Windows 2K RRAS VPN on DMZ can't authenticate users


David Hodgson

Hi folks,

I have a Windows 2K RRAS VPN server which is in my DMZ; it is part of the
domain, and the firewall between the DMZ and the internal network has all the
ports open between the DMZ network and the internal network.

My clients, when connecting to this server, get a 919 error, "the remote
computer refused to be authenticated...", at the "Verifying username and
password" stage.

Also, the VPN server cannot get a browse list of the whole domain; it looks like
it's just broadcasting on the DMZ and picking up the computers there. (I don't
know if this has anything to do with the above?)

The server knows the address of a WINS server, it can browse the AD, and it can
resolve the internal clients by name (using either DNS or WINS, I'm not sure
which).

Any help would be appreciated.

thanks
Dave
 

Phillip Windell

David Hodgson said:

> I have a Windows 2K RRAS VPN server which is in my DMZ, it is part of the
> domain and the

How can it be part of the domain when it is out in the DMZ?

> firewall between the DMZ and the Internal network has all the
> ports open between the DMZ network and the Internal network.

All 65,000+ of them? What's the point in having the firewall?

> My clients when connecting to this server get a 919 error "the remote
> computer refused to be authenticated....." at the "Verifying username and
> password"

Firewalls perform NAT and create "trusted" and "untrusted" networks. The DMZ
is "untrusted" and the LAN is "trusted". The DMZ is never supposed to see
the LAN, and therefore can never "authenticate".

> Also the VPN server cannot get a browse list of the whole domain, looks like
> it's just broadcasting on the DMZ and picking up computers there. (don't
> know if this has anything to do with the above?)

That is exactly what it is supposed to do in that environment.

You will have to explain the intent a little better here. Just because you
say you *have* a VPN server in the DMZ doesn't explain how you intend to use
it and how you expect it to perform. There are several types of VPN "models"
that all behave differently and are used in different types of
situations... and the types aren't "cross-compatible".

Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
VPNs
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/vpndpls2.mspx

Virtual Private Networking with Windows 2000: Deploying Router-to-Router
VPNs
http://www.microsoft.com/windows2000/server/evaluation/features/deplyr2rvpn.asp

Virtual Private Networking with Windows 2000: Deploying Remote Access VPNs
http://www.microsoft.com/windows2000/techinfo/planning/incremental/vpndeploy.asp

Microsoft Windows Server 2003 Remote Access/VPN Server Role
http://www.microsoft.com/technet/pr...3/serverroles/remoteaccessserver/default.mspx

Overview of Deploying Dial-up and VPN Remote Access Servers
http://www.microsoft.com/resources/...2003/all/deployguide/en-us/dnsbf_vpn_mcnx.asp
 

David Hodgson

> How can it be part of the domain when it is out in the DMZ?

Because when it uses AD to authenticate users it needs to be in the same
domain (right or wrong?).

> All 65,000+ of them? What's the point in having the Firewall?

I should have said all the ports are open between the VPN server and the
internal network; it's then controlled via ACLs to allow only that server
to connect to our internal network. It can't be spoofed because it's got an
internal IP. This is common practice.

> Firewalls perform NAT and create "trusted" and "untrusted" networks. The DMZ
> is "untrusted" and the LAN is "trusted". The DMZ is never supposed to see
> the LAN, and therefore can never "authenticate".

The DMZ can see the LAN in certain circumstances, i.e. doing what I'm doing,
Exchange FE/BE servers, etc.

It's a remote access VPN with clients connecting to it using PPTP, nothing
more.

I only asked why the server in question can't authenticate a user when it
has complete access to my internal network.
 

David Hodgson

It's OK, it was the client-side security options, where it was only set to
allow CHAP.
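The failure described in this thread is a PPP authentication-protocol mismatch: the RRAS server offers the protocols it has enabled, the client only accepts what its security options allow, and if the two sets do not overlap the connection drops at "Verifying username and password" regardless of how open the firewall is. The following PowerShell is an added example, not code from the original thread or from Microsoft's RRAS. Windows 2000 RRAS has no PowerShell interface, so the comparison is kept in a pure function that can be fed the values by hand; the commented live-check lines assume the Windows 8+/Server 2012+ `Get-VpnConnection`, `Get-VpnAuthProtocol` and `Set-VpnConnection` cmdlets and a connection name of `Corp VPN`, both assumptions. The protocol lists passed in the two sample calls are constructed to reproduce the scenario in the posts (a server that accepts MS-CHAP and MS-CHAP v2, a client restricted to CHAP, then the client widened to MS-CHAP v2).

```powershell
# Added example, not from the original thread. Models the PPP authentication
# negotiation: server's usable protocols intersected with the client's allowed
# protocols. An empty intersection is the "remote computer refused to be
# authenticated" outcome reported above.

function Compare-VpnAuthProtocols {
    param(
        [Parameter(Mandatory)] [string[]] $ServerAllowed,   # e.g. Get-VpnAuthProtocol output (assumed cmdlet)
        [Parameter(Mandatory)] [string[]] $ClientAllowed,   # e.g. Get-VpnConnection AuthenticationMethod (assumed cmdlet)
        [switch] $DomainAccountsWithoutReversibleEncryption  # default AD password storage
    )

    # Normalise spelling so 'MSChapv2', 'MS-CHAP v2' and 'MSCHAPv2' compare equal.
    $norm   = { param($p) ($p -replace '[^A-Za-z0-9]', '').ToUpperInvariant() }
    $server = @($ServerAllowed | ForEach-Object { & $norm $_ } | Sort-Object -Unique)
    $client = @($ClientAllowed | ForEach-Object { & $norm $_ } | Sort-Object -Unique)

    # CHAP (MD5) needs the plaintext password on the server side. A domain
    # account only satisfies that when "Store password using reversible
    # encryption" is set, which is off by default, so CHAP is not usable for
    # domain users even if RRAS lists it as enabled.
    if ($DomainAccountsWithoutReversibleEncryption) {
        $server = @($server | Where-Object { $_ -ne 'CHAP' })
    }

    $common = @($server | Where-Object { $client -contains $_ })

    [pscustomobject]@{
        ServerUsable     = $server
        ClientOffers     = $client
        Negotiable       = $common
        WillAuthenticate = ($common.Count -gt 0)
        Advice           = if ($common.Count -gt 0) {
            "OK: will negotiate $($common -join ', ')"
        } else {
            "No common protocol. Enable MS-CHAP v2 (or EAP) on the client or server; avoid PAP/CHAP over PPTP."
        }
    }
}

# Constructed scenario 1 (the thread's failure): server accepts MS-CHAP/MS-CHAP v2,
# client restricted to CHAP -> WillAuthenticate is $false.
Compare-VpnAuthProtocols -ServerAllowed 'MSCHAP','MSCHAPv2' -ClientAllowed 'CHAP' `
    -DomainAccountsWithoutReversibleEncryption

# Constructed scenario 2 (after the fix in the post): client also allows MS-CHAP v2
# -> Negotiable is MSCHAPV2 and WillAuthenticate is $true.
Compare-VpnAuthProtocols -ServerAllowed 'MSCHAP','MSCHAPv2' -ClientAllowed 'CHAP','MSCHAPv2' `
    -DomainAccountsWithoutReversibleEncryption

# Live check on a modern server/client pair (assumed cmdlets and connection name;
# requires the RemoteAccess and VpnClient modules, not available on Windows 2000):
# $srv = (Get-VpnAuthProtocol).UserAuthProtocolAccepted
# $cli = (Get-VpnConnection -Name 'Corp VPN').AuthenticationMethod
# Compare-VpnAuthProtocols -ServerAllowed $srv -ClientAllowed $cli -DomainAccountsWithoutReversibleEncryption
# Set-VpnConnection -Name 'Corp VPN' -AuthenticationMethod MSChapv2
```

The reversible-encryption switch is the caveat worth remembering from this thread: a client restricted to CHAP can never authenticate a normal domain account through RRAS, because the server has nothing it can compute the CHAP response against, so the right fix is on the client (allow MS-CHAP v2 or EAP), not weakening AD password storage.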