Solved

Hosted Application over VPN (Microsoft SBS 2003)

Posted on 2004-10-19
Last Modified: 2010-04-12
We are hosting an application for a remote client.  Right now the clients VPN in through Microsoft SBS 2003 and attempt to access the application running on the same server.  We have two significant issues:

1) The application we're running has a proprietary database, and a client/server configuration.  When the users VPN into the network and open their application client they need to first associate their client with the server side database.  Unfortunately when they try this (by IP or by server name) they cannot find the server.

We tried some preliminary testing... When the WAN users VPN into the network they can see their own local domain through My Network Places but cannot see the remote domain we've set up for them.  They can ping the remote domain, and if they enter the server in the address bar (i.e. \\remoteserver) they can access the server.

2) We have very poor performance over the WAN.  Both sides have Dual T1 lines, and we have monitored the server and run the application locally to address any hardware issues (i.e. CPU, RAM, etc.).  I suspect that there is some kind of DNS / WINS replication issue; however, I believe that if they VPN into our network they should be receiving the correct IP Config from the remote domain... right?

Obviously there are no easy answers here, and this response is going to take some attention from experienced EE members.  Because of this, I'm assigning this question 500 points.
Question by:JABevan
 

Author Comment

by:JABevan
ID: 12350873
Additional info:  The clients ARE on a separate local domain from the remote domain we have set up.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12352308
Have them try adding a LMHOSTS file to their workstation - just for initial testing.
Only need one entry, that of the server:
Change IP address, server name as appropriate

192.168.111.111 <tab>  SERVERNAME  <tab>   #PRE   <tab>  #DOM:yourdomain

Refresh the client's netbios name table:
  C:\>nbtstat -R


If this works, you can create a login script that will copy this to their LMHOSTS files when they login.

Else, you may need to have a domain trust relationship set up between the domains, and share WINS/DNS information through replication partnerships.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 250 total points
ID: 12369535
1)  Make sure DNS is set up properly on the client, so that name resolution works and network neighborhood is populated
2)  Some VPN clients / servers will handle fragments OK, some will be pretty disastrous.  For any remote client behind dial-up or ADSL, MTU tweaking should always be considered, especially with older operating systems and applications.

http://www.dslreports.com/faq/695

Could you clarify point 1 - you say that users cannot find the server by IP or server name, but then if they enter the server in the address bar they can see it ??
0
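One way to act on the MTU suggestion in the answer above, as an added example that is not part of the original thread: binary-search the largest ping payload that crosses the VPN with Don't Fragment set, then add the 28 bytes of IPv4 and ICMP headers to get the path MTU. The function names and `simulated_path` are hypothetical; the live probe assumes Windows `ping -f -l` or Linux iputils `ping -M do -s`, and treats a `TTL=` field in the output as a reply.

```python
import platform
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host):
    """Build probe(size) -> bool: does one DF-flagged ping of `size` bytes get a reply?"""
    if platform.system() == "Windows":
        base = ["ping", "-n", "1", "-w", "2000", "-f", "-l"]
    else:  # assumption: Linux iputils ping
        base = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s"]

    def probe(size):
        out = subprocess.run(base + [str(size), host],
                             capture_output=True, text=True).stdout
        # Heuristic: only a real echo reply line carries a TTL field.
        return "ttl=" in out.lower()
    return probe


def simulated_path(mtu):
    """Constructed stand-in for a tunnel that drops DF packets larger than `mtu`."""
    return lambda size: size + IP_ICMP_OVERHEAD <= mtu


def largest_unfragmented_payload(probe, lo=500, hi=1472):
    """Largest payload in [lo, hi] that passes unfragmented, or None."""
    if not probe(lo):
        return None  # host unreachable, ICMP filtered, or MTU below the floor
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits: search the upper half
        else:
            hi = mid - 1      # mid needs fragmenting: search the lower half
    return lo


def path_mtu(probe, lo=500, hi=1472):
    payload = largest_unfragmented_payload(probe, lo, hi)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Pass the server's address as seen through the VPN; no argument runs the simulation.
    probe = ping_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_path(1400)
    print("Path MTU:", path_mtu(probe))
```

Run it from the remote client while the VPN is connected; a result below 1500 is the value to compare against the client's configured interface MTU.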
 

Author Comment

by:JABevan
ID: 12372154
lrmoore - Thanks for your response.  It looks like the LMHOSTS file did the trick for getting us connected; however, we are still having severe connection issues.  The data we're transferring is very minor.  

For example, if we take one of our own laptops home and remote into the application we can run benchmark reports in about 90 seconds.  If our clients log in it takes them over 8 minutes to run the same reports.

tim_holman - Thanks for your response.  Our clients are on their own domain so we can't mess with their DNS too much.  However, when they VPN into our environment they are receiving all the correct DNS and WINS entries from the remote domain we've set up for them.

Also, all traffic is going through T1 lines.

On point 1, the client cannot find the server by IP or server name through the application.  In My Network Neighborhood they cannot see the servers, but if they enter the server name in the address bar it pops up right away.  We did take lrmoore's advice and edit the LMHOSTS file; we also did WINS replication between their domain and the remote domain we've set up for them.  That resolved the connection issue, but we're still having very very poor performance.  This is critical, and I'm still leaning towards some kind of translation issue somewhere but am not sure....

Any ideas would be great.  Thanks.
0

 
LVL 23

Expert Comment

by:Tim Holman
ID: 12379585
LMHOSTS shouldn't be necessary if WINS is working properly, and the remote clients can see the WINS server.  
Maybe there is some incorrect information in WINS if you're finding LMHOSTS solves the issue ?

I would definitely optimize your MTU size (don't ignore this - I've seen lower MTU settings work miracles before in exactly the same scenario!).

Also, the fact that it works via a browser, but not directly, indicates that perhaps a proxy server is referenced in IE config that is pulling down the page and resolving the host name on behalf of the client ?  Can you verify this ?

If performance is an issue, maybe the T1 link is full of unwanted traffic - is this filtered ?  Do you think a worm may be present ?

A trace may help get this resolved quickly - install it on the client, and see what the hold up is.

1)  Go to http://www.ethereal.com/download.html
2)  Under Windows 98/ME/2000/XP/2003 Installers, select a site near you
3)  Download WinPcap_3_0.exe and ethereal-setup-0.10.4.exe
4)  Install WinPcap_3_0 - double click on the WinPcap_3_0.exe file, just click OK / Yes throughout
5)  Install ethereal-setup-0.10.4 - double click on the file, accept all the defaults (OK / Yes throughout)
6)  Start the Ethereal application
7)  Go to Capture > Start
8)  Under Interface, select your Internet facing interface.  If you're unsure, then select one, and continue.  If it displays results, then you've got the right interface, if your capture is empty, then select another interface and carry on...
9)  Under Capture Files, put \capture.cap
10)  Click OK
11)  Capturing will commence....
12)  Capture what you need to
13) Go back to Ethereal, click Stop
14)  Analyse the c:\capture.cap file, or send it to me - tim_holman@hotmail.com
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12379595
Also, spring cleaning your remote client of malware may mediate things -

Getting rid of malware...

1)  Run a full Stinger scan in Safe Mode - http://vil.nai.com/vil/stinger/
2)  Install and run LavaSoft AdAware - http://www.lavasoftusa.com/support/download/
3)  Download and run latest version of HijackThis (HJT) http://www.tomcoyote.org/hjt/
4)  Post the log at http://www.hijackthis.de/index.php?langselect=english
5)  Run MBSA - http://www.microsoft.com/technet/security/tools/mbsahome.mspx & take appropriate patching action

Preventing malware...

1)  Ensure WindowsUpdate is set to update your system
2)  Download a pop-up blocker - eg toolbar.google.com
3)  Install Lavasoft AdAware and run regular scans, or just leave it and have it handy for when problems start recurring.
4)  Keep your AV software up to date - daily updates recommended.  www.clamwin.org and www.grisoft.com are good free ones...
Also, check this link for some free, limited-time trials of commercial products - http://www.microsoft.com/windowsxp/downloads/updates/sp2/antivirus/default.mspx
5)  Enable Internet Connection Firewall, or use ZoneAlarm if you don't use XP
6)  Stay vigilant.  Don't bother opening non-work related email attachments, or install an on-access virus scanner so that it doesn't matter if you do.
7)  Look at a host IPS - eg www.prevx.com, www.abtrusion.com, System Safety Monitor  to cover your machine between when a virus hits the wild and when a patch is finally released that fixes it.  Average time is roughly 6 days.
8)  Take an online privacy test http://www.anonymizer.com/privacytest/2.0/privacytest.cgi?test=2
9)  Set IE Privacy to High - IE > Tools > Internet Options > Privacy
10)  Reset Internet Zone Security to High - IE > Tools > Internet Options > Security > Custom > (Select High) > Reset
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12403514
Any progress? Are you still working on this? Do you need more information?
0
 

Author Comment

by:JABevan
ID: 12404285
Unfortunately the connectivity problems have kind of killed it.  The client (i.e. customer) has pulled the application back in house because of the slowness.  We're in a situation now where we need to come up with a solution, test, and propose it again.

This is definitely not a malware/spyware/adware issue.  We're using clean boxes for testing and tested the throughput on both ends.  I'm still thinking it's a translation issue between the domains.  Again the client (i.e. customer, not client computer...) is on one domain in Colorado, we have set up another in North Carolina running this hosted application.  The customer is connecting by VPN and then opening a client of the hosted application which connects to the server side we have here in North Carolina.

Any (specific) suggestions would definitely be appreciated.

Thanks.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12435989
Did you try the MTU suggestion ?
0
