Solved

VPN Setup with Server 2003

Posted on 2006-10-29
Last Modified: 2008-01-09
I would like to set up a new VPN using a VPN-gateway-capable router. We currently have a static IP and Server 2003 in the office where the VPN endpoint will be.

I would like to use a router and equipment I can buy at a retail location. Is there equipment that sets up more easily than others, or that someone can walk me through the setup of?

I have never done this before. We would like to have a network data file from the HQ location available at another office location using our broadband connection, like a mapped network drive. Both locations have high-speed internet. The remote location will only consist of one user using XP Professional.

I'm familiar with Remote Desktop Connection, but I'm not familiar with the setup of the router or whether there's a necessary setup on the server.

I currently have a Xincom XC-DPG603 (Twin WAN DNS-to-IP VPN Gateway) if someone is familiar with it, but I am not against getting another piece of equipment if it's easier or more easily managed. I don't know anything about the Xincom, so I'm not much help there.

I appreciate any help. Thanks.
Question by: MKSKCS

18 Comments

Accepted Solution by: Rob Williams (earned 500 total points)
Looks like you have a couple of options as it is now, without adding equipment. You can make the Server 2003 machine the VPN endpoint as you have indicated above, by enabling and configuring RRAS (Routing and Remote Access Service), and forwarding the VPN traffic to it using the router. The other option is to use the XC-DPG603 router as the VPN gateway and connect directly to it. This has slightly better performance and security, but I am afraid I am not familiar with that unit and cannot therefore help configure it. Likely they supply a VPN client to use in conjunction with it, and you configure the router and client with matching IP and policy information. As for using the server as the VPN endpoint, have a look at the following instructions:
The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, the following link should be similar to your unit:
http://www.portforward.com/english/routers/port_forwarding/Xincom/Xincom-502/Point-to-Point_Tunneling_Protocol.htm
The only other thing to remember is the subnet you use at the remote office needs to be different from the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x.

Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name. Using the IP address is less problematic, such as \\192.168.1.111\ShareName. If you want to resolve NetBIOS names we can elaborate on how to "fix" that, if it is not working properly.

Author Comment by: MKSKCS
Opinion - would it be easier to set up with something other than the Xincom? I'm inheriting the equipment so I don't know much about it.

Expert Comment by: Rob Williams
The Xincom looks like a good unit, but I am not familiar with it. If you can set up the port forwarding with it, the setting up of the Windows VPN above is actually fairly straightforward if you follow the directions supplied. I know there are a lot of steps, but it's not bad.

The simplest VPN to set up is probably the Linksys RV042 with its QuickVPN client. However, although I have never had a problem with it, a lot of others seem to have difficulty getting it to work from some sites. The RV042 runs about $200 US.

Author Comment by: MKSKCS
RobWill - I just want to make sure I have this correct...I apologize for the simplicity....

1. Enable the server as RRAS to give clients IP addresses
2. Ensure that clients are allowed access in AD
3. Forward port 1723 on the router to the server
4. Set up the client config on XP Pro with Add New Network Connection (username and password for the connection are set in AD)
5. Ensure that the client and server networks are on 2 different subnets


Did I miss anything? I feel like it can't be this easy.  

Expert Comment by: Rob Williams
Doing a little digging, the Xincom looks like a great unit. I have never come across them before.
You can find specific port forwarding information at:
http://www.xincom.com/support/Port_Forwarding.pdf
Should you want to set up a VPN to connect directly to the Xincom the following is very detailed, but there is quite a bit of configuring with this method if you are not familiar with it:
http://www.xincom.com/support/twr_user_guide/Chapter_5/

Expert Comment by: Rob Williams
>>"I apologize for the simplicity...."
Don't apologize. VPNs seem fairly complex the first time you set one up, but once you have done one or two, yes, they are that simple. Your steps look perfect.
The one thing not mentioned is allowing the GRE protocol to pass. I looked at your router manual, which does not look complete, and I couldn't find where to enable this. It is usually called "PPTP pass-through" or "VPN pass-through", though on numerous routers it is enabled by default. If there is a problem, when you try to connect you will probably get a 721 error. Just watch for it in the router configuration.
Also, your router's WAN/Internet interface should have a true public IP, not a private one such as 192.168.x.x, 10.x.x.x, or 172.16.x.x. Most do, but if not, you may need to put your modem in bridge mode.
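The constraints Rob lists across this thread (distinct subnets at each end, a real public IP on the router's WAN side, TCP 1723 forwarded to the server, and GRE allowed through via PPTP pass-through) as a small configuration checker. This is an added example, not from the thread or any vendor tool; the addresses and the port-forward table are constructed.

```python
import ipaddress

# Private ranges the thread names: 10.x.x.x, 172.16.x.x, 192.168.x.x (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True when addr is private, i.e. a modem in front of the router is doing NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_pptp_site(office_lan, remote_lan, wan_ip, server_ip, forwards, pptp_passthrough):
    """Return problem codes for a PPTP site; an empty list means the basics look right.

    forwards is the router's port-forward table as (proto, port, target_ip) tuples.
    GRE (IP protocol 47) has no port, so it can never appear in that table; only
    the pass-through flag covers it. That is why a TCP 1723 port test can pass
    while the client still fails with error 721.
    """
    problems = []
    office = ipaddress.ip_network(office_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    if office.overlaps(remote):
        problems.append("SUBNET_OVERLAP")      # client cannot tell local hosts from tunnel
    if is_rfc1918(wan_ip):
        problems.append("WAN_IP_PRIVATE")      # modem is NATing: put it in bridge mode
    if ipaddress.ip_address(server_ip) not in office:
        problems.append("SERVER_NOT_IN_LAN")   # forward target must be on the office LAN
    rules = {(proto.lower(), int(port), target) for proto, port, target in forwards}
    if ("tcp", 1723, server_ip) not in rules:
        problems.append("NO_1723_FORWARD")     # PPTP control channel never reaches the server
    if not pptp_passthrough:
        problems.append("GRE_BLOCKED")         # the error 721 case
    return problems


# Constructed sample site (a documentation-range WAN address stands in for a public IP).
GOOD = dict(office_lan="192.168.1.0/24", remote_lan="192.168.2.0/24",
            wan_ip="198.51.100.7", server_ip="192.168.1.111",
            forwards=[("TCP", 1723, "192.168.1.111"), ("TCP", 3389, "192.168.1.111")],
            pptp_passthrough=True)

if __name__ == "__main__":
    print(check_pptp_site(**GOOD))
    print(check_pptp_site(**dict(GOOD, remote_lan="192.168.1.0/24", pptp_passthrough=False)))
```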

Author Comment by: MKSKCS
Excellent.  I'll try it tomorrow / Tuesday and let you know.  Thanks.  I appreciate your help and speedy answers.

Expert Comment by: Rob Williams
Very welcome. Good luck with it.
--Rob

Author Comment by: MKSKCS
OK, I kinda scratched using the Xincom at the moment, only because I'm home and I'm on a roll configuring what I have, which is a Linksys WRT54GX. Problem is, I've enabled the PPTP Pass-Through (enabled by default) and I've set up port forwarding for port 1723 to the server. I've set the server up and am dialing in from a different subnet, but I'm getting a 721 error. Any ideas?

Expert Comment by: Rob Williams
A 721 error usually indicates GRE is being blocked. "PPTP pass-through" should allow GRE, so perhaps it is being blocked somewhere else. First verify the basic forwarding is working by logging onto the server, connecting to http://www.canyouseeme.org and testing for port 1723. If that is OK, and it likely is, then check if the modem supports PPTP and so does your ISP. Some do not. Also, does the WRT54GX have a true public IP assigned to its WAN port? If not, you may need to put the modem in bridge mode.

Author Comment by: MKSKCS
Ok, I went to the site you suggested and tested port 1723 and it says it's not being blocked by the ISP.  The router does have a true (70.x.x.x) public IP address.  

Author Comment by: MKSKCS
I've also checked in Active Directory and under the Dial In, I've made sure the "allow access" is checked.  From the client, I get all the way to "verifying username and password" then it bombs on me.  I've tried from two different machines, 2 different locations, 2 different subnets.  :-(

Expert Comment by: Rob Williams
I can almost guarantee it is GRE. The "canyouseeme" test checks for port 1723, but not GRE protocol. If you want to do a specific test, Microsoft has a pair of test tools pptpsrv and pptpclnt which are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Log onto the client or VPN server machine and connect to the other with Remote Desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and they should show as received if GRE is able to pass. The server is then supposed to respond and the client indicates received, but I have never had that part work. The one direction, client to server, is usually enough to test.

Following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx

Author Comment by: MKSKCS
OK, for argument's sake, let's say it is GRE...we're using BellSouth business static IP and I'm sure they aren't blocking...so what would be the next step? I'm checking the firmware on the router now and will check out the tools you mentioned.

Expert Comment by: Rob Williams
Your router should support GRE; you might want to look into the modem, and don't rule out the ISP. Some ISPs offer their own VPN services and therefore block some VPN traffic. Also verify that any software firewalls, such as the Windows Firewall, ZoneAlarm, McAfee or Symantec security suites, are disabled as a test. Symantec's newer virus software has a feature called Internet Worm Protection that sometimes blocks VPN traffic.

One other thing, make sure your DHCP options are configured for your VPN clients. Compare your configuration with:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm

Author Comment by: MKSKCS
It looks like the firmware resolves a PPTP issue so I'm going to try that....standby.

Author Comment by: MKSKCS
That worked!  It was a firmware issue.  I should've checked that first.  I'm only able to browse the network by IP and even when I do, I have to enter username and password info, but I think most of that will iron itself out...right? Thanks again for the help.  

Expert Comment by: Rob Williams
Glad it worked out. You will always have to enter your Windows credentials (user name and password) the first time you access a resource after the VPN connects, but only the once; as for browsing by IP, there are ways to work around that. NetBIOS names are not, as a rule, broadcast over a VPN. Using a WINS server, the LMHosts file, or IP addresses will allow you to function. I'll list below some of the "workarounds" for name resolution.
Thanks MKSKCS ,
--Rob

1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as \\123.123.123.123\ShareName, or map a drive at a command prompt using:
Net Use U: \\123.123.123.123\ShareName
2) An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below:
192.168.0.101      CompName       #PRE
Hit Enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotation marks, like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding the LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true
The drawback of the LMHosts file is you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP-assigned IPs it is not a feasible option. Thus, in order to be able to use computer names dynamically, try to enable some of the following options:
3) If you have a WINS server, add that to the network card's configuration.
4) Also, under the WINS configuration on the network adapter, make sure NetBIOS over TCP/IP is selected.
5) Try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration.
6) Verify your router does not have a "block NetBIOS broadcast" option enabled.
7) Test if you can connect with the full computer and domain name, as \\ComputerName.domain.local. If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [right-click virtual adapter | Properties | TCP/IP Properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add].
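Item 2 above describes the LMHosts format. As an added example (not from Rob's answer or from Microsoft's tooling), here is a parser that applies those rules, including the #PRE and #DOM: keywords and the trailing-Enter requirement, on a constructed sample file; the names and addresses in it are made up.

```python
import ipaddress

# Constructed LMHosts content (not a real file); the real one lives at
# c:\Windows\System32\Drivers\Etc\LMHosts with no extension.
SAMPLE_LMHOSTS = """\
# Comments start with '#'. #PRE and #DOM: are keywords, not comments.
192.168.1.111    FILESERVER     #PRE
192.168.1.10     DC1            #PRE   #DOM:OFFICE
192.168.1.50     PRINTSRV       # plain trailing comment, no preload
# 192.168.1.99   OLDBOX         #PRE   whole line commented out
"""


def parse_lmhosts(text):
    """Return {NAME: {"ip", "preload", "domain"}}: '#PRE' marks the entry for preloading
    into the NetBIOS name cache, '#DOM:<x>' ties it to a domain, any other '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or whole-line comment
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed LMHosts line: {raw!r}")
        ip, name = parts[0], parts[1].upper()  # NetBIOS names are case-insensitive
        ipaddress.ip_address(ip)              # raises ValueError on a bad address
        if len(name) > 15:
            raise ValueError(f"NetBIOS name longer than 15 characters: {name}")
        preload, domain = False, None
        for tok in parts[2:]:
            if tok.upper() == "#PRE":
                preload = True
            elif tok.upper().startswith("#DOM:"):
                domain = tok[5:].upper()
            elif tok.startswith("#"):
                break                         # ordinary comment: ignore the rest
        entries[name] = {"ip": ip, "preload": preload, "domain": domain}
    return entries


def resolve(entries, name):
    """Look a name up the way the resolver consults LMHosts: case-insensitively."""
    rec = entries.get(name.upper())
    return rec["ip"] if rec else None


def last_line_terminated(text):
    """Rob's 'hit Enter when each line is complete' rule, checked mechanically."""
    return text.endswith("\n")
```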