Desperately require help with VPN configuration

We have a pretty bizzare 2 server network configured as
follows-

SERVER 1

We have a small biz2k server which runs a very memory
hungy SQL ERP system. This server is the DC and also has
DHCP, WINS and DNS installed.
The server has one NIC for the Internal network. It has a
static IP adddress of 192.168.16.2. The server assigns IP
address' to the rest of the client PC's on the network,
including server2.
Subnet Mask is standard 255.255.255.0

SERVER 2

We also have a Windows2k member server which runs
Exchange2k and ISA2k. The server also has WINS and DNS.
(DHCP is installed but not configured).
This server has two Nic's one facing the internal network
and the other facing the BB Router.
Internal NIC - IP address this server receives via DHCP
from server1 is always 192.168.16.22
External NIC - The external NIC is configured to use
static IP of 211.XXX.XXX.252 an address leased from our
ISP. (This is the address of our external NIC we VPN into).
The External Nic is configured to use DNS of
6x.xxx.xxx.200, our ISP's DNS server. Subnet mask of
255.255.255.248
RRAS is installed on this server to allow VPN traffic.

We also have a range of leased IP address' from our ISP
211.xxx.xxx.250 to 211.xxx.xxx.260


ROUTER
We have a BB router configured for IP routing connected to
server2. This has an IP Address of 211.XXX.XXX.251

Problem - I have setup a VPN for our sales team to access
from outside our company HQ. I have right clicked "Allow
VPN connections" in ISA and also configured the users via
AD to allow them remote dial access.
They can dial in, authenticate and connect via VPN but
that is all they can do.

Here's the result from the client PC when we do an
Ipcongig/all. This was when the VPN client had established
a connection to the VPN server(server2).

PPP adapter Virtual Private Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP)
Interface
Physical Address. . . . . . . . . : xx-15-42-00-
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 169.254.19.240
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 169.254.82.127
DNS Servers . . . . . . . . . . . : 6x.xxx.xxx.200
6x.xxx.xxx.205

It seems to be finding the ISP's DNS ok 6x.xxx.xxx.200 so
i have the following three questions.


Question 1 - Why are VPN users being assigned
169.254.19.240 as their IP address when they dial in and
why from the default gateway of 169.254.82.127?
(This does not even relate to our internal network IP
range)

Question 2 - How do i change it in order that i can have
VPN clients receive one of the leased IP address' we have
211.xxx.xxx.250 to 211.xxx.xxx.260 ?

Question 3 -When a user connects via VPN they can only
browse the network via Windows explorer. They see the VPN
server (Server2) but the connection is drastically slow
even when they come in over their own BB connection. How
do i improve speed and also allow them to browse the rest
of the network?

Thanks in advance to all who have taken the time to
struggle with this or who reply. Much appreciated....

Jim
Wed Jan 14 20:28:22 CST 2004

The vpn clients are not getting an ip from any of your servers.
169.254.x.x ip assignment has a name but it is what happens when a
workstation cannot find a dhcp server.

VPN clients should not be getting leased ips. The goal of vpn is to
get inside your network, not to stay outside it. They usually get an
ip that is on the same network as your own internal network. Some
people set up the RRAS to serve up ips on another private network and
do some routing tricks. Have you set up RRAS to assign a range of IPs
on your ISA server.

Do not forget to check binding order on the ISA server. Network
Properties/Advanced/ Advanced Settings. The internal nic should be at
the top of the binding order. Don't forget to go to
support.microsoft.com and read the article 292822. You should do those
edits I believe.

What else are the clients supposed to do? If they can start-run
\\servername and see the server shares they should be able to set up
Outlook. They should hopefully see your application server. You forgot
to mention the third server you set up in application mode so the
salesforce can see the sql database. ;-)

"Robert" <anonymous@discussions.microsoft.com> wrote:

>We have a pretty bizzare 2 server network configured as
>follows-
>
>SERVER 1
>
>We have a small biz2k server which runs a very memory
>hungy SQL ERP system. This server is the DC and also has
>DHCP, WINS and DNS installed.
>The server has one NIC for the Internal network. It has a
>static IP adddress of 192.168.16.2. The server assigns IP
>address' to the rest of the client PC's on the network,
>including server2.
>Subnet Mask is standard 255.255.255.0
>
>SERVER 2
>
>We also have a Windows2k member server which runs
>Exchange2k and ISA2k. The server also has WINS and DNS.
>(DHCP is installed but not configured).
>This server has two Nic's one facing the internal network
>and the other facing the BB Router.
>Internal NIC - IP address this server receives via DHCP
>from server1 is always 192.168.16.22
>External NIC - The external NIC is configured to use
>static IP of 211.XXX.XXX.252 an address leased from our
>ISP. (This is the address of our external NIC we VPN into).
>The External Nic is configured to use DNS of
>6x.xxx.xxx.200, our ISP's DNS server. Subnet mask of
>255.255.255.248
>RRAS is installed on this server to allow VPN traffic.
>
>We also have a range of leased IP address' from our ISP
>211.xxx.xxx.250 to 211.xxx.xxx.260
>
>
>ROUTER
>We have a BB router configured for IP routing connected to
>server2. This has an IP Address of 211.XXX.XXX.251
>
>Problem - I have setup a VPN for our sales team to access
>from outside our company HQ. I have right clicked "Allow
>VPN connections" in ISA and also configured the users via
>AD to allow them remote dial access.
>They can dial in, authenticate and connect via VPN but
>that is all they can do.
>
>Here's the result from the client PC when we do an
>Ipcongig/all. This was when the VPN client had established
>a connection to the VPN server(server2).
>
>PPP adapter Virtual Private Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : WAN (PPP/SLIP)
>Interface
> Physical Address. . . . . . . . . : xx-15-42-00-
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 169.254.19.240
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . : 169.254.82.127
> DNS Servers . . . . . . . . . . . : 6x.xxx.xxx.200
> 6x.xxx.xxx.205
>
>It seems to be finding the ISP's DNS ok 6x.xxx.xxx.200 so
>i have the following three questions.
>
>
>Question 1 - Why are VPN users being assigned
>169.254.19.240 as their IP address when they dial in and
>why from the default gateway of 169.254.82.127?
>(This does not even relate to our internal network IP
>range)
>
>Question 2 - How do i change it in order that i can have
>VPN clients receive one of the leased IP address' we have
>211.xxx.xxx.250 to 211.xxx.xxx.260 ?
>
>Question 3 -When a user connects via VPN they can only
>browse the network via Windows explorer. They see the VPN
>server (Server2) but the connection is drastically slow
>even when they come in over their own BB connection. How
>do i improve speed and also allow them to browse the rest
>of the network?
>
>Thanks in advance to all who have taken the time to
>struggle with this or who reply. Much appreciated....

Jim B. SBS MVP
remove the mvp to send email

Mark
Wed Jan 14 20:39:36 CST 2004

2 issues. you need to configure DHCP on that member server with ISA.
Second, the BIGGEST problem you have. DNS!!!!!!!!!!!!!!!!!!!!! It is NOT
setup right! Go to the download section of mcse2000.com and setup
forwarders and have it give internal DNS addresses. If you look at your
event log and performance, it is lagging due to DNS misconfiguration.
Don't worry, that's common.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



"Robert" <anonymous@discussions.microsoft.com> wrote in message
news:04b301c3dafe$3a610110$a401280a@phx.gbl...
> We have a pretty bizzare 2 server network configured as
> follows-
>
> SERVER 1
>
> We have a small biz2k server which runs a very memory
> hungy SQL ERP system. This server is the DC and also has
> DHCP, WINS and DNS installed.
> The server has one NIC for the Internal network. It has a
> static IP adddress of 192.168.16.2. The server assigns IP
> address' to the rest of the client PC's on the network,
> including server2.
> Subnet Mask is standard 255.255.255.0
>
> SERVER 2
>
> We also have a Windows2k member server which runs
> Exchange2k and ISA2k. The server also has WINS and DNS.
> (DHCP is installed but not configured).
> This server has two Nic's one facing the internal network
> and the other facing the BB Router.
> Internal NIC - IP address this server receives via DHCP
> from server1 is always 192.168.16.22
> External NIC - The external NIC is configured to use
> static IP of 211.XXX.XXX.252 an address leased from our
> ISP. (This is the address of our external NIC we VPN into).
> The External Nic is configured to use DNS of
> 6x.xxx.xxx.200, our ISP's DNS server. Subnet mask of
> 255.255.255.248
> RRAS is installed on this server to allow VPN traffic.
>
> We also have a range of leased IP address' from our ISP
> 211.xxx.xxx.250 to 211.xxx.xxx.260
>
>
> ROUTER
> We have a BB router configured for IP routing connected to
> server2. This has an IP Address of 211.XXX.XXX.251
>
> Problem - I have setup a VPN for our sales team to access
> from outside our company HQ. I have right clicked "Allow
> VPN connections" in ISA and also configured the users via
> AD to allow them remote dial access.
> They can dial in, authenticate and connect via VPN but
> that is all they can do.
>
> Here's the result from the client PC when we do an
> Ipcongig/all. This was when the VPN client had established
> a connection to the VPN server(server2).
>
> PPP adapter Virtual Private Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : WAN (PPP/SLIP)
> Interface
> Physical Address. . . . . . . . . : xx-15-42-00-
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 169.254.19.240
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . : 169.254.82.127
> DNS Servers . . . . . . . . . . . : 6x.xxx.xxx.200
> 6x.xxx.xxx.205
>
> It seems to be finding the ISP's DNS ok 6x.xxx.xxx.200 so
> i have the following three questions.
>
>
> Question 1 - Why are VPN users being assigned
> 169.254.19.240 as their IP address when they dial in and
> why from the default gateway of 169.254.82.127?
> (This does not even relate to our internal network IP
> range)
>
> Question 2 - How do i change it in order that i can have
> VPN clients receive one of the leased IP address' we have
> 211.xxx.xxx.250 to 211.xxx.xxx.260 ?
>
> Question 3 -When a user connects via VPN they can only
> browse the network via Windows explorer. They see the VPN
> server (Server2) but the connection is drastically slow
> even when they come in over their own BB connection. How
> do i improve speed and also allow them to browse the rest
> of the network?
>
> Thanks in advance to all who have taken the time to
> struggle with this or who reply. Much appreciated....
>

Robert
Thu Jan 15 05:03:53 CST 2004

Mark,

How do i configure DHCP on the windows2k server?
Will it not have an impact on my network as this server is
configured to obtain it's IP address itseld via DHCP from
the small biz server on it's internal NIC?




>-----Original Message-----
>2 issues. you need to configure DHCP on that member
server with ISA.
>Second, the BIGGEST problem you have.
DNS!!!!!!!!!!!!!!!!!!!!! It is NOT
>setup right! Go to the download section of mcse2000.com
and setup
>forwarders and have it give internal DNS addresses. If
you look at your
>event log and performance, it is lagging due to DNS
misconfiguration.
>Don't worry, that's common.
>
>--
>Sincerely,
>Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I
4&2000
>www.MCSE2000.com
>www.AppLauncher.com
>
>
>
>"Robert" <anonymous@discussions.microsoft.com> wrote in
message
>news:04b301c3dafe$3a610110$a401280a@phx.gbl...
>> We have a pretty bizzare 2 server network configured as
>> follows-
>>
>> SERVER 1
>>
>> We have a small biz2k server which runs a very memory
>> hungy SQL ERP system. This server is the DC and also has
>> DHCP, WINS and DNS installed.
>> The server has one NIC for the Internal network. It has
a
>> static IP adddress of 192.168.16.2. The server assigns
IP
>> address' to the rest of the client PC's on the network,
>> including server2.
>> Subnet Mask is standard 255.255.255.0
>>
>> SERVER 2
>>
>> We also have a Windows2k member server which runs
>> Exchange2k and ISA2k. The server also has WINS and DNS.
>> (DHCP is installed but not configured).
>> This server has two Nic's one facing the internal
network
>> and the other facing the BB Router.
>> Internal NIC - IP address this server receives via DHCP
>> from server1 is always 192.168.16.22
>> External NIC - The external NIC is configured to use
>> static IP of 211.XXX.XXX.252 an address leased from our
>> ISP. (This is the address of our external NIC we VPN
into).
>> The External Nic is configured to use DNS of
>> 6x.xxx.xxx.200, our ISP's DNS server. Subnet mask of
>> 255.255.255.248
>> RRAS is installed on this server to allow VPN traffic.
>>
>> We also have a range of leased IP address' from our ISP
>> 211.xxx.xxx.250 to 211.xxx.xxx.260
>>
>>
>> ROUTER
>> We have a BB router configured for IP routing connected
to
>> server2. This has an IP Address of 211.XXX.XXX.251
>>
>> Problem - I have setup a VPN for our sales team to
access
>> from outside our company HQ. I have right clicked "Allow
>> VPN connections" in ISA and also configured the users
via
>> AD to allow them remote dial access.
>> They can dial in, authenticate and connect via VPN but
>> that is all they can do.
>>
>> Here's the result from the client PC when we do an
>> Ipcongig/all. This was when the VPN client had
established
>> a connection to the VPN server(server2).
>>
>> PPP adapter Virtual Private Connection:
>>
>> Connection-specific DNS Suffix . :
>> Description . . . . . . . . . . . : WAN
(PPP/SLIP)
>> Interface
>> Physical Address. . . . . . . . . : xx-15-42-00-
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . :
169.254.19.240
>> Subnet Mask . . . . . . . . . . . :
255.255.255.255
>> Default Gateway . . . . . . . . . :
169.254.82.127
>> DNS Servers . . . . . . . . . . . :
6x.xxx.xxx.200
>>
6x.xxx.xxx.205
>>
>> It seems to be finding the ISP's DNS ok 6x.xxx.xxx.200
so
>> i have the following three questions.
>>
>>
>> Question 1 - Why are VPN users being assigned
>> 169.254.19.240 as their IP address when they dial in and
>> why from the default gateway of 169.254.82.127?
>> (This does not even relate to our internal network IP
>> range)
>>
>> Question 2 - How do i change it in order that i can have
>> VPN clients receive one of the leased IP address' we
have
>> 211.xxx.xxx.250 to 211.xxx.xxx.260 ?
>>
>> Question 3 -When a user connects via VPN they can only
>> browse the network via Windows explorer. They see the
VPN
>> server (Server2) but the connection is drastically slow
>> even when they come in over their own BB connection. How
>> do i improve speed and also allow them to browse the
rest
>> of the network?
>>
>> Thanks in advance to all who have taken the time to
>> struggle with this or who reply. Much appreciated....
>>
>
>
>.
>

Jim
Thu Jan 15 07:10:30 CST 2004

You can set RRAS to serve up a small range of ips manually. You can
choose high numbers so your SBS does not serve them or better yet just
exclude them from being served by your SBS by opening the SBS dhcp
manager and doing an exclusion. After that open RRAS on your ISA
server, right click your server name and click on the ip tab to deal
with RRAS ip assignment.

"Robert" <anonymous@discussions.microsoft.com> wrote:

>Mark,
>
>How do i configure DHCP on the windows2k server?
>Will it not have an impact on my network as this server is
>configured to obtain it's IP address itseld via DHCP from
>the small biz server on it's internal NIC?
>
>
>
>
>>-----Original Message-----
>>2 issues. you need to configure DHCP on that member
>server with ISA.
>>Second, the BIGGEST problem you have.
>DNS!!!!!!!!!!!!!!!!!!!!! It is NOT
>>setup right! Go to the download section of mcse2000.com
>and setup
>>forwarders and have it give internal DNS addresses. If
>you look at your
>>event log and performance, it is lagging due to DNS
>misconfiguration.
>>Don't worry, that's common.
>>
>>--
>>Sincerely,
>>Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I
>4&2000
>>www.MCSE2000.com
>>www.AppLauncher.com
>>
>>
>>
>>"Robert" <anonymous@discussions.microsoft.com> wrote in
>message
>>news:04b301c3dafe$3a610110$a401280a@phx.gbl...
>>> We have a pretty bizzare 2 server network configured as
>>> follows-
>>>
>>> SERVER 1
>>>
>>> We have a small biz2k server which runs a very memory
>>> hungy SQL ERP system. This server is the DC and also has
>>> DHCP, WINS and DNS installed.
>>> The server has one NIC for the Internal network. It has
>a
>>> static IP adddress of 192.168.16.2. The server assigns
>IP
>>> address' to the rest of the client PC's on the network,
>>> including server2.
>>> Subnet Mask is standard 255.255.255.0
>>>
>>> SERVER 2
>>>
>>> We also have a Windows2k member server which runs
>>> Exchange2k and ISA2k. The server also has WINS and DNS.
>>> (DHCP is installed but not configured).
>>> This server has two Nic's one facing the internal
>network
>>> and the other facing the BB Router.
>>> Internal NIC - IP address this server receives via DHCP
>>> from server1 is always 192.168.16.22
>>> External NIC - The external NIC is configured to use
>>> static IP of 211.XXX.XXX.252 an address leased from our
>>> ISP. (This is the address of our external NIC we VPN
>into).
>>> The External Nic is configured to use DNS of
>>> 6x.xxx.xxx.200, our ISP's DNS server. Subnet mask of
>>> 255.255.255.248
>>> RRAS is installed on this server to allow VPN traffic.
>>>
>>> We also have a range of leased IP address' from our ISP
>>> 211.xxx.xxx.250 to 211.xxx.xxx.260
>>>
>>>
>>> ROUTER
>>> We have a BB router configured for IP routing connected
>to
>>> server2. This has an IP Address of 211.XXX.XXX.251
>>>
>>> Problem - I have setup a VPN for our sales team to
>access
>>> from outside our company HQ. I have right clicked "Allow
>>> VPN connections" in ISA and also configured the users
>via
>>> AD to allow them remote dial access.
>>> They can dial in, authenticate and connect via VPN but
>>> that is all they can do.
>>>
>>> Here's the result from the client PC when we do an
>>> Ipcongig/all. This was when the VPN client had
>established
>>> a connection to the VPN server(server2).
>>>
>>> PPP adapter Virtual Private Connection:
>>>
>>> Connection-specific DNS Suffix . :
>>> Description . . . . . . . . . . . : WAN
>(PPP/SLIP)
>>> Interface
>>> Physical Address. . . . . . . . . : xx-15-42-00-
>>> DHCP Enabled. . . . . . . . . . . : No
>>> IP Address. . . . . . . . . . . . :
>169.254.19.240
>>> Subnet Mask . . . . . . . . . . . :
>255.255.255.255
>>> Default Gateway . . . . . . . . . :
>169.254.82.127
>>> DNS Servers . . . . . . . . . . . :
>6x.xxx.xxx.200
>>>
>6x.xxx.xxx.205
>>>
>>> It seems to be finding the ISP's DNS ok 6x.xxx.xxx.200
>so
>>> i have the following three questions.
>>>
>>>
>>> Question 1 - Why are VPN users being assigned
>>> 169.254.19.240 as their IP address when they dial in and
>>> why from the default gateway of 169.254.82.127?
>>> (This does not even relate to our internal network IP
>>> range)
>>>
>>> Question 2 - How do i change it in order that i can have
>>> VPN clients receive one of the leased IP address' we
>have
>>> 211.xxx.xxx.250 to 211.xxx.xxx.260 ?
>>>
>>> Question 3 -When a user connects via VPN they can only
>>> browse the network via Windows explorer. They see the
>VPN
>>> server (Server2) but the connection is drastically slow
>>> even when they come in over their own BB connection. How
>>> do i improve speed and also allow them to browse the
>rest
>>> of the network?
>>>
>>> Thanks in advance to all who have taken the time to
>>> struggle with this or who reply. Much appreciated....
>>>
>>
>>
>>.
>>

Jim B. SBS MVP
remove the mvp to send email