geeksinsneaks

2003 small business server - Routing and Remote Access Setup

I am setting up 2003 Small Business Server in my test lab. I want to enable routing and remote access. Right now it has a local IP of 192.168.1.7. We have a Linksys router as well. My server has one NIC card. I know I can set up VPN access to the server either through:

1. Network connections -> create new connection -> Advanced connection->check the radio box to accept incoming connections.
or
2. Configure routing and remote access. I have to click the custom configuration radio button. All the others require me to have two NIC cards. So I do custom, then check the VPN check box, and then finish.


I have a couple questions.

1. Which VPN connection should I use? Create new connection to allow remote access, or configure the Routing and Remote Access?
2. What ports do I open up on my Linksys router? I thought it was 1723, but it doesn't seem to do anything. On a client outside our network I tried creating a VPN connection with the external IP of our Linksys. I get the login box coming up with the username and password, but nothing works. It keeps saying no answer. Is there any configuration I need to do on the VPN server here? Let me know if there is any other information you need. I'm sure I am leaving something out. Thank you all.

Adam
grsteed

On the Linksys do you have PPTP passthrough enabled?   This allows the GRE Protocol (#47, not port 47) along with port 1723. Depending on the model router, check in Advanced, Filters, or Security, VPN.

Is this in an Active Directory Domain or Workgroup environment? If it's a Domain, I believe it requires an additional Group that is set up when you use the RASS snap-in.

Cheers,

Gary
geeksinsneaks (ASKER)

PPTP Passthrough is enabled on the linksys. This Server is set up as Active Directory Domain. It really doesn't need to be because some of the clients at this site are using XP home. When I set up this 2003 Small business server I just went through with the default settings. I am hoping to eventually get everyone at this site on XP pro and active directory soon for security reasons. All they really need this for now is for a file server, accessing when they are home, and an invoicing application that runs on the server.

Where do I set the group for the RASS snap-in?

And does it matter which VPN schema I use (Routing and Remote Access, or just allowing remote access under Network Places)? I want the simplest approach, as there will only be a couple of clients connecting here and there.

Thanks!

Adam
Darn,  I was hoping it was the PPTP passthrough that was the problem.  

I haven't set up the server side of a VPN recently and don't have access to one to test with.

Maybe someone else can comment.

Gary
Keith Alabaster
Are you running ISA server on the SBS box?
geeksinsneaks,

The problem is that you are using Standard Server 2003 configuration procedures for an SBS.  You can't do that.  You need to use the wizards!

Since SBS is a pre-configured server environment, and has elements and roles that you would never combine on a single Standard Server 2003, the wizards make sure that you keep everything configured properly and don't break one SBS part to fix another.

See http://sbsurl.com/itpro for an overview of SBS and its gotchas.  Once you understand the design of SBS you'll like the wizards (which are really just GUI scripts).

So... to configure the VPN/RRAS run the Configure Email and Internet Connection Wizard (CEICW) followed by the Configure Remote Access Wizard.  I mention here that you should run the CEICW because it will auto-configure your Linksys Router if you have UPnP enabled on it.

For an overview of this please see http://sbsurl.com/ceicw and http://sbsurl.com/msicw

Then, the Configure Remote Access Wizard will create a special SBS VPN client which can be downloaded remotely from Remote Web Workplace, or you can just copy it to a USB drive or floppy.... you'll find it at http://localhost/Remote/sbspackage.exe on your server after you run the wizard.

Jeff
TechSoEasy
FYI, when you said that the server really doesn't need to be set up as Active Directory Domain, you should know that you can't install an SBS any other way.

Jeff
TechSoEasy
Thanks Jeff! I will look into this and get back to you.

Adam
Also, does each client machine that will connect through VPN need a client access license? The computer I was using to test the VPN connection is a Windows 2003 Server at another location.
No... not if your CALs were added as USER CALs (the most common way to add).  However if they are DEVICE CALs then you would need one.  Are these people who only work remotely?

Jeff
TechSoEasy
Well, I purchased this server with 5 CALs included. Do I still need to add these after I install Windows? During the Windows install, I did per user. The people who will need to VPN in work in the office, but some have laptops and will need to connect to get files when they are home.
What do you mean after you install Windows?  You mean SBS?  There is no option on the first 5 CALs, they are either/or.  How many people are in your company?  You will need a CAL for each one.

Basically User CALs are all that's necessary.  If a user logs in at their desktop and then via VPN it only takes one CAL.  However, I should note that users who have a desktop at the office (not laptops) should not use VPN, they should use Remote Web Workplace.  (http://sbsurl.com/rww) This will allow them to work directly on their desktop machine as if they were at their desk in the office.

The VPN client is really only for Laptop users.  See http://sbsurl.com/mobile for the complete mobility overview.

Jeff
TechSoEasy
There are only 5 at this client's site. I went through the wizards, and created the Connection Manager file to download to the clients. This can't connect. Under the log I am getting this:

******************************************************************
      Operating System      : Windows NT 5.1 Service Pack 2
      Dialer Version        : 7.2.2600.2180
      Connection Name       : Connect to Small Business Server
      All Users/Single User : Single User
      Start Date/Time       : 6/8/2006, 16:52:03
******************************************************************
      Module Name, Time, Log ID, Log Item Name, Other Info
      For Connection Type, 0=dial-up, 1=VPN, 2=VPN over dial-up
******************************************************************
[cmdial32]      16:52:03      03      Pre-Init Event      CallingProcess = C:\WINDOWS\Explorer.EXE
[cmdial32]      16:52:19      04      Pre-Connect Event      ConnectionType = 1
[cmdial32]      16:52:19      06      Pre-Tunnel Event      UserName = administrator Domain = CENTRATEL DUNSetting = Connect to Small Business Server Tunnel DeviceName =  TunnelAddress = dc-centratel.Centratel.local
[cmdial32]      16:52:19      20      On-Error Event      ErrorCode = 800 ErrorSource = RAS
[cmdial32]      16:52:25      06      Pre-Tunnel Event      UserName = administrator Domain = CENTRATEL DUNSetting = Connect to Small Business Server Tunnel DeviceName =  TunnelAddress = dc-centratel.Centratel.local
[cmdial32]      16:52:25      20      On-Error Event      ErrorCode = 800 ErrorSource = RAS
[cmdial32]      16:52:28      19      On-Cancel Event
[cmdial32]      16:52:35      04      Pre-Connect Event      ConnectionType = 1
[cmdial32]      16:52:35      06      Pre-Tunnel Event      UserName = remote Domain = CENTRATEL DUNSetting = Connect to Small Business Server Tunnel DeviceName =  TunnelAddress = dc-centratel.Centratel.local
[cmdial32]      16:52:35      20      On-Error Event      ErrorCode = 800 ErrorSource = RAS
[cmdial32]      16:52:39      19      On-Cancel Event
Where are you connecting from?  This looks like the IP Address subnet of the router at the remote location is the same as that of your SBS's.

Try to connect to the VPN from within the LAN first.  That will tell you if you have the server configured properly.  Then, if you can't connect from outside it would most likely be a router issue.

Jeff
TechSoEasy
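The Connection Manager log Adam posted is easier to read once each attempt is pulled out as one record. The following is an added example (not from the thread, and not part of the SBS Connection Manager): a small parser for the cmdial32 event lines that pairs each Pre-Tunnel event with the RAS error that follows it. SAMPLE_LOG is the posted log trimmed to the event lines; the text for RAS error 800 is the standard RAS message. The `needs_internal_dns` check is an assumption of mine worth verifying on any client that fails this way: the tunnel target here is a name under the AD DNS suffix, so a client pointed at outside DNS servers cannot resolve it.

```python
"""Summarise VPN attempts from a Connection Manager (cmdial32) log."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Event lines copied from the log posted in the thread.
SAMPLE_LOG = """\
[cmdial32]      16:52:19      04      Pre-Connect Event      ConnectionType = 1
[cmdial32]      16:52:19      06      Pre-Tunnel Event      UserName = administrator Domain = CENTRATEL DUNSetting = Connect to Small Business Server Tunnel DeviceName =  TunnelAddress = dc-centratel.Centratel.local
[cmdial32]      16:52:19      20      On-Error Event      ErrorCode = 800 ErrorSource = RAS
[cmdial32]      16:52:25      06      Pre-Tunnel Event      UserName = administrator Domain = CENTRATEL DUNSetting = Connect to Small Business Server Tunnel DeviceName =  TunnelAddress = dc-centratel.Centratel.local
[cmdial32]      16:52:25      20      On-Error Event      ErrorCode = 800 ErrorSource = RAS
[cmdial32]      16:52:28      19      On-Cancel Event
[cmdial32]      16:52:35      04      Pre-Connect Event      ConnectionType = 1
[cmdial32]      16:52:35      06      Pre-Tunnel Event      UserName = remote Domain = CENTRATEL DUNSetting = Connect to Small Business Server Tunnel DeviceName =  TunnelAddress = dc-centratel.Centratel.local
[cmdial32]      16:52:35      20      On-Error Event      ErrorCode = 800 ErrorSource = RAS
[cmdial32]      16:52:39      19      On-Cancel Event
"""

# Layout per the log header: module, time, log id, item name, other info.
LINE_RE = re.compile(
    r"^\[(?P<module>[^\]]+)\]\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<id>\d+)\s+"
    r"(?P<name>[A-Za-z-]+ Event)\s*(?P<info>.*)$")
# "Key = value" pairs; a value runs until the next " Key = " or end of line,
# so DUNSetting keeps its spaces and an empty DeviceName stays empty.
KV_RE = re.compile(r"(\w+) = (.*?)(?=\s+\w+ = |$)")

# Standard RAS message; only the code seen in the posted log is listed.
RAS_ERRORS = {800: "Unable to establish the VPN connection. The VPN server may be "
                   "unreachable, or security parameters may not be configured properly"}


@dataclass
class Attempt:
    time: str
    user: str
    domain: str
    tunnel_address: str
    error_code: Optional[int] = None
    cancelled: bool = False

    def tunnel_is_hostname(self) -> bool:
        """True when the client must resolve a name before it can reach the server."""
        return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", self.tunnel_address) is None


def parse_attempts(text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m["info"]))
        if m["name"] == "Pre-Tunnel Event":
            current = Attempt(m["time"], fields.get("UserName", ""),
                              fields.get("Domain", ""), fields.get("TunnelAddress", ""))
            attempts.append(current)
        elif m["name"] == "On-Error Event" and current is not None:
            current.error_code = int(fields.get("ErrorCode", "0"))
        elif m["name"] == "On-Cancel Event" and current is not None:
            current.cancelled = True
            current = None
    return attempts


def needs_internal_dns(attempt: Attempt, internal_suffix: str) -> bool:
    """Assumption: a tunnel address under the AD suffix resolves only via the domain's DNS."""
    return (attempt.tunnel_is_hostname()
            and attempt.tunnel_address.lower().endswith(internal_suffix.lower()))


def summarize(attempts: List[Attempt]) -> List[str]:
    out = []
    for a in attempts:
        err = (RAS_ERRORS.get(a.error_code, f"RAS error {a.error_code}")
               if a.error_code else "connected")
        out.append(f"{a.time} {a.domain}\\{a.user} -> {a.tunnel_address}: {err}")
    return out


if __name__ == "__main__":
    parsed = parse_attempts(SAMPLE_LOG)
    for line in summarize(parsed):
        print(line)
    if parsed and needs_internal_dns(parsed[0], "Centratel.local"):
        print("tunnel target is an internal DNS name; check the client's DNS servers")
```

Run it against a saved log file by swapping SAMPLE_LOG for the file's contents; the summary shows at a glance whether every attempt died with the same RAS code before any tunnel was established, which is the pattern in the posted log.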
This was trying to connect within the LAN. Sorry for not specifying that.
Please post a complete IPCONFIG /ALL from your server as well as a sample workstation on the LAN.

Thanks.

Jeff
TechSoEasy
Server

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc-centratel
   Primary Dns Suffix  . . . . . . . : Centratel.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Centratel.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-13-72-1B-5B-FF
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.107
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.107
   Primary WINS Server . . . . . . . : 192.168.1.107



Workstation on LAN
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\adam>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : awelch
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : tampabay.rr.com

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : tampabay.rr.com
        Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection
        Physical Address. . . . . . . . . : 00-08-02-1F-92-C8
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 65.32.5.74
                                            65.32.5.75
        Lease Obtained. . . . . . . . . . : Friday, June 09, 2006 1:03:29 PM
        Lease Expires . . . . . . . . . . : Saturday, June 10, 2006 1:03:29 PM


Now I just have my PC set up as a workgroup PC and not on any domain. Do I need to change this?
You need to move the DHCP service from your router to the SBS.  That way your workstations will not have external DNS servers or DNS suffixes and will instead resolve through your server as is necessary on an SBS network.

So, disable DHCP on the router.  Reinstall the DHCP Service on the Server and then rerun the Configure Email and Internet Connection Wizard to allow your SBS's DHCP service to re-enable itself.  

Then, I have to question how you joined your workstation to the domain to begin with... because with that configuration you couldn't possibly have used the required method of http://<servername>/connectcomputer.  You will need to correct this in order to be able to have the workstations be configured properly.

Please follow these steps to correct:

The following needs to be done with the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Ensure that DHCP is enabled and there are  no manually configured network settings
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with its NEW name using the Add Computer wizard

Then, go back to the client machine and join the domain by opening Internet Explorer and navigating to http://servername/connectcomputer

Jeff
TechSoEasy
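Jeff's diagnosis can be turned into a repeatable check: on an SBS network a workstation's DHCP server and DNS server should both be the SBS, and the DNS suffix should be the domain, not the ISP's. The following is an added example, not code from the thread or from SBS: a parser for `ipconfig /all` output and a checker that flags the conditions Jeff names. WORKSTATION_IPCONFIG is Adam's posted workstation dump (abridged); SERVER_IP and DOMAIN_SUFFIX come from the server dump; GOOD_IPCONFIG is a constructed example of what the same workstation should look like once DHCP has moved to the server.

```python
"""Check ipconfig /all output from a workstation against SBS expectations."""
import re
from typing import Dict, List

SERVER_IP = "192.168.1.107"        # from the server's ipconfig /all above
DOMAIN_SUFFIX = "Centratel.local"  # Primary Dns Suffix on the server

# Abridged from the workstation dump posted in the thread.
WORKSTATION_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : awelch
        Primary Dns Suffix  . . . . . . . :
        DNS Suffix Search List. . . . . . : tampabay.rr.com

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : tampabay.rr.com
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 65.32.5.74
                                            65.32.5.75
"""

# Constructed: the same workstation after DHCP is served by the SBS.
GOOD_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : awelch
        Primary Dns Suffix  . . . . . . . : Centratel.local

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : Centratel.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.105
        DHCP Server . . . . . . . . . . . : 192.168.1.107
        DNS Servers . . . . . . . . . . . : 192.168.1.107
"""

# "Key . . . : value"; the key is lazy so the dot leader is not part of it.
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z /()-]*?)[ .]*: ?(?P<val>.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict]:
    """Return {"host": {key: [values]}, "adapters": {name: {key: [values]}}}."""
    result: Dict[str, Dict] = {"host": {}, "adapters": {}}
    section = result["host"]
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" ") and line.endswith(":"):  # adapter heading
            section = {}
            result["adapters"][line[:-1]] = section
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m["key"].strip().lower()
            section.setdefault(last_key, [])
            if m["val"]:
                section[last_key].append(m["val"].strip())
        elif last_key:  # indented continuation, e.g. a second DNS server
            section[last_key].append(line.strip())
    return result


def check_workstation(cfg: Dict[str, Dict], server_ip: str = SERVER_IP,
                      domain_suffix: str = DOMAIN_SUFFIX) -> List[str]:
    """List every deviation from 'the SBS is the DHCP and DNS server for this domain'."""
    findings = []
    host = cfg["host"]
    if host.get("primary dns suffix", []) != [domain_suffix]:
        findings.append(f"host: primary DNS suffix {host.get('primary dns suffix') or '(empty)'} "
                        f"is not {domain_suffix}")
    for name, ad in cfg["adapters"].items():
        if ad.get("dhcp enabled") != ["Yes"]:
            findings.append(f"{name}: DHCP is not enabled (settings configured by hand)")
        if ad.get("dhcp server", []) != [server_ip]:
            findings.append(f"{name}: DHCP server {ad.get('dhcp server')} is not the SBS")
        if ad.get("dns servers", []) != [server_ip]:
            findings.append(f"{name}: DNS servers {ad.get('dns servers')} are not the SBS")
        if ad.get("connection-specific dns suffix", []) not in ([], [domain_suffix]):
            findings.append(f"{name}: DNS suffix {ad['connection-specific dns suffix']} "
                            f"is not {domain_suffix}")
    return findings


if __name__ == "__main__":
    for label, dump in (("posted", WORKSTATION_IPCONFIG), ("corrected", GOOD_IPCONFIG)):
        print(label, check_workstation(parse_ipconfig(dump)) or ["OK"])
```

The posted dump produces four findings (empty primary suffix, router as DHCP server, ISP DNS servers, ISP suffix), all of which the move of DHCP onto the SBS clears; the constructed corrected dump produces none.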
My workstation is not on any domain. Like I stated, it is just part of a workgroup at this point. I didn't think this would matter, as some of my client's workstations at the site will have XP Home. I didn't think you could join an XP Home computer to a domain.
You're right you can't join XP Home to a domain.  If they have SBS, then they should upgrade their workstations to XP Pro because otherwise you really lose most of the functionality of having SBS.

But let me try to at least sort out what you're trying to do by connecting within the LAN with a computer that isn't a member of the domain.

Have you run the "Configure Remote Access Wizard" yet?

When you are connecting to the VPN from within the LAN, did you create a new VPN connection and use 192.168.1.107 as the address to connect to?

Jeff
TechSoEasy
Correct. Hopefully they will be upgrading to XP Pro soon. As for now they just basically need a share for files, to run an application off the server, and to connect remotely from home to access files. I was trying to connect to the local IP of 192.168.1.107 when getting that error. I have run the Configure Remote Access Wizard. I will try running it again. Maybe there was something I missed. I'll let you know how it goes. Thanks!

Adam
Run it again, and then grab the updated Small Business Server Connection Manager from the RWW website or just directly from the link I provided above.

The problem with not having XP Pro is that when users want to connect from home, they can't use Remote Web Workplace to connect to their office desktop machines since XP Home doesn't support remote access.  This would make it rather cumbersome to synchronize files if they are also working from a home computer.  I'd suggest that shared files be set up in SharePoint (http://companyweb) if you want to at least give them some semblance of order.

Jeff
TechSoEasy
OK. I removed DHCP from my router and re-ran the Configure Email and Internet on the SBS. It asked me if I wished to have Small Business Server configure the router for me for SBS to run properly. I clicked yes to that. It gave me an error when trying to configure the firewall. I clicked yes to continue configuring everything else.

Now from my client machine here: I am still on a workgroup and not a domain. Do I need to be on the domain for me to connect? If I go to http://dc-centratel now, which is the Small Business Server from within my LAN, I get to the homepage, with the welcome screen etc. When I click on the network configuration wizard, the next screen has the "Connect to the network now" link. I click on that and get a blank white screen.

However, if I click on the "Remote Web Workplace" on the welcome screen, I do get to the SBS login page, where I can then log in to the server.

Isn't there a way I can just set something up so the clients can VPN into the server, just by using a basic VPN and not the Remote Web Workplace, and then once VPN'd in, can just connect to the share on the server?

Thanks

Adam
Also, users will still be able to access this SBS having XP Home right?
You need to go and find out what the error was, you'll find the log at C:\Program Files\Microsoft Windows Small Business Server\Support\icwlog.txt

If people are connecting from their home computers you really do not want them using VPN because then you are connecting computers which are not controlled to your network... which means that viruses can EASILY transmit across the VPN to the server, and then you have no data for them to connect to at all.

But even so... what I had recommended above was for you to go to the Remote Web Workplace main menu and get the VPN Client... you stopped at the login screen for RWW... how about going beyond that to see what RWW really is.

Jeff
TechSoEasy

Gotcha. I'll give it a try. Sorry, I'm pretty new at this Small Business Server stuff. Also, I do not see any DHCP stuff under Administrative Tools. And if I go under Routing and Remote Access, there is nothing configured there. Is this OK?

Adam
Here is the log:

6/12/2006 9:36 PM
C:\Program Files\Microsoft Windows Small Business Server\Networking\ICW\wizemail.dll, version 5.2.2893.0
calling CEmailCommit::ValidatePropertyBag ().
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6e50c).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x16863c0, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling CValidatePropertyUtil.ValidatePropertyInteger ().
Call to CValidatePropertyUtil.ValidatePropertyInteger () returned ok.
Call to CEMailCommit::ValidatePropertyBag () returned ok.
calling CNetCommit::Commit (23618496).
calling CNetCommit::ValidatePropertyBag ().
Call to Querying for the property bag () returned ok.
Property bag is not dirty, skipping validation
calling CNetCommit::Common ().
calling CNetCommit::GetLanNicInfo ().
LAN NIC Guid: {E412D402-891B-4F36-9F04-0496DD07794A}
Call to Converting LAN NIC Guid () returned ok.
Call to Getting IP address for the LAN NIC () returned ok.
Call to Reading in the LAN NIC info () returned ok.
Call to Fixing the TCP/IP NIC Binding order () returned ok.
DNS server is installed and not disabled
Call to Changing startup type for DNS () returned ok.
Call to Clearing DNS server entries on the LAN NIC () returned ok.
Call to Setting DNS server IP for the LAN NIC () returned ok.
Call to Resetting DNS recursion timeout () returned ok.
Call to Resetting client dns query timouts in config.dat () returned ok.
Call to DsGetDcName for local domain name () returned ok.
Call to Disabling RRAS routing () returned ok.
calling CNetCommit::DoRouter ().
Call to Clearing the default gateway on the LAN NIC () returned ok.
Call to Setting default gateway on the LAN NIC () returned ok.
Call to Setting DNS forwarders () returned ok.
Call to Preparing DNS for DNS listener reset () returned ok.
Call to Resetting DNS listeners () returned ok.
URL to the router is http://192.168.1.1
Call to Adding routers IP address to the intranet zone () returned ok.
Call to CNetCommit::DoRouter () returned ok.
Call to Configuring for router connection () returned ok.
calling ConfigureIE ().
calling SetInternetOptions ((null), (null), (null)).
calling InternetSetOptionA (NULL, INTERNET_OPTION_PER_CONNECTION_OPTION).
Call to InternetSetOptionA () returned ok.
Call to SetInternetOptions () returned ok.
calling InternetSetOption_AutodialConnection ().
Call to InternetSetOption_AutodialConnection () returned ok.
calling InternetSetOption_AutodialMode (4).
Call to InternetSetOption_AutodialMode () returned ok.
calling InternetSetOption_DisableAutodial (0).
Call to InternetSetOption_DisableAutodial () returned ok.
Call to ConfigureIE () returned ok.
Call to Configuring IE for router connection () returned ok.
Call to Notifying client setup for Default gateway as the router () returned ok.
calling RegisterMSBOExchangeBP (0).
Error 0x1 returned from call to RegisterMSBOExchangeBP().
Call to Unregistering the smtp sink () returned ok.
Call to GetLocalDomainName () returned ok.
Call to Reading in the local domain name () returned ok.
Local Domain Name is: Centratel.local
Call to Enabling secure dynamic DNS updates () returned ok.
Call to Disabling RoundRobin for DNS server () returned ok.
Call to Configuring the DHCP server on the UPnP device () returned ok.
Call to Disabling the RASUTO service () returned ok.
Call to Configuring w32time parameters for fulltime () returned ok.
Call to Configuring the time service () returned ok.
Call to Notifying RWW for ISA () returned ok.
Call to CNetCommit::Common () returned ok.
Call to CNetCommit::Commit () returned ok.
calling CRFireCommit::CommitEx (0x16863c0).
calling CRFireCommit::ValidatePropertyBag (0x16863c0).
Upnp URL is http://192.168.1.1:2869/IGatewayDeviceDescDoc
Call to Initializing Upnp Device () returned ok.
Error 0x1 returned from call to HttpGetDeviceXML().
Error 0x80004005 returned from call to GetServiceConfigURL for WANPPPConnection().
Call to GetServiceConfigURL for WANIPConnection () returned ok.
Router supports WANIPConnection
Service config URL http://192.168.1.1:2869/WANIPConnCtrlUrl
Call to Reading web publishing selection () returned ok.
Call to Reading OWA publishing selection () returned ok.
Call to Reading RUP publishing selection () returned ok.
Call to Reading Monitoring publishing selection () returned ok.
Call to Reading OMA publishing selection () returned ok.
Call to Reading RPC publishing selection () returned ok.
Call to Reading Companyweb publishing selection () returned ok.
Call to Reading ROOT publishing selection () returned ok.
Web publishing selections:
OWA publishing: 0
RUP publishing: 1
Monitoring publishing: 1
OMA publishing: 0
RPC publishing: 0
Companyweb publishing: 1
ROOT publishing: 1
Call to CRFireCommit::ValidatePropertyBag () returned ok.
DeleteAllPortMappings 0
AddUpnpPortMapping with TCP 25 returned 0x80004005
Error 0x80004005 returned from call to CreateUpnpPortMappings().
Signaling upnp config failure
Error 0x80004005 returned from call to CRFireCommit::Commit().
Calling CCertCommit::CommitEx
Calling CCertCommit::ValidatePropertyBag
Require SSL for OWA: 1
Require SSL for Remote Portal: 1
Require SSL for Monitoring: 0
Require SSL for OMA: 0
Require SSL for CompanyWeb: 0
Require 128 Bit Encryption: 1
Cert selection: -1
CCertCommit::ValidatePropertyBag returned OK
Opening the cert store returned OK
Reading the computer name returned OK
Reading the fully qualified server name returned OK
CCertCommit::EnableSSL returned OK
CCertCommit::RequireSSL returned OK
CCertCommit::NotifyRemoteUserPortal returned OK
Reading the Internet Server Name returned OK
OMA is not published, will not update the server name
Sending RUP intro mail returned OK
CCertCommit::SaveUserSelections returned OK
CCertCommit::CommitEx returned OK
calling CEmailCommit::Commit (0x258340).
calling CEmailCommit::ValidatePropertyBag ().
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6e488).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x16863c0, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling CValidatePropertyUtil.ValidatePropertyInteger ().
Call to CValidatePropertyUtil.ValidatePropertyInteger () returned ok.
Call to CEMailCommit::ValidatePropertyBag () returned ok.
calling pdispPPPBag->QueryInterface (IPropertyPagePropertyBag, 0x6e4f4).
Call to pdispPPPBag->QueryInterface () returned ok.
calling ReadInt4 (0x16863c0, DB5E5E45-3598-4F1D-8FF7-0ED35B9EB6A4).
Call to ReadInt4 () returned ok.
The out param of ReadInt4() is -1.
calling GetDomainAndControllerNames ().
Call to GetDomainAndControllerNames () returned ok.
calling GetOrganizationName (\\dc-centratel.Centratel.local, DC=Centratel,DC=local).
Call to GetOrganizationName () returned ok.
calling GetFirstAdministrativeGroup (\\dc-centratel.Centratel.local, DC=Centratel,DC=local, CENTRATEL).
Call to GetFirstAdministrativeGroup () returned ok.
calling GetFirstRoutingGroup (\\dc-centratel.Centratel.local, DC=Centratel,DC=local, CENTRATEL, first administrative group).
Call to GetFirstRoutingGroup () returned ok.
Call to SetCookieAuthentication () returned ok.
Call to Enabling Wireless admin for OMA () returned ok.
Call to Getting NETBIOS domain name () returned ok.
NETBIOS domain name: CENTRATEL
Call to Enabling NTLM on /public () returned ok.
calling CommitPOP3 (0x16863c0).
Call to CommitPOP3 () returned ok.
calling _SetRegInt4Value (HKEY_LOCAL_MACHINE, SOFTWARE\Microsoft\SmallBusinessServer\Connectivity\ICW, Last_MailOption_Exchange, -1).
Ignoring return value from call to _SetRegInt4Value().
Call to CEMailCommit::Commit () returned ok.
calling GetBOConnector ().
Error 0x80072030 returned from call to GetBOConnector().


As for going into Remote Web Workplace further, I can remote into the server OK. So this will be the better way of having them connect, I am assuming. Also, about the DHCP not showing up under Admin Tools: is this OK?
Remoting into the server and RWW are two completely different things, and NO it's NOT a better way of having them connect.  You should NEVER allow users to access the server desktop.  Plus, SBS2003 does not support Terminal Services in Application Mode... RDP is only for administrative purposes.

So, go to http://dc-centratel/Remote and log in to see what RWW is all about.

Also, it is NOT okay that DHCP is not showing up under Admin Tools... that's what's probably causing your CEICW errors as well.  You need to reinstall it, so open Help & Support on the SBS and search for "Installing a DHCP server" to get the detailed instructions on how to do this.

Finally, you may benefit from watching the TechNet SBS On Demand Web Seminar:  http://sbsurl.com/seminar

Jeff
TechSoEasy
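Jeff points Adam at icwlog.txt for the CEICW error. The posted log carries two things worth pulling out automatically: every failed call (`Error 0x... returned from call to X()`, including the UPnP port-mapping failure for TCP 25 that made the wizard report a firewall error), and the web publishing selections set against the "Require SSL" choices, which show which published sites the wizard was about to expose without requiring SSL. The following is an added example, not code from the thread or from the SBS wizards; SAMPLE_ICWLOG is excerpted from the log posted above, and the mapping between the "RUP publishing" and "Require SSL for Remote Portal" names is my assumption from how the two sections line up.

```python
"""Extract failed calls and published-without-SSL sites from an SBS icwlog.txt."""
import re
from typing import Dict, List, Tuple

# Excerpt of the CEICW log posted in the thread.
SAMPLE_ICWLOG = """\
Call to Configuring the DHCP server on the UPnP device () returned ok.
calling RegisterMSBOExchangeBP (0).
Error 0x1 returned from call to RegisterMSBOExchangeBP().
Upnp URL is http://192.168.1.1:2869/IGatewayDeviceDescDoc
Error 0x1 returned from call to HttpGetDeviceXML().
Error 0x80004005 returned from call to GetServiceConfigURL for WANPPPConnection().
Router supports WANIPConnection
Web publishing selections:
OWA publishing: 0
RUP publishing: 1
Monitoring publishing: 1
OMA publishing: 0
RPC publishing: 0
Companyweb publishing: 1
ROOT publishing: 1
DeleteAllPortMappings 0
AddUpnpPortMapping with TCP 25 returned 0x80004005
Error 0x80004005 returned from call to CreateUpnpPortMappings().
Signaling upnp config failure
Error 0x80004005 returned from call to CRFireCommit::Commit().
Require SSL for OWA: 1
Require SSL for Remote Portal: 1
Require SSL for Monitoring: 0
Require SSL for OMA: 0
Require SSL for CompanyWeb: 0
Require 128 Bit Encryption: 1
Error 0x80072030 returned from call to GetBOConnector().
"""

ERROR_RE = re.compile(r"^Error (0x[0-9A-Fa-f]+) returned from call to (.+?)\(\)\.$")
PUBLISH_RE = re.compile(r"^(\w+) publishing: ([01])$")
SSL_RE = re.compile(r"^Require SSL for ([\w ]+): ([01])$")
PORTMAP_RE = re.compile(r"^AddUpnpPortMapping with (TCP|UDP) (\d+) returned (0x[0-9A-Fa-f]+)$")

# Assumption: the publishing section says "RUP" where the SSL section says "Remote Portal".
PUBLISH_TO_SSL = {"rup": "remote portal"}


def parse_icwlog(text: str) -> Dict:
    parsed: Dict = {"errors": [], "published": {}, "require_ssl": {}, "portmaps": []}
    for line in text.splitlines():
        line = line.strip()
        if m := ERROR_RE.match(line):
            parsed["errors"].append((m[2], m[1]))          # (call name, HRESULT)
        elif m := PUBLISH_RE.match(line):
            parsed["published"][m[1].lower()] = m[2] == "1"
        elif m := SSL_RE.match(line):
            parsed["require_ssl"][m[1].lower()] = m[2] == "1"
        elif m := PORTMAP_RE.match(line):
            parsed["portmaps"].append((m[1], int(m[2]), m[3]))
    return parsed


def failed_calls(parsed: Dict) -> List[Tuple[str, str]]:
    return list(parsed["errors"])


def failed_portmaps(parsed: Dict) -> List[Tuple[str, int, str]]:
    """UPnP mappings the router refused; these are the ports the wizard could not open."""
    return [(proto, port, code) for proto, port, code in parsed["portmaps"]
            if code.lower() not in ("0", "0x0")]


def published_without_ssl(parsed: Dict) -> List[str]:
    """Sites selected for Internet publishing whose 'Require SSL' switch is off."""
    out = []
    for site, is_published in parsed["published"].items():
        ssl_name = PUBLISH_TO_SSL.get(site, site)
        if is_published and parsed["require_ssl"].get(ssl_name) is False:
            out.append(site)
    return sorted(out)


if __name__ == "__main__":
    p = parse_icwlog(SAMPLE_ICWLOG)
    for call, code in failed_calls(p):
        print(f"failed: {call} -> {code}")
    print("refused port mappings:", failed_portmaps(p))
    print("published without SSL:", published_without_ssl(p))
```

On the posted log this reports the TCP 25 mapping the router refused (the CRFireCommit failure Adam saw as the firewall error) and two published sites, Monitoring and CompanyWeb, with Require SSL off; both are choices made on the wizard's web services and certificate pages, so they are worth a second look before the wizard is re-run.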
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
OK. I will do the re-install. I did run everything in the To-Do list. However, I believe I did run the updates prior to this. I will let you know how it goes after the re-install. Thanks
OK. A quick question. I re-installed the SBS. I am at the To Do List now. I read the Security Practices. The next item on the list is Connect to the Internet. I went through the wizard, put in my ISP's DNS entries, and created a certificate. Right after it finished, I get a pop-up saying that I should connect to the Internet and install the latest critical updates. Should I do this now, or wait till I'm done with the To Do List? Thanks

Adam
No, do not install any updates until you are done with the list.

Jeff
TechSoEasy
Thank you Jeff for all your help. Things are working OK at the moment here at the site.