W2K VPN - Problems using a single server

Guest

We have one file server. We would like to be able to access it remotely via
VPN but also allow it to perform its general file sharing services on our
LAN. We have a DSL line provided by our Telco which also provides the router
(configured and maintained by them). I have been reading numerous articles
and they all suggest having one server for VPN and additional servers for
various other functions. Financially this is not possible with our
organization. Our Telco's router is plugged into our switch as is our server.
The gateway for our workstations and the server is the internal IP of the
router. We are not running active directory so we don't have DNS or WINS
setup on the server. Our network scheme is 192.168.0.x. Here is what I have
tried so far on our server:

Installed an additional NIC. The original NIC had an IP address of
192.168.0.254. The additional NIC was configured with an IP address of
192.168.0.253. I ran the Routing and Remote Access wizard and configured the
VPN server to use the additional NIC. I called our Telco and asked them to
configure the router so when someone hits the public IP of the router using
port 1723 it forwards that to the internal address of 192.168.0.253. They
said they understood what I was wanting to do and also set up port 47 for
GRE. When I plugged the additional NIC into our switch no one could access
the server from the LAN. It immediately dropped all of the active
connections.

Can I set up a single server to perform both functions, and will it work in
our situation where we go through a switch to connect to the router? What
should I tell our Telco in order to make this work? I have read that possibly
configuring the additional NIC with the public IP of the router may help. If
so, what needs to be done? We are willing to try just about anything at this
point.

Thanks in advance.
 
Robert L [MS-MVP]

Don't assign the same IP range on a server with two NICs. For a small business, the file server can be the VPN server. You can serve VPN with just one NIC.
For more and other information, go to http://www.howtonetworking.com/Windows/vpnsetup.htm
Don't send e-mail or reply to me unless you need consulting services. Posting on the MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!

Bill Grant

In addition to what Bob Lin said (i.e. don't use two NICs), do not use the
VPN server option in the wizard. This should only be used if the server is a
VPN server ONLY. It sets up filters to block all non-VPN traffic (hence your
LAN problem).

Here is the procedure I would recommend. Configure your server for
remote access with just one NIC. (This sets up the WAN miniports for VPN.)
Make sure you can make a VPN connection to your server from a LAN client.
Check that the router is forwarding TCP port 1723 to the RRAS server's
private IP. Then try making a VPN connection from a remote client via the
router (i.e. using the router's public IP).

Port 47 (TCP or UDP) has nothing to do with VPN. What a PPTP connection
does require is GRE, which is IP protocol 47. If your router (or anything
else in the path) blocks GRE, your connection will fail, probably with an
error 721.
 
Guest

When you say "Configure your server for remote access" do you know of a KB
article to do this?

Thanks
 
Robert L [MS-MVP]

Hi Bill, Thank you for the input. For more and other information, go to http://howtonetworking.com.

Guest

Okay, I see what you are talking about now. So would this take the GRE
protocol out of the equation? Is this still secure?

Thanks,

Nick
 
Robert L [MS-MVP]

I believe what Bill means is using an incoming connection. This may help, quoted from http://howtonetworking.com.

How to create an incoming networking connection

You can configure an incoming connection to accept the following connection types: (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct (serial, infrared, DirectParallel). On a computer running Windows 2000, 2003 or XP Pro, an incoming connection can accept up to three incoming calls, up to one of each of these types. Note: on a computer running Windows 2000/2003 Server, the number of inbound calls is limited only by the computer and its hardware configuration.

To create a VPN connection, open Network Connections > New Connection Wizard > Set up an advanced connection > Accept incoming connections, then follow the instructions.

Bill Grant

All data packets sent over a pptp connection are encrypted and
encapsulated. The encapsulation used is a modified GRE header. If you block
GRE anywhere, these packets are blocked so you get zero bytes of data
transferred and the connection closes. Allowing the GRE protocol allows the
encrypted data to pass. It does not allow anything else.
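As an added illustration of Bill's point in his two replies above (this code is not part of the thread), here is a small Python classifier that applies the rule a router or host filter needs for PPTP: TCP port 1723 for the control channel, and IP protocol 47 (GRE, which is not a port) for the tunnel data. The sample packets are constructed inline, and the enhanced GRE header layout follows RFC 2637.

```python
import struct
from ipaddress import IPv4Address

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers
PPTP_CONTROL_PORT = 1723           # PPTP control channel runs over TCP
PPP_IN_GRE = 0x880B                # protocol type PPTP puts in its enhanced GRE header


def build_ipv4(proto: int, payload: bytes, src="203.0.113.10", dst="192.168.0.254") -> bytes:
    """Construct a minimal IPv4 packet (no checksum): sample data for this example only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def classify(pkt: bytes) -> str:
    """Classify a packet the way a PPTP pass-through rule must:
    control traffic is TCP to port 1723; data traffic is IP protocol 47 (GRE)
    with version 1 (enhanced GRE) carrying PPP. Anything else is not PPTP."""
    ver_ihl, proto = pkt[0], pkt[9]
    l4 = pkt[(ver_ihl & 0x0F) * 4:]          # skip the IPv4 header (IHL in 32-bit words)
    if proto == TCP and len(l4) >= 4:
        _sport, dport = struct.unpack("!HH", l4[:4])
        if dport == PPTP_CONTROL_PORT:
            return "pptp-control"
    if proto == GRE and len(l4) >= 4:
        flags, ptype = struct.unpack("!HH", l4[:4])
        if (flags & 0x0007) == 1 and ptype == PPP_IN_GRE:   # GRE version 1 + PPP payload
            return "pptp-data"
        return "gre-other"
    return "other"


def allowed_by_pptp_rule(pkt: bytes) -> bool:
    """True only for the two packet kinds a PPTP allow rule should pass."""
    return classify(pkt) in ("pptp-control", "pptp-data")


# Constructed sample packets (payload bytes are placeholders, not real captures)
tcp_1723 = build_ipv4(TCP, struct.pack("!HH", 40000, 1723) + b"\x00" * 16)
udp_47 = build_ipv4(UDP, struct.pack("!HHHH", 40000, 47, 8, 0))   # "port 47" is not PPTP
# Enhanced GRE: flags 0x3001 = K and S bits set, version 1; then proto, length, call id, seq
gre_ppp = build_ipv4(GRE, struct.pack("!HHHHI", 0x3001, PPP_IN_GRE, 60, 7, 1) + b"\x00" * 60)
```

Forwarding "port 47" on the router, as the Telco did here, matches nothing the VPN sends; only an IP protocol 47 rule lets the tunnel data through.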
 
Guest

Bill,

Thanks for all of your help. I set it up as a Remote Access Server with one
NIC. I had the router do port forwarding on 1723 and allowed all access for
the GRE protocol. We are now up and running.

Thanks again