Solved

Connect to vpn when not on domain

Posted on 2006-04-07
Last Modified: 2013-11-21
Hello
I have some remote users who I want to connect to our vpn.  They work for a different company so are not on our domain.  Is this possible (if so how!) or do they have to join our domain?  Once connected to the vpn I want them to run an Access DB that sits on a Terminal Services Server.  They are currently using a Windows VPN connection in Win XP Pro.
Please advise, thank you.
Question by:doddwell
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1200 total points
ID: 16399659
If they are connecting via VPN, then accessing through Terminal Server (Remote Desktop) you will need to create a Domain account for the user, but the computer will not have to join the domain.
You may have problems accessing resources by name because of the different Domain, so you can connect to devices using the IP addresses, or you may be able to resolve by adding the domain suffix of the domain to which they are connecting, to the DNS tab of the TCP/IP properties, of the network adapter, of the connecting computer.
 

Author Comment

by:doddwell
ID: 16400060
RobWill
I can connect to the VPN using a computer that is on the domain but can't with one that is not.   It connects but fails to verify the username and password.  I get the following message
Error 721: the remote computer did not respond.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16400236
Error 721 shouldn't be as a result of no Domain membership, unless there have been policies specifically set up for that purpose. You can check in RRAS. Expand the server name, click on Remote Access Policies and in the right hand window there are usually only 2 default policies. Check for any others or if you are running a Radius server for authentication there could well be policies there. Ah, yes, and if ISA server, there could be policies as well. However, no Domain membership requirements with basic Windows VPN.

Make sure the user has a legitimate User name and password for the Domain, and on their profile in Active directory, on the Dial in tab check "Allow access".

Also when connecting add the user's appropriate domain name, so for UserName use:
UserName@VPNDomain.local   or    VPNDomain.local\UserName

I'm going to be out the next 3-6 hours but will check back and see if you have had any progress.

 

Author Comment

by:doddwell
ID: 16402012
Something strange happening....
I have 2 laptops....
Laptop 1 has a user domain account
Laptop 2 has a domain account for a different domain

When I log on to the domain account using laptop 1 I can connect to the VPN
When I log on to a local Admin account on laptop 2 I cannot connect

Logic would therefore tell me that Laptop 1 should not be able to connect if I log on to it with a local account...but this is not the case (I can connect!?).

There are only 2 policies (default)
Not ISA server
Not Radius server (...don't know what this is but I set it up and don't remember any ref to this)

When I connected from laptop 1 using the local Admin account I did not need to use "UserName@VPNDomain.local   or    VPNDomain.local\UserName"

Please advise.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16404446
>>"When I connected from laptop 1 using the local Admin account I did not need to use "UserName@VPNDomain.local "
No, you wouldn't; where it is a member of the domain it would automatically add the appropriate domain suffix. The computer that is not a member sometimes requires you to add it there, or to add the domain suffix to the DNS tab of the network card's TCP/IP configuration. Having said that, I just tried it here on a test environment and I didn't have to add the domain suffix, but the client computer is a member of a workgroup, where yours is a member of another domain. If you haven't tried it, experiment with the domain suffix.
 

Author Comment

by:doddwell
ID: 16452074
Adding the domain to the username did not work....but adding the domain suffix to the DNS did work.  For those who are not sure how to do this...right click on your NIC, Properties, Select Internet Protocol (TCP/IP) and click Properties. Click Advanced, Click the DNS tab and then type your domain name into the "DNS suffix for this connection".

So..Robwill, thanks for that but as soon as I did that on my "other domain" laptop, I could no longer VPN using the laptop that is on the domain (was able to do so 5 mins earlier)!  Added the DNS suffix to the laptop but that didn't fix the problem.

By using the domain suffix on the non-domain laptop have I done something to the server or the router?  I have tried to VPN in from the domain connected laptop using various different accounts but still no good.

Please advise (points increased), thank you.
 

Author Comment

by:doddwell
ID: 16452715
After approx 15 mins I was able to VPN in using the "domain" laptop.....any idea why?  I tried several accounts so perhaps the server or router remembers the connection to the remote IP address and assigns an IP address to it..and it's not released for a while......if I'm right can you explain why this is?  Many thanks, Simon
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16453329
I assume you added the suffix in the "DNS suffix for this connection" box. This will probably override your existing DNS suffix on any connection made with that network adapter, or at least cause considerable delay. Fine for a computer in a workgroup, but it may block access or cause very slow name resolution for your existing Domain. Where you are using multiple domains, rather than entering the suffix there, it should work better if on the DNS 'tab' you check "Append these DNS suffixes in order", then click "add" and insert the primary domain suffix and then the second. Make sure they are in the correct order, and save. Then when making a connection it should try the primary suffix, and if no authentication it will, or at least should, try the secondary.
See if you have any better luck.
--Rob
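
A simplified model of the two DNS-tab settings discussed in this thread, added here as an example and not part of any participant's post. The host name `ts01`, the suffix `otherco.example` and the address are constructed, `VPNDomain.local` is the placeholder used earlier in the thread, and the lookup order is an assumed model limited to single-label names.

```python
# Added illustration (not from the thread). Simplified model of how a Windows
# DNS client expands a single-label host name into the FQDNs it queries.
# Constructed sample values: host "ts01", suffix "otherco.example", 10.0.0.5.

def candidate_fqdns(name, primary_suffix="", connection_suffix="", search_list=None):
    """Return the FQDNs queried for `name`, in order (assumed, simplified model).

    - A name ending in "." is already fully qualified and is queried as-is.
    - If "Append these DNS suffixes (in order)" is populated, only that list
      is used, in the order given.
    - Otherwise the primary DNS suffix is tried first, then the adapter's
      "DNS suffix for this connection".
    Multi-label names and suffix devolution are out of scope.
    """
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    if "." in name:
        raise ValueError("model covers single-label names only")
    suffixes = list(search_list) if search_list else [primary_suffix, connection_suffix]
    out = []
    for suffix in suffixes:
        suffix = suffix.strip(".").lower()
        fqdn = f"{name.lower()}.{suffix}"
        if suffix and fqdn not in out:
            out.append(fqdn)
    return out


def first_answer(candidates, zone):
    """Return (fqdn, address, failed_queries) for the first candidate in `zone`."""
    for misses, fqdn in enumerate(candidates):
        if fqdn in zone:
            return fqdn, zone[fqdn], misses
    return None, None, len(candidates)


# Constructed zone: the terminal server exists only in the VPN domain.
ZONE = {"ts01.vpndomain.local": "10.0.0.5"}

if __name__ == "__main__":
    cases = {
        "member of other domain, no change": dict(primary_suffix="otherco.example"),
        "connection suffix added": dict(primary_suffix="otherco.example",
                                        connection_suffix="VPNDomain.local"),
        "ordered list": dict(search_list=["VPNDomain.local", "otherco.example"]),
    }
    for label, cfg in cases.items():
        print(label, first_answer(candidate_fqdns("ts01", **cfg), ZONE))
```

Each failed candidate is a real query for an internal host name sent to whichever DNS server the adapter is using at the time, so the order of the list affects both the delay and which resolver sees those names.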
 

Author Comment

by:doddwell
ID: 16477659
Robwill...did you see my last post? Simon
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16478324
Sorry missed part of that.

>>"By using the domain suffix on the non-domain laptop have I done something to the server or the router?"
Would only affect the PC/Laptop on which you made the change.

>>"After approx 15 mins I was able to VPN in"
Is this due to a change or waiting? If the computer is attempting to connect using the wrong DNS suffix there could be considerable delays while it tries to resolve a name. I would use the "Append these DNS suffixes in order" option. Also when you make a change you should probably run from a command prompt:
ipconfig  /flushdns
ipconfig  /registerdns

As for the IP assignment, check the DHCP scope you are assigning the VPN users and make sure there are sufficient, or even extra IPs available.
In RRAS right click on the server name, choose properties, IP tab, IP address assignment, edit
Some tips here:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm

 
LVL 78

Expert Comment

by:Rob Williams
ID: 16571116
Simon, how have you been making out with this?
--Rob
 

Author Comment

by:doddwell
ID: 16789920
Apologies for not following up - have been off.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16790536
Thanks again Simon.
--Rob