VPN and TS problems

TheMSsForum.com: The Microsoft Software Forum

One acount has a sbs on the 192.168.15.x network. They could not VPN
out from a workstation until I set up their server to accept incoming
vpn connection by running the RRAS vpn setup. Now that does not make
sense to me.

The frustration is that they can VPN to an account but they cannot ts
to the servers private ip. When the vpn connection is running they can
rdp to an exteranl real world ip on other servers. I have not tested
this situation on my SBS to see if it is something special on their
SBS install.
Jim B. SBS MVP
remove the mvp to send email
Top

Re: VPN and TS problems by Mark

Mark
Tue Nov 04 07:43:01 CST 2003

The first issue just sounds like an ISA thing but your issue with TS. Can
they ping the server's IP? NetBios? FQDN? Is the network address different
(I assume it is)? MS VPN shouldn't interfere with TS, some others do. But
as mentioned previously and acknowleged in the TS NG, MS VPN and TS is
redundant. Other VPN and TS is not.

--
Sincerely,
Mark Mancini, CCA, CCNA, Master CIW&CI, CNE 4&5, MCSE+I 4&2000
www.MCSE2000.com
www.AppLauncher.com



<JimBehningmvp@mindspring.com> wrote in message
news:l1aeqvk8rpkk864tls0k9quh5fhj71gkcm@4ax.com...
> One acount has a sbs on the 192.168.15.x network. They could not VPN
> out from a workstation until I set up their server to accept incoming
> vpn connection by running the RRAS vpn setup. Now that does not make
> sense to me.
>
> The frustration is that they can VPN to an account but they cannot ts
> to the servers private ip. When the vpn connection is running they can
> rdp to an exteranl real world ip on other servers. I have not tested
> this situation on my SBS to see if it is something special on their
> SBS install.
> Jim B. SBS MVP
> remove the mvp to send email


Top

RE: VPN and TS problems by petergal

petergal
Tue Nov 04 19:07:36 CST 2003



Hello Jim,

Couple of points here:
To VPN through ISA, you have to do 2 things:
1. Run the ICW and choose VPN.
2. Allow IP Routing on the properties of the servername in ISA Management.

#1 above goes against basic ISA stuff, as it opens a packet filter for VPN
on the server. Packet filters only affect stuff on the server, not
clients. VPN is the exception to the rule.

To TS into a server on the remote network, you will need to disable the
firewall client on the local machine.

Thanks for posting!!

Regards,
Peter Gallagher
Microsoft Product Support
Small Business Server Team



Top

Re: VPN and TS problems by Les

Les
Tue Nov 04 20:22:14 CST 2003

I wish I could remember what I did to be able to vpn and ts (either, or
both) from behind isa to servers also behind isa.

I think it's this:

10. addresses on the 'home' sbs. 192. addy's on all remote sbs. Add the 192.
addy to the lat on the home sbs. Now you can ts from a client box with the
firewall client enabled.

VPN: All SBS systems set up with separate scope ip pool for VPN, in the 172.
range. Add that to the home system lat. Now you can vpn and/or ts over vpn
without disabling the firewall client. (but you can't browse the web while
the vpn is active).

If you're interested give it a shot, or I can confirm the setup tomorrow.

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !



""Peter Gallagher [MSFT]"" <petergal@online.microsoft.com> wrote in message
news:UY6l2kzoDHA.2700@cpmsftngxa06.phx.gbl...
>
>
> Hello Jim,
>
> Couple of points here:
> To VPN through ISA, you have to do 2 things:
> 1. Run the ICW and choose VPN.
> 2. Allow IP Routing on the properties of the servername in ISA
Management.
>
> #1 above goes against basic ISA stuff, as it opens a packet filter for VPN
> on the server. Packet filters only affect stuff on the server, not
> clients. VPN is the exception to the rule.
>
> To TS into a server on the remote network, you will need to disable the
> firewall client on the local machine.
>
> Thanks for posting!!
>
> Regards,
> Peter Gallagher
> Microsoft Product Support
> Small Business Server Team
>
>
>


Top

Re: VPN and TS problems by Merv

Merv
Tue Nov 04 21:33:30 CST 2003

I think you're right on target Les (add remote SBS IP to LAT).

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=eRwp%24rklCHA.1864%40tkmsftngp02&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dhave%2Bto%2Bdisable%2Bfirewall%2Bcleint


--
Merv Porter [SBS MVP]
===================================
"Les Connor [SBS MVP]" <les.connor@cfiveDEL.ca> wrote in message
news:#NDGiO0oDHA.1632@TK2MSFTNGP10.phx.gbl...
> I wish I could remember what I did to be able to vpn and ts (either, or
> both) from behind isa to servers also behind isa.
>
> I think it's this:
>
> 10. addresses on the 'home' sbs. 192. addy's on all remote sbs. Add the
192.
> addy to the lat on the home sbs. Now you can ts from a client box with the
> firewall client enabled.
>
> VPN: All SBS systems set up with separate scope ip pool for VPN, in the
172.
> range. Add that to the home system lat. Now you can vpn and/or ts over vpn
> without disabling the firewall client. (but you can't browse the web while
> the vpn is active).
>
> If you're interested give it a shot, or I can confirm the setup tomorrow.
>
> --
> Les Connor [SBS MVP]
> -------------------------------------
> SBS Rocks !
>
>
>
> ""Peter Gallagher [MSFT]"" <petergal@online.microsoft.com> wrote in
message
> news:UY6l2kzoDHA.2700@cpmsftngxa06.phx.gbl...
> >
> >
> > Hello Jim,
> >
> > Couple of points here:
> > To VPN through ISA, you have to do 2 things:
> > 1. Run the ICW and choose VPN.
> > 2. Allow IP Routing on the properties of the servername in ISA
> Management.
> >
> > #1 above goes against basic ISA stuff, as it opens a packet filter for
VPN
> > on the server. Packet filters only affect stuff on the server, not
> > clients. VPN is the exception to the rule.
> >
> > To TS into a server on the remote network, you will need to disable the
> > firewall client on the local machine.
> >
> > Thanks for posting!!
> >
> > Regards,
> > Peter Gallagher
> > Microsoft Product Support
> > Small Business Server Team
> >
> >
> >
>
>


Top

Re: VPN and TS problems by JimBehningmvp

JimBehningmvp
Wed Nov 05 21:01:11 CST 2003

I will try to make sense of Mark, Peter, Les and Merv's suggestions
tomorrow assuming dead hard drives, power supplies and other gremlins
do not eat into my day. Thanks for all the suggestions. I will report
back soon.

"Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote:

>I think you're right on target Les (add remote SBS IP to LAT).
>
>http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=eRwp%24rklCHA.1864%40tkmsftngp02&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dhave%2Bto%2Bdisable%2Bfirewall%2Bcleint

Jim B. SBS MVP
remove the mvp to send email
Top

Re: VPN and TS problems by Jim

Jim
Tue Nov 11 13:35:22 CST 2003

I called MS PSS and solved one of the problems. We went
into HKLM software Microsoft MS Licensing store and
deleted a few keys. It appears that there were some
corrupt keys that were preventing that workstation from
accessing some rdp sites.

I have some lingering issues related to Cisco but someon
walked off with the Cisoc software so I am on a holding
pattern with PSS.


>-----Original Message-----
>I will try to make sense of Mark, Peter, Les and Merv's
suggestions
>tomorrow assuming dead hard drives, power supplies and
other gremlins
>do not eat into my day. Thanks for all the suggestions. I
will report
>back soon.
>
>"Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam>
wrote:
>
>>I think you're right on target Les (add remote SBS IP to
LAT).
>>
>>http://groups.google.com/groups?hl=en&lr=&ie=UTF-
8&oe=UTF-8&threadm=eRwp%24rklCHA.1864%
40tkmsftngp02&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%
3DUTF-8%26oe%3DUTF-8%26q%3Dhave%2Bto%2Bdisable%2Bfirewall%
2Bcleint
>
>Jim B. SBS MVP
>remove the mvp to send email
>.
>
Top

Re: VPN and TS problems by JimBehningmvp

JimBehningmvp
Sat Nov 15 10:51:54 CST 2003

The lat stuff helped with some problems. There was an issue of corrupt
mslicensing keys in hklm/software/microsoft/mslicensing. Also the
Cisco vpn client caused problems. My newsgroup reader was being fussy
and it took me a while to get it fixed. Alomost as long as it took me
to fix the clients problem. Keith at MS PSS fixed the corrupt
licensing key in about 5 minutes. That was well worth the call to move
forward.

JimBehningmvp@mindspring.com wrote:

>I will try to make sense of Mark, Peter, Les and Merv's suggestions
>tomorrow assuming dead hard drives, power supplies and other gremlins
>do not eat into my day. Thanks for all the suggestions. I will report
>back soon.
>
>"Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote:
>
>>I think you're right on target Les (add remote SBS IP to LAT).
>>
>>http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=eRwp%24rklCHA.1864%40tkmsftngp02&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dhave%2Bto%2Bdisable%2Bfirewall%2Bcleint
>
>Jim B. SBS MVP
>remove the mvp to send email

Jim B. SBS MVP
remove the mvp to send email
Top