Solved

Need assistance with Windows 2003 domain controller / Netgear FVS318 VPN router setup?

Posted on 2007-03-28
20
536 Views
Last Modified: 2012-06-21
I'm attempting to migrate the VPN access from a Windows 2000 Server to a Windows 2003 Server. Unfortunately, I can't access the Netgear FVS318 VPN router, which was installed prior to my working at this job, and nobody knows the password. I don't want to reset the router yet (the only way to reset the password and regain access to the config), until I get a better idea of how the router should be set up.

Here's how the current network is configured:
T1/DSL modem --> FVS318 router/firewall --> 24-port hub --> Windows 2000 Server/Primary Domain Controller --> workstations/printers, etc.

The FVS318 has a fixed WAN IP assigned by our ISP, with an internal LAN IP of 192.168.254.1. It's used as the default gateway within the network. The Win2k server has a fixed IP of 192.168.254.3, and provides DHCP IP addresses to the internal network in the range of 192.168.254.5 to 192.168.254.50. In addition, we have a mail server behind the firewall/router with an IP of 192.168.254.200. The Win2k server is set up as a Primary Domain Controller and requires everyone on the LAN to log in with a username and password to access the file server. FWIW, I noticed the Win2k server does NOT have VPN/Routing enabled, but my boss claims he can access the network remotely.

My boss claims to access the network remotely using the built-in Windows XP VPN client, not the Netgear client (which we don't have).

I'm a little confused on how access is being given. I'm thinking the router, which allows six simultaneous connections, is set with a username and password combination to allow the boss access, and is not being authenticated by the domain server. I would prefer to set the router to do a passthrough and authenticate users with the regular username/password combination they use at their LAN desktops.

I have the Win 2003 Server up and running (with all the settings duplicated from the Win2k server, including domain users and groups), everything else is working fine, but when I disconnect the Win2k server and connect the Win2003 server, the boss cannot get into the server.

Any assistance/direction you give me would be helpful. BTW, I purchased a new Netgear FVS114 VPN router with the intention of testing the settings/being able to switch back to the old router quickly to minimize network interruptions, so I have that available to test without resetting the current router.

Sherm
0
Question by:sstevens69
20 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18808551
I assume you tried the factory defaults on the Netgear?
User Name:  admin
Password:    password  (earliest units were 1234)

I am skeptical that the Netgear is running the VPN. Though it is possible to set it up with the Windows client using L2TP, it is very difficult to do so. The Netgear is intended to be used with the ProSafe, or similar VPN client. Also when you change servers, your "boss" should still be able to connect to the network if the VPN were established with the Netgear.

You mention "the Win2k server does NOT have VPN/Routing enabled". Do you mean RRAS is not enabled, or routing within RRAS is not enabled? The VPN can be enabled without the latter. Also the VPN server does not necessarily have to be that server. It could be on another, or a Windows workstation, though a workstation has limited capabilities.
One way you might also verify is by logging on to the existing Win2K server and going to
http://www.canyouseeme.org and test for port 1743. If it passes that should indicate the VPN port is open, on the Netgear, and forwarded to the windows server, which would be the VPN end point if using a Windows VPN PPTP connection.
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18808635
Okay, I'm bumping up the point value to generate some interest in this question. Anyone care to assist?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18808670
Thought I did  <G>
--Rob
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18808770
RobWill -

Here's what I'm seeing in the 'Routing and Remote Access' panel in the existing 2000 server:
Routing and Remote Access
    Server Status  -- stopped (unconfigured)

I'm assuming the RRAS service is not running, that's why I'm deducing the router is doing all the work.

What I can't get a straight answer on from my boss is what client he's running from his home.  I doubt he's running the Netgear client. Either way, I'd like to set the new router up to do passthru to the Win2k3 server if possible, so he and others can use the default windows client.

I did try  'admin/password' and 1,000 other passwords that are frequently used in this company, to no avail.

Sherm
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18808791
RobWill -- sorry, your response came thru about the same time I upgraded the point value. Either way, if you assist, I'll give you the points!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18808841
>>"Routing and Remote Access
    Server Status  -- stopped "
That pretty well guarantees that server is not the VPN endpoint.
You had mentioned a mail server. It could be on that. It's difficult to narrow down the configuration without knowing the client type, if Windows the protocol (L2TP or PPTP), and or the router configuration.

Does Canyouseeme shed any light ?

You could install your FVS114 and configure it and the server for VPN access and not worry about the existing configuration. If you need a hand with that, glad to provide details.
Keep in mind that although not as easy to configure, and you have to buy the client, the Netgear VPN is a little more secure and efficient.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18808855
>>"sorry, your response ..."
Just missed your second too <G> Not a problem at all I was just giving you a hard time.
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18808976
>>You could install your FVS114 and configure it and the server for VPN access and not worry about the existing configuration. If you need a hand with that, glad to provide details.

Let's go with this one.

I have already done some preliminary setup on the FVS114:
• Set the WAN IP to the IP supplied by the ISP
• Disabled DHCP on the router
• Set the internal network IP address to 192.168.254.1

On the Win2k3 server, I have RRAS running, haven't done much config there. This is a primary (and only) domain controller on the internal network. I have added myself, my boss and a couple others to remote access group.

On a client computer, I've set up the Windows remote access client with the public (WAN) IP of the router, and entered my domain username and password. I did switch the router briefly the other day, but got an 800 error.

What I'm unsure about are all the protocols and port forwarding, etc. that must be setup to get this to work properly.

What's the next step?

Sherm
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18808990
Oh, I forgot to mention, we're doing remote access only thru the internet, don't have to worry about configuring dial up.

Sherm
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18809150
One more thing -- the setup on the mail server hasn't changed, so if that was handling the VPN it should still conceivably work, right? Let's move forward and set up the new router.
0

 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 18809267
Sherm sounds like you are well on the way.

To confirm; the basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
Windows XP client configuration:
http://www.onecomputerguy.com/networking/xp_vpn.htm

You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router GRE pass-through, protocol 47 (not port 47), and also forwarding port 1723 traffic to the server's IP.
On the Netgear this is done by setting up forwarding of the built-in PPTP service. Do not forward port 1723. Forwarding the service automatically forwards port 1723 and enables GRE. There is no way to manually enable GRE on your router, so this is why you need to use the PPTP service.

You also have to give the user rights to use the VPN service. You mentioned "I have added myself, my boss and a couple others to remote access group." Do you mean the "remote Desktop Users group"? If so this is different. Or, any chance you are using Small Business Server? Easiest way to enable is under the dial-in tab of the user's profile in active directory. Select "allow access". (dial-in also applies to VPN access).

The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. If you are using 192.168.254.x at the office , the remote should be something like 192.168.100.x

Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also depending on your network configuration you may have problems connecting to devices by name. Using the IP address is less problematic, such as \\192.168.1.111\ShareName. If you want to resolve NetBIOS names we can elaborate on how to "fix" that, if not working properly.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18809273
>>"mail server hasn't changed, so if that was handling the VPN it should still conceivably work, right?"
Correct.
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18809812
RobWill,

I do have the Dial-in access enabled on the users who will have access. We pretty much just need access to the file server remotely, so once we're in, we should be good, so I'm not going to worry about WINS just yet.

And we don't have a 'remote office' -- it's more a case of individuals needing to work from home or while they're travelling. My home office, for example, does assign IP addresses to my computers from a router, in a different range. If I'm connecting thru a hotel wireless net, I'm assuming my laptop will be assigned an IP from the hotel's router?

On the router, I can't find a setting to forward the built-in PPTP service. I'm thinking it would be under the VPN section of the router, but it is not. Under the SECURITY menu, on the RULES page, I see "OPTIONS to ENABLE VPN Passthrough ALG (IPSec, PPTP, L2TP)". Is that the setting we're looking for?

> You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router GRE pass-through, protocol 47 (not port 47), and also forwarding port 1723 traffic to the server's IP.
> On the Netgear this is done by setting up forwarding of the built-in PPTP service. Do not forward port 1723. Forwarding the service automatically forwards port 1723 and enables GRE. There is no way to manually enable GRE on your router, so this is why you need to use the PPTP service.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18809871
Is there an option under: Rules | Inbound Services | Service | PPTP ??
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18810265
That's it.

Service: PPTP(TCP-1723)
Action: Allow Always
Send to LAN Server 192.168.254.3 (the fixed IP of the Win2k3 server)
WAN Users Any

FWIW, I also added POP3 and SMTP to forward to the IP of the mail server.

One thing I'm unclear about: Do remote devices (like remote user laptops) get assigned another IP address for use while connected to the VPN router? Otherwise, if the remote device is on another subnet, it wouldn't be able to see devices on the VPN network (depending on the subnet mask)?

Also, regarding Windows domain users & computers. Do the remote COMPUTERS, as well as the USERS, have to be added to the list of computers in the Domain Users snap-in?

I realize I'm asking a lot of questions for the points awarded, but I can always ask one of these again and award additional points under another question, if necessary. I'm just trying to get my arms around this whole VPN concept!

Sherm
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18810401

>>”That's it.”
Bingo !

>>”FWIW, I also added POP3 and SMTP to forward to the IP of the mail server.”
Good, no problem there.

>>” Do remote devices (like remote user laptops) get assigned another IP address for use while connected to the VPN router?”
Yes. They will be assigned an IP from the static address pool you set up in RRAS. (You can also use the DHCP relay agent to do this.)

>>”if the remote device is on another subnet, it wouldn't be able to see devices on the VPN network (depending on the subnet mask)?”
The remote site must use a different subnet. Routers route packets based on the subnet to which they belong. They cannot route packets if two network segments use the same. However, the VPN client is assigned its own IP. This IP will be in the subnet defined in the “static address pool” and have itself as the gateway. If the IP is part of the RRAS server’s LAN subnet you will be able to “talk” to all devices on the server’s LAN. If it is a different subnet you will be able to talk to only the RRAS server until you add a static route to the client.
Does that make any sense ? Sounds a bit cryptic to me.
Basically local LANS all need to be different, set the RRAS static address pool to be a subset of the RRAS server’s LAN subnet. Then routing will look after itself.

>>”Also, regarding Windows domain users & computers. Do the remote COMPUTERS, as well as the USERS, have to be added to the list of computers in the Domain Users snap-in?”
No. The user just needs to have a user account and “Enable access” checked on the Dial-in tab. If the computer is a member of the domain, it helps with name resolution, but it is not necessary at all.

>>”I realize i'm asking a lot of questions for the points awarded, but I can always ask one of these again and award additional points under another question, if necessary. I'm just trying to get my arms around this whole VPN concept!”
Don’t worry about the points. Glad to try to be of some help, they don’t buy much anyway <G>.

--Rob
0
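The two addressing rules Rob gives (the home/hotel subnet must differ from the office LAN; the RRAS static address pool should sit inside the office LAN so routing "looks after itself") are easy to get wrong by hand, so here is an added checker that is not part of the thread and not Netgear's or Microsoft's code. It uses the office values from the question (192.168.254.0/24, router .1, RRAS server .3, mail server .200, DHCP scope .5 to .50) and goes one step beyond the thread by also flagging a pool that collides with the DHCP scope or a fixed host; the home LAN and the pool range are constructed sample input.

```python
"""Address-plan checks for the PPTP/RRAS setup discussed in this thread.

Added example, not code from the thread, Netgear or Microsoft.
Office values come from the question; the remote LAN and the static
pool used in __main__ are constructed sample input.
"""
import ipaddress
from typing import Dict, List, Tuple

# Values quoted in the question (office side).
OFFICE_LAN = "192.168.254.0/24"
FIXED_HOSTS: Dict[str, str] = {
    "192.168.254.1": "FVS router",
    "192.168.254.3": "Win2k3 / RRAS server",
    "192.168.254.200": "mail server",
}
DHCP_SCOPE: Tuple[str, str] = ("192.168.254.5", "192.168.254.50")


def _addr_range(first: str, last: str):
    """Parse an inclusive address range, rejecting a reversed one."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return a, b


def check_plan(remote_lan: str, pool_first: str, pool_last: str,
               office_lan: str = OFFICE_LAN,
               dhcp_scope: Tuple[str, str] = DHCP_SCOPE,
               fixed_hosts: Dict[str, str] = FIXED_HOSTS) -> List[str]:
    """Return the problems found; an empty list means the plan is sound."""
    office = ipaddress.ip_network(office_lan, strict=True)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    pool_a, pool_b = _addr_range(pool_first, pool_last)
    dhcp_a, dhcp_b = _addr_range(*dhcp_scope)
    problems: List[str] = []
    # Rule 1 (thread): client's local subnet and office subnet must differ,
    # otherwise the client has no reason to send office traffic down the tunnel.
    if office.overlaps(remote):
        problems.append(f"remote LAN {remote} overlaps office LAN {office}")
    # Rule 2 (thread): pool inside the office LAN, else only the RRAS server
    # is reachable until every client gets a static route.
    if pool_a not in office or pool_b not in office:
        problems.append(f"static pool {pool_a}-{pool_b} is outside {office}")
    # Extra checks: the pool must not hand out an address already in use.
    if pool_a <= dhcp_b and dhcp_a <= pool_b:
        problems.append(f"static pool overlaps DHCP scope {dhcp_a}-{dhcp_b}")
    for ip, name in fixed_hosts.items():
        if pool_a <= ipaddress.ip_address(ip) <= pool_b:
            problems.append(f"static pool contains {ip} ({name})")
    return problems


if __name__ == "__main__":
    # Constructed sample: home LAN 192.168.100.0/24, pool .60-.70 -> no problems.
    print(check_plan("192.168.100.0/24", "192.168.254.60", "192.168.254.70"))
```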
 
LVL 1

Author Comment

by:sstevens69
ID: 18810465
I'll be in testing mode for awhile. I truly appreciate your assistance, Rob. I'll award the points after I test it live, just so's I can ask more questions :) and keep the thread together.

How can I test the settings while I'm in the building? I'm thinking our ISP assigned us 3 static IPs -- I could snag one of those (only 1 is in use), then connect my laptop directly to a switch that's between the VPN firewall/router and the T1, appearing to be 'outside' the intranet? Or should I just be able to launch the Windows VPN client and login while connected to the intranet/Win2k3 server? [waiting for another cryptic answer]

Sherm

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18810534
Sure, if you have multiple public IPs, assign one of those to the laptop connected directly to the switch, and connect away. Make sure Windows firewall is enabled, and virus and Windows updates current.

In the event you get an error, make note of the error # 691, 721, 800, etc.
0
 
LVL 1

Author Comment

by:sstevens69
ID: 18889067
Rob,

thanks again for your help earlier. After I put the correct settings into the Win2003 server, the remote access is working again for the boss. That's all that matters at this point. I still can't get into the router because of the password snafu, but I can always replace the router.

I'll go ahead and award the points for your assistance. Sorry for the delay, been on the road.

Sherm
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18889233
No problem, thanks very much. Sounds like you are at least able to function.
Cheers !
--Rob
0
