sstevens69 (United States of America) asked:

Need assistance with Windows 2003 domain controller / Netgear FVS318 VPN router setup?

I'm attempting to migrate the VPN access from a Windows 2000 Server to a Windows 2003 Server. Unfortunately, I can't access the Netgear FVS318 VPN router, which was installed prior to my working at this job, and nobody knows the password. I don't want to reset the router yet (the only way to reset the password and regain access to the config), until I get a better idea of how the router should be set up.

Here's how the current network is configured:
T1/DSL modem --> FVS318 router/firewall --> 24-port hub --> Windows 2000 Server/Primary Domain Controller --> workstations/printers, etc.

The FVS318 has a fixed WAN IP assigned by our ISP, with an internal LAN IP of 192.168.254.1. It's used as the default gateway within the network. The Win2k server has a fixed IP of 192.168.254.3, and provides DHCP IP addresses to the internal network in the range of 192.168.254.5 to 192.168.254.50. In addition, we have a mail server behind the firewall/router with an IP of 192.168.254.200. The Win2k server is set up as a Primary Domain Controller and requires everyone on the LAN to log in w/username and password to access the file server. FWIW, I noticed the Win2k server does NOT have VPN/Routing enabled, but my boss claims he can access the network remotely.

My boss claims to access the network remotely using the built-in Windows XP VPN client, not the Netgear client (which we don't have).

I'm a little confused on how access is being given. I'm thinking the router, which allows six simultaneous connections, is set with a username and password combination to allow the boss access, and is not being authenticated by the domain server. I would prefer to set the router to do a passthrough and authenticate users with the regular username/password combination they use at their LAN desktops.

I have the Win 2003 Server up and running (with all the settings duplicated from the Win2k server, including domain users and groups), and everything else is working fine, but when I disconnect the Win2k server and connect the Win2003 server, the boss cannot get into the server.

Any assistance/direction you give me would be a help. BTW, I purchased a new Netgear FVS114 VPN router with the intention of testing the settings/being able to switch back to the old router quickly to minimize network interruptions, so I have that available to test without resetting the current router.

Sherm
Rob Williams (Canada):

I assume you tried the factory defaults on the Netgear?
User Name:  admin
Password:    password  (earliest units were 1234)

I am skeptical that the Netgear is running the VPN. Though it is possible to set it up with the Windows client using L2TP, it is very difficult to do so. The Netgear is intended to be used with the ProSafe, or similar, VPN client. Also, when you change servers, your "boss" should still be able to connect to the network if the VPN were established with the Netgear.

You mention "the Win2k server does NOT have VPN/Routing enabled". Do you mean RRAS is not enabled, or routing within RRAS is not enabled? The VPN can be enabled without the latter. Also, the VPN server does not necessarily have to be that server. It could be on another, or on a Windows workstation, though a workstation has limited capabilities.
One way you might also verify is by logging on to the existing Win2K server and going to
http://www.canyouseeme.org and test for port 1743. If it passes, that should indicate the VPN port is open on the Netgear and forwarded to the Windows server, which would be the VPN end point if using a Windows VPN PPTP connection.
sstevens69 (asker):

Okay, I'm bumping up the point value to generate some interest in this question. Anyone care to assist?
Thought I did  <G>
--Rob
RobWill -

Here's what I'm seeing in the 'Routing and Remote Access' panel in the existing 2000 server:
Routing and Remote Access
    Server Status  -- stopped (unconfigured)

I'm assuming the RRAS service is not running, that's why I'm deducing the router is doing all the work.

What I can't get a straight answer on from my boss is what client he's running from his home.  I doubt he's running the Netgear client. Either way, I'd like to set the new router up to do passthru to the Win2k3 server if possible, so he and others can use the default windows client.

I did try  'admin/password' and 1,000 other passwords that are frequently used in this company, to no avail.

Sherm
RobWill -- sorry, your response came thru about the same time I upgraded the point value. Either way, if you assist, I'll give you the points!
>>"Routing and Remote Access
    Server Status  -- stopped "
That pretty well guarantees that server is not the VPN endpoint.
You had mentioned a mail server. It could be on that. It's difficult to narrow down the configuration without knowing the client type, if Windows, the protocol (L2TP or PPTP), and/or the router configuration.

Does Canyouseeme shed any light ?

You could install your FVS114 and configure it and the server for VPN access and not worry about the existing configuration. If you need a hand with that, glad to provide details.
Keep in mind that although not as easy to configure, and you have to buy the client, the Netgear VPN is a little more secure and efficient.
>>"sorry, your response ..."
Just missed your second too <G>. Not a problem at all, I was just giving you a hard time.
>>You could install your FVS114 and configure it and the server for VPN access and not worry about the existing configuration. If you need a hand with that, glad to provide details.

Let's go with this one.

I have already done some preliminary setup on the FVS114:
• Set the WAN IP to the IP supplied by the ISP
• Disabled DHCP on the router
• Set the internal network IP address to 192.168.254.1

On the Win2k3 server, I have RRAS running, haven't done much config there. This is a primary (and only) domain controller on the internal network. I have added myself, my boss and a couple others to remote access group.

On a client computer, I've set up the Windows remote access client with the public (WAN) IP of the router, and entered my domain username and password. I did switch the router briefly the other day, but got an 800 error.

What I'm unsure about are all the protocols and port forwarding, etc. that must be set up to get this to work properly.

What's the next step?

Sherm
Oh, I forgot to mention, we're doing remote access only thru the internet, don't have to worry about configuring dial up.

Sherm
One more thing -- the setup on the mail server hasn't changed, so if that was handling the VPN it should still conceivably work, right? Let's move forward and set up the new router.
ASKER CERTIFIED SOLUTION
Rob Williams (Canada):

>>"mail server hasn't changed, so if that was handling the VPN it should still conceivably work, right?"
Correct.
RobWill,

I do have the Dial-in access enabled on the users who will have access. We pretty much just need access to the file server remotely, so once we're in, we should be good, so I'm not going to worry about WINS just yet.

And we don't have a 'remote office' -- it's more a case of individuals needing to work from home or while they're travelling. My home office, for example, does assign IP addresses to my computers from a router, in a different range. If I'm connecting thru a hotel wireless net, I'm assuming my laptop will be assigned an IP from the hotel's router?

On the router, I can't find a setting to forward the built-in PPTP service. I'm thinking it would be under the VPN section of the router, but it is not. Under the SECURITY menu, on the RULES page, I see "OPTIONS to ENABLE VPN Passthrough ALG (IPSec, PPTP, L2TP)". Is that the setting we're looking for?

>You will also have to configure the router to forward the VPN traffic to the server. This is done by
> enabling on your router GRE pass-through, protocol 47 (not port 47), and also forwarding port 1723
> traffic to the server's IP.
> On the Netgear this is done by setting up forwarding of the built-in PPTP service. Do not forward port
> 1723. Forwarding the service automatically forwards port 1723 and enables GRE. There is no way to
>  manually enable GRE on your router, so this is why you need to use the PPTP service.
Is there an option under; Rules | Inbound Services | Service | PPTP ??
That's it.

Service: PPTP(TCP-1723)
Action: Allow Always
Send to LAN Server 192.168.254.3 (the fixed IP of the Win2k3 server)
WAN Users Any

FWIW, I also added POP3 and SMTP to forward to the IP of the mail server.

One thing I'm unclear about: Do remote devices (like remote user laptops) get assigned another IP address for use while connected to the VPN router? Otherwise, if the remote device is on another subnet, it wouldn't be able to see devices on the VPN network (depending on the subnet mask)?

Also, regarding Windows domain users & computers. Do the remote COMPUTERS, as well as the USERS, have to be added to the list of computers in the Domain Users snap-in?

I realize I'm asking a lot of questions for the points awarded, but I can always ask one of these again and award additional points under another question, if necessary. I'm just trying to get my arms around this whole VPN concept!

Sherm

>>”That's it.”
Bingo !

>>”FWIW, I also added POP3 and SMTP to forward to the IP of the mail server.”
Good, no problem there.

>>” Do remote devices (like remote user laptops) get assigned another IP address for use while connected to the VPN router?”
Yes. They will be assigned an IP from the static address pool you set up in RRAS. (You can also use the DHCP relay agent to do this.)

>>”if the remote device is on another subnet, it wouldn't be able to see devices on the VPN network (depending on the subnet mask)?”
The remote site must use a different subnet. Routers route packets based on the subnet to which they belong. They cannot route packets if two network segments use the same. However, the VPN client is assigned its own IP. This IP will be in the subnet defined in the “static address pool” and have itself as the gateway. If the IP is part of the RRAS server’s LAN subnet you will be able to “talk” to all devices on the server’s LAN. If it is a different subnet you will be able to talk to only the RRAS server until you add a static route to the client.
Does that make any sense ? Sounds a bit cryptic to me.
Basically, local LANs all need to be different; set the RRAS static address pool to be a subset of the RRAS server’s LAN subnet. Then routing will look after itself.

>>”Also, regarding Windows domain users & computers. Do the remote COMPUTERS, as well as the USERS, have to be added to the list of computers in the Domain Users snap-in?”
No. The user just needs to have a user account and “Enable access” checked on the Dial-in tab. If the computer is a member of the domain, it helps with name resolution, but it is not necessary at all.

>>”I realize i'm asking a lot of questions for the points awarded, but I can always ask one of these again and award additional points under another question, if necessary. I'm just trying to get my arms around this whole VPN concept!”
Don’t worry about the points. Glad to try to be of some help, they don’t buy much anyway <G>.

--Rob
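Rob's rule above (the RRAS static address pool must be a subset of the RRAS server's LAN subnet, and remote LANs must not share it) can be checked mechanically before touching the server. This is an added example in Python, not code from the thread; it assumes a /24 mask on 192.168.254.0 (the thread never states the mask) and treats the gateway, the Win2k3 server, the mail server and the DHCP scope from Sherm's description as addresses the pool must avoid.

```python
import ipaddress

# Values taken from the thread; the /24 mask is an assumption (the thread
# never states the LAN's subnet mask).
LAN = ipaddress.ip_network("192.168.254.0/24")
RESERVED = {
    "FVS router / default gateway": ipaddress.ip_address("192.168.254.1"),
    "Win2k3 DC and RRAS server": ipaddress.ip_address("192.168.254.3"),
    "mail server": ipaddress.ip_address("192.168.254.200"),
}
DHCP_SCOPE = (ipaddress.ip_address("192.168.254.5"),
              ipaddress.ip_address("192.168.254.50"))


def check_pool(first, last, lan=LAN, reserved=RESERVED, dhcp=DHCP_SCOPE):
    """Return a list of problems with the RRAS pool first..last; [] means OK."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        return ["pool start is after pool end"]
    problems = []
    if lo not in lan or hi not in lan:
        # Outside the server's LAN subnet, clients reach only the RRAS server
        # until static routes are added on the client (Rob's point above).
        problems.append(f"pool is not inside LAN subnet {lan}")
    if lo <= dhcp[1] and hi >= dhcp[0]:
        problems.append(f"pool overlaps the DHCP scope {dhcp[0]}-{dhcp[1]}; "
                        "a VPN client and a LAN host could get the same IP")
    for name, addr in reserved.items():
        if lo <= addr <= hi:
            problems.append(f"pool contains {addr} ({name})")
    for special in (lan.network_address, lan.broadcast_address):
        if lo <= special <= hi:
            problems.append(f"pool contains network/broadcast address {special}")
    # RRAS takes the first pool address for its own end of the PPP link,
    # so a pool needs at least two addresses to serve one client.
    if int(hi) - int(lo) < 1:
        problems.append("pool too small: RRAS keeps the first address itself")
    return problems


if __name__ == "__main__":
    for pool in (("192.168.254.100", "192.168.254.110"),
                 ("192.168.254.40", "192.168.254.60"),
                 ("192.168.10.1", "192.168.10.10")):
        print(pool, check_pool(*pool) or "OK")
```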
I'll be in testing mode for awhile. I truly appreciate your assistance, Rob. I'll award the points after I test it live, just so's I can ask more questions :) and keep the thread together.

How can I test the settings while I'm in the building? I'm thinking our ISP assigned us 3 static IPs -- I could snag one of those (only 1 is in use), then connect my laptop directly to a switch that's between the VPN firewall/router and the T1, appearing to be 'outside' the intranet? Or should I just be able to launch the Windows VPN client and login while connected to the intranet/Win2k3 server? [waiting for another cryptic answer]

Sherm

Sure, if you have multiple public IPs, assign one of those to the laptop connected directly to the switch, and connect away. Make sure Windows firewall is enabled, and virus and Windows updates current.

In the event you get an error, make note of the error # 691, 721, 800, etc.
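For the outside test Rob describes, a port check like canyouseeme.org only shows that TCP/1723 is open; it cannot tell whether the router's PPTP rule actually hands the connection to a PPTP listener. The following added example (not code from the thread) opens a PPTP control connection per RFC 2637 and reads the server's first reply; `probe()` takes the router's WAN IP as an argument, and `build_sccrp` exists only to produce a constructed reply for offline testing.

```python
import socket
import struct

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # RFC 2637 Start-Control-Conn-Request, 156 bytes
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # RFC 2637 Start-Control-Conn-Reply, 156 bytes
RESULT_TEXT = {1: "OK", 2: "general error", 3: "channel already exists",
               4: "not authorized", 5: "unsupported protocol version"}

def build_sccrq(hostname=b"probe", vendor=b"diag"):
    """The first control message a PPTP client sends after the TCP connect."""
    return struct.pack(SCCRQ_FMT, 156, 1, PPTP_MAGIC, 1, 0, 0x0100, 0,
                       1, 1, 1, 0, hostname, vendor)

def build_sccrp(result_code=1, hostname=b"server", vendor=b"Microsoft"):
    """Constructed server reply, used only to exercise parse_sccrp offline."""
    return struct.pack(SCCRP_FMT, 156, 1, PPTP_MAGIC, 2, 0, 0x0100,
                       result_code, 0, 1, 1, 1, 0, hostname, vendor)

def parse_sccrp(data):
    """Return (result_text, hostname, vendor); raise if it is not an SCCRP."""
    f = struct.unpack(SCCRP_FMT, data[:156]) if len(data) >= 156 else None
    if f is None or f[2] != PPTP_MAGIC or f[3] != 2:
        raise ValueError("not a PPTP SCCRP (%d bytes received)" % len(data))
    host, vendor = (x.split(b"\0", 1)[0].decode(errors="replace") for x in f[12:])
    return RESULT_TEXT.get(f[6], "result code %d" % f[6]), host, vendor

def probe(wan_ip, timeout=5.0):
    """Connect to TCP/1723 on the router's WAN IP and exchange SCCRQ/SCCRP."""
    try:
        with socket.create_connection((wan_ip, PPTP_PORT), timeout) as s:
            s.sendall(build_sccrq())
            reply = b""
            while len(reply) < 156:          # the reply may arrive in pieces
                chunk = s.recv(156 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError as e:
        return "TCP/1723 not reachable (%s): check the PPTP inbound rule" % e
    try:
        result, host, vendor = parse_sccrp(reply)
    except ValueError as e:
        return "port open but %s: check where the rule sends traffic" % e
    return "PPTP server '%s' (%s) answered: %s" % (host, vendor, result)
```

GRE (protocol 47) is not exercised by this probe, so a 721 error from the Windows client after a successful probe points at GRE handling rather than at the 1723 forward.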
Rob,

thanks again for your help earlier. After I put the correct settings into the Win2003 server, the remote access is working again for the boss. That's all that matters at this point. I still can't get into the router because of the password snafu, but I can always replace the router.

I'll go ahead and award the points for your assistance. Sorry for the delay, been on the road.

Sherm
No problem, thanks very much. Sounds like you are at least able to function.
Cheers !
--Rob