Hello Everybody,

I have got a Windows 2003 SBS server running behind a firewall, which has got a fixed IP address:, and my router IP address is xx.xx.xx.xxx. I have already done port forwarding of the L2TP and PPTP ports to my server IP address.

I would like to access my folder on this server from my home. I have enabled Routing and Remote Access on the server and set up an IP address pool to allocate to the remote users. But I am getting an error saying there is no server or I have not set the correct security parameters.

I have checked the server's Event Viewer, and it was telling me that remote users are not allowed with security certificate. Is there any certificate which I need to buy to have a VPN server running behind a firewall on a W2K3 server? Can someone guide me on how to access my data from home?

Can someone give any links or any info in this regard?

Many thanks,
LimeSMJ Commented:
** Since you want PPTP (for now at least) you can close off the L2TP ports and leave the PPTP ports open (should be 1723 and 47). **

** Next, set up the RRAS server on your Win 2003 server (excerpts from http://support.microsoft.com/default.aspx?scid=kb;en-us;323415#3 ): **

1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the left pane of the console, click the server that matches the local server name.

--> If the icon has a red arrow in the lower-right corner, the Routing and Remote Access service is not enabled. Go to step 3.

--> If the icon has a green arrow pointing up in the lower-right corner, the service is enabled. If so, you may want to reconfigure the server. To reconfigure the server, you must first disable Routing and Remote Access. To do this, right-click the server, and then click Disable Routing and Remote Access. Click Yes when you are prompted with an informational message.

3. Right-click the server, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next.
4. Click Remote access (choose VPN) to permit remote computers to dial in or connect to this network through the Internet. Click Next.
5. Click VPN for virtual private access, or click Dial-up for dial-up access, depending on the role you want to assign to this server.
6. On the VPN Connection page, click the network interface that is connected to the Internet, and then click Next.
7. On the IP Address Assignment page, do one of the following:

--> If a DHCP server will be used to assign addresses to remote clients, click Automatically, and then click Next. Go to step 8.
--> To give remote clients addresses only from a pre-defined pool, click From a specified range of addresses.
         a) The wizard opens the Address Range Assignment page.
         b) Click New.
         c) In the Start IP address box, type the first IP address in the range of addresses that you want to use.
         d) In the End IP address box, type the last IP address in the range.
         e) Windows calculates the number of addresses automatically.

8. Click OK to return to the Address Range Assignment page.
9. Click Next.
10. Accept the default setting of No, use Routing and Remote Access to authenticate connection requests, and then click Next.
11. Click Finish to enable the Routing and Remote Access service and to configure the remote access server.

** Next you need to set up the users.  You can either use a RADIUS server or the Local or AD user list. **

--> You can use remote access policies to grant or deny authorization, based on criteria such as the time of day, day of the week, the user's membership in Windows Server 2003-based security groups, or the type of connection that is requested. If a remote access server is a member of a domain, you can configure these settings by using the user's domain account.  Go into AD and edit the user's Remote Access / Dial In rights (allow or disallow, etc).

--> If the server is a stand-alone server or a member of a workgroup, the user must have a local account on the remote access server.  Add users in the Users MMC.

** Finally, set up the client machines (the next steps really depend on the Operating System of the connecting client machine - these instructions are for XP but 2000 is similar) **

1. Click Start, click Control Panel, and then double-click Network Connections.
2. Under Network Tasks, click Create a new connection, and then click Next.
3. Click Connect to the network at my workplace to create the dial-up connection, and then click Next.
4. Click Virtual Private Network connection, and then click Next.
5. On the Connection Name page, type a descriptive name for this connection, and then click Next.
6. Do one of the following, and then click Next.

--> If the computer is permanently connected to the Internet, click Do not dial the initial connection.
--> If the computer connects to the Internet by way of an Internet service provider (ISP), click Automatically dial this initial connection, and then click the name of the connection to the ISP.

7. Type the IP address or the host name of the VPN server computer (for example, VPNServer.SampleDomain.com).
8. Do one of the following, and then click Next:

--> If you want to allow any user who logs on to the workstation to have access to this dial-up connection, click Anyone's use.
--> If you want this connection to be available only to the currently logged-on user, click My use only.

9. Click Finish to save the connection.

The instructions are long but following these steps should give you a working PPTP connection.  Let me know if there are any problems.
How did you set up the client connecting to the RRAS server?  Is it using PPTP or L2TP/IPSec?

The certificate error you are getting is due to the L2TP/IPSec... you need a server-side certificate as well as a client-side certificate to authenticate using that method.  Certificates can either be bought or the server can generate one for free.

If you use PPTP, you don't need certificates.
mohankodali (Author) Commented:
Hello LimeSMJ,

I am not quite sure what I am using. I mean I need to use it without any certificates. Sorry, I am new to this exchange and Windows. Can you please guide me on how to set up PPTP, so that I can access data from my home computer using VPN or some other method, mapping it as a network drive?

Many Thanks,
mohankodali (Author) Commented:
Is there any security setting that needs to be made in Windows 2003 Server so that I can accept PPTP connections? Can someone please help me out on this ASAP.

Many Thanks,
mohankodali (Author) Commented:
Hello LimeSMJ,

Many thanks for your information, but I still need more help.

I have got only one network card on my server, and it has got an IP address, and when I try to select --> Remote Access (Dial up or VPN) it gives the following warning:

"Less than two network interfaces were detected on this machine. For Standard VPN server configuration at least two network interfaces need to be installed. Please use custom configuation path instead."

So I have to use only the custom method and select VPN access. I have done everything you said, but still no joy.

And on the Security tab, you have got Windows authentication; I have got 3 options checked -->

1. EAP, 2. MS-CHAP v2 and 3. MS-CHAP. I tried all options and each option one by one, but still no luck.

Any advice or help on this would be much appreciated.

Many Thanks,

The only protocols that are used for non-certificate PPTP are MS-CHAP and MS-CHAP v2.  I would recommend using only MS-CHAP v2 as it is the best out of the two.

As for setting up the VPN on a single NIC... Let me try to use my test Win 2003 server to see if I can get the VPN working on that using a single ethernet card.  I'll post results soon.
Hmm... can you ping the server (at your home) from the machine you are using to connect the VPN to?  What firewall are you using by the way?
mohankodali (Author) Commented:
I can't ping the server, as it's behind a firewall. It's a Netgear router which has got a built-in firewall.
Is it possible for you to test the VPN connection behind the firewall?  This is to eliminate the possibility that your Netgear is causing the problem.
mohankodali (Author) Commented:
Hi LimeSMJ,

Is there any specific configuration when using only one NIC card, or is it the same?

I just tried implementing a single NIC RRAS session with my lab environment: Win 2003 Server and a Win XP VPN client.

Everything seemed to work fine with PPTP (without any certificate).  I did not check to see if an outside connection could be established since I can't since this testing lab is not connected to the outside world (and can't due to security issues).

From what I can tell, a single NIC RRAS configuration does not need any additional configuration to connect.  Now, since your problem is the connection we need to isolate the problem to either the Netgear or Win 2003.  Can you tell me if you are getting any connection attempts in your RRAS log files?  Can you test to see if you can connect to the VPN server on the LAN behind the Netgear (putting a computer in the same network as the server)?
Oh, I forgot to tell you how I set up this testing RRAS... On the Win 2003 server, I chose the Custom configuration and just checked the VPN box in the RRAS setup.  Nothing else.

On the client, I created a New Connection (VPN) and entered in all the naming information and put in the server's internal IP address.

I set up a local user on the Win 2003 server and gave the account Dial-In access.

Finally, on the client I just initiated the connection, entered in the username I setup and then I was connected via a PPTP VPN link.
By the way, I used the server's internal address since I am not connected to the outside world.  In your case, if possible, try to test the connection (as I mentioned before) internally before trying from the outside - just to see if you configured the server correctly.  Once that is done, then try the server's external address... if that does not work (and the internal test did) then your firewall is to blame.
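
Added example (not part of the original thread): a small Python check for the internal-then-external test described above. It opens the PPTP control channel on TCP 1723 and sends the Start-Control-Connection-Request defined in RFC 2637, so a valid reply shows that RRAS answered rather than just that a port is open. It does not exercise the GRE data channel (IP protocol 47), which the router must also pass; the label `vpn-check` and the addresses given on the command line are assumptions.

```python
import socket
import struct
import sys

PPTP_MAGIC = 0x1A2B3C4D            # cookie present in every PPTP control message
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"   # Start-Control-Connection-Request (156 bytes)
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"  # Start-Control-Connection-Reply (156 bytes)
MSG_LEN = struct.calcsize(SCCRP_FMT)

def build_sccrq(hostname=b"vpn-check"):
    """Build the first message a PPTP client sends; hostname is an assumed label."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, 1, PPTP_MAGIC, 1, 0, 0x0100, 0,
                       3, 3, 0, 0, hostname, b"")

def parse_sccrp(data):
    """Validate a reply and report whether the server accepted the control connection."""
    if len(data) < MSG_LEN:
        return {"ok": False, "reason": "short reply (%d bytes)" % len(data)}
    (_len, msg_type, magic, ctrl_type, _r0, _ver, result, error,
     _framing, _bearer, _chans, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if magic != PPTP_MAGIC or msg_type != 1 or ctrl_type != 2:
        return {"ok": False, "reason": "not a PPTP Start-Control-Connection-Reply"}
    text = lambda raw: raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"ok": result == 1, "result_code": result, "error_code": error,
            "host": text(host), "vendor": text(vendor)}

def probe(host, port=1723, timeout=5.0):
    """Connect to the PPTP control port, send the request, and parse the reply."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(build_sccrq())
            while len(data) < MSG_LEN:
                chunk = conn.recv(MSG_LEN - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"ok": False, "reason": "TCP %d unreachable: %s" % (port, exc)}
    return parse_sccrp(data)

if __name__ == "__main__":
    # Usage: python pptp_check.py <server LAN address> <router public address>
    for target in sys.argv[1:]:
        print(target, probe(target))
```

If the LAN address reports `ok` and the public address does not, the port forward on the router is the place to look. If both report `ok` and the client still fails, check that the router passes GRE.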
mohankodali (Author) Commented:
Comment from LimeSMJ
Date: 09/27/2004 03:55PM PDT -- If you use this, it works fine. No issues. Thanks for the help.