Solved

Connection to SBS server from remote site with Hardware VPN tunnel

Posted on 2006-06-20 | 1,576 Views | Last Modified: 2009-11-24
I am attempting to get workstations connected to a SBS server over a VPN tunnel. I have read several articles that detail the limitations of SBS2003 and the encouragement to use the wizards. I have tried that and still having difficulties. Below are the specific questions at hand.

- When I connect to \\servername\remote and download the remote connection manager all seems well. The extraction process stops with the following error "Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file."  I have manually copied the file to multiple workstations with the same error. I removed the sbspackage.exe file today and recreated it using the RRAS wizard and the error persists. The screen behind the error shows the file it is extracting is advpack.dll.

- All of the PCs that I am installing this on are members of the domain and worked at the main site. Will this cause connection problems? Should I remove them from the domain and then re-join via the VPN connection?

- If I have a site-to-site hardware VPN can I connect to the internal IP address of the server for the VPN client? This would eliminate unauthorized users from getting to the server via the external IP address.

Any help is appreciated.
PLaw
Question by: plawCNE

19 Comments

Expert Comment by: fruhj

First let me say I haven't got answers to each question you asked - I hope other experts will add comments too...

What kind of VPN do you have now - do you control both ends of it?

I had similar problems - we had a cheap VPN router in the office connected to a Cisco at a client site. The tunnel worked (our router showed it was up) but the boxes on the Cisco end could not connect to the SBS box (they could ping it!).

We fixed that by taking over both ends - with both VPN routers the same, things seemed to work better.
Also I noticed that I was NOT able to run the MS VPN inside our hardware-created tunnel. I don't know why this was, as I didn't need it; I just know I tried and it didn't work.

Lastly, if you're using hardware routers to do your VPN, have a CLOSE look at your DNS and WINS settings at the REMOTE machine.
Mine were set to the remote router, and my remote PC couldn't do anything with the SBS box.
That all cleared up when I set the SBS server to be the remote server's DNS and WINS server (ideally your remote router would let you do this via DHCP, but many don't).

Again I don't have answers to everything, hopefully others can fill in.

Expert Comment by: mickinoz2005

Ok, not sure exactly what you are trying to do, but...

I assume you have a router-to-router VPN established - as long as you don't have any firewall rules over this VPN you should be able to do everything over it. (There will be exceptions, so let's try to clarify these.)

On the remote side do you have a server etc.?

What do you want to do with the SBS server from the remote site?

What is the connection speed between the two sites?

Fruhj - you cannot create a VPN tunnel inside a tunnel: A, it makes no sense, and B, you are doubling encryption.


Michael

Author Comment by: plawCNE

Hope this helps....
"What kind of VPN do you have now - do you control both ends of it?"   DSL Internet at both ends using Cisco routers. I control both sides and routers. Main site has a 1.1Mb pipe and the remote is 768k.

"have a CLOSE look at your DNS and WINS settings at the REMOTE"    On the remote side the SBS is the DNS and WINS server. I can 'browse' the network in that I can see the names of PCs. I can ping across the tunnel to devices on either side of the VPN. I cannot access the file shares or log in to the domain.

"On the remote side do you have a server etc.."   No server, only 2 workstations at this point.

"What do you want to do with the sbs server from the remote site."  I need the users at the remote site to log in to the domain, access file shares, log in to Exchange and run a Citrix app. I can run apps over the hardware tunnel (i.e. open a browser window on IP-configured devices like printers). This works in both directions, from the main office to the remote and from the remote to the main office.


PLEASE READ THE FIRST QUESTION POSTED ABOVE REGARDING SBSPACKAGE.DLL   I believe that if I can resolve why that package is corrupt I can resolve most of the other issues that I am having.

Thanks for your help and comments.
PLaw

Expert Comment by: mickinoz2005

Is your SBS using two NICs and the SBS firewall, or just one NIC?

Do you have firewall rules linked to the VPN connection?

Can you ping the SBS server by name rather than IP address?
When you attempt to open shares on the SBS server do you use the name or IP, and what error do you get?

Have you checked your firewall logs after you attempt to open shares to see if anything is blocking it?

Michael

Expert Comment by: Jeffrey Kane - TechSoEasy

This is really the flaw in your thinking/design:

>>>>"If I have a site-to-site hardware VPN can I connect to the internal IP address of the server for the VPN client? This would eliminate unauthorized users from getting to the server via the external IP address"

The answer is no, that won't allow you to connect to the internal IP address of the server, and it has nothing at all to do with eliminating unauthorized users from getting to the server via the external IP address... your external IP would still be accessible to the Internet... assuming you want to keep getting email at the very least.

With only two workstations, I really wouldn't use a VPN Tunnel... if you want these computers to be members of the domain, then just follow the how-to here:
http://www.smallbizserver.net/Default.aspx?tabid=266&ArticleType=ArticleView&ArticleID=83&PageID=89

You have to use that workaround because you otherwise can't use the /connectcomputer wizard over a VPN connection.  Alternatively, if you can physically connect your workstations to the SBS and then deliver them to the remote location, you could join them to the network beforehand.

Then, instead of using the SBS Connection Manager, create a manual VPN connection, and then when you log on remotely, you can select "log on using dial-up connection" which is actually not just for dial-up... and then connect to the LAN before actually logging in.

This is how I have my home computers connected to my office and it works just great.

Overview of other options:  http://sbsurl.com/multiserver

Jeff
TechSoEasy

Expert Comment by: mickinoz2005

Jeff,

Why could he not just join them to the domain and then ship them to the remote site and use the hardware tunnel to log onto the domain? Assuming his firewall is not blocking any traffic, there is no reason he could not log onto the domain.

However, if he is using the SBS in the 2-NIC config then it will get very, very messy.

I think the hardware VPN is a lot safer than using SBS as your VPN server; it would be a lot more secure as there is no client intervention, plus it means you can monitor all traffic going across it at your routers.

Michael

Expert Comment by: Jeffrey Kane - TechSoEasy

Yes, they can configure and ship... I mentioned that option.

Your thought of using the hardware VPN is certainly possible... whether it's safer or not is up for debate.  You can configure SBS to use IPSec instead of PPTP if that's preferable... but all of that depends on the user requirements and their tolerance level for security issues.

But I was really just speaking to his premise about how the tunnel would work and what KIND of security it would provide... neither of which were accurate.

As for monitoring traffic, the direct VPN connections can always be monitored as well... no advantage there.

Jeff
TechSoEasy

Expert Comment by: mickinoz2005

Yeah, but direct VPNs from a workstation would be encrypted traffic to a router and therefore cannot be monitored at the router level, which means you cannot control the sorts of traffic going across the VPN, whereas with the router-level VPN you can restrict down to ports and protocols if required, as the tunnel starts at the router.

Again, all depending on the level of security the company requires.

Just on that also, if he has a PC on the remote side of the VPN and he can ping the server by name and DNS is functioning across the VPN, what is to stop him just adding that PC to the domain using just My Computer / Computer Name / Network wizard? Can he do that?

Michael

Expert Comment by: Jeffrey Kane - TechSoEasy

There's nothing stopping him from connecting the computer that way, but the SBS method of connecting a computer is with http://<servername>/connectcomputer, and that will NOT work across a VPN.

If you want to see all that this does, please go to http://sbsurl.com/connectcomputer.  Not using it would result in limited availability of SBS's features and resources.

The workaround I linked to above would accomplish SOME of those items, but not all.  

Jeff
TechSoEasy

Author Comment by: plawCNE

Jeff & Michael..... THANKS!!! to both of you for your excellent comments and advice. It appears that in my attempts to resolve this I have taken too many paths and not finished any of them. I want to find the most effective way to connect the office. The initial 2 clients is only a starting point, there will be more. I will answer some of your speculations and hope that you can help develop a plan of resolution.

Local LAN 192.168.1.x     Server 192.168.1.100   Only one NIC
  2 workstations were installed and operating on the LAN as members of the domain. I moved them to the new remote subnet connected via the hardware VPN tunnel.
Remote LAN 192.168.3.x
  On the remote network DHCP is being handled by the router. It is handing out DNS1 as the SBS server, DNS2 as the ISP server for the DSL, and WINS as the SBS server. I can log in using a domain account on the remote computer... it is painfully slow... I assume using cached credentials. When I try to open a share using Windows Explorer I get a message that security settings are preventing me from making this connection. If I go to a prompt the shares are mapped but I cannot do a directory listing.
  On the server I have created a zone in DNS for the 192.168.3 subnet. I do not see any log file that details what errors are preventing the previously mentioned connection from being completed.
OPTION 1 - Can I find the security settings and allow the stations to participate on the SBS network as they did on the local LAN? This would utilize the existing hardware VPN and eliminate needing to install additional workstation software.


I read a post by Jeff that led me to think that using the hardware VPN tunnel was very troublesome and so I tried to use the software VPN within SBS. All computers that I tried to install the remote connection software on failed. All are members of the domain, I think that is the problem. I installed the VPN software on a pc yesterday that was not in the domain and it installed correctly. I could not connect because of incorrect settings when I ran the RRAS wizard.
OPTION 2 - Can I remove the computers in the remote office from the domain and then install the VPN software and connect them back?

Which option should I pursue? Or should I go with a different option that I have not mentioned? Security is a HIGH priority for this client as I have HIPAA issues to keep in mind with one application.

Thanks in advance for all your help.
PLaw
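The two things worth verifying before changing anything else are the ones Michael asked about earlier (does the server name resolve, and what happens when you open shares by name versus by IP) and the DNS setup PLaw has just described. The diagnostic below is an added example, not code from this thread: run on a remote workstation, it resolves the server name, compares the answer with the internal address the tunnel should deliver (192.168.1.100 is the address given in the thread; the name "sbsserver" is an assumption), then TCP-connects to the ports a domain member needs on its domain controller. Handing out the ISP resolver as DNS2 to a domain member is a problem in its own right: Windows falls back to it whenever the first resolver is slow or unreachable, it has no answer for the AD SRV records, and the result is exactly the intermittent slow logon and share failures described.

```python
"""Readiness check for a domain member that reaches its DC across a
site-to-site tunnel.

Added example, not from the thread. The server name "sbsserver" is an
assumption; the internal address 192.168.1.100 is the one PLaw gave.
"""
import socket
from typing import Callable, Dict, List

# TCP ports a domain member must reach on the DC for logon, GPO and shares.
# Not exhaustive: UDP (Kerberos, LDAP ping, NetBIOS name) and the RPC
# dynamic range cannot be checked with a plain TCP connect.
REQUIRED_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session (SMB)",
    389: "LDAP",
    445: "SMB direct",
    3268: "Global Catalog",
}


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes; filtered or refused -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(server_name: str, expected_ip: str,
             resolve: Callable[[str], str] = socket.gethostbyname,
             probe: Callable[[str, int], bool] = tcp_probe) -> Dict:
    """Check name resolution and port reachability. resolve/probe are
    injectable so the logic can be exercised without a live tunnel."""
    report: Dict = {"resolved_ip": None, "resolution_ok": False,
                    "blocked": [], "ok": False}
    try:
        report["resolved_ip"] = resolve(server_name)
    except OSError:
        pass  # NXDOMAIN, or no resolver reachable at all
    # A domain member must get the tunnel-side internal address. An answer
    # from the ISP resolver listed as DNS2 is wrong or missing, and AD SRV
    # lookups sent there fail the same way.
    report["resolution_ok"] = report["resolved_ip"] == expected_ip
    # Probe the expected address directly so the port results stay
    # meaningful even when resolution is broken.
    report["blocked"] = [p for p in REQUIRED_TCP_PORTS
                         if not probe(expected_ip, p)]
    report["ok"] = report["resolution_ok"] and not report["blocked"]
    return report


def explain(report: Dict, expected_ip: str) -> List[str]:
    """Turn a report into the next actions a practitioner would take."""
    lines: List[str] = []
    if not report["resolution_ok"]:
        lines.append(f"name resolves to {report['resolved_ip']}, expected "
                     f"{expected_ip}: point the workstation's DNS only at the "
                     "SBS server and remove the ISP resolver from the list")
    for port in report["blocked"]:
        lines.append(f"TCP {port} ({REQUIRED_TCP_PORTS[port]}) blocked: open "
                     "it in the tunnel ACLs on both routers")
    if not lines:
        lines.append("name resolution and all required ports look good")
    return lines


if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "sbsserver"
    ip = sys.argv[2] if len(sys.argv) > 2 else "192.168.1.100"
    rep = diagnose(name, ip)
    print("\n".join(explain(rep, ip)))
    sys.exit(0 if rep["ok"] else 1)
```

Exit status 0 means the name resolved to the internal address and every listed TCP port completed a handshake through the tunnel. UDP and the RPC dynamic port range are not covered, and GRE (IP protocol 47, which PPTP needs) cannot be tested with a TCP connect at all.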

Expert Comment by: mickinoz2005

Hi there,

I think, to be honest, if it was me doing this I would be looking at Terminal Services or something like that. With the connection speed you are using, the obvious need to access shares etc., and the fact you are doing this over DSL, I would think Terminal Services and locally logged-in PCs would be sufficient; it would also give you faster operating speeds on the clients and fewer things to manage on the remote side. Having done a VPN before over DSL and then tried what you are doing, the speed was terrible, really terrible, and the client jumped up and down and said it was useless; we had highlighted this prior, though. They finally went to Terminal Services and at least then, when the line was working, they could function at proper speeds. However, note that in Ireland DSL has no SLA applied to it and therefore one minute it is working fast, the next slow - in the end on that site we got a leased line and then all our troubles went away.

So again, to summarise, I think Terminal Services is the way to go with this. I know you may think "more money, can't spend it", but you will find that the money is well spent, as your client will not tolerate DSL VPN speeds for opening documents or accessing DB applications.

Michael

Accepted Solution by: Jeffrey Kane - TechSoEasy (earned 500 total points)

Okay, you're still going off in lots of directions... partially because you are making some assumptions that aren't really very close to what's happening... such as thinking to remove the computers from the domain.... there is no basis for that.  Also, there are really NO settings to make in the Remote Access Configuration Wizard other than selecting how to connect (dial-in or VPN).

Let's start with your initial question, now that I have reread it and looked back over this thread.  The advpack.dll is actually a known issue (unknown to me until a few minutes ago).  There is a recommended workaround for it by following these steps as posted to a public newsgroup by Microsoft Support:

1. Extract advpack.dll and cmstp.exe from SBS CD1
        expand CD1\i386\advpack.dl_ advpack.dll
        expand CD1\i386\cmstp.ex_ cmstp.exe

*** NOTE *** I've uploaded these files for you so you don't have to get them off of the SBS CD:
              https://filedb.experts-exchange.com/incoming/ee-stuff/239-SBS_RRAS_ERROR.zip

2. Reboot the server to Safe Mode.
3. Put the new advpack.dll and cmstp.exe to System32 and System32\dllcache folder.
4. Boot back to normal mode.
5. Delete Inetpub\Remote\SBSPackage.exe and ClientApps\Connection Manager\SBSPackage.exe
6. Server Management Console, To Do List, run Configure Remote Access.
7. Download and install the new SBSPackage.exe again.

So, let's just try to fix that first and see what happens.  You do need to have GRE Protocol 47 enabled on your routers as well... this is not port 47, it's usually labeled as VPN Passthrough (especially in Linksys routers).

Regarding the security issue... the standard SBS VPN which uses PPTP is HIPAA compliant.  There are certainly arguments as to the level of security that PPTP provides, but if you are looking to meet compliance, there are no issues with this.  A bigger issue would be the control and management of the workstations (including having them be in a secure location).  With the SBS VPN, you will be able to easily manage these workstations and enforce group policies as needed as long as they remain members of the domain.

Jeff
TechSoEasy
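A caveat on the fix above, added here and not part of the answer: steps 2 and 3 replace protected system files, and the zip linked in the note is hosted away from the SBS media. Expand the two files from SBS CD1 yourself (the `expand` commands in step 1) and treat any downloaded copy as suspect until it matches that reference byte for byte. The checker below is example code, not from the thread: it confirms a candidate is a 32-bit PE image and that its SHA-256 equals the CD-expanded reference. The `minimal_pe` helper fabricates a tiny stand-in image so the functions can be exercised without the CD; the file paths in the usage line are assumptions.

```python
"""Verify a replacement system file against the copy expanded from the SBS CD.

Added example, not part of the original answer. Generalises the advpack.dll /
cmstp.exe step: any candidate must be a valid i386 PE image whose SHA-256
matches the reference you expanded from CD1 yourself.
"""
import hashlib
import struct
from typing import Optional, Tuple

IMAGE_FILE_MACHINE_I386 = 0x14C  # SBS 2003 ships x86 binaries only


def pe_machine(data: bytes) -> Optional[int]:
    """Return the COFF Machine field, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_replacement(candidate: bytes, reference: bytes) -> Tuple[bool, str]:
    """Accept the candidate only if it is an i386 PE identical to the reference."""
    machine = pe_machine(candidate)
    if machine is None:
        return False, "candidate is not a PE image"
    if machine != IMAGE_FILE_MACHINE_I386:
        return False, f"candidate machine 0x{machine:x} is not i386"
    if sha256_hex(candidate) != sha256_hex(reference):
        return False, "candidate does not match the CD reference"
    return True, "candidate matches the CD reference"


def minimal_pe(machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed stand-in: the smallest byte string pe_machine() accepts.
    Not a loadable binary; used only to exercise the checks offline."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # PE header starts right after
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine) + bytes(18)


if __name__ == "__main__":
    import sys
    # Assumed paths: python check_replacement.py downloaded\advpack.dll cd_expanded\advpack.dll
    with open(sys.argv[1], "rb") as f:
        cand = f.read()
    with open(sys.argv[2], "rb") as f:
        ref = f.read()
    ok, why = check_replacement(cand, ref)
    print(why)
    sys.exit(0 if ok else 1)
```

Run it once per file (advpack.dll, then cmstp.exe) before step 3. If the downloaded copy fails the comparison, use the CD-expanded file and discard the download; the procedure only needs the files to be the versions on the media.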

Expert Comment by: Jeffrey Kane - TechSoEasy

Y'know.... Michael, your comment reminded me that I left out one piece here...

Once we got a bit more info... there was a mention of a Citrix application.  I'm not sure what your plans are for this PLaw, but you can't run that on the SBS.  SBS2003 does not allow Terminal Services in Application Mode... and further you can't run Citrix on an SBS.  You would need to run a separate Server 2003 for this.  If you already have one in place, then you would not use Terminal Services in the traditional manner... instead remote users connect through Remote Web Workplace and then click the link to "Connect to my company's application server" (see http://sbsurl.com/rww and http://sbsurl.com/sbstss)

If this is the case, please advise because then you wouldn't use VPN, you would do everything through RWW and then configure Outlook for RPC over HTTPS.

Jeff
TechSoEasy

Author Comment by: plawCNE

OK.... more clarification.

"Also, there are really NO settings to make in the Remote Access Configuration Wizard other than selecting how to connect (dial-in or VPN)."  I set the web address in the RRAS wizard to the internal IP address. Therefore when I downloaded the sbspackage to another PC and installed it the connection is looking for 192.168..... my mistake in thought process from earlier.

"there was a mention of a Citrix application. " We actually have a member server in the domain. It is running one app that is only supported for remote users using Citrix. I have published the application using Citrix so the users can launch the app without getting a desktop experience. (.... we have a second remote site that I have not mentioned to keep the water clear... it is connected via T1 and the users there can login to the sbs domain, use the shares, run Outlook and connect to the Citrix app. I added this site in AD and created the subnet in DNS and all worked well at that site. I attempted to use the same logic for the vpn site but ran into the 'Security settings....' message. )

"Okay, you're still going off in lots of directions"  Jeff... I see 2 directions use the hardware VPN or use the SBS software VPN. If this is incorrect let me know. I am trying to determine which direction is most effective. I was using the logic that was mentioned above by Michael "Why could he not just join them to the domain and then ship them to remote site and use the hardware tunnel to log onto the domain, assuming his firewall not blocking any traffic there is no reason he could not log onto the domain."  When I got the security messages I found posts that lead me to try the sbs software vpn.

It may take some time to attempt the steps described above to fix the advpack problem. I will need to schedule time to reboot the server. Before attempting that, is there a similar solution or steps to resolve the hardware vpn security issues? If so I would like to try that first for my own knowledge.

I do appreciate all of your assistance.
Thanks,  PLaw

Expert Comment by: Jeffrey Kane - TechSoEasy

Ah... well, setting the VPN Server Name to the INTERNAL IP address is something I wouldn't have thought of... so, yes, you are right that it could never work that way.

If you want to stay with a hardware VPN solution, then the other question I would have is, "do you have an extra static IP address at the main office?".  If so, then your best bet would be to put the branch office on a ROUTED subnet.  A description of this solution is here:

http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx

You'll note that it involves some discussion about ISA, which I don't think you mentioned that you are using... but that doesn't matter... the solution works just fine without ISA.

Jeff
TechSoEasy

 
Author Comment by: plawCNE

Jeff,
  Thanks for the link.... I read and think that I understand. Do I need to change anything on the client or server to correct the security message from before? I will try this today or tomorrow and let you know.

Thanks again,
PLaw

Expert Comment by: Jeffrey Kane - TechSoEasy

No, if the VPN client never installed.  If it did, just delete it from Network Connections.

Jeff
TechSoEasy

Author Comment by: plawCNE

Jeff,
  Just wanted to send a followup comment.  I accepted the answer posted above with the instructions to correct the advpack.dll. What you described worked and corrected the original post that I made regarding how to download and install the remote connection manager. I am able to download and install that app now. However I still cannot get the VPN connection working. I get an Event ErrorCode = 800 ErrorSource = RAS on the remote when I try to connect.

   I had hoped to attempt the multiple IP hardware solution as well, but time is limited.

Thanks again for all your insight.
PLaw

Expert Comment by: Jeffrey Kane - TechSoEasy

for error 800:  http://support.microsoft.com/kb/319108

Jeff
TechSoEasy