Tags: Microsoft, SBS2003R2SP1 with ISA2004SP3, Using SBS VPN
Hi Guys, I'm a little unclear about how certificates work with SBS2003 so need some help. I have an SBS2003R2 SP1 server with ISA2004 SP3 (also Exchange 2003). There are about 6 users, some of which are remote. I use VPNs for remote users to gain access to Exchange mail accounts.
The company moved premises recently and the broadband account changed (so the IP address changed too). After changing the DNS entries for the MX records and the server.XXXXX.com sub domain, inbound mail started working and so did remote access to OWA.
My problem is that VPNs won't connect (I haven't seen the actual error yet, I haven't been to a user's site yet and no one has done a screen grab for me). Given this scenario, can anyone tell me if I need to rebuild certificates, i.e. after an IP change? If this is the case, why does OWA still work OK?
If I have to rebuild the certificate, where do I start?
Thanks, I'll get more info from the VPN client tomorrow.
First thing I would check is the actual IP on the client's side on the VPN dialup adapter, which is probably your old IP. Change it to the new one.
And my comment: you don't need to use VPN only for remote Outlook access. Instead go with an SSL certificate and establish an RPC over HTTP connection from the client's Outlook to your Exchange server. ISA supports this without a problem.
If you are using the standard Windows VPN, it uses PPTP and no certificates. However, the proper way to have users connect with SBS's VPN is using the Create remote access disk method or download the VPN client from the remote web workplace page. In order to update both of these after changing your public IP you need to re-run the Configure Remote Access Wizard (located: server management | internet and e-mail | configure remote access). Then have the clients install the updated client. As Labsy stated, they may be connecting to the old IP. You cannot manually change that on the SBS VPN client.
Hi Guys, Thanks to you all for your comments. RobWill, the original VPN clients were set up using the SBS connection wizard, etc. I've converted to the 'Run the wizards' school of thought for all SBS activities (it saves time in the long run). What I'm trying to understand is 'does the certificate change if the IP address changes?', so does the SBSpackage contain a resolved version of the FQDN?
I'm going to run the Connection wizard again (since I now know the DNS propagations have happened) and try the VPN. If that doesn't work I'm going to rebuild the SBSpackage (through the RRW) and download to a user and try that. I'll let you all know how I get on.
Thanks again for your inputs, any more background would be appreciated, I'd like to get on top of this once and for all.
If OWA is working then your certificates are OK. The SBS VPN does not use certificates at all so that would not be the problem. But it does create the VPN client using the current IP, so rerunning the configure remote access wizard and redeploying the client "should" fix the problem.
And to answer the last question: NO, an SSL cert is not locked to and does not contain the IP, because it is not a Layer 3 protocol, but rather applied on top of it.
Hi Guys, OK so I get the picture with regard to SBS VPN, i.e. SBSpackage uses PPTP, therefore no certificates involved. So all I need to do is ensure the SBS VPN server is set up OK and download the resulting SBSpackage to the client, install and presto we should be go . . . hmmmm. (By the way, there is a Draytek 2820 router on the external side of the 2 NIC server. This has VPN passthrough set both by unticking the PPTP, L2TP and IPSEC options but also by forwarding port 1723 to the server's external NIC.)
I did that just now but the Connection Manager has installed on the client with the miniport configured as L2TP, not PPTP. I have checked a machine which has not been updated and that still says PPTP. I have rerun the Routing and Remote Access wizard on the server and see 5 WAN miniports set up for PPTP only, no L2TP. How do I ensure that the SBSpackage is built for PPTP only, not L2TP? Is this a client configuration issue or is it (as I suspect) part of the SBSpackage build and/or config file?
I have never heard of the SBS "packager" creating L2TP VPN clients. Nothing you can edit so perhaps you are best just to create a manual VPN client on the user's machine, at least as a test. To do so follow the details outlined in the following: http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
Hi Guys, I've taken the heat out of the problem by setting up the VPN clients manually (I used to do this but converted to using the SBS tools as per advice). The connections worked straight away so the problem must be with the SBSpackager. Thanks for the pointers on this, RobWill.
Can anyone tell me how to control what protocol is specified for use in the SBSpackager? I thought this might have been something to do with the Routing and Remote Access wizard, which builds the config file for the SBSPackager. There was nothing obviously available to indicate the use of L2TP or PPTP. I'd really like to get this understood as I can see it is going to come back and bite me again.
There is no way to configure the SBS "packager". The only thought I would have is to re-run the "configure remote access" wizard, but choose disable, then go to RRAS and make sure it is disabled. Then re-run the "configure remote access" wizard again.
My guess is that L2TP might get created through the wizard in case your server has private addresses on both NIC cards, so the wizard assumes L2TP Compulsory tunneling needs to be created, which makes your SBS box a forwarding machine for VPN requests between clients on one side and another server on the other side. But this is just a guess.
Another guess: Since PPTP does not need a certificate, just user authentication, and then establishes an encrypted link, and L2TP/IPSec DOES need an SSL cert, it might be the SSL cert that is guilty for your wizard, which then automatically thinks L2TP needs to be created for the client VPN. I guess RobWill's advice might get rid of it.
Hi Labsys, both NICs have private IPs, yes, but this has always been the case on this and the other servers that I run. The SBSpackager normally installs OK . . . hmmm. Can anyone say when the packager actually gets built? Is it at the point of download (RWW), after the Routing and Remote Access wizard is run, or when the Email and Internet connection wizard is run . . . or some other time? This may help determine the issue . . . but there again . . . Haven't tried RobWill's suggestion yet as I've had to play catchup.