 15:08:53: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 1861
    Sep 04 2010 15:08:53: %ASA-4-113019: Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
    Regards

  • Easy VPN and remote access VPN

    Hi all,
    I have a PIX running version 7.2, with two VPN connections:
    1- normal remote access VPN with the Cisco VPN client.
    2- Easy VPN with another PIX running version 6.3
    Both are working fine and I can access everything in the HQ network.
    The question is: I need to enable communication between the Cisco VPN client and the remote side which has the PIX Easy VPN.
    Please advise what kind of configuration we need!
    regards,
    hasan

    Take a look at this link for easy VPN configuration.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008019e6d7.shtml

  • Vpn site to site and remote access , access lists

    Hi all, we run remote access and site to site vpn on my asa, my question is Can I create an access list for the site to site tunnel, but still leave the remote access vpn to bypass the access list via the sysopt command, or if I turn this off will it affect both site to site and remote access vpn ?

    If you turn off sysopt conn permit-vpn it will apply to both your site to site and remote access vpn...all ipsec traffic. You would have to use a vpn-filter for the site to site tunnel if you wanted to leave the sysopt in there.

  • Remote access VPN to server from outside and server reach internet on the same time

    Dear,
    I have a problem with my ASA 5515-X: when I make a remote access VPN connection to servers in the inside zone, the Internet connection on the servers is disconnected, or when I have Internet on the servers, the remote access can't reach the servers.
    the configuration for server as static NAT for each server, and the connection of VPN is to another public IP but in the same subnet of NAT ip.
    server1 : 10.10.10.2 nat to 5.6.7.8
    server2: 10.10.10.3 nat to 5.6.7.9
    server3: 10.10.10.4 nat to 5.6.7.10
    VPN connection to 5.6.7.12
    Is there any solution for this scenario: remote VPN to servers, and at the same time the servers have Internet readability for downloading updates, etc.?

    Hi,
    So it seems that the problem is with lacking a NAT0 configuration
    You could modify the below configuration to match your networks/IP addresses used. In the below configuration I presume that you have interfaces "inside" and "outside".
    object network SERVER-NETWORK
     subnet <server network address> <network mask>
    object network VPN-POOL
     subnet <vpn pool network address> <network mask>
    nat (inside,outside) 1 source static SERVER-NETWORK SERVER-NETWORK destination static VPN-POOL VPN-POOL
    Just insert the correct address related information and change the "object" and interface names if required.
    This configuration will tell the ASA that no NAT will be performed for traffic between the VPN-POOL and SERVER-NETWORK. The NAT configuration is bidirectional. With this configuration the Static NAT configurations will continue to work for the servers Internet traffic and this NAT0 configuration will be applied only to the VPN Client traffic.
    Hope this helps :)
    - Jouni

  • Server 2003 routing and remote access not passing VPN traffic

    I've inherited a network that has two IP scopes that are routed through a Windows 2003 server with Routing and Remote Access. I can ping both sides (we'll call them HQ and Plant) internally. My firewall has an IP from the HQ IP scope and when I connect via VPN, I can see all the devices on the HQ network including the network card that is in the routing server for that "side". However, if I'm connected via VPN, I cannot get to any of the IPs on the Plant side, not even the card in the routing server. The buck stops on the server.
    I should mention that the firewall assigns IP addresses that are on the HQ scope, so all VPN connections will have an address from that side.
    I'm lost on how to get this set up so my VPN traffic coming in from the HQ side can be routed to the Plant devices.

    Hi,
    To be honest, your statement confused me a bit.
    VPN is used for external clients to get access to internal resources. When we set up a VPN server, we usually have two NICs. We need to choose a NIC that will be used when a client initiates a connection request. I prefer to call it the external NIC card. The internal one will work as DHCP relay agent. So this is a single-way connection. You cannot dial from internal to external.
    If I misunderstood you, please elaborate what you are trying to do.
    Hope this helps.

  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hi friends,
    Here is the configuration on my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but thereafter I can only reach up to the inside interfaces of the router, but not the LAN devices.
    Below is the output from the router:
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    hi  Maximilian Schojohann..
    First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "IP CEF" will solve the issue. When I disable it I was able to communicate successfully with the router LAN. But when I disable "IP CEF" the router CPU processor goes to 99% and hangs.
    In the output of "sh process cpu" it shows 65% of utilization from "IP INPUT".
    So please give me an alternate solution. Thanks in advance.

  • Trying to install Exchange Server 2013 and receive this error.

    Hello,
    I have a computer running Windows Server 2012 R2 Standard. I have completed all the prerequisites to install Exchange Server 2013. It all was going good until the install started. Then I received the below error. Does anyone have any suggestions? I am new to Exchange Server so would thank and appreciate any help I could get to resolve this issue.
    Thank You,
    Stan
    Error:
    The following error was generated when "$error.Clear(); 
    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions
    " was run: "Microsoft.Exchange.Management.Tasks.InvalidWKObjectException: The well-known object entry B:32:A7D2016C83F003458132789EEB127B84:CN=Exchange Servers\0ADEL:16cd035a-6201-492f-b85f-1e28cc9f9ee0,CN=Deleted Objects,DC=MULTIAXCNC,DC=local on
    the otherWellKnownObjects attribute in the container object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=MULTIAXCNC,DC=local points to an invalid DN or a deleted object.  Remove the entry, and then rerun the task.
       at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
       at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateGroup(ADOrganizationalUnit usgContainer, String groupName, Int32 groupId, Guid wkGuid, String groupDescription, GroupTypeFlags groupType, Boolean createAsRoleGroup)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.CreateGroup(ADOrganizationalUnit usgContainer, String groupName, Int32 groupId, Guid wkGuid, String groupDescription)
       at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

    Here is the error I am getting and the last setup log I can find. Any help how to get past the error would be helpful.
    Thank You,
    Stan
    Error
    The following error was generated when "$error.Clear();
              Install-ExchangeCertificate -WebSiteName "Exchange Back End" -services "IIS, POP, IMAP" -DomainController $RoleDomainController -InstallInTrustedRootCAIfSelfSigned $true
              if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
                Install-AuthCertificate -DomainController $RoleDomainController
            " was run: "Microsoft.Exchange.Management.SystemConfigurationTasks.AddAccessRuleCryptographicException: Could not grant Network Service access to the certificate with thumbprint 845C42A131A8A73487400A91491182FB95B81612
    because a cryptographic exception was thrown. ---> System.Security.Cryptography.CryptographicException: Access is denied.
       at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.CAPIAddAccessRule(X509Certificate2 certificate, AccessRule rule)
       at Microsoft.Exchange.Security.Cryptography.X509Certificates.TlsCertificateInfo.AddAccessRule(X509Certificate2 certificate, AccessRule rule)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.ManageExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services, String websiteName, Boolean requireSsl, ITopologyConfigurationSession dataSession, Server server,
    List`1 warningList, Boolean allowConfirmation, Boolean forceNetworkService)
       --- End of inner exception stack trace ---
       at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
       at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.EnableForServices(X509Certificate2 cert, AllowedServices services)
       at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
       at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
       at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".
    Setup Log Below
    # Default Install steps for ClientAccessRole.
    # Programmatically generated on 7/5/2014 10:58:24 PM.
    # Variable Declarations
    $RoleAllRoles = 'BridgeheadRole,GatewayRole,ClientAccessRole,MailboxRole,UnifiedMessagingRole,FrontendTransportRole,AdminToolsRole,MonitoringRole,CentralAdminRole,CentralAdminDatabaseRole,CentralAdminFrontEndRole,LanguagePacksRole,CafeRole,FfoWebServiceRole,OSPRole'
    $RoleBinPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin'
    $RoleCustomerFeedbackEnabled = $True
    $RoleDatacenterPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Datacenter'
    $RoleDatacenterServiceEndpointABCHContactService = '<ServiceEndpoint><Url>http://pvt-contacts.msn.com/abservice/abservice.asmx</Url></ServiceEndpoint>'
    $RoleDatacenterServiceEndpointDomainPartnerManageDelegation = '<ServiceEndpoint><Url>https://domains.live.com/service/managedelegation.asmx</Url></ServiceEndpoint>'
    $RoleDatacenterServiceEndpointDomainPartnerManageDelegation2 = '<ServiceEndpoint><Url>https://domains.live.com/service/managedelegation2.asmx</Url></ServiceEndpoint>'
    $RoleDatacenterServiceEndpointLiveFederationMetadata = '<ServiceEndpoint><Url>https://nexus.passport.com/FederationMetadata/2006-12/FederationMetadata.xml</Url></ServiceEndpoint>'
    $RoleDatacenterServiceEndpointLiveGetUserRealm = '<ServiceEndpoint><Url>https://login.live.com/GetUserRealm.srf</Url></ServiceEndpoint>'
    $RoleDatacenterServiceEndpointLiveServiceLogin2 = '<ServiceEndpoint><Url>https://login.live.com/RST2.srf</Url></ServiceEndpoint>'
    $RoleDatacenterServiceEndpointMsoFederationMetadata = '<ServiceEndpoint><Url>https://nexus.microsoftonline-p.com/FederationMetadata/2006-12/FederationMetadata.xml</Url></ServiceEndpoint>'
    $RoleDomainController = 'MULTIAX2012.MULTIAXCNC.local'
    $RoleExternalCASServerDomain = $null
    $RoleFqdnOrName = 'MULTIAX2012.MULTIAXCNC.local'
    $RoleInstallationMode = 'Install'
    $RoleInstallPath = 'C:\Program Files\Microsoft\Exchange Server\V15\'
    $RoleInvocationID = '20140705-2258240578829153548'
    $RoleIsAdminToolsRoleInstalled = $True
    $RoleIsBridgeheadRoleInstalled = $True
    $RoleIsDatacenter = $False
    $RoleIsDatacenterDedicated = $False
    $RoleIsFfo = $False
    $RoleIsPartnerHosted = $False
    $RoleLanguagePacksPath = 'C:\Exchange\'
    $RoleLoggedOnUser = 'MULTIAXCNC\Administrator'
    $RoleLoggingPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging'
    $RoleNetBIOSName = 'MULTIAX2012'
    $RoleNoSelfSignedCertificates = $False
    $RolePreviousVersion = $null
    $RoleProductPlatform = 'amd64'
    $RoleRoleName = 'ClientAccessRole'
    $RoleRoles = 'BridgeheadRole,AdminToolsRole'
    $RoleSetupLoggingPath = 'C:\ExchangeSetupLogs'
    $RoleTargetVersion = '15.00.0913.022'
    $RoleUpdatesDir = $null
    # Component tasks
    # Tasks for 'All Roles Common First' component
    # [ID = AllRolesCommonFirst___3e69ba31a53e4c29a2d6bffcf78cc614, Wt = 5, isFatal = True] "Starting the WMI service."
    7/5/2014 10:58:24 PM:
              if (Get-Service winmgmt* | ?{ $_.Name -ieq "winmgmt" })
                Set-Service winmgmt -StartupType Automatic
                Start-SetupService -ServiceName winmgmt
    # [ID = AllRolesCommonFirst___56139ce4432346ecb7936afae4c3a9cc, Wt = 1, isFatal = True] "Creating the Exchange server configuration object in Active Directory."
    7/5/2014 10:58:24 PM:
              & $RoleBinPath\ServiceControl.ps1 EnableServices $RoleRoleName.Replace('Role','')
    # [ID = AllRolesCommonFirst___edc23bc11a4e4119a6a4ee802ff1ea49, Wt = 1, isFatal = True] "Creating the Exchange server configuration object in Active Directory."
    7/5/2014 10:58:24 PM:
              if ($RoleRoles)
                & $RoleBinPath\ServiceControl.ps1 EnableServices $RoleRoles.Replace('Role','').Split(',')
    # [ID = AllRolesCommonFirst___62f13a063b2846a5ab20765bb7a3fc51, Wt = 5, isFatal = True] "Starting the Remote Registry service."
    7/5/2014 10:58:25 PM:Start-SetupService -ServiceName RemoteRegistry
    # [ID = AllRolesCommonFirst___00573a17b6e34c26842a6646830d57fa, Wt = 1, isFatal = True] "Creating the Exchange server configuration object in Active Directory."
    7/5/2014 10:58:25 PM:Set-LocalPermissions
    # [ID = AllRolesCommonFirst___77668249568048d3812fb7cdba08c58b, Wt = 1, isFatal = False] "Creating the Exchange server configuration object in Active Directory."
    7/5/2014 10:59:35 PM:
              $mofFilePath =  ($RoleInstallPath + "bin\Exchange.MOF");
              $mflFilePath =  ($RoleInstallPath + "bin\en\Exchange.MFL");
              compile-moffile -MofFilePath:$mofFilePath;
              compile-moffile -MofFilePath:$mflFilePath;
    # [ID = AllRolesCommonFirst___f557448f44964e5eaa5dba792a3c4f09, Wt = 1, isFatal = True] "Creating the Exchange server configuration object in Active Directory."
    7/5/2014 10:59:35 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeRPCByPortRule)
    # [ID = AllRolesCommonFirst___84a0f0e2c2f44db2b537e9696c26fc3e, Wt = 1, isFatal = True] "Creating the Exchange server configuration object in Active Directory."
    7/5/2014 10:59:35 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeRPCEPMapByPortRule)
    # Tasks for 'ClientAccess Permissions Configuration' component
    # [ID = ClientAccessLocalPermissionsComponent___6246589bb8494a3580c22c26e18451d1, Wt = 1, isFatal = True] "Setting folder or registry permissions for the Mailbox role: Client Access service. "
    7/5/2014 10:59:35 PM:Set-LocalPermissions -Feature:"ClientAccess"
    # Tasks for 'Exchange 2003 Registry Configuration' component
    # [ID = LegacyRegistryMarkersComponent___7d6dadc1069b42ac93eadd1143c04a1a, Wt = 1, isFatal = True] "Installing/Removing registry values used by Exchange 2003 components"
    7/5/2014 11:00:01 PM:set-ExsetdataRegistryMarkers
    # Tasks for 'Client Access Perf Counters' component
    # [ID = ClientAccessPerfCountersComponent___deb99c54869843b68426390615283ab7, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:01 PM:new-PerfCounters -DefinitionFileName OwaInstallSingleCounters.xml
    # [ID = ClientAccessPerfCountersComponent___ca78563ec1f1468982d1a2e59c6001bd, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:15 PM:new-PerfCounters -DefinitionFileName EcpPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___e69a559428fb42029ca3261e795b216d, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:21 PM:new-PerfCounters -DefinitionFileName RwsPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___c335490f948a4b16b5e2d2ce5f1eb9e7, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:26 PM:new-PerfCounters -DefinitionFileName InfoworkerAvailabilityPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___5af856aa00ae485ca206c5cdd13e9128, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:31 PM:new-PerfCounters -DefinitionFileName InfoworkerSharingPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___86121d1b951e43fb934f1f1d573362eb, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:35 PM:new-PerfCounters -DefinitionFileName ThrottlingPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___ea5896b92c494834b1a93c4620fcaef4, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:42 PM:new-PerfCounters -DefinitionFileName MiddleTierStoragePerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___dab6f03bdf5141efb7b017c3009fb9e6, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:48 PM:new-PerfCounters -DefinitionFileName ActiveManagerClientPerfmon.xml
    # [ID = ClientAccessPerfCountersComponent___5471455db0ef4610bf68fe7ad9417e19, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:53 PM:new-PerfCounters -DefinitionFileName RmsPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___81ad52cb2950483196b52371b4d992c8, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:00:58 PM:new-PerfCounters -DefinitionFileName InfoworkerMailTipsPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___072bf6737f1c42a0a8847ce35cf8a0c7, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:03 PM:new-PerfCounters -DefinitionFileName InfoworkerUserPhotosPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___50b64611f7444bb49d50e00c206d2c13, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:08 PM:new-PerfCounters -DefinitionFileName AirSyncCounters.xml
    # [ID = ClientAccessPerfCountersComponent___f2620ff8c3754396a8ea7d77257e2895, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:14 PM:new-PerfCounters -DefinitionFileName ClientAccessRulesPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___4ef0f16c017840a583ace9f062300207, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:19 PM:new-PerfCounters -DefinitionFileName Imap4Counters.xml
    # [ID = ClientAccessPerfCountersComponent___135fb06dadd9403a83ceebb290638efe, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:24 PM:new-PerfCounters -DefinitionFileName Pop3Counters.xml
    # [ID = ClientAccessPerfCountersComponent___312e8d44e92b45e0809f9d3d5dc2cfc0, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:29 PM:new-PerfCounters -DefinitionFileName WsPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___3c333497697041cb854190ec31c17b18, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:48 PM:new-PerfCounters -DefinitionFileName UMClientAccessCounters.xml
    # [ID = ClientAccessPerfCountersComponent___ba015b97cc0b4beba7b25b6cb297fcac, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:54 PM:new-PerfCounters -DefinitionFileName AutodiscoverPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___3daffea50d5a4318aab4aa737e508146, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:01:59 PM:new-PerfCounters -DefinitionFileName OAuthCounters.xml
    # [ID = ClientAccessPerfCountersComponent___c71073d7f1ab4c119af83efb513b3a9d, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:04 PM:new-PerfCounters -DefinitionFileName InfoWorkerMessageTrackingPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___abdaf0bf21f4473b88819ee85cada219, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:10 PM:new-PerfCounters -DefinitionFileName RpcClientAccessPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___9f160f3e42984edfa25b62424ebc05b5, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:15 PM:new-PerfCounters -DefinitionFileName RpcClientAccessServerPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___e55cb179521a4dacbeaa588c6948cf14, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:15 PM:new-PerfCounters -DefinitionFileName AddressBookServicePerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___064a7856cf7c4b0399c85cf4f3bc2f1c, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:20 PM:new-PerfCounters -DefinitionFileName RpcEntryPointsPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___42325F33-A961-41FE-B6B5-5CFB3AA9820A, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:22 PM:new-PerfCounters -DefinitionFileName MapiHttpEmsmdbPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___4C04D747-3B5C-400A-980F-45504324EF42, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:28 PM:new-PerfCounters -DefinitionFileName MapiHttpNspiPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___5ab36fffacd04975bb1bc681a214bf71, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:33 PM:new-PerfCounters -DefinitionFileName ThrottlingServiceClientPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___6ca23933132d44b39d6586cb3f9f8f21, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:39 PM:new-PerfCounters -DefinitionFileName MSExchMailboxReplicationServicePerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___6602c41b35254405bed412fab7d527fe, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:44 PM:new-PerfCounters -DefinitionFileName MSExchMailboxReplicationServicePerMdbPerformanceCounters.xml -FileMappingSize 2097152
    # [ID = ClientAccessPerfCountersComponent___74e45a45ea8c449092a10929ae24ba4b, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:50 PM:new-PerfCounters -DefinitionFileName MlbPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___a3bcb686add64cf296c8616d387d0323, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:02:55 PM:new-PerfCounters -DefinitionFileName MlbMultiInstancePerformanceCounters.xml -FileMappingSize 2097152
    # [ID = ClientAccessPerfCountersComponent___c00c15c4ef6f479b9f5deb852d8eda7d, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:01 PM:new-PerfCounters -DefinitionFileName ProvisioningPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___fe1a2a7c828f4b57abc2e50dc09baddf, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:06 PM:new-PerfCounters -DefinitionFileName GalsyncPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___35D14CB8B01949818832943A391D77B9, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:11 PM:new-PerfCounters -DefinitionFileName BackSyncPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___e69599d235234effb6d2740f3c52f7e1, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:11 PM:new-PerfCounters -DefinitionFileName AdminAuditPerfCounters.xml
    # [ID = ClientAccessPerfCountersComponent___09bd11b57f6445e890391a507262cf32, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:16 PM:new-PerfCounters -DefinitionFileName InfoworkerMultiMailboxSearchPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___324687361E1C473A834C22A66104679f, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:16 PM:new-PerfCounters -DefinitionFileName ProvisioningCachePerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___98C36FFEC7944065889DB24067CFD3EE, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:21 PM:new-PerfCounters -DefinitionFileName OABRequestHandlerPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___1F5A7B68C95B42568E02FAA15A05EF17, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:26 PM:new-PerfCounters -DefinitionFileName DlpPolicyTipsPerformanceCounters.xml
    # [ID = ClientAccessPerfCountersComponent___995DEA7A1AC5467C89939F5F8CE5F2AF, Wt = 1, isFatal = False] "Installing or removing Client Access performance counters."
    7/5/2014 11:03:31 PM:new-PerfCounters -DefinitionFileName ConfigurationCachePerformanceCounters.xml
    # Tasks for 'Client Access Configuration' component
    # [ID = ClientAccessComponent___d5119205104847bcb275cb63b65160b6, Wt = 5, isFatal = False] "Pre-compiling setup binaries."
    7/5/2014 11:03:35 PM:
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\Owa\Bin\Microsoft.Exchange.Clients.Owa.dll");
              $appBase = [System.IO.Path]::Combine($RoleInstallPath, "bin");
              precompile-ManagedBinary -BinaryName  $fullPath -AppBase $appBase;
    # [ID = ClientAccessComponent___954344d74d8849e9ae7123b91761ed9d, Wt = 5, isFatal = False] "Pre-compiling setup binaries."
    7/5/2014 11:03:57 PM:
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\Sync\Bin\Microsoft.Exchange.AirSyncHandler.dll");
              $appBase = [System.IO.Path]::Combine($RoleInstallPath, "bin");
              precompile-ManagedBinary -BinaryName  $fullPath -AppBase $appBase;
    # [ID = ClientAccessComponent___6632d6c1d5054563942db4f180976238, Wt = 5, isFatal = False] "Pre-compiling setup binaries."
    7/5/2014 11:04:01 PM:
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\AutoDiscover\Bin\Microsoft.Exchange.AutoDiscover.dll");
              $appBase = [System.IO.Path]::Combine($RoleInstallPath, "bin");
              precompile-ManagedBinary -BinaryName  $fullPath -AppBase $appBase;
    # [ID = ClientAccessComponent___390b4ffddd484dcb9edc01dd725e020a, Wt = 5, isFatal = False] "Pre-compiling setup binaries."
    7/5/2014 11:04:07 PM:
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\exchweb\ews\bin\Microsoft.Exchange.Services.dll");
              $appBase = [System.IO.Path]::Combine($RoleInstallPath, "bin");
              precompile-ManagedBinary -BinaryName  $fullPath -AppBase $appBase;
    # [ID = ClientAccessComponent___178a10624c88445093855c4ede7e9b9c, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:42 PM:
              . "$RoleInstallPath\Scripts\ConfigureNetworkProtocolParameters.ps1";
              Set-NtlmLoopbackCheck $false
    # [ID = ClientAccessComponent___14a6761e144e428b93c62249acc814fe, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:42 PM:install-ClientAccessIisWebServiceExtensions
    # [ID = ClientAccessComponent___28fdfe8bec984e809cdeef6d4d59bf4e, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:43 PM:
            if (get-service MSExchangeServiceHost* | where {$_.name -eq "MSExchangeServiceHost"})
                restart-service MSExchangeServiceHost
    # [ID = ClientAccessComponent___7816256880dc4be0baf5b005b2af8cd3, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
            if (get-service MSExchangeProtectedServiceHost* | where {$_.name -eq "MSExchangeProtectedServiceHost"})
                restart-service MSExchangeProtectedServiceHost
    # [ID = ClientAccessComponent___e95499b43bd1484dbc03098fb1b4e592, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:set-ExchangeServerRole -Identity $RoleFqdnOrName -IsClientAccessServer:$true -DomainController $RoleDomainController
    # [ID = ClientAccessComponent___f4c48e196e374cf3af269b1cea0602c8, Wt = 1, isFatal = True] "Installing/Removing the WebReady Document Viewing service."
    7/5/2014 11:04:45 PM:Install-TranscodingServiceEx
    # [ID = ClientAccessComponent___f50fd59d231140eb9b2405bbed2b93d4, Wt = 1, isFatal = False] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
              if ($RoleIsDatacenter -eq $false)
                uninstall-FBAService
    # [ID = ClientAccessComponent___9fad9d51b3ec4ecdad567ab58e470be7, Wt = 1, isFatal = False] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
              if ($RoleIsDatacenter -eq $false)
                stop-setupservice -ServiceName MSExchangeFBA
    # [ID = ClientAccessComponent___1c7a7da2ab9d41bb8db75522ad28b9db, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
              $tpath = "$env:SystemRoot\system32\inetsrv\microsoft.web.administration.dll";
              add-type -Path $tpath;
              $sm = new-object Microsoft.Web.Administration.ServerManager;
              if ($sm.Sites["Exchange Back End"] -eq $null)
                $ppath = "$env:SystemDrive\inetpub\wwwroot";
                $s = $sm.Sites.Add("Exchange Back End","http", "*:81:", $ppath);
                $s.ServerAutoStart = $true;
                $sb =$s.Bindings;
                $b = $sb.Add("*:444:","https");
                $sm.CommitChanges();
    # [ID = ClientAccessComponent___a5f211d837784aea931b9ba55c39996d, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
              Get-ExchangeServer $RoleFqdnOrName | Add-AdPermission -User "S-1-5-20" -ExtendedRights "Exchange Web Services Token Serialization";
    # [ID = ClientAccessComponent__SetInstallPathInMrsAppConfig, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
              Set-InstallPathInAppConfig -ConfigFileRelativePath "Bin" -ConfigFileName "MsExchangeMailboxReplication.exe.config"
    # [ID = ClientAccessComponent___765cc444ba07411aa81d58397b0401fd, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:45 PM:
              if (!(get-service MSExchangeMailboxReplication* | where {$_.name -eq "MSExchangeMailboxReplication"}))
                install-MailboxReplicationService
    # [ID = ClientAccessComponent___151b722e327b42a69411df32afdbbcbb, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:46 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeMailboxReplicationFirewallRule)
    # [ID = ClientAccessComponent___7d69bb94f08245589e49eb569c6d5f4f, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:46 PM:
              if (!(get-service MSExchangeMigrationWorkflow* | where {$_.name -eq "MSExchangeMigrationWorkflow"}))
                install-MigrationWorkflowService
    # [ID = ClientAccessComponent___95f051d9dc5941c4b6014181b6e5ce93, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeABRPCFirewallRule)
    # [ID = ClientAccessComponent___959c2d6566984da6b8e0e3235c1c11c2, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangePOPBeByPortRule)
    # [ID = ClientAccessComponent___29864e7462374fdb84fc75eec931d8e4, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
              Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeIMAP4BeFirewallRule)
    # [ID = ClientAccessComponent___052e1b794d0641ada4d6d417061af2a8, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeOWAByPortRule)
    # [ID = ClientAccessComponent___975efd8911fd41cca8b17462535d710e, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
               Add-FirewallException -FirewallRule (New-Object Microsoft.Exchange.Security.WindowsFirewall.MSExchangeMailboxReplicationByPort)
    # [ID = ClientAccessComponent___023036e43f004bda9f4f4e0b1e0d233f, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
              Install-ResourceHealthActiveFlags
    # [ID = ClientAccessComponent___3a51c2876e2c4643bc892d2665754228, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:set-InstallPathInAppConfig -ConfigFileRelativePath "ClientAccess\PushNotifications\" -ConfigFileName web.config
    # [ID = ClientAccessComponent___FCC16AC1FFED43518F8292DBE770C621, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:set-InstallPathInAppConfig -ConfigFileRelativePath "ClientAccess\mapi\emsmdb\" -ConfigFileName web.config
    # [ID = ClientAccessComponent___E9C71786D02E40CBB1403E2E1A4B0758, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:set-InstallPathInAppConfig -ConfigFileRelativePath "ClientAccess\mapi\nspi\" -ConfigFileName web.config
    # [ID = ClientAccessComponent___abcab6b91ac844848c58b4ee66fcbea6, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
                ."$RoleInstallPath\Scripts\Install-OutlookServiceVirtualDirectory.ps1";
    # [ID = ClientAccessComponent___9D94915F-B12D-4579-93EE-36B6DF42CF4A, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:47 PM:
              $CommandAppCmd = join-path $env:SystemRoot System32\inetsrv\appcmd.exe;
              $MapiClientAccessPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\mapi");
              $MapiMailboxClientAccessPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\mapi\emsmdb");
              $clrConfigFilePath = [System.IO.Path]::Combine($RoleInstallPath, "bin", "MSExchangeMapiMailboxAppPool_CLRConfig.config");
              Start-SetupProcess -Name "$CommandAppCmd" -args "add apppool /name:MSExchangeMapiMailboxAppPool /autostart:true /managedRuntimeVersion:v4.0 /queueLength:65535 /CLRConfigFile:`"$clrConfigFilePath`" /managedRuntimeLoader:`"`" /processModel.identityType:LocalSystem /managedPipelineMode:Integrated /recycling.periodicRestart.time:00:00:00 /processModel.idleTimeout:00:00:00 /processModel.pingingEnabled:false /failure.rapidFailProtection:false" -IgnoreExitCode @(183);
              Start-SetupProcess -Name "$CommandAppCmd" -args "add vdir /app.name:`"Exchange Back End/`" /path:`"/mapi`" /physicalPath:`"$MapiClientAccessPath`"" -IgnoreExitCode @(183);
              Start-SetupProcess -Name "$CommandAppCmd" -args "add app /site.name:`"Exchange Back End`" /physicalPath:`"$MapiMailboxClientAccessPath`" /applicationPool:MSExchangeMapiMailboxAppPool /path:`"/mapi/emsmdb`"" -IgnoreExitCode @(183);
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/authentication/basicAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/authentication/digestAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/emsmdb`" /section:system.webServer/security/authentication/windowsAuthentication /enabled:true /commit:apphost";
    # [ID = ClientAccessComponent___B551AAAC-0F36-428B-B1BB-3B9AFDC9EAEF, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:50 PM:
              $CommandAppCmd = join-path $env:SystemRoot System32\inetsrv\appcmd.exe;
              $MapiClientAccessPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\mapi");
              $MapiAddressBookClientAccessPath = [System.IO.Path]::Combine($RoleInstallPath, "ClientAccess\mapi\nspi");
              $clrConfigFilePath = [System.IO.Path]::Combine($RoleInstallPath, "bin", "MSExchangeMapiAddressBookAppPool_CLRConfig.config");
              Start-SetupProcess -Name "$CommandAppCmd" -args "add apppool /name:MSExchangeMapiAddressBookAppPool /autostart:true /managedRuntimeVersion:v4.0 /queueLength:65535 /CLRConfigFile:`"$clrConfigFilePath`" /managedRuntimeLoader:`"`" /processModel.identityType:LocalSystem /managedPipelineMode:Integrated /recycling.periodicRestart.time:00:00:00 /processModel.idleTimeout:00:00:00 /processModel.pingingEnabled:false /failure.rapidFailProtection:false" -IgnoreExitCode @(183);
              Start-SetupProcess -Name "$CommandAppCmd" -args "add vdir /app.name:`"Exchange Back End/`" /path:`"/mapi`" /physicalPath:`"$MapiClientAccessPath`"" -IgnoreExitCode @(183);
              Start-SetupProcess -Name "$CommandAppCmd" -args "add app /site.name:`"Exchange Back End`" /physicalPath:`"$MapiAddressBookClientAccessPath`" /applicationPool:MSExchangeMapiAddressBookAppPool /path:`"/mapi/nspi`"" -IgnoreExitCode @(183);
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/access /sslFlags:Ssl /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/authentication/basicAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/authentication/digestAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:false /commit:apphost";
              Start-SetupProcess -Name "$CommandAppCmd" -args "set config `"Exchange Back End/mapi/nspi`" /section:system.webServer/security/authentication/windowsAuthentication /enabled:true /commit:apphost";
    # [ID = ClientAccessComponent___178FD1A31B5949A0B4A819E39311B1FD, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:52 PM:
                $ExchangeLabsRegKey = 'HKLM:\SOFTWARE\Microsoft\ExchangeLabs'
                $E4eCertificateDistinguishedNameRegValueName = 'E4eCertificateDistinguishedName'
                if ($RoleDatacenterE4eCertificateDistinguishedName -ne $null)
                    New-ItemProperty -path "$ExchangeLabsRegKey" -Name $E4eCertificateDistinguishedNameRegValueName -Value $RoleDatacenterE4eCertificateDistinguishedName -Force
                    Write-ExchangeSetupLog -Info "Wrote registry key: $ExchangeLabsRegKey\$E4eCertificateDistinguishedNameRegValueName. value: $RoleDatacenterE4eCertificateDistinguishedName"
                else
                    Write-ExchangeSetupLog -Info "Could not write registry key: $ExchangeLabsRegKey\$E4eCertificateDistinguishedNameRegValueName. Value is null."
                $E4eServiceUrlRegValueName = 'E4eServiceUrl'
                if ($RoleDatacenterE4eServiceUrl -ne $null)
                    New-ItemProperty -path "$ExchangeLabsRegKey" -Name $E4eServiceUrlRegValueName -Value $RoleDatacenterE4eServiceUrl -Force
                    Write-ExchangeSetupLog -Info "Wrote registry key: $ExchangeLabsRegKey\$E4eServiceUrlRegValueName. value: $RoleDatacenterE4eServiceUrl"
                else
                    Write-ExchangeSetupLog -Info "Could not write registry key: $ExchangeLabsRegKey\$E4eServiceUrlRegValueName. Value is null."
    # [ID = ClientAccessComponent___240c7e5d07f941cfbe69a692dc33a31a, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:52 PM:
              ."$RoleInstallPath\Scripts\ConfigureCafeResponseHeaders.ps1";
              CreateCustomHeadersNodeForBackend 'autodiscover'
              CreateCustomHeadersNodeForBackend 'ecp'
              CreateCustomHeadersNodeForBackend 'ews'  
              CreateCustomHeadersNodeForBackend 'oab'
              CreateCustomHeadersNodeForBackend 'owa'
              CreateCustomHeadersNodeForBackend 'powershell'
              CreateCustomHeadersNodeForBackend 'pushnotifications'
              CreateCustomHeadersNodeForBackend 'rpcproxy'
              CreateCustomHeadersNodeForBackend 'sync'
              CreateCustomHeadersNodeForBackend 'mapi\emsmdb'
              CreateCustomHeadersNodeForBackend 'mapi\nspi'
              CreateCustomHeadersNodeForBackend 'outlookservice'
    # [ID = ClientAccessComponent___75f8c93d15314369983d33ec0742e189, Wt = 1, isFatal = True] "Configuring Mailbox role: Client Access service."
    7/5/2014 11:04:53 PM:
              New-PushNotificationsVirtualDirectory -Role Mailbox -DomainController $RoleDomainController;
    # Tasks for 'POP/IMAP Backend Configuration' component
    # [ID = PopImapBeComponent___d91be94d83bb4dc28e1fbdf7d94ca60e, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:05 PM:
              if (!(get-service MSExchangeIMAP4BE* | where {$_.name -eq "MSExchangeIMAP4BE"}))
                install-Imap4BeService
    # [ID = PopImapBeComponent___e2debc6ecabf457eb6f278096ad5102c, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:06 PM:
              if (!(get-service MSExchangePOP3BE* | where {$_.name -eq "MSExchangePOP3BE"}))
                install-Pop3BeService
    # [ID = PopImapBeComponent___7ee4dbb3fe884d26bb3e060ac68061ee, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:06 PM:
              $file = 'Microsoft.Exchange.Pop3Service.exe.config';
              $template = $file + '.template';
              $relPath = 'ClientAccess\PopImap';
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, $relPath);
              $fullFilePath = [System.IO.Path]::Combine($fullPath, $file);
              Set-InstallPathInAppConfig -ConfigFileRelativePath $relPath -ConfigFileName $template;
              Preserve-AppSettings -RoleInstallPath $fullPath -ConfigFileName $file;
              set-appconfigvalue -ConfigFileFullPath:$fullFilePath -Element:configuration/runtime/generatePublisherEvidence -Attribute:enabled -NewValue:false
    # [ID = PopImapBeComponent___9b86c2af9f364990aa196cb6e69905b6, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:06 PM:
              $file = 'Microsoft.Exchange.Pop3.exe.config';
              $template = $file + '.template';
              $relPath = 'ClientAccess\PopImap';
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, $relPath);
              Set-InstallPathInAppConfig -ConfigFileRelativePath $relPath -ConfigFileName $template;
              Preserve-AppSettings -RoleInstallPath $fullPath -ConfigFileName $file;
    # [ID = PopImapBeComponent___01c604c08fd6402e9de6b3c45e3431c8, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:06 PM:
              $file = 'Microsoft.Exchange.Imap4Service.exe.config';
              $template = $file + '.template';
              $relPath = 'ClientAccess\PopImap';
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, $relPath);
              $fullFilePath = [System.IO.Path]::Combine($fullPath, $file);
              Set-InstallPathInAppConfig -ConfigFileRelativePath $relPath -ConfigFileName $template;
              Preserve-AppSettings -RoleInstallPath $fullPath -ConfigFileName $file;
              set-appconfigvalue -ConfigFileFullPath:$fullFilePath -Element:configuration/runtime/generatePublisherEvidence -Attribute:enabled -NewValue:false
    # [ID = PopImapBeComponent___2528980001a444fcb7097d123e879728, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:06 PM:
              $file = 'Microsoft.Exchange.Imap4.exe.config';
              $template = $file + '.template';
              $relPath = 'ClientAccess\PopImap';
              $fullPath = [System.IO.Path]::Combine($RoleInstallPath, $relPath);
              Set-InstallPathInAppConfig -ConfigFileRelativePath $relPath -ConfigFileName $template;
              Preserve-AppSettings -RoleInstallPath $fullPath -ConfigFileName $file;
    # [ID = PopImapBeComponent___bbfdc492aaf748298977cb9b98e00029, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:07 PM:install-Imap4Container -Name:"IMAP4" -DomainController $RoleDomainController
    # [ID = PopImapBeComponent___091c98cfe0f145189c0966717496795e, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:07 PM:install-Pop3Container -Name:"POP3" -DomainController $RoleDomainController
    # [ID = PopImapBeComponent___42cb9f4ac2924c27b6ebf60b92a03628, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:07 PM:new-ImapSettings -DomainController $RoleDomainController -ExchangePath $RoleInstallPath
    # [ID = PopImapBeComponent___181f5361a5df4e7ca009f21f26f8c0d5, Wt = 1, isFatal = True] "Configuring the server."
    7/5/2014 11:05:07 PM:new-PopSettings -DomainController $RoleDomainController -ExchangePath $RoleInstallPath
    # Tasks for 'ClientAccessExchangeCertificate' component
    # [ID = ClientAccessExchangeCertificate___fb5e9028e669404d94dba90aace8c2f9, Wt = 1, isFatal = True] "Installing Client Access server certificates."
    7/5/2014 11:05:07 PM:
              Install-ExchangeCertificate -WebSiteName "Exchange Back End" -services "IIS, POP, IMAP" -DomainController $RoleDomainController -InstallInTrustedRootCAIfSelfSigned $true
              if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
                Install-AuthCertificate -DomainController $RoleDomainController

  • Can I use the same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    I want to create a different remote access VPN profile in the ASA. I have one RA VPN already configured for some purpose.
    Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool, and it's a temporary requirement)?
    Thanks in advance
    Shnail

    Thanks Karsten.
    But I can still have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
    So I am planning to create new local usernames for the new RA and a new group policy with vpn-filter value access-list to apply for that user, as below. This will achieve what I need, right?
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • Can you create a Remote Access VPN connection to tunnel DMZ LAN and Inside Networks simultaneously?

    I have a customer that has an ASA 5510 version 8.3 with IPSEC Client Access that includes some of their networks on the Inside interface. The issue they are having is when their mobile users connect with the vpn client (which is using split tunneling), they can no longer access their web server applications that are running in the DMZ. Without the client connected, they access the web servers via the external public IP. Once they are connected via vpn, their default dns server becomes the internal AD DNS server, which resolves the DNS of the web servers to the private DMZ ip address.
    Can a Remote Access VPN client connection be allowed to connect to both the DMZ interface and the Inside Interface? I had always only set up RA VPN clients to connect to networks on the Inside Interface.
    I tried adding the DMZ network to the Split Tunnel list, but I could not access anything on it while connected to vpn using the private IP addresses.

    Yes, you should be able to access DMZ subnets as well if they are added to the split tunnel ACL. You could check the NAT exemption configuration for the DMZ and also check if the ASA is forwarding the packet through DMZ interface by configuring captures on the DMZ interface. 
    Share the configuration if you want help with the NAT exemption part.

  • Remote access VPN with ASA 5510 using DHCP server

    Hi,
    Can someone please share your knowledge to help me find why I am not able to receive an IP address on remote access VPN connection while I can get an IP address on local DHCP pool?
    I am trying to set up remote access VPN with an ASA 5510. It works with a local dhcp pool but doesn't seem to work when I try using an existing DHCP server. It is being tested in an internal network as follows:
    ASA Version 8.2(5)
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 10.6.0.12 255.255.254.0
    ip local pool testpool 10.6.240.150-10.6.240.159 mask 255.255.248.0 !(worked with this)
    route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface inside
    crypto isakmp enable inside
    crypto isakmp policy 1
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 43200
    vpn-addr-assign aaa
    vpn-addr-assign dhcp
    group-policy testgroup internal
    group-policy testgroup attributes
    dhcp-network-scope 10.6.192.1
    ipsec-udp enable
    ipsec-udp-port 10000
    username testlay password *********** encrypted
    tunnel-group testgroup type remote-access
    tunnel-group testgroup general-attributes
    default-group-policy testgroup
    dhcp-server 10.6.20.3
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *****
    I got the following output when I test-connected to the ASA with Cisco VPN client 5.0:
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
    4024 bytes copied in 3.410 secs (1341 bytes/sec)
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ISA_KE payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received xauth V6 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received DPD VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Fragmentation VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received NAT-Traversal ver 02 VID
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing IKE SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ISAKMP SA payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ke payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing nonce payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for Responder...
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing ID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Cisco Unity VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing xauth V6 VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing dpd vid payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Traversal VID ver 02 payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing Fragmentation VID + extended capabilities payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 440
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Computing hash for ISAKMP
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing NAT-Discovery payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, computing NAT Discovery hash
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing VID payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Received Cisco Unity client VID
    Jan 16 15:39:21 [IKEv1]: Group = testgroup, IP = 10.15.200.108, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    [OK]
    kens-mgmt-012#
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 72
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=d4ca48e4) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Processing MODE_CFG Reply attributes.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary WINS = cleared
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: IP Compression = disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling Policy = Disabled
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Setting = no-modify
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
    Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
    Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=6b1b471) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg ACK attributes
    Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=49ae1bb8) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 182
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): Enter!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Processing cfg Request attributes
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 net mask!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DNS server address!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for WINS server address!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Received unsupported transaction mode attribute: 5
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Banner!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Save PW setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Default Domain Name!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split Tunnel List!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Split DNS!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for PFS setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Browser Proxy Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for backup ip-sec peer list!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for Application Version!
    Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Client Type: WinNT  Client Application Version: 5.0.07.0440
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for FWTYPE!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for DHCP hostname for DDNS is: DEC20128!
    Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for UDP Port!
    Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIVED Message (msgid=b04e830f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
    Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
    Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Duplicate Phase 2 packet detected.  No last packet to retransmit.
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE received response of type [] to a request from the IP address utility
    Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE AM Responder FSM error history (struct &0xd82b6740)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending delete/delete with reason message
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing blank hash payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing IKE delete payload
    Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing qm hash payload
    Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SENDING Message (msgid=9de30522) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Regards,
    Lay
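
Added example, not part of the original post: a small Python parser for IKEv1 debug output in the format shown above. It reports, per peer, the last negotiation stage reached, how long the ASA waited between the client's address request and the failure, and each FSM error trail in chronological order. The stage names are my own labels, and the parser assumes the trail is printed newest transition first, as the `TM_DONE, EV_ERROR` at its head suggests.

```python
import re

# Lines abridged from the debug output in the post. The truncated line and the
# "[OK]" line are constructed stand-ins for console output that lands in the
# middle of a debug stream; the parser has to skip them, not crash.
SAMPLE = """\
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, Connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA Proposal # 1, Transform # 9 acceptable  Matches global IKE entry # 1
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, User (testlay) authenticated.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: Received request for IPV4 address!
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Cannot obtain an IP address for remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE TM V6 FSM error history (struct &0xd8030048)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
"""

# timestamp, optional Group/Username fields, peer IP, then the free-text message
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>[^,]+), )?(?:Username = (?P<user>[^,]+), )?"
    r"IP = (?P<ip>\d+(?:\.\d+){3}), (?P<msg>.*)$"
)

# Milestones in the order a remote-access session reaches them (labels are mine).
STAGES = [
    ("tunnel-group matched", re.compile(r"Connection landed on tunnel_group")),
    ("phase 1 proposal accepted",
     re.compile(r"IKE SA Proposal # \d+, Transform # \d+ acceptable")),
    ("xauth user authenticated", re.compile(r"User \(.+?\) authenticated")),
    ("client requested address",
     re.compile(r"MODE_CFG: Received request for IPV4 address")),
]
FAILURE = re.compile(r"Cannot obtain an IP address for remote peer")
FSM = re.compile(r"IKE (?P<fsm>.+?) FSM error history .*?<state>, <event>:\s+(?P<hist>.+)$")


def seconds_of_day(ts):
    """'Jan 16 15:39:27' -> seconds since midnight (midnight wrap is ignored)."""
    h, m, s = (int(x) for x in ts.split()[-1].split(":"))
    return h * 3600 + m * 60 + s


def parse_fsm(msg):
    """Return (fsm name, [(state, event), ...] oldest first), or None."""
    m = FSM.search(msg)
    if not m:
        return None
    steps = [tuple(hop.strip().split(", ", 1)) for hop in m["hist"].split("-->")]
    steps.reverse()  # assumption: the device prints the newest transition first
    return m["fsm"], steps


def summarize(text):
    """Group parsed lines by peer IP; count non-empty lines that did not parse."""
    peers, skipped = {}, 0
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            if raw.strip():
                skipped += 1
            continue
        p = peers.setdefault(m["ip"], {"group": None, "user": None,
                                       "stages": {}, "failure_ts": None, "fsm": {}})
        p["group"] = m["group"] or p["group"]
        p["user"] = m["user"] or p["user"]
        for name, rx in STAGES:
            if rx.search(m["msg"]):
                p["stages"].setdefault(name, m["ts"])  # keep first occurrence
        if FAILURE.search(m["msg"]):
            p["failure_ts"] = m["ts"]
        fsm = parse_fsm(m["msg"])
        if fsm:
            p["fsm"][fsm[0]] = fsm[1]
    return peers, skipped


def diagnose(peer):
    """Reduce one peer's record to the facts needed for triage."""
    reached = [name for name, _ in STAGES if name in peer["stages"]]
    asked = peer["stages"].get("client requested address")
    wait = None
    if peer["failure_ts"] and asked:
        wait = seconds_of_day(peer["failure_ts"]) - seconds_of_day(asked)
    return {"group": peer["group"], "user": peer["user"],
            "last_stage": reached[-1] if reached else None,
            "address_failure": peer["failure_ts"] is not None,
            "wait_seconds": wait, "fsm": peer["fsm"]}


if __name__ == "__main__":
    peers, skipped = summarize(SAMPLE)
    print(f"skipped {skipped} unparseable line(s)")
    for ip, peer in peers.items():
        d = diagnose(peer)
        print(ip, d["group"], d["user"], "| last stage:", d["last_stage"],
              "| waited:", d["wait_seconds"], "s")
        for name, trail in d["fsm"].items():
            print(f"  {name}: " + " -> ".join(f"{s}/{e}" for s, e in trail))
```

On the sample, the session clears phase 1 and xauth and fails 12 seconds after the client's address request, so the failure sits in address assignment rather than in authentication.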

    For RADIUS you need a aaa-server-definition:
    aaa-server NPS-RADIUS protocol radius
    aaa-server NPS-RADIUS (inside) host 10.10.18.12
      key *****   
      authentication-port 1812
      accounting-port 1813
    and tell your tunnel-group to ask that server:
    tunnel-group VPN general-attributes
      authentication-server-group NPS-RADIUS LOCAL

  • Win 7 Pro 64 occasionally fails to connect using IKEV2 to Win2008R2 Routing and Remote Access server

    I'm a networking guy and having this troubling VPN issue that I can't find.
    I have a number of VPN connections from my Win7Pro 64 PC to various customers.  Their end points are all Windows Routing and Remote Access on Windows 2008R2 STD servers.
    Every once in a while I will hang at Verifying User ID and Password and eventually get ERROR 809. Change the security type on my VPN connection from IKEV2 to PPTP - never an issue, connects in right away.
    I can also try from another PC (at the same or alternate location) to get into that same server using the same credentials and access - no issue using either IKEV2 or PPTP.
    This has happened at various times to various customers. Here is what I know it is not:
    - Not the local or remote routers or Firewalls since I can always get in from other PC's going through the same network. Even so, tried rebooting all several times
    - Not an ISP issue at either end since I can always get into other IKEV2 servers from the same PC and from other PC's to the server I can't from my PC.
    This leads to the only logical conclusion. It is something to do with my Win7Pro 64 PC, but for the life of me I cannot find it.
    I have obviously tried rebooting the Win7Pro PC. I have also tried recreating the VPN connection several times. Nothing.
    Help!

    Hi,
    I know that you've mentioned that it is not an issue with firewall or router settings, but this error usually comes when some firewall between client and server is blocking the ports used by the VPN tunnel.
    So, to allow IKEv2 traffic, please make sure to configure the network firewall to open UDP ports 500 and 4500, and to allow IP protocol 50.
    If that is not possible, deploy an SSTP-based VPN tunnel on both VPN server and VPN client – that allows VPN connection across firewalls, web proxies and NAT.
    You can refer to this blog
    http://blogs.technet.com/b/rrasblog/archive/2006/06/14/which-ports-to-unblock-for-vpn-traffic-to-pass-through.aspx
    Regards
    Yolanda
    TechNet Community Support

  • Routing and Remote Access Logs (Windows Server 2008 R2)

    Hi,
    I have a Windows 2008 R2 server running Routing and Remote access and users are using PPTP VPN's to connect to our network.
    I have been asked to find logs for the following for connections in to our server
    Username used for connection
    Computer Name
    IP Address used by computer connecting
    Start/End time of VPN session
    Date
    Encryption used
    I found an article stating to enable RRAS logs you need to run the following command
    To enable RAS logs run command “netsh ras set tracing * enabled” and found a series of logs created in this location C:\Windows\tracing
    None appear to contain the information I am looking for and was wondering if I was doing this correctly and if not how I am meant to extract this information?
    If you require any more details just let me know.
    Kind Regards
    David

    Hi,
    I'm not sure which article you have read, but for 2008 R2 the KB describes enabling the RAS log and the debug log like this. I recommend you try the method mentioned in the KB.
    To configure RRAS to enable logging
    1. Start Server Manager. Click Start, click Administrative Tools, and then click Server Manager.
    2. In the navigation tree, expand Roles, and then expand Network Policy and Access Services.
    3. Right-click Routing and Remote Access, and then click Properties.
    4. On the Logging tab, select Log errors only, Log errors and warnings, or Log all events, depending on how much information you want to capture.
    5. Click OK to save your changes.
    The related KB:
    RRAS: Logging should be enabled on the RRAS server
    http://technet.microsoft.com/zh-cn/library/ee922651(v=ws.10).aspx
    Hope this helps.
