3rd party VPN clients cannot connect to SBS


Post by Mark » Wed, 28 May 2003 04:09:09



I have a Netscreen Router/VPN running alongside my SBS
server.  I can connect remotely to the VPN just fine and
ping all the client machines running on the local LAN,
but if I try to ping the SBS server the packets just get
dropped.

What I really want to do is access Exchange over the VPN,
but I just can't seem to make it work - it feels like ISA
(on the SBS server) is blocking connections altogether.

Has anyone got any bright ideas to get this working?

TIA,

Mark.

 
 
 


Post by Steve Foster [SBS MVP] » Wed, 28 May 2003 07:00:16



> I have a Netscreen Router/VPN running alongside my SBS server.  I can
> connect remotely to the VPN just fine and ping all the client machines
> running on the local LAN, but if I try to ping the SBS server the packets
> just get dropped.

> What I really want to do is access Exchange over the VPN, but I just
> can't seem to make it work - it feels like ISA (on the SBS server) is
> blocking connections altogether.

You haven't given us enough information...

Is the netscreen installed as the gateway to the internet? Does the SBS
have one nic or two? If two, are you using the internal address when trying
to communicate with the server?

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

 
 
 


Post by Mark » Wed, 28 May 2003 07:30:46


>You haven't given us enough information...

>Is the netscreen installed as the gateway to the internet? Does the SBS
>have one nic or two? If two, are you using the internal address when trying
>to communicate with the server?

Sorry for the lack of info :)

The Netscreen is the gateway to the Internet.  It has
an 'external' address (217.aaa.bbb.ccc) and an internal
address of 192.168.0.1.

SBS server has two NICs, 'external' (217.xxx.yyy.zzz) and
an internal of 192.168.0.2.

I can initiate the VPN connection and remotely ping other
client machines on the server's LAN, but I can't ping the
internal SBS interface.

If I log into the server over terminal services (to the
external address!) and run a ping, I can see the ping
hitting the internal NIC (the icon blinks accordingly)
but no reply comes back.

Thanks in advance for any clues as to what might be going
wrong.

Mark.

 
 
 


Post by Steve Foster [SBS MVP] » Wed, 28 May 2003 07:55:47



>> You haven't given us enough information...

>> Is the netscreen installed as the gateway to the internet? Does the SBS
>> have one nic or two? If two, are you using the internal address when
>> trying to communicate with the server?

> Sorry for the lack of info :)

> The Netscreen is the gateway to the Internet.  It has an 'external'
> address (217.aaa.bbb.ccc) and an internal address of 192.168.0.1.

> SBS server has two NICs, 'external' (217.xxx.yyy.zzz) and an internal of
> 192.168.0.2.

> I can initiate the VPN connection and remotely ping other client machines
> on the server's LAN, but I can't ping the internal SBS interface.

> If I log into the server over terminal services (to the external
> address!) and run a ping, I can see the ping hitting the internal NIC
> (the icon blinks accordingly) but no reply comes back.

> Thanks in advance for any clues as to what might be going wrong.

> Mark.

And what do internal clients have for the default gateway - the netscreen
or the SBS? My money would be on the netscreen.

But the SBS will not have a default gateway on the internal nic (quite
correctly). And I'm guessing the VPN IP is not 192.168.0.x but some other
internal range. You probably should add the VPN IP range to the SBS LAT. Or
get rid of the netscreen entirely since SBS could handle the VPN for itself
(or place the netscreen in front of SBS and have a DMZ).

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

 
 
 


Post by Mark » Wed, 28 May 2003 08:13:10


>And what do internal clients have for the default gateway - the netscreen
>or the SBS? My money would be on the netscreen.

Correct...

>But the SBS will not have a default gateway on the internal nic (quite
>correctly). And I'm guessing the VPN IP is not 192.168.0.x but some other
>internal range. You probably should add the VPN IP range to the SBS LAT. Or

That's right - my LAN at home is 192.168.1.x.  I have
added this range to the SBS LAT already...

>get rid of the netscreen entirely since SBS could handle the VPN for itself

I have thought of this, but looking around the net I get
the impression that Windows VPN could be quite
troublesome to set up, or even reduce the reliability of
the SBS server (I know one person who has to reboot his
SBS regularly as it locks up totally sometimes as a
result of something going wrong with the VPN).

What do you think - would you trust SBS to handle VPN
reliably considering what else runs on the box?

>(or place the netscreen in front of SBS and have a DMZ).

This is definitely an option, but I don't see how it
would solve the problem as I'm still pinging the Internal
interface...

Thanks again,

Mark.

 
 
 


Post by Susan Bradley, CPA aka Ebitz SBS Rocks [MVP] » Wed, 28 May 2003 09:35:25


That lock up is due to something else, not the VPN in Windows.  It's not
that much brain surgery to set it up....  ;-)

And has it done the needed registry edits as per KB 292822?

Microsoft Smallbusiness 2000 - Frequently Asked Questions:
http://www.smallbizserver.net/Remote/How_do_I_configure_the_server_fo...


> >And what do internal clients have for the default gateway - the netscreen
> >or the SBS? My money would be on the netscreen.

> Correct...

> >But the SBS will not have a default gateway on the internal nic (quite
> >correctly). And I'm guessing the VPN IP is not 192.168.0.x but some other
> >internal range. You probably should add the VPN IP range to the SBS LAT. Or

> That's right - my LAN at home is 192.168.1.x.  I have
> added this range to the SBS LAT already...

> >get rid of the netscreen entirely since SBS could handle the VPN for itself

> I have thought of this, but looking around the net I get
> the impression that Windows VPN could be quite
> troublesome to set up, or even reduce the reliability of
> the SBS server (I know one person who has to reboot his
> SBS regularly as it locks up totally sometimes as a
> result of something going wrong with the VPN).

> What do you think - would you trust SBS to handle VPN
> reliably considering what else runs on the box?

> >(or place the netscreen in front of SBS and have a DMZ).

> This is definitely an option, but I don't see how it
> would solve the problem as I'm still pinging the Internal
> interface...

> Thanks again,

> Mark.

 
 
 


Post by Craig Pfa » Wed, 28 May 2003 14:40:18


So you are using the netscreen as a vpn concentrator.  This is OK in my book
as it can offload some of the work to the netscreen.

Now about the clients, are they XP, win98 etc? I have had some 98 clients
that needed the lmhosts file modified to access the server properly. A
couple of XP systems needed that also.

Also, I have had a SOHO+ unit where if I logged the VPN clients in with a
domain name (to join), they could not access the server at all like you say.
When you just log them into the snapgear without a domain name, they
connected fine.  This could be your issue and you may need to check into
that.

Craig


> >And what do internal clients have for the default gateway - the netscreen
> >or the SBS? My money would be on the netscreen.

> Correct...

> >But the SBS will not have a default gateway on the internal nic (quite
> >correctly). And I'm guessing the VPN IP is not 192.168.0.x but some other
> >internal range. You probably should add the VPN IP range to the SBS LAT. Or

> That's right - my LAN at home is 192.168.1.x.  I have
> added this range to the SBS LAT already...

> >get rid of the netscreen entirely since SBS could handle the VPN for itself

> I have thought of this, but looking around the net I get
> the impression that Windows VPN could be quite
> troublesome to set up, or even reduce the reliability of
> the SBS server (I know one person who has to reboot his
> SBS regularly as it locks up totally sometimes as a
> result of something going wrong with the VPN).

> What do you think - would you trust SBS to handle VPN
> reliably considering what else runs on the box?

> >(or place the netscreen in front of SBS and have a DMZ).

> This is definitely an option, but I don't see how it
> would solve the problem as I'm still pinging the Internal
> interface...

> Thanks again,

> Mark.

 
 
 


Post by Mark » Wed, 28 May 2003 17:48:08


Hi Susan,

So are you saying that if the VPN server is set up
properly it won't lock up the server or require it to be
rebooted more often?

Thanks !

mark.

>-----Original Message-----
>That lock up is due to something else, not the VPN in Windows.  It's not
>that much brain surgery to set it up....  ;-)

>And has it done the needed registry edits as per KB 292822?

>Microsoft Smallbusiness 2000 - Frequently Asked Questions:
>http://www.smallbizserver.net/Remote/How_do_I_configure_the_server_for_remote_access_with_VPN.aspx

>> >And what do internal clients have for the default gateway - the netscreen
>> >or the SBS? My money would be on the netscreen.

>> Correct...

>> >But the SBS will not have a default gateway on the internal nic (quite
>> >correctly). And I'm guessing the VPN IP is not 192.168.0.x but some other
>> >internal range. You probably should add the VPN IP range to the SBS LAT. Or

>> That's right - my LAN at home is 192.168.1.x.  I have
>> added this range to the SBS LAT already...

>> >get rid of the netscreen entirely since SBS could handle the VPN for itself

>> I have thought of this, but looking around the net I get
>> the impression that Windows VPN could be quite
>> troublesome to set up, or even reduce the reliability of
>> the SBS server (I know one person who has to reboot his
>> SBS regularly as it locks up totally sometimes as a
>> result of something going wrong with the VPN).

>> What do you think - would you trust SBS to handle VPN
>> reliably considering what else runs on the box?

>> >(or place the netscreen in front of SBS and have a DMZ).

>> This is definitely an option, but I don't see how it
>> would solve the problem as I'm still pinging the Internal
>> interface...

>> Thanks again,

>> Mark.

 
 
 


Post by Mark » Wed, 28 May 2003 17:54:54


Thanks Craig.

>So you are using the netscreen as a vpn concentrator.  This is OK in my book
>as it can offload some of the work to the netscreen.

>Now about the clients, are they XP, win98 etc? I have had some 98 clients
>that needed the lmhosts file modified to access the server properly. A
>couple of XP systems needed that also.

The clients are a mix of 2000 and XP machines.

>Also, I have had a SOHO+ unit where if I logged the VPN clients in with a
>domain name (to join), they could not access the server at all like you say.
>When you just log them into the snapgear without a domain name, they
>connected fine.  This could be your issue and you may need to check into
>that.

We are not logging in using a domain - just a user name
and preshared key...  I can connect to the VPN and ping
other clients on the server's LAN just fine, but when I
ping the server's internal IP there is no reply, even
though I can see the ping hitting the server's internal
interface.

I am sure that it is something to do with ISA not knowing
how to route a reply back across the VPN box (there is
obviously no gateway for the internal interface) and so it
either routes it to the external interface or drops the
packet altogether - I'm not sure which...

Thanks,

Mark.


 
 
 


Post by Steve Foster [SBS MVP] » Wed, 28 May 2003 18:22:51



>> And what do internal clients have for the default gateway - the netscreen
>> or the SBS? My money would be on the netscreen.

> Correct...

>> But the SBS will not have a default gateway on the internal nic (quite
>> correctly). And I'm guessing the VPN IP is not 192.168.0.x but some other
>> internal range. You probably should add the VPN IP range to the SBS LAT. Or

> That's right - my LAN at home is 192.168.1.x.  I have added this range to
> the SBS LAT already...

Your Home LAN IP range is not relevant, unless you're also using a
netscreen. If it's a VPN connectoid of some sort on a Windows machine, you
need to look at what IP range the netscreen is handing out for VPN sessions
(ipconfig /all while the VPN is up should tell you).

Is there a static route defined in SBS for the VPN IP range(s), telling the
SBS to pass those packets to the netscreen?

>> get rid of the netscreen entirely since SBS could handle the VPN for itself

> I have thought of this, but looking around the net I get the impression
> that Windows VPN could be quite troublesome to set up, or even reduce the
> reliability of the SBS server (I know one person who has to reboot his
> SBS regularly as it locks up totally sometimes as a result of something
> going wrong with the VPN).

> What do you think - would you trust SBS to handle VPN reliably
> considering what else runs on the box?

I use SBS VPN regularly without issue.

>> (or place the netscreen in front of SBS and have a DMZ).

> This is definitely an option, but I don't see how it would solve the
> problem as I'm still pinging the Internal interface...

You would either terminate the VPN in front of the SBS, and then have
particular access policies setup in ISA to allow inbound access from the
DMZ, or again SBS would be handling the VPN (PPTP only in this case).

One of my clients has this configuration of a hardware VPN firewall in
front of the SBS, and we use IPSec VPN to get to the DMZ (where there are
some webservers we manage) and then PPTP VPN is passed-through to SBS for
LAN access by the boss and myself.

--
Steve Foster [SBS MVP]
---------------------------------------
MVPs do not work for Microsoft. Please reply only to the newsgroups.

 
 
 


Post by Mark » Wed, 28 May 2003 19:15:59


>Your Home LAN IP range is not relevant, unless you're also using a
>netscreen. If it's a VPN connectoid of some sort on a Windows machine, you
>need to look at what IP range the netscreen is handing out for VPN sessions
>(ipconfig /all while the VPN is up should tell you).

Yes I looked there before, but the only interface on the
machine is the LAN nic - the Netscreen client did not add
any virtual interfaces or anything...  But I can ping
other machines across the VPN so I don't think there is a
problem there...

>Is there a static route defined in SBS for the VPN IP range(s), telling the
>SBS to pass those packets to the netscreen?

Nope - where and what would I need to add for this?

>>> get rid of the netscreen entirely since SBS could handle the VPN for itself

>> I have thought of this, but looking around the net I get the impression
>> that Windows VPN could be quite troublesome to set up, or even reduce the
>> reliability of the SBS server (I know one person who has to reboot his
>> SBS regularly as it locks up totally sometimes as a result of something
>> going wrong with the VPN).

>> What do you think - would you trust SBS to handle VPN reliably
>> considering what else runs on the box?

>I use SBS VPN regularly without issue.

I am going to set up a testbed for this later today to see
how reliable it is...

>>> (or place the netscreen in front of SBS and have a DMZ).

>> This is definitely an option, but I don't see how it would solve the
>> problem as I'm still pinging the Internal interface...

>You would either terminate the VPN in front of the SBS, and then have
>particular access policies setup in ISA to allow inbound access from the
>DMZ, or again SBS would be handling the VPN (PPTP only in this case).

>One of my clients has this configuration of a hardware VPN firewall in
>front of the SBS, and we use IPSec VPN to get to the DMZ (where there are
>some webservers we manage) and then PPTP VPN is passed-through to SBS for
>LAN access by the boss and myself.

This sounds horribly complicated, I wouldn't want to do
this unless I had exhausted other options - besides it
means some pretty dramatic reconfiguration of an important
server ;)

I am coming to the opinion that the problem is SBS not
knowing where packets going back across the VPN should be
routed...  But I'm not sure what to do about it...

Thanks for all your help so far...

Mark.
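
Added example, not written by anyone in this thread: a small longest-prefix-match model of the dual-homed SBS routing table, showing why a reply to a VPN client leaves by the external NIC until a static route for the VPN range points at the Netscreen (192.168.0.1). Assumptions: the external subnet and gateway use the constructed range 203.0.113.0/24 because the thread masks the real addresses, and the VPN client is assumed to keep its home LAN address in 192.168.1.0/24, which the thread does not confirm.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next-hop address, or "on-link" for a directly attached subnet
    interface: str    # "internal" or "external" NIC of the SBS
    metric: int = 1


def net(cidr):
    return ipaddress.ip_network(cidr)


# Assumptions, labelled: constructed external addressing and an assumed VPN range.
EXTERNAL_GW = "203.0.113.1"        # constructed default gateway on the external NIC
NETSCREEN_INTERNAL = "192.168.0.1" # from the thread
VPN_RANGE = "192.168.1.0/24"       # assumed; check what source address actually arrives


def sbs_routes():
    """Routing table of the SBS as described: default gateway only on the external NIC."""
    return [
        Route(net("0.0.0.0/0"), EXTERNAL_GW, "external"),
        Route(net("203.0.113.0/24"), "on-link", "external"),
        Route(net("192.168.0.0/24"), "on-link", "internal"),
    ]


def with_static_route(table):
    """Equivalent of: route -p add 192.168.1.0 mask 255.255.255.0 192.168.0.1"""
    return table + [Route(net(VPN_RANGE), NETSCREEN_INTERNAL, "internal")]


def lookup(table, dst):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def reply_path(table, client_ip):
    """Interface and next hop the SBS uses for a reply to client_ip."""
    route = lookup(table, client_ip)
    return (route.interface, route.gateway)


if __name__ == "__main__":
    vpn_client = "192.168.1.50"   # constructed VPN client address
    lan_client = "192.168.0.25"   # constructed LAN client address
    before = sbs_routes()
    after = with_static_route(before)
    print("LAN client reply        :", reply_path(before, lan_client))
    print("VPN client reply, before:", reply_path(before, vpn_client))
    print("VPN client reply, after :", reply_path(after, vpn_client))
```

The route only fixes the return path; the same range still has to be in the ISA LAT, as suggested earlier in the thread, for ISA to treat it as internal.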

 
 
 
