jdaniel56 (United States) asked:
More VPN Issues

We are running Microsoft Small Business Server 2003 SP1. The SBS has the conventional 2-NIC setup: one for the internal LAN and one for (external) WAN access. We are not running ISA. The WAN NIC is connected to a Netopia 3347NWG-006 DSL Router provided by our ISP, BellSouth. We have a static "public" IP. The following is a diagram of our setup:

 ____________________________ SBS Server ____________________________
|                                                                    |
NIC 1                                                            NIC 2
IP 192.168.16.254                                         IP 192.168.0.2
|                                                                    |
Dell PowerConnect Switch             Netopia 3347NWG-006 DSL Router/Switch
(XP Pro workstations also attached to switch)              IP 192.168.0.1
                                                                     |
                                                                 Internet

We have a customer that has a single XP Pro computer behind a Netgear FVS 114 firewall. The customer has a VPN configured with the FVS 114. The customer's IT staff furnished us with Netgear ProSafe VPN client software (with a profile) to install on one of our XP workstations to use for accessing the customer's VPN using IKE. We are not successful making the connection thru our SBS network. The customer's IT staff can "see" us trying to connect, but we are not able to "receive" commands back from the VPN to complete the connection.

If we remove our workstation from the SBS network and attach it directly to the Netopia DSL Router/Switch, we can make the connection successfully. I don't mean this in a negative way (because I think the engineers went the distance to exhaust their resources), but I spent 6 hours on the telephone with Microsoft support yesterday. We were not able to ascertain the reason for SBS not letting us make the connection. The "thinking" was perhaps having the 2-NIC setup in SBS was preventing the routing of "receive" info to our workstation. Tech support at Netgear maintains that the VPN client is compatible with SBS.

This is a good one... any help would be appreciated.

James

rsivanandan (India):

I doubt it as well. The bottom line always for me is let the routing device do the routing and let windows do its job.

So I was wondering why this setup? You could have it directly on a single subnet (or even 2 subnets), but not via SBS?

The problems that arise in the case of VPN with networking devices are the 'passthrough' not enabled thingy. But since you have now ascertained that when directly connected to the Netopia router it works just fine, I would think of changing the network layout.

Cheers,
Rajesh
jdaniel56 (ASKER):

Rajesh,

Are you suggesting that we use only 1 NIC in the SBS server and let the Netopia perform the security/firewall functions?

Thanks,

James
Yes, you could change the network topology like this:

SBS Server
IP 192.168.0.2
|
|                          |---------------------------------------------|
|                          |                                             |
Dell PowerConnect Switch             Netopia 3347NWG-006 DSL Router/Switch
(XP Pro workstations also attached to switch)              IP 192.168.0.1
                                                                     |
                                                                 Internet

So all your client XP workstations and the SBS server are on one network (192.168.0.x), and all the machines will have the Netopia router as their default gateway (so the router can do routing/firewall).

The only place where I have seen the SBS setup the way you have it is with ISA or something similar running on the machine as a proxy.

Cheers,
Rajesh
Rajesh,

Thanks... will I have to use a "crossover" Ethernet cable to connect the Netopia DSL/Router/Switch to the Dell switch?

James
Rob Williams:
I agree with Rajesh. I don't think RRAS will support NAT-T, where ISA will. As a result I would set up the SBS with a single NIC, if this is a priority. There has also been a security restriction added to XP using NAT-T connecting to Windows servers that may be coming into play:
http://www.windowsecurity.com/articles/NAT-Traversal-Security.html
Use a straight cable to connect SBS to the Dell switch.

Cheers,
Rajesh
RobWil,

We have ISA... we purchased SBS 03 Premium... we chose not to install it. Are you suggesting that our problem may also be solved by maintaining the current hardware configuration and installing ISA?


Thanks,

James
Rajesh,

I'm sorry... maybe I did not phrase the question well. The Dell PowerConnect is a switch. The Netopia is also a switch (DSL/Router/Switch). Won't I have to use a "crossover" cable to connect the two? Your answer indicated a straight cable to connect the SBS to the Dell switch.

Thanks,

James
James, I am not very familiar with ISA, others are, but there are articles suggesting it is compatible with NAT-T, but there is an add-on or update required. It might solve the problem, but unfortunately I have never tried. Perhaps Rajesh is more familiar with it. If not, try putting a pointer question in the Microsoft Networks topic area. Keith Alabaster is a great ISA man.
Nowadays switches are capable of finding out the end devices, and I don't know both of them. So I would first try with the straight-through cable.

Also, let's see if Keith has an opinion about this; I'll just pull him in.

Cheers,
Rajesh
I have put a pointer to Keith; let's wait.

Cheers,
Rajesh
Evening... Sorry I am late home from work tonight, so only just pulled in my emails. Hey Rob/Rajesh, looks like you are pretty much on top of this one anyway. One thing I would try though is to put the VPN client software onto the SBS server itself. Does that work OK? If it does, then the SBS box is definitely not allowing the passthrough.

Yes, ISA supports VPN passthrough as it holds the session information rather than the SBS box itself. I assume there must have been a reason for not installing ISA in the first place (maybe you have ISA2000 rather than a decent version such as 2004/2006 in which case I wouldn't have installed it either).

When you make the VPN connection to the remote site, what subnet are you using, and what IP address etc. are you being allocated? Does the client PC you have been using so far know the route to the other end? Does the other end have a route back to your internal clients?

Just a few pennies' worth so I am clear on the position...

regards
Keith
Keith,

The security profile that we received with the ProSafe software contains the following info:

Remote Party Identity and Addressing
ID Type = IP Subnet
Subnet = 192.168.1.0
Mask = 255.255.255.0
Protocol = All
Connect using = Secure Gateway Tunnel
ID Type = Domain Name = customer's domain name
Gateway IP Address = the "public" IP address of the domain

I assume that the profile provides my client PC with the route to the other end. I think the other end being able to route back is the problem... not sure about that info. The problem just about has to be the SBS configuration, as we are able to connect successfully when our workstation is disconnected from the SBS and connected directly to our Netopia DSL Router.

Thanks,

James
Keith,

We have ISA 2004... is it your opinion to install ISA (given the use of 2 NICs), or do we even need 2 NICs with the Netopia hardware firewall?

We have 12 workstations attached to the SBS server. I'm sure that ISA would "speed up" the Internet throughput. We currently share the DSL connection.

We are planning to upgrade to SBS 2003 R2. I would like to have a "good" plan of action about whether to use 2 NICs or just 1.

Thanks,

James
If the server only has one NIC then it cannot operate as a firewall, merely as a proxy server.

ISA will improve the performance of the Internet access by the proxy services and caching of content; it will not improve performance for the VPN, as you can appreciate.

For SBS, it is best geared to dual NICs, and given the choice it is something I would always use. There are a number of papers and web sites that cover the SBS/dual-NIC discussion if you would like me to forward them on to you through this question link.
Keith,

Thanks for your advice. We decided to revert to a single-NIC server (for now). Our problem accessing the remote VPN was caused by the outbound connection being NAT'd twice, causing IPsec IKE negotiation to fail. We configured the SBS server as a single-NIC server and let everything route thru the Netopia router so NAT-T would function.

We are now able to make the remote VPN connection thru SBS. We have the ability to do the remote VPN with a 2-NIC setup/ISA; however, we must have multiple static IPs with our ISP. We currently have a single static IP.

Again, thanks for your help. I also appreciate the input from Rajesh and RobWil.
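The thread ends with the diagnosis that the IKE negotiation broke because the client's traffic was NAT'd twice (SBS, then Netopia). The following is an added illustration, not code from the thread or from any of the products named in it: it models the RFC 3947 NAT-D check that IKE runs to discover a NAT in the path, using a simple NAT chain for the two topologies James described. Addresses marked as constructed, the ISAKMP cookies and the port mapping of each NAT are assumptions; SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct

# Constructed placeholder addresses; the thread gives only the private ones.
WORKSTATION = ("192.168.16.10", 500)          # XP client on the SBS LAN (constructed host)
SBS_NAT = ("192.168.0.2", lambda p: p)         # SBS WAN NIC, modelled as keeping the port
NETOPIA_NAT = ("203.0.113.10", lambda p: 1024 + p % 1000)  # ISP router, port-rewriting (constructed)
GATEWAY = ("198.51.100.5", 500)               # customer's FVS 114 public side (constructed)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed as the negotiated hash; IP and port are in network order."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def translate(addr, nat_hops):
    """Apply a chain of NAT devices (a simple model) to a source (ip, port)."""
    ip, port = addr
    for public_ip, port_map in nat_hops:
        ip, port = public_ip, port_map(port)
    return ip, port


def nat_detect(cky_i, cky_r, client, gateway, nat_hops):
    """Mimic the NAT-D comparison each side performs in IKE phase 1.
    The client hashes the address it believes it has; the gateway hashes the
    source address the packet actually arrived from. A mismatch means a NAT
    sits in front of the client. The gateway here has a public address, so
    its own hash matches and it is reported as not behind NAT."""
    client_claims = nat_d_hash(cky_i, cky_r, *client)
    gateway_sees = translate(client, nat_hops)
    client_behind_nat = client_claims != nat_d_hash(cky_i, cky_r, *gateway_sees)
    gateway_claims = nat_d_hash(cky_i, cky_r, *gateway)
    gateway_behind_nat = gateway_claims != nat_d_hash(cky_i, cky_r, *gateway)
    return client_behind_nat, gateway_behind_nat


if __name__ == "__main__":
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8   # constructed ISAKMP cookies
    single = nat_detect(cky_i, cky_r, WORKSTATION, GATEWAY, [NETOPIA_NAT])
    double = nat_detect(cky_i, cky_r, WORKSTATION, GATEWAY, [SBS_NAT, NETOPIA_NAT])
    print("client direct on Netopia:", single)
    print("client behind SBS and Netopia:", double)
```

Both topologies produce the same NAT-D result at the customer's gateway, so the gateway cannot tell one NAT from two; after detection the exchange moves to UDP 4500, and every NAT hop in the path must forward and track it, which is the layer the thread's double-NAT setup fell down on.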

ASKER CERTIFIED SOLUTION
Keith Alabaster (United Kingdom)