SBS 2003 VPN not working

+
0 Votes
Locked

Trkkr
I set up the SBS 2003 VPN using the wizard. I used our public IP since our domain name does not resolve to our server.

I forwarded the ports required on our router.

On my laptop, I setup the connection and ran it. It connects when I supply my domain credentials.

If I do an ipconfig, both my wireless and VPN (PPP) connections show as connected. I have both a local network IP (on the wireless) and an IP supplied by our server (for the PPP connection). They are on different subnets (x.x.0.x and x.x.1.x).

If I ping our server's internal IP I get responses back.

However, I cannot see the server or any shared directories, I can't add my computer to the domain and I cannot set up my Exchange email.

I'm not sure what I'm missing. I've heard that when the VPN is working correctly you shouldn't be able to use the internet, but I am. I am currently 'connected' on my VPN connection at the same time as I'm browsing the internet and asking this question.

This is giving me no end of frustration that I'm probably missing something simple.

If anyone can shed any further light on this situation I would be very grateful. I can provide further information if needed.
    +
    0 Votes
    traevis

    Although it's not strictly an answer to how to see your server, I had the same problem and got round it by mapping a network drive to \\servername\directory

    Although I still can't see the server in Network, I can access all the files that are on it.

    I can use the internet just fine when I use my VPN - though it runs faster if I uncheck the option routing my connection through the gateway at work. Some offices don't let you do that though - I believe because it may pose a security risk.

    +
    0 Votes
    Trkkr

    I'll have to try that and see if it works; however...

    One of the biggest reasons for doing this is to get Exchange email working on the remote system. Since my system cannot see the domain the Exchange will not work.

    The base issue seems to revolve around that. If I can get the remote system to see the domain, then it stands to reason that everything else should fall into place.

    As I mentioned before, I can ping the local IP of the server when I'm VPN'ed in. It seems like even though I'm connected to the office network, it's using my local wireless connection to handle everything. If that's the case, I need to figure out how to get it to only use the wireless as a means for the VPN and to have the VPN handle all other traffic.

    +
    0 Votes
    CG IT

    SBS has OWA and RWW that users can use to get email.

    So VPN is a lot of work for services that are already available to the user.

    +
    0 Votes
    Trkkr

    OWA is a royal pain in the rear being as it's run from your web browser. And you don't get all the functionality that I'm looking for.

    The end result I'm looking for is to eventually set up one of our clients with this type of setup. They have many remote sites that they would like to have tied into their main office server. That way they all can use Exchange, calendar sharing, centralized file storage, sharing & backup, etc. The remote sites are very small (avg. 2 people per site) and setting up a hardware VPN connection to each site is a little overkill.

    If SBS has a software VPN built into it, then getting it going should be a possible solution.

    I hope this doesn't get taken the wrong way but I don't want different options, I want to get this one going. If it doesn't work, then it should have been provided in the first place.

    +
    0 Votes
    CG IT

    And you set this up by running the VPN wizard in the Things to Do list, which is in the left pane of the server management console.

    Once you run the wizard, you'll have to forward the appropriate VPN ports from your perimeter firewall/ router to your SBS box. Then, you have to add those users who are to have VPN rights to the remote access security group.

    Typically, the VPN wizard will create rules in RRAS allowing VPN users who authenticate a connection. If not, you'll have to create your own rule in RRAS using the RRAS MMC in Administrative Tools.

    Suggest you do some reading or pick up a copy of the Small Business Server Administrator's Companion from Amazon.com.

    Note: VPN users who successfully authenticate to the SBS network have a connection to the local network just as if they were workstations on the LAN.

    However, all the functionality you want is available to users via the Remote Web Workplace SharePoint site without having to allow remote users a connection to the LAN, and thus access to the LAN and all workstations on the LAN, including the SBS box.

    +
    0 Votes
    Trkkr

    I have the Admin Companion, and it is severely lacking when it comes to the details of getting this going. There's a lot of L2TP setup information but I'm trying to use PPTP.

    So, I connected the remote system to the VPN connection I created and determined some other information:

    - I see that the SM is 255.255.255.255 and the DG is the same as the IP address assigned.

    - Looking on the server, under RRAS, it shows my user (domainname\user) connected under Remote Access Clients.

    From what I've read and what I'm seeing, I am at a loss for where the issue is.

    I've seen other people that have posted similar issues but there has never been a case that was resolved.

    It is so frustrating; everything says it should be working but it's not!

    +
    0 Votes
    CG IT

    For remote access users?

    VPN simply means creating a connection. After that, the remote user is connected to the network the same as a LAN user.

    So to get Exchange, the email client has to be configured for Exchange. To access the SharePoint web site, the user uses the web browser and http://companyweb

    Shares are accessed the same way LAN users access shares.

    If you're using Windows XP SP2 or later, L2TP does not work. Microsoft actually turned off the L2TP IPSec VPN for XP due to security issues. Don't confuse this with an L2TP connection on a LAN. That still works. Only VPN connections.

    So PPTP is about all there is for XP clients. You could use certificates for L2TP connections once on the LAN but L2TP VPN for XP.

    Windows 7 L2TP has no problems.

    If you ran the wizard from the Things to Do list, during the setup process it will ask for an address range and subnet mask. You can either have DHCP create this or specify your own static pool. Either way, the number of WAN miniports in RRAS needs to be the same as the number of addresses in the pool.

    +
    0 Votes
    Trkkr

    "If you ran the wizard from the Things to Do list, during the setup process it will ask for an address range and subnet mask. You can either have DHCP create this or specify your own static pool. Either way, the number of WAN miniports in RRAS needs to be the same as the number of addresses in the pool."

    This never happened.

    1. Clicked "Configure Remote Access"
    2. Welcome screen (Clicked Next)
    3. "Enable Remote Access" (Checked "VPN Access"), Next
    4. Server Name. Our domain doesn't reside on our server so I put our Public IP in here.
    5. "When you click Finish, the wizard will configure remote access as follows:...". Clicked Finish.
    6. It does its configuring thing, pops up asking to set up password security minimums, which I decline, and that's that.

    I see in all the documentation that I read, that it's talking about the page where you set address ranges and subnets and all that, but I never have anything to that effect come up. Maybe that's where the issue is? Our server handles our DHCP requests so I figured it just set those settings up automatically.

    +
    0 Votes
    CG IT

    from your post:

    "If you ran the wizard from the Things to Do list, during the setup process it will ask for an address range and subnet mask. You can either have DHCP create this or specify your own static pool. Either way, the number of WAN miniports in RRAS needs to be the same as the number of addresses in the pool."

    This never happened.

    1. Clicked "Configure Remote Access"
    2. Welcome screen (Clicked Next)
    3. "Enable Remote Access" (Checked "VPN Access"), Next
    4. Server Name. Our domain doesn't reside on our server so I put our Public IP in here.
    5. "When you click Finish, the wizard will configure remote access as follows:...". Clicked Finish.
    6. It does its configuring thing, pops up asking to set up password security minimums, which I decline, and that's that.

    I see in all the documentation that I read, that it's talking about the page where you set address ranges and subnets and all that, but I never have anything to that effect come up. Maybe that's where the issue is? Our server handles our DHCP requests so I figured it just set those settings up automatically.

    Hmm, well then DHCP should have a pool of addresses, and it then assigns them to the WAN miniports.

    So if you open up RRAS [Start / Administrative Tools / RRAS] you'll see Ports in the left pane.

    These are the WAN miniports RRAS uses. Typically you'll have r ports. There will be addresses in DHCP for these ports. You'll also have 3 rules, the first one of which is Mobile Users [sorry, gave wrong security group]. Members of this group are allowed to connect.

    After that, if you forward PPTP 1723 to the SBS box, and enable PPTP passthrough on the perimeter router or make a rule allowing GRE 47, you should be good to go.

    A connection made is simply a connection. What's available to users with the VPN connection is the same as LAN domain users.

    +
    0 Votes
    Trkkr

    Got a little bit further.

    When running an ipconfig /all, the WINS was coming up as some unused IP on the local network that the box is in. The subnet mask was showing as 255.255.255.255 when the server network subnet ends in .0.

    On a manually created VPN connection on the external box I was able to force the WINS server to the IP of the server. That didn't help the weird subnet issue though.

    With that forced, I can setup mapped drives to shared directories. I can't get the computer to add to the domain. It says it can't find the DC.

    It can ping the server by its name and translate it to its IP address.

    I will see if I can setup an exchange account in Outlook in the next little while. It should work if it can ping fs01.

    Even if I can setup Exchange, the ultimate goal here would have the external box being able to get added to the domain.

    Also, I can't say for sure, but it seems that when the VPN is connected that the local internet connection gets confused (some pages won't load, IE 'recovers' tabs constantly). That only started happening since the WINS was forced.

    +
    0 Votes
    CG IT

    WINS is really only for W9X workstations.

    The broadcast subnet mask 255.255.255.255 is wrong. Where or how your clients are getting it needs to be fixed.

    If you look in DHCP, you'll find 5 computers there that are assigned IP addresses, and these are for the PPTP miniports you see in RRAS. These should all have addressing the same as the local subnet.

    Connecting computers to the domain is done via the web browser using http://server name/connect computer

    If you use a different method, then computers won't be placed in the correct Small Business/My Business OU.

    +
    0 Votes
    Trkkr

    Hi CG IT,

    I was wondering if you've used the SBS Software VPN that I'm trying to figure out. Because to me, those settings don't look right either but I've never set this type of VPN up before so maybe that's how it's supposed to look? That's why I ask.

    If you have, then I think we've got something to try and fix. Looking at the server's DHCP, under Scope Options, there is a WINS setting. Going on what you said, should that even be there or should it be removed?

    Moving back to the rest of the IP stuff, I apologize if I'm about to be going back on anything I've posted before. I'll briefly outline some more specific details here.

    When a local user is connected into the server the settings are as follows (I will be modifying the actual numbers a bit):

    DNS Suffix: ourdomain.local
    DHCP Enabled: Yes
    Autoconfiguration Enabled: Yes
    IP: 192.168.10.1xx
    SM: 255.255.255.0
    DG: 192.168.10.1 (Router)
    DHCP: 192.168.10.2 (Server)
    DNS: 192.168.10.2
    WINS: 192.168.10.2

    The remote PC's local IP range is the '192.168.1.1xx' range using a router DHCP.

    Now, when the remote PC connects using the VPN connection that the sbspackage.exe creates, the settings are as follows:

    DNS Suffix: ourdomain.local
    DHCP Enabled: No
    IP: 192.168.10.1xx
    SM: 255.255.255.255
    DG: 192.168.10.1xx (same as IP)
    DNS: 192.168.10.2
    WINS: 192.168.1.1xx (note the '1.1xx' not '10.1xx')

    As we've both mentioned, those don't look right to me. Going back to what I said, if I create a manual VPN connection on the remote system, and then set the WINS to the Server IP (10.2), I can map shared drives. I shouldn't need to set WINS for that (as far as I understand it) but I can't even get that far without that. I can also set up Exchange email with that WINS set manually.

    Going back to what you mentioned, I don't see anywhere in RRAS that I can specify subnet mask. In the RRAS Server properties I can go from using DHCP to static, but the static settings only allow you to set IP range, no SM or DG.

    Can you let me know where you tell it the right SM? In the server's main DHCP configuration, the SM is '.0'.
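As an added illustration of the two ipconfig listings above (example code, not part of the thread), this Python script parses a constructed PPP-adapter `ipconfig /all` block and flags the settings that do not belong to the office LAN, treating the /32 mask with gateway equal to the client's own address as the normal appearance of a PPP adapter rather than a fault. It assumes the LAN scope 192.168.10.0/24 and the SBS box at 192.168.10.2 from the post; the adapter name and the last octets are made up.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt for the PPP adapter, modelled on the
# values posted in the thread; adapter name and last octets are made up.
PPP_IPCONFIG = """\
PPP adapter SBS VPN:

   Connection-specific DNS Suffix  . : ourdomain.local
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.105
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 192.168.10.105
   DNS Servers . . . . . . . . . . . : 192.168.10.2
   Primary WINS Server . . . . . . . : 192.168.1.105
"""

# Office LAN as described in the thread: 192.168.10.0/24, with the SBS box
# (DHCP, DNS and WINS) at 192.168.10.2.
LAN_SCOPE = ipaddress.ip_network("192.168.10.0/24")
SBS_SERVER = ipaddress.ip_address("192.168.10.2")

# Matches "Name . . . . : value" lines; the dot leaders are eaten by [ .]*
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {lower-cased field name: value} for one adapter's ipconfig block."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value").strip():
            fields[m.group("name").strip().lower()] = m.group("value").strip()
    return fields


def check_vpn_adapter(fields, lan_scope=LAN_SCOPE, server=SBS_SERVER):
    """Compare a PPP adapter's settings with the office LAN.

    Returns a list of (severity, message) tuples; severity is "ERROR" or "INFO".
    """
    findings = []
    ip = ipaddress.ip_address(fields["ip address"])
    if ip not in lan_scope:
        findings.append(("ERROR", f"VPN address {ip} is outside the LAN scope {lan_scope}"))

    # Windows presents a point-to-point PPP link as a /32 whose gateway is the
    # client's own address. That is how PPP adapters look, not a misconfiguration.
    if fields.get("subnet mask") == "255.255.255.255" and fields.get("default gateway") == str(ip):
        findings.append(("INFO", "/32 mask with gateway = own address is normal for a PPP adapter"))

    # Name servers handed to the client must live on the office LAN; a WINS
    # address from the client's home range (192.168.1.x) cannot resolve office names.
    for role in ("dns servers", "primary wins server"):
        value = fields.get(role)
        if value is None:
            continue
        addr = ipaddress.ip_address(value)
        if addr not in lan_scope:
            findings.append(("ERROR", f"{role} {addr} is not in the LAN scope {lan_scope}; "
                             "office name lookups will go to a host that is not the SBS box"))
        elif addr != server:
            findings.append(("INFO", f"{role} {addr} is on the LAN but is not the SBS box {server}"))
    return findings


def errors(findings):
    """Only the ERROR-level messages, for quick pass/fail use."""
    return [msg for sev, msg in findings if sev == "ERROR"]


if __name__ == "__main__":
    for sev, msg in check_vpn_adapter(parse_ipconfig(PPP_IPCONFIG)):
        print(f"{sev}: {msg}")
```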

    +
    0 Votes
    CG IT

    WINS is simply machine name to IP address and uses NetBIOS over TCP/IP. Since W2K, NetBIOS isn't needed to resolve names to addresses on a TCP/IP network. DNS handles that. So you can actually turn off NetBIOS over TCP/IP on your post-W2K machines and, along with it, the LMHOSTS files.

    If you're using the CMAK kit to create a package for users, you really need to set up and get VPN working first. Then you run the CMAK tool and use the parameters you know work when you run the CMAK tool to create a profile.

    To get PPTP VPN to work on an SBS machine behind a perimeter router, the perimeter router needs to be able to do 2 things. First is to allow PPTP passthrough or be able to allow GRE traffic to pass through. GRE protocol 47 needs to pass through the perimeter router/firewall. The second is TCP port 1723. That TCP port needs to be forwarded to the SBS box. The SBS box needs to listen for TCP/IP traffic on its external interface.

    VPN on SBS works best if the SBS box does the routing, but with a large number of users this can be quite a problem with latency [2 NIC setup]. Using the 1 NIC setup, you have more of a problem. You have to turn off routing so that the SBS box will listen on the single NIC for inbound port 1723 traffic.

    Once you've established a VPN connection to the SBS box, and obtained a local LAN address from DHCP, you're connected just as if you were a local network workstation. Mapping drives is simply \\computer name\share or you can use \\ip address\share.

    The company web site is accessible using the http://companyweb URL.

    Email means configuring Outlook to use Exchange. Configuring that is the same as for LAN workstations. Using the wizard, just put in the SBS server name and a valid Active Directory user name, click the Check Name box, and once the server name and user name are validated, Outlook is then configured to use Exchange when connected to the network.

    Note: the remote access wizard in the Things to Do list configures RRAS for Remote Access. The wizard creates rules in RRAS for the SBS Mobile Users group. Active Directory users who are granted VPN access need to be in this security group. Manually configuring RRAS is not recommended because the wizard configures the RRAS rules.

    To check to see if your SBS box is listening on the correct NIC, open up the RRAS MMC in Administrative Tools and view the interfaces. It should show a status of UP. Also you need to verify your PPTP miniports have addresses assigned to them. You do this in DHCP. You should see a listing in DHCP for an extra 5 addresses. These are the VPN miniports.

    +
    0 Votes
    Trkkr

    Microsoft KB837391:

    "Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality...

    ...The following Exchange functionality still depends on WINS name resolution:

    - The Exchange Server 2003 Setup program and the Exchange 2000 Server Setup program, especially on clustered servers.
    - Exchange Mailbox Merge Wizard (ExMerge) on an Exchange 2003 computer and on an Exchange 2000 computer.
    - Changing a password for an Exchange 2003 mailbox or an Exchange 2000 mailbox through Microsoft Outlook Web Access (OWA).
    - Exchange System Manager on an Exchange 2003 computer and on an Exchange 2000 computer.

    ..."

    Well, we're running Exchange 2003 so that last point means we still need WINS on our server.

    So furthering that, if we don't need WINS configured for these VPN connections, how do we fix the fact that mapping folders, Exchange and adding the system to the domain (which I just tested as working using http://servername/connectcomputer) don't work without WINS manually configured?

    Don't get me wrong, I believe it shouldn't need to be set either (since the automatic connection setup that 'Configure Remote Access' creates [sbspackage.exe] doesn't set that) but I can't get it working any other way.

    I think we're making progress though!

    +
    0 Votes
    CG IT

    But I've turned off NetBIOS over TCP/IP and actually not configured WINS on SBS boxes and haven't had any problems. I don't like NetBIOS over TCP/IP.

    DNS handles all name to address resolution on the SBS network.

    The connect computer URL is http://SBS server name/connect computer or use connectcomputer.

    Mapping drives by name requires DNS to function or, barring that, you use the address and then the share name.

    +
    0 Votes
    Trkkr

    I'm not too sure what SP is on the Exchange. We're running SBS 2003 SP2 with Exchange v.6.5.7226.0.

    Going further, with the WINS manually set to the server IP, Exchange and mapped drives work (telling it to map \\servername\shared directory). So I don't have issues on how to map drives or set up Exchange or connect computers to the domain; I've done that plenty of times.

    I've also set up hardware VPNs successfully. But this is the first time I've attempted software VPN.

    The problem looks like there's something, somewhere that isn't configured/working properly that is requiring the WINS to be manually set for this to work. I believe if I can pinpoint that, this whole thing will come together.

    +
    0 Votes
    Trkkr

    I spoke too soon. That didn't work. Before the wizard launched it said you had to be connected into the local network before it would work, so I don't think that's possible regardless of whether or not we get everything else working.

    +
    0 Votes
    CG IT

    If you get VPN to work, then you can try the different things you want to, to see if they will work or not.

    +
    0 Votes
    Trkkr

    Oh man. After all this and I found something that fixed ALMOST everything.

    I can now connect to the server shared directories and use Exchange through the automatically created VPN package that the server creates when you setup the RRAS through the wizard.

    All it took was opening up port 500 UDP on the router!

    So it looks like you run through the Remote Access Wizard, open up port 1723 TCP, port 500 UDP, run the sbspackage.exe on the client and it should work....

    Weird side effect is that my manually created connection with the WINS removed still won't connect.

    IP Differences between the two:

    SBS Connection:
    IP: .105
    GW: .105
    WINS: .105

    Manual Connection:
    IP: .106
    GW: [blank]
    WINS: .105

    I'm guessing that has something to do with it but I haven't investigated further yet. I'll report back if I figure it out.

    If anyone knows why that is and how to fix it, feel free to chip in.

    Personally I'm just happy to have got this figured out this far. This, of course, needs to be figured out if it gets set up on Server 2003 Standard since there is no sbspackage.exe created that way.

  • +
    0 Votes
    traevis

    Although it's not strictly an answer to how to see your server, I had the same problem and got round it by mapping a network drive to \\servername\directory

    Although I still can't see the server in Network, I can access all the files that are on it.

    I can use the internet just fine when I use my VPN - though it runs faster if I uncheck the option routing my connection through the gateway at work. Some offices don't let you do that though - I believe because it may pose a security risk.

    +
    0 Votes
    Trkkr

    I'll have to try that and see if it works; however...

    One of the biggest reasons for doing this is to get Exchange email working on the remote system. Since my system cannot see the domain the Exchange will not work.

    The base issue seems to revolve around that. If I can get the remote system to see the domain than it stands to reason that everything else should fall into place.

    As I mentioned before, I can ping the local IP of the server when I'm VPN'ed in. It seems like even though I'm connected to the office network, it's using my local wireless connection to handle everything. If that's the case, I need to figure out how to get it to only use the wireless as a means for the VPN and to have the VPN handle all other traffic.

    +
    0 Votes
    CG IT

    SBS has OWA and RWW that users can use to get email.

    So VPN is a lot of work for services that are already available to the user.

    +
    0 Votes
    Trkkr

    OWA is a royal pain in the rear being as it's run from your web browser. And you don't get all the functionality that I'm looking for.

    The end result I'm looking for is to eventually set up one of our clients with this type of setup. They have many remote sites that they would like to have tied into their main office server. That way they all can use Exchange, calendar sharing, centralized file storage, sharing & backup, etc. The remote sites are very small (avg. 2 people per site) and setting up a hardware VPN connection to each site is a little overkill.

    If SBS has a software VPN built into it, then getting it going should be a possible solution.

    I hope this doesn't get taken the wrong way but I don't want different options, I want to get this one going. If it doesn't work, then it should have been provided in the first place.

    +
    0 Votes
    CG IT

    and you set this up by running the VPN wizard in the Things to Do list which is in the left pane of the server management console.

    Once you run the wizard, you'll have to forward the appropriate VPN ports from your perimeter firewall/ router to your SBS box. Then, you have to add those users who are to have VPN rights to the remote access security group.

    Typically, the VPN wizard will create rules in RRAS allowing VPN users who authenticate, a connection. If not, you'll have to create your own rule in RRAS using the RRAS MMC in administrative tools.

    Suggest you do some reading or pickup a copy of the Small Business Server administrators companion from Amazon.com.

    note: VPN users who successfuly authenticate to the SBS network have a connection to the local network just as if they were workstations on the lan.

    however, all the functionality you want is available to users via the Remote Web Workplace sharepoint site without having to allow remote users a connection to the lan thus access to the lan and all workstations on the lan including the SBS box.

    +
    0 Votes
    Trkkr

    I have the Admin Companion, and it is severely lacking when it comes to the details of getting this going. There's a lot of L2TP setup information but I'm trying to use PPTP.

    So, I connected the remote system to the VPN connection I created and determined some other information:

    - I see that the SM is 255.255.255.255 and the DG is the same as the IP address assigned.

    - Looking on the server, under RRAS, it shows my user (domainname\user) connected under Remote Access Clients.

    From what I've read and what I'm seeing, I am at a loss for where the issue is.

    I've seen other people that have posted similar issues but there has never been a case that was resolved.

    It is so frustrating; everything says it should be working but it's not!

    +
    0 Votes
    CG IT

    for remote access users?

    VPN simply means creating a connection. After that, the remote user is connected to the network the same as a LAN user.

    So to get the exchange, the email client has to be configured for Exchange. To access the sharepoint web site, the user uses the web browser and http://companyweb

    shares or access the same way lan users access shares.

    If your using Windows XP SP2 or later, L2TP does not work. Microsoft actually turned off the L2TP IPSec VPN for XP due to security issues. Don't confuse this with L2TP connection on a LAN. That still works. Only VPN connections.

    so PPTP is about all there is for XP clients. You could use certificates for L2TP connections once on the LAN but L2TP VPN for XP.

    Windows 7 L2TP has no problems.

    If you ran the Wizard from the things to do list, during the setup process it will ask for an address range and subnet mask. you can either have DHCP create this or specify your own static poll. Either way, the number of WAN miniports in RRAS needs to be the same as the number of addresses in the pool.

    +
    0 Votes
    Trkkr

    "If you ran the Wizard from the things to do list, during the setup process it will ask for an address range and subnet mask. you can either have DHCP create this or specify your own static poll. Either way, the number of WAN miniports in RRAS needs to be the same as the number of addresses in the pool."

    This never happened.

    1. Clicked "Configure Remote Access"
    2. Welcome screen (Clicked Next)
    3. "Enable Remote Access" (Checked "VPN Access"), Next
    4. Server Name. Our domain doesn't reside on our server so I put our Public IP in here.
    5. "When you click Finish, the wizard will configure remote access as follws:...". Clicked Finish.
    6. It does it's configuring thing, pops up asking to setup password security minimums, which I decline, and that's that.

    I see in all the documentation that I read, that it's talking about the page where you set address ranges and subnets and all that, but I never have anything to that effect come up. Maybe that's where the issue is? Our server handles our DHCP requests so I figured it just set those settings up automatically.

    +
    0 Votes
    CG IT

    from your post:

    "If you ran the Wizard from the things to do list, during the setup process it will ask for an address range and subnet mask. you can either have DHCP create this or specify your own static poll. Either way, the number of WAN miniports in RRAS needs to be the same as the number of addresses in the pool."

    This never happened.

    1. Clicked "Configure Remote Access"
    2. Welcome screen (Clicked Next)
    3. "Enable Remote Access" (Checked "VPN Access"), Next
    4. Server Name. Our domain doesn't reside on our server so I put our Public IP in here.
    5. "When you click Finish, the wizard will configure remote access as follws:...". Clicked Finish.
    6. It does it's configuring thing, pops up asking to setup password security minimums, which I decline, and that's that.

    I see in all the documentation that I read, that it's talking about the page where you set address ranges and subnets and all that, but I never have anything to that effect come up. Maybe that's where the issue is? Our server handles our DHCP requests so I figured it just set those settings up automatically.

    hum well then DHCP should have a pool of address and it then assigns them to the WAN miniports

    so if you open up RRAS [ start / admin tolls/RRAS you'll see in the left pane ports

    these are the WAN miniports RRAS uses. typically you'll have r ports. there will be addresses in DHCP for these ports. You'll also have 3 rules the first on of which is mobile users [sorry gave wrong security group]. Members of this group are allowed to connect.

    After that, if you forward pptp 1723 to the SBS box, and enable PPTP passthrough on the perimeter router or make a rule allowing GRE 47 you should be good to go.

    A connection made is simply a connection. What's available to users with the VPN connection is the same as LAN domain users.

    +
    0 Votes
    Trkkr

    Got a little bit further.

    When running an ipconfig /all, the WINS was coming up as some unused IP on the local network that the box is in. The subnet mask was showing as 255.255.255.255 when the server network subnet ends in .0.

    On a manually created VPN connection on the external box I was able to force the WINS server to the IP of the server. That didn't help the wierd subnet issue though.

    With that forced, I can setup mapped drives to shared directories. I can't get the computer to add to the domain. It says it can't find the DC.

    It can ping the server by it's name and translate it to its IP address.

    I will see if I can setup an exchange account in Outlook in the next little while. It should work if it can ping fs01.

    Even if I can setup Exchange, the ultimate goal here would have the external box being able to get added to the domain.

    Also, I can't say for sure, but it seems that when the VPN is connected that the local internet connection gets confused (some pages won't load, IE 'recovers' tabs constantly). That only started happening since the WINS was forced.

    +
    0 Votes
    CG IT

    WINS is really only for W9X workstations.

    the broadcast subnet mask 255.255.255.255 is wrong. where or how your clients are getting is needs to be fixed.

    If you look in DHCP, you'll find 5 computers there that are assigned IP address and these are for the PPTP mini ports you see in RRAS. These should all have addressing the same as the local subnet.

    connecting computers to the domain is done via the web browser using the http://server name/connect computer

    if you use a different method then computers won't be placed in the correct Small Business/My Business OU.

    +
    0 Votes
    Trkkr

    Hi CG IT,

    I was wondering if you've used the SBS Software VPN that I'm trying to figure out. Because to me, those settings don't look right either but I've never set this type of VPN up before so maybe that's how it's supposed to look? That's why I ask.

    If you have, then I think we've got something to try and fix. Looking at the servers DHCP, under Scope Options, there is a WINS setting. Going on what you said, should that even be there or should it be removed?

    Moving back to the rest of the IP stuff, I apologize if I'm about to be going back on anything I've posted before. I'll briefly outline some more specific details here.

    When a local user is connected into the server the settings are as follows (I will be modifying the actual numbers a bit):

    DNS Suffix: ourdomain.local
    DHCP Enabled: Yes
    Autoconfiguration Enabled: Yes
    IP: 192.168.10.1xx
    SM: 255.255.255.0
    DG: 192.168.10.1 (Router)
    DHCP: 192.168.10.2 (Server)
    DNS: 192.168.10.2
    WINS: 192.168.10.2

    The remote PCs local IP range is the '192.168.1.1xx' range using a router DHCP.

    Now, when the remote PC connects using the VPN connection that the sbspackage.exe creates, the settings are as follows:

    DNS Suffix: ourdomain.local
    DHCP Enabled: No
    IP: 192.168.10.1xx
    SM: 255.255.255.255
    DG: 192.168.10.1xx (same as IP)
    DNS: 192.168.10.2
    WINS: 192.168.1.1xx (note the '1.1xx' not '10.1xx')

    As we've both mentioned, those don't look right to me. Going back to what I said, if I create a manual VPN connection on the remote system, and then set the WINS to the Server IP (10.2), I can map shared drives. I shouldn't need to set WINS for that (as far as I understand it) but I can't even get that far without that. I can also set up Exchange email with that WINS set manually.

    Going back to what you mentioned, I don't see anywhere in RRAS that I can specify subnet mask. In the RRAS Server properties I can go from using DHCP to static, but the static settings only allow you to set IP range, no SM or DG.

    Can you let me know where you tell it the right SM? In the server's main DHCP configuration, the SM is '.0'.
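The two adapter listings above can be checked mechanically. The following is an added example (not from the thread): it parses ipconfig-style "Key: value" listings like the ones posted and flags the address relationships that matter for name resolution over the tunnel. It assumes the office LAN is 192.168.10.0/24 and the SBS box is 192.168.10.2, as in the post; all concrete addresses are constructed sample values. A 255.255.255.255 mask on a Windows PPP adapter is treated as expected, since a dial-up/VPN adapter is a point-to-point link and the mask carries no subnet information; the thing the check does flag is a DNS or WINS server that lies outside the office LAN, which is the symptom in the second listing.

```python
"""Sanity-check a Windows VPN (PPP) adapter configuration against the office LAN.

Added example, not tooling from the thread. Parses 'Key: value' listings like
the ones posted and reports findings. All addresses are constructed samples.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")   # assumed office LAN
SERVER = ipaddress.ip_address("192.168.10.2")   # assumed SBS box (DNS/WINS/DHCP)

# Constructed listing modelled on the remote PC's VPN adapter in the post above.
VPN_LISTING = """\
DNS Suffix: ourdomain.local
DHCP Enabled: No
IP: 192.168.10.105
SM: 255.255.255.255
DG: 192.168.10.105
DNS: 192.168.10.2
WINS: 192.168.1.105
"""


def parse_listing(text):
    """Turn 'Key: value' lines into a dict; keys are upper-cased for lookup."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip().upper()] = value.strip()
    return cfg


def check_vpn_adapter(cfg, lan=LAN, server=SERVER):
    """Return a list of (severity, message) findings for a PPP adapter config."""
    findings = []
    ip = ipaddress.ip_address(cfg["IP"])
    mask = cfg.get("SM", "")

    # The tunnel address must come from the office LAN pool (DHCP or RRAS static pool).
    if ip not in lan:
        findings.append(("error", f"tunnel address {ip} is not in the office LAN {lan}"))

    # A /32 mask on a dial-up/PPP adapter is normal: it is a point-to-point link.
    if mask != "255.255.255.255":
        findings.append(("info", f"unusual mask {mask} for a PPP adapter"))

    # Name servers handed out over the tunnel must be reachable through it,
    # i.e. they should be office-LAN addresses, not addresses from the remote LAN.
    for role in ("DNS", "WINS"):
        raw = cfg.get(role)
        if not raw:
            findings.append(("warn", f"no {role} server handed out over the tunnel"))
            continue
        addr = ipaddress.ip_address(raw)
        if addr not in lan:
            findings.append(("error", f"{role} server {addr} is outside the office LAN; "
                                      f"expected something like {server}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vpn_adapter(parse_listing(VPN_LISTING)):
        print(f"[{severity}] {message}")
```

Run against the constructed listing it reports one error: the WINS server 192.168.1.105 is on the remote PC's home subnet, so WINS lookups never cross the tunnel, while DNS (192.168.10.2) is fine. Paste a real `ipconfig /all` adapter section in the same "Key: value" form to check a live connection.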

    +
    0 Votes
    CG IT

    WINS is simply machine name to IP address and uses NetBIOS over TCP/IP. Since W2K, NetBIOS isn't needed to resolve names to addresses on a TCP/IP network. DNS handles that. So you can actually turn off NetBIOS over TCP/IP in your post-W2K machines and, along with it, the LMHOSTS files.

    If you're using the CMAK kit to create a package for users, you really need to set up and get VPN working first. Then you run the CMAK tool and use the parameters you know work when you run the CMAK tool to create a profile.

    To get PPTP VPN to work on a SBS machine behind a perimeter router, the perimeter router needs to be able to do 2 things. First is to allow PPTP passthrough or be able to allow GRE traffic to pass through. GRE 47 protocol needs to pass through the perimeter router/firewall. The second is TCP port 1723. That TCP port needs to be forwarded to the SBS box. The SBS box needs to listen for TCP/IP traffic on its external interface.

    VPN on SBS works best if the SBS box does the routing, but with a large number of users this can be quite a problem with latency [2 NIC setup]. Using the 1 NIC setup, you have more of a problem. You have to turn off routing so that the SBS box will listen on the single NIC for inbound port 1723 traffic.

    Once you've established a VPN connection to the SBS box, and obtained a local LAN address from DHCP, you're connected just as if you were a local network workstation. Mapping drives is simply \\computer name\share or you can use \\ip address\share.

    The company web site is accessible using the http://companyweb URL.

    Email is configuring Outlook to use Exchange. Configuring that is the same for LAN workstations. Using the wizard, just put in the SBS server name and a valid Active Directory user name, click the check name box; once the server name and user name are validated, Outlook is then configured to use Exchange when connected to the network.

    Note: the remote access wizard in the things to do list configures RRAS for Remote Access. The wizard creates rules in RRAS for the SBS mobile users group. Active Directory users who are granted VPN access need to be in this security group. Manually configuring RRAS is not recommended because the wizard configures the RRAS rules.

    To check to see if your SBS box is listening on the correct NIC, open up the RRAS MMC in Admin tools and view the interfaces. It should show a status as UP. Also you need to verify your PPTP miniports have addresses assigned to them. You do this in DHCP. You should see a listing in DHCP for an extra 5 addresses. These are the VPN miniports.

    +
    0 Votes
    Trkkr

    Microsoft KB837391:

    "Exchange Server 2003 and Exchange 2000 Server require NetBIOS name resolution for full functionality...


    ...The following Exchange functionality still depends on WINS name resolution:

    - The Exchange Server 2003 Setup program and the Exchange 2000 Server Setup program, especially on clustered servers.
    - Exchange Mailbox Merge Wizard (ExMerge) on an Exchange 2003 computer and on an Exchange 2000 computer.
    - Changing a password for an Exchange 2003 mailbox or an Exchange 2000 mailbox through Microsoft Outlook Web Access (OWA).
    - Exchange System Manager on an Exchange 2003 computer and on an Exchange 2000 computer.

    ..."

    Well, we're running Exchange 2003 so that last point means we still need WINS on our server.

    So, furthering that, if we don't need WINS configured for these VPN connections, how do we fix the fact that mapping folders, Exchange and adding the system to the domain (which I just tested as working using http://servername/connectcomputer) don't work without WINS manually configured?

    Don't get me wrong, I believe it shouldn't need to be set either (since the automatic connection setup that 'Configure Remote Access' creates [sbspackage.exe] doesn't set that) but I can't get it working any other way.

    I think we're making progress though!

    +
    0 Votes
    CG IT

    But I've turned off NetBIOS over TCP/IP and actually not configured WINS on SBS boxes and haven't had any problems. I don't like NetBIOS over TCP/IP.

    DNS handles all name to address resolution on the SBS network.

    The connect computer URL is http://SBS server name/connect computer or use connectcomputer.

    Mapping drives by name requires DNS to function or, barring that, you use the address and then the share name.

    +
    0 Votes
    Trkkr

    I'm not too sure what SP is on the Exchange. We're running SBS 2003 SP2 with Exchange v.6.5.7226.0.

    Going further, with the WINS manually set to the server IP, Exchange and mapped drives work (telling it to map \\servername\shared directory). So I don't have issues on how to map drives or set up Exchange or connect computers to the domain; I've done that plenty of times.

    I've also set up hardware VPNs successfully. But this is the first time I've attempted software VPN.

    The problem looks like there's something, somewhere that isn't configured/working properly that is requiring the WINS to be manually set for this to work. I believe if I can pinpoint that, this whole thing will come together.

    +
    0 Votes
    Trkkr

    I spoke too soon. That didn't work. Before the wizard launched it said you had to be connected into the local network before it would work, so I don't think that's possible regardless of whether or not we get everything else working.

    +
    0 Votes
    CG IT

    If you get VPN to work, then you can try the different things you want to see if they will work or not.

    +
    0 Votes
    Trkkr

    Oh man. After all this and I found something that fixed ALMOST everything.

    I can now connect to the server shared directories and use Exchange through the automatically created VPN package that the server creates when you setup the RRAS through the wizard.

    All it took was opening up port 500 UDP on the router!

    So it looks like you run through the Remote Access Wizard, open up port 1723 TCP, port 500 UDP, run the sbspackage.exe on the client and it should work....

    Weird side effect is that my manually created connection with the WINS removed still won't connect.

    IP Differences between the two:

    SBS Connection:
    IP: .105
    GW: .105
    WINS: .105

    Manual Connection:
    IP: .106
    GW: [blank]
    WINS: .105

    I'm guessing that has something to do with it but I haven't investigated further yet. I'll report back if I figure it out.

    If anyone knows why that is and how to fix it, feel free to chip in.

    Personally I'm just happy to have got this figured out this far. This, of course, needs to be figured out if it gets set up on Server 2003 Standard since there is no sbspackage.exe created that way.
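Between CG IT's post on what the perimeter router must pass (TCP 1723 forwarded to the SBS box and IP protocol 47, GRE, allowed through) and the final post above (UDP 500 also had to be opened), the thread ends up with a concrete checklist. The following is an added example, not tooling from the thread or from SBS: it parses a list of forwarding rules and reports which of those three entries are missing or point at the wrong internal host. UDP 500 is IKE, which is what an L2TP/IPsec client uses to set up the tunnel; if the client sits behind NAT, UDP 4500 (IPsec NAT traversal) is usually needed as well, so it is listed as optional here. The rule-line format and the internal address 192.168.10.2 are constructed for the example and are not any particular router's syntax.

```python
"""Audit router port-forwarding rules against what a software VPN to an SBS
2003 box was found to need in the thread. Added example, not the thread's own tooling.

Required (from the posts): TCP 1723 and GRE (IP protocol 47) for PPTP, UDP 500
(IKE) for L2TP/IPsec. Optional: UDP 4500 (IPsec NAT-T) for clients behind NAT.
Rule lines use a constructed 'proto [port] -> host' format.
"""

SBS_BOX = "192.168.10.2"  # assumed internal address of the SBS server

# (proto, port); GRE is an IP protocol, not a TCP/UDP port, hence None.
REQUIRED = {("tcp", 1723), ("gre", None), ("udp", 500)}
OPTIONAL = {("udp", 4500)}

# Constructed rule list: the state described in the thread before UDP 500 was opened.
RULES_BEFORE = """\
# proto port -> internal host
tcp 1723 -> 192.168.10.2
gre -> 192.168.10.2
tcp 443 -> 192.168.10.2
"""


def parse_rules(text):
    """Parse 'proto [port] -> host' lines into a set of (proto, port, host)."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        left, _, host = line.partition("->")
        parts = left.split()
        proto = parts[0].lower()
        port = int(parts[1]) if len(parts) > 1 else None
        rules.add((proto, port, host.strip()))
    return rules


def audit_rules(rules, sbs_box=SBS_BOX):
    """Report required/optional entries that are absent, and VPN-related rules
    that forward to some host other than the SBS box (a common mistake when the
    rule was written for a machine that has since changed address)."""
    present = {(proto, port) for proto, port, host in rules if host == sbs_box}
    misdirected = [
        (proto, port, host)
        for proto, port, host in rules
        if (proto, port) in REQUIRED | OPTIONAL and host != sbs_box
    ]
    return {
        "missing": sorted(REQUIRED - present, key=str),
        "optional_missing": sorted(OPTIONAL - present, key=str),
        "misdirected": misdirected,
    }


if __name__ == "__main__":
    report = audit_rules(parse_rules(RULES_BEFORE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed "before" rule set the audit reports `missing: [('udp', 500)]`, matching the fix in the post above; adding a `udp 500 -> 192.168.10.2` line clears it and leaves only the optional NAT-T entry. Keeping the required set in one place also makes it easy to see which inbound exposure the VPN actually needs, so nothing beyond those entries gets forwarded to the server.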