  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 350
  • Last Modified:

SBS 2003 VPN and No Name Resolution

I've done lots of searching here before asking this question, so here it goes.  

We're a small shop and we have one server running our production data & files, Exchange 2003, IIS6, and DNS and WINS.  Everything works well inside the network (192.168.117.x).  However, we do have 3 users (myself included) that will access the network via VPN.  Also this server has 2 NICs in it, but only one is being used at this time.  All connections for the internet go thru a hardware firewall that stands in front of all servers and workstations.  

The VPN connection cannot resolve the server names, but I can ping them via their physical IP address.  I've looked at the IPCONFIG and noticed the subnet at 255.255.255.255, but after searching thru here, I know that's OK.  Using my experience, it appears when VPNed into the network here, it's not seeing the 192.168.117.x network, so my DNS configuration on my home setup (the ISP) tries to locate the server, which it doesn't find.  

Now I do have set up in the Active Directory Users section who has dial-in access and what the assigned IP should be.  (For audit trails.)  I have set up a range of IPs and switched them to be DHCP assigned to no avail.  Another thought was to use the second network card and set up a separate subnet, however my hardware firewall is a concern since it will not be on the new subnet.  (Or maybe I'm thinking this wrong.)

I've seen and used the suggestions to Microsoft's KB 29822, but it didn't work.  I've tried a few suggestions made for others here (uncheck default remote gateway, hard code DNS Server, etc) and the problem remains.  

I'll keep a lookout on this thread as possible to get more info to you, but that's about where I'm at right now.  It's pretty important to get this working since one of the remote users does publish his website on our server.  

Thank you for your time.  
Tom
Asked by: Tommy_Joe
1 Solution
 
Tommy_Joe (Author) commented:
Update:

Last night I accessed the work network thru the VPN and was able to resolve the server's name.  I was able to ping it and tracert to it.  However, when I reset the connection to see if it would still work, it did not.  

A tracert to the server takes me out of the server and out of the firewall.  Once I'm out of the firewall, I'm not able to get back.  

Thank you for your time
Tom
0
 
Tommy_Joe (Author) commented:
May have found the answer.  I double-checked the registration addition per Microsoft's article #292822 and found the DNS A Record has the server name as opposed to "(same as parent folder)" in the name field.  I corrected it and it seems to be working now.  I can trace and ping by name.  

I'm gonna run a test next for publishing websites.  If that works, I'll close the thread.  

Tom
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Tommy_Joe,

If that didn't correct your problem, I would suspect it's because you have an unused NIC on your server. My first question is why don't you use it?  My second would be, if you aren't using it why haven't you removed it?

This will certainly cause problems in your configuration.

Please see http://sbsurl.com/twonics for a recommended configuration.

If you need further help, please post an IPCONFIG /ALL from your server.

Jeff
TechSoEasy
0
 
Tommy_Joe (Author) commented:
The problem still exists.  

We had this server configured and assembled by consultants, so I don't know why there are two NICs in it.  The one (in the main board) is being used and the other is disabled.  This server also holds three websites and I have a test intranet address dedicated.  

Server's IPCONFIG
C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER1
   Primary Dns Suffix  . . . . . . . : Trustbuilder.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Trustbuilder.com

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.117.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0E-0C-3F-04-AC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.117.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.117.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.117.167
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.117.166
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.117.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.117.254
   DNS Servers . . . . . . . . . . . : 192.168.117.7
                                       151.164.1.7
   Primary WINS Server . . . . . . . : 192.168.117.7

I reviewed other threads here and know that the 2nd NIC has to be on a separate subnet.  Never set that up before (since I'm a dumb ol Programmer), but I can figure something out with that diagram.  Is it better to use the 2nd NIC or just remove it in this case?  (In your opinion.)

Thank you

Tom
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Why do you have so many IP addresses configured?  You should only have ONE, 192.168.117.7 (per your DNS and WINS configuration).  Also, remove 151.164.1.7 from the DNS servers... I'm assuming that this is your ISP's DNS server, so that would go in the appropriate place when you run the Configure Email and Internet Connection Wizard.

See http://sbsurl.com/ceicw for a visual example, and http://sbsurl.com/msicw for a complete overview of SBS's network configurations.

It is much better to use TWO NICs in my opinion, because then you gain the additional advantage that your LAN computers will be yet another step away from the Internet... it's better security.

If you review the diagram I linked above, you'll see that there is then an External NIC and an Internal NIC.  The external NIC goes to your Router and then the Router goes to the ISP connection.  The Internal NIC would go to a Switch that all LAN devices would connect to.

For now though, just to make sure everything is working, remove the 2nd NIC and make the changes I've noted above.  Before removing the actual NIC though, be sure to "uninstall" it in the Device Manager.  Otherwise, the system will still think it's there, but not working.

Jeff
TechSoEasy
0
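The ipconfig /all output Tom posted, together with Jeff's corrections (a single address on the LAN NIC, the server itself as the only DNS and WINS server, the ISP resolver moved into the CEICW forwarder setting, and dial-in clients landing inside the 192.168.117.x range so they can reach the internal DNS server), can be turned into a repeatable check. The following Python script is an added example and is not code from the thread, from Tom or from Jeff: it parses ipconfig /all text and reports exactly those conditions. The LAN range 192.168.117.0/24 is assumed from the network Tom describes; the first sample is trimmed from his posted output, and the second sample is a constructed "after" showing the NIC the way Jeff recommends.

```python
import ipaddress

# Trimmed from the ipconfig /all output Tom posted earlier in the thread.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER1
   IP Routing Enabled. . . . . . . . : Yes

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 192.168.117.169
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Server Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.117.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.117.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IP Address. . . . . . . . . . . . : 192.168.117.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.117.254
   DNS Servers . . . . . . . . . . . : 192.168.117.7
                                       151.164.1.7
   Primary WINS Server . . . . . . . : 192.168.117.7
"""

# Constructed: the same NIC after Jeff's advice (one address, itself as DNS/WINS).
FIXED_IPCONFIG = """\
Ethernet adapter Server Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.117.7
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.117.254
   DNS Servers . . . . . . . . . . . : 192.168.117.7
   Primary WINS Server . . . . . . . : 192.168.117.7
"""


def parse_ipconfig(text):
    """Return {section: {field: [values]}} for ipconfig /all text.

    Unindented lines start a section; indented 'Name . . : value' lines are
    fields; an indented line with no colon continues the previous field (that is
    how ipconfig prints a second DNS server). IPv6 values, which contain colons,
    are not handled here (assumption: IPv4-only output, as in the thread).
    """
    sections, current, last_field = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip().rstrip(":")
            sections[current], last_field = {}, None
        elif current is None:
            continue
        elif ":" in raw:
            name, value = raw.split(":", 1)
            last_field = name.strip(" .")
            sections[current].setdefault(last_field, [])
            if value.strip():
                sections[current][last_field].append(value.strip())
        elif last_field is not None:
            sections[current][last_field].append(raw.strip())
    return sections


def audit_sbs_network(sections, lan_net="192.168.117.0/24"):
    """Apply the thread's checks; returns a list of human-readable findings."""
    net = ipaddress.ip_network(lan_net)  # assumed LAN range from the thread
    findings = []
    for name, fields in sections.items():
        ips = fields.get("IP Address", [])
        if name.startswith("Ethernet adapter"):
            if len(ips) != 1:  # Jeff: the LAN NIC should carry ONE address
                findings.append(f"{name}: {len(ips)} addresses bound; SBS expects one")
            for dns in fields.get("DNS Servers", []):
                if ipaddress.ip_address(dns) not in net:  # ISP resolver on the NIC
                    findings.append(f"{name}: DNS server {dns} is outside {net}; "
                                    "move it to the CEICW forwarder setting")
                elif dns not in ips:
                    findings.append(f"{name}: DNS server {dns} is not this server")
            for wins in fields.get("Primary WINS Server", []):
                if wins not in ips:
                    findings.append(f"{name}: WINS server {wins} is not this server")
        elif name.startswith("PPP adapter"):
            # Dial-in clients must get a LAN address or they cannot reach the
            # internal DNS server; the /32 mask on this adapter is normal.
            for ip in ips:
                if ipaddress.ip_address(ip) not in net:
                    findings.append(f"{name}: dial-in address {ip} is outside {net}")
    return findings


if __name__ == "__main__":
    for finding in audit_sbs_network(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("FINDING:", finding)
```

Run against Tom's posted output the checker reports two findings (three addresses on the LAN NIC, and 151.164.1.7 listed as a DNS server outside the LAN); against the corrected "after" sample it reports none. Paste the real `ipconfig /all` output into `SAMPLE_IPCONFIG` to check another SBS box.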
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Sorry, I missed what you said about the server holding 3 web sites... while it's not recommended to have PUBLIC web sites on your SBS (because it's a domain controller, and pretty much the heart of your network), you wouldn't want to use separate internal IP addresses for these sites... instead, you should use host headers which will read the actual URL that is requested and direct it to the appropriate site.

The how-to for that is here:  http://support.microsoft.com/kb/324287

But really you should consider putting a separate machine in a DMZ (Demilitarized Zone -- outside your actual LAN and directly open to the Internet).  This would be the more secure way to configure things.  

Also --- you mentioned that you set up remote users manually in Active Directory, etc.  You should use the Mobile User Template for these users... with SBS you should ALWAYS use the wizards which are provided.  So for mobile users... to change their settings, use the Change User Permissions wizard and select the Mobile template (selecting the option to REPLACE instead of append).


Jeff
TechSoEasy
0
 
Keith Alabaster commented:
Nothing dumb about being just a Programmer Tommy. No one is an expert in everything :)

Keith
0
 
Tommy_Joe (Author) commented:
Jeff... Thank you for your time and links.  I will use the external NIC to separate the subnets.  

I'm not thrilled with running the websites out of the server that runs everything else either.  However my company is a small margin company, and the funds for a separate DMZ are not available yet.  As soon as they are, I'll put it in play.  

I could take it out, but if I can add one more layer of security that would be better.  So I'll reconfigure the network and firewall for two cards.  (Honey.. I'll be late tonight.)

Keith...  That's true...  Frankly, I think I'm better at woodworking.  [smile]

Tom  
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
FYI, you can run websites quite well on a 1.5GHz or so Pentium III running Windows XP Pro and IIS 6.0 depending on the type of web sites they are. The more complex the more processing power you'd need... but if they are data driven, you can keep the data elsewhere as well.

So, if you have an old PC lying around this is its shining moment!

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
And, isn't it usually... "Honey, I'll be leaving in 20 minutes, right after this last reboot..."?
0
 
Tommy_Joe (Author) commented:
The recent upgrades allowed us to trash Pentium 166 PCs with 95/98 and servers on NT4 with the same platform.  So no PIII, sadly.  I'll just keep bugging my boss about it.  (Maybe he'll use his credit card. [smile])

20 Minutes after the last reboot... LOL

Tom
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Well, you can find a decent 2.0GHz P4 with XP Pro on Ebay for about $300.00.  The truth of the matter is that if you got hacked... it'd cost a ton more... that's what the boss needs to understand.

Good Luck!

Jeff
TechSoEasy
0
 
Tommy_Joe (Author) commented:
I'll start looking for something like that.  

I do have another quick question for you.  I'm starting to plan this out and I'm thinking, in regards to email and websites, should I use the new external address as the mapping configs in my router/firewall?  Right now if something comes in one of my public IPs the firewall routes it (after security checks) to the server IP address.  For this to work, I'm thinking I have to use the external address in the router to get website calls and emails, and leave out the internal address.  (Kind of have to, anyway.)  Am I right, or am I missing something?  

Thank you for your time.  
Tom
0
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
No, there is no need at all to use an external IP address on your SBS... you are basically double NATting it. http://sbsurl.com/twonics has a diagram and overview of the recommended configuration.

Jeff
TechSoEasy
0