Internet Access with Linksys RV042 and SBS 2003 Standard

Why not have you config go
DSL modem > Linksys RV042 >  Netgear GS608 GbE switch >Server and computers.  
If you go the way you suggested, all traffic will be going through your server and then you also have to deal with the different subnets. It seems you are already having problems with your different subnets, just make it all one internal network and be done with it.

I believe the XP home cannot join an AD domain.

I certainly agree that doing NAT through one of the computers, server or not, is a complication that you don't need.

DHCP is sort of independent of what appear to be your more difficult issues.  Any DHCP device on the system should do the job - so long as different devices don't provide DHCP or, at least. DHCP in overlapping address ranges.

So, I'd get rid of the NAT in the server and just let the server be one of the devices on the LAN.
Let the RV042 LAN side be on the same LAN.  Then the RV042 should be able to provide DHCP and you can be done with that aspect.

Adding switches is only necessary if you're going to be adding more devices than the RV042 can handle with its number of ethernet ports.  That's a minor detail.  Add a switch if necessary.

You didn't say how the VPN is to be terminated at the other end.
You didn't say where the VPN is terminated (e.g at another company site or ....) or whether the idea is to have remote client computers using VPN to get into the one company site.
The answers depend on this....
You didn't say what the interface to Verizon is like (presuming that Verizon is the ISP).

A little more information should help get the VPN up and running.

Trickz_2

I did not use that config because I wanted a linear path from the internet (will eventually be used for VPN) to the server. I also want to physically separate the private LAN traffic.

I may use your config if this topology doesnt pan out.  Thanks for your help. Ill keep you informed.  

>>"Ive setup this config on SBS 2003 Enterprise servers in the past without a problem."
This is likely your biggest problem, you know too much :-)  Seriously, SBS is very unique and it is EXTREMELY important that you use the built-in wizards to configure almost everything. There are so many different integrated services with SBS it is not possible to manually configure them all. The default services such as DHCP must be installed as well, on the server. In case you are trying to manually configure:

SBS works very well with a single network adapter, assuming you are behind a firewall/router. However, its default configuration, though not necessary, is 2 network adapters. Regardless of which way you configure it, you need to use the CEICW (Configure e-mail, and Internet connection wizard), located server management | Internet and e-mail | connect to the Internet. You can re-run this as often as you like. This will configure the NIC's, DNS, firewall, NAT, routing and all.

Then it is equally important the computers be joined to the domain correctly. You must add the computer accounts first using again the sever management console, under client computers, and then set up client computers. Once done the computers are then joined to the domain, not in the usual way but by opening a browser and going to  http://YourSBSname/connectcomputer
Computers should now have Internet access.

As for the VPN. Are you using the built-in SBS VPN, RV042 PPTP VPN, or RV042 QuickVPN? All work well and I would normally recommend using the RV042, but using the SBS VPN will work better with name resolution, and allow clients to connect to the VPN before logon so that logon scripts and group policy are still applied remotely. To configure see:
http://www.lan-2-wan.com/SBS-VPN-instr.htm

Your router has the option to designate a DMZ and point it to your server. This will allow outside traffic through or directly to your server but not to anything else on your LAN. Using this setup is a much better option than passing all internet traffic through your server. It will also allow you to use the VPN features in your SBS

Not to be difficult, but I would not recommend puting SBS, a domain controller, in the DMZ, very risky. VPN will work fine behind the router with port 1723 forwarded and GRE pass-through enabled, as per instrctions in the link provided.

fmarshall:

Sorry to have taken so long to respond but the answers to your questions are:

1.      You didn't say how the VPN is to be terminated at the other end.
a.      The other end will be mobile units ( laptops and Treo 700wx phones)
2.      You didn't say where the VPN is terminated (e.g at another company site or ....) or whether the idea is to have remote client computers using VPN to get into the one company site.
a.      The users will be able to use VPN via their phones or laptops to access a server application.
3.      You didn't say what the interface to Verizon is like (presuming that Verizon is the ISP).
a.      Correct. Verizon is the VPN ISP.

Robwill

I know too much!?... Have you been talking to my wife? :)

The plan is to use QuickVPN on the laptop and an application-specific VPN utility on the Treos.

Thanks for this advice,  & using the SBS VPN will work better with name resolution, and allow clients to connect to the VPN before logon so that logon scripts and group policy are still applied remotely..

There is a script which will be run to map a data drive.  Ill test both programs.  I do not have a preference, whichever works for  to make the application work properly will be used.

Thanks for your input

FYI,

My next window to work at the client location is tomorrow.  I'll update you on the outcome.

RobWill:

I agree.  I prefer to have the server behind the router.

burthigh, based on the selection of equipment you are going to use, you could use both the SBS/Windows VPN with the RV042 having PPTP passthrough enabled, as well as the QuickVPN client if you like.

With your mobile devices, if they are new (Mobile 5 compatible) you can use RPC/Http with the SBS and have a secure SSL connection with no neeed for VPN on those devices.

For the record if using the SBS VPN solution you need to use the wizard to create the client installation disk as well. That is included in my earlier link as well.
I was serious about the wizards though. Numerous folk on the message board, including myself, have set up SBS in the traditional ways as we are familiar with doing so using the standard tools/snap-ins, only to find months later we have damaged some key componet. For example changing the server IP without using the wizard can result in a server rebuild. Swallow the pride an use them, you will actually learn to like them. ;-)

Let us know how you make out.
--Rob

update:

Yesterday was a tough day.  After all of the backups of the server and clients, I upgraded the server to SBS SP2 and applied all current upgrades.  At this point, I can reach the internet from the server but not from a client behind the server.

 Workstations plugged into the rv042 reaches the internet without an issue (original config).

I tried to run the CEICW again but I recive the error:

The wizard cannot set the DHCP scope options. Ensure that the DHCP server service is running and that a scope is defined.  Alternately, disable the DHCP service manually, anf then configure your client computer IP Adress properties. For more information....

I've tried both of these options to no avail.   So I reaching out for help.  this is the configuration.

RV042 VPN Router
 IP 192.168.1.1
mask: 255.255.255.0
WAN IP: 71.249.130.75, 255.255.255.0
default GW: 71.249.130.1
DNS: 151.202.0.85, 151.203.0.85
Mode: gateway (if in router mode, I cannot reach the internet form the server.)
DHCP disable

Server: yvonne

nic1: Internet
ip - 192.168.1.1, 255.255.255.0
GW - 192.168.1.1
dns - 192.168.20.100

nic2: LHD
lan IP: 192.168.20.100, 255.255.255.0
gw- blank
dns- 192.168.20.100

I flushed DNS (ipconfig flushdns and displaydns) on both the clients and server... same results
Checked forwarders informaiton and the ISP's nameservers were not listed.  I interred them mannually .. i know, I should use the wizard, but it does not work.

Below is informaiton I collected from a workstation (ws1) that's behind the server.  Again, Workstations plugged into the rv042 reaches the internet without an issue (original config).



ANY input, guesses,  extra bullets?

H:\>tracert google.com

Tracing route to google.com [72.14.207.99]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  yvonne.lava.local [192.168.20.100]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7  ^C
H:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : lava.local
        IP Address. . . . . . . . . . . . : 192.168.20.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.20.100

H:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : ws1
        Primary Dns Suffix  . . . . . . . : lava.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : lava.local
                                            lava.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : lava.local
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-0F-1F-5A-31-AD
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.20.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.20.100
        DHCP Server . . . . . . . . . . . : 192.168.20.100
        DNS Servers . . . . . . . . . . . : 192.168.20.100
        Primary WINS Server . . . . . . . : 192.168.20.100
        Lease Obtained. . . . . . . . . . : Monday, July 23, 2007 3:08:22 PM
        Lease Expires . . . . . . . . . . : Tuesday, July 31, 2007 3:08:22 PM

Is this a typo:
"nic1: Internet
ip - 192.168.1.1, 255.255.255.0"

The server cannot have the same IP as the router.
Try changing to 192.168.1.2

The IP is 192.168.1.101

Everything looks good, so Iwould say the problem is the fact that you cannot complete the CEICW. Without that, the basic NAT firewall and routing in RRAS have not been properly configured, allowing the client machines access through the server.

It may not be much help, but have you seen the following article regarding your error?
http://support.microsoft.com/kb/875422

As i suggested before, there is no good reason to put your workstations behind the server and use two different subnets. If you had them all in one subnet I doubt you would be having these issues. If its an issue of being determined to make it work then good luck and i hope you get it figured out. If you want to be done with it, connect everything to one switch, use one subnet and your problems will go away.

Tricz 2,  

I disagree with you. Unfortunately I think the other consultants used the 'to be done with it' approach to this environment. I believe that good topology that provides a good foundation for growth and another layer of security is a good reason for this configuration.    

There will be a lot of growth at this site over the year.  This includes additional desktops and laptops, wireless and LAN access to video and music, NAS, disaster recovery, and other operational features.  So to configure the network to support these features is paramount.  

We use the 2-card server configuration at my company so I know it works& and works well.

RobWill

As far has this issue is concerned, I think the based of the problem was the initial configuration including CEICW and other components (also having communication problems to business databases, internet email, and Exchange).  My belief now is that this server is at such a point of entropy that the best thing to do is to re-install SBS.

Ill re-install SBS this weekend. Ill let you know how it goes.

Sounds like re-building is a good idea, however a pain the the neck.
Try to stick with all of the defaults when installing. I used to think I knew better and would customize as I went, not installing some features as I had no intention of using them. Over the years I, as others here have, learned SBS is a special case and you need to just say "yes sir" and carry on. It has so much packed efficiently into a little box, and was intended to be installed and managed by non-IT folk, that you require most default features and options to have everything work well.

Good luck and let us know how you make out.

Sorry its taken me so long to respond.  Robwill, you were right.  The main trouble was the internet and E-Mail setup.

I did the following.

1.      Reinstalled SBS 2003 on a new HD.  This was done to, 1) protect the original data and 2) to allow a quick fall back method.  By leaving the original disks in the server, one can create a dual boot server. One can select the servers config by choosing the original or the new disks as the boot disks.
2.      Once I completed the to-do list, all of the missing components of Advanced Server appeared and Exchange worked properly.
3.      Configured the NIC cards (192.168.20.x  local LAN, 192.168.1.x  Public).
4.      Turned off DHCP on the RV042.
5.      On the RV042, forwarded L2TP, PPTP, and HTTP ports to the public IP address of the server.

I was able to VPN from a laptop to the server while within the LAN subnet. When I VPN using the same laptop from outside the clinets office or from my home computer, I reciev the following errors from Quick VPN.

====
Warning: Servers certificate doesnt exist on your local computer.  Do you want to quit this connection? Yes/no

Connection error: Failed to establish a connection. This could be caused by one of the following:
1.      Incorrect password
2.      no valid IP for the network card
3.      Incorrect server address.
4.      You may need to disable your windows firewall.

=======




I ran a tracert from my home computer to the DSl static IP and received the follow output.

H:\>tracert 71.249.b.c

Tracing route to static-71-249-b-c.nycmny.east.verizon.net [71.249.b.c]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.20.100
  2    <1 ms    <1 ms    <1 ms  192.168.25.1
  3     1 ms    <1 ms    <1 ms  192.168.15.1
  4     7 ms     5 ms     5 ms  10.39.128.1
  5     8 ms     7 ms     7 ms  pos0-2-nycmnyg-rtr1.nyc.rr.com [24.29.98.97]
  6    27 ms     9 ms     7 ms  pos4-0.nycmnyb-rtr1.nyc.rr.com [24.29.98.5]
  7     7 ms     6 ms     5 ms  pos3-2-nycmnya-rtr1.nyc.rr.com [24.29.101.254]
  8    36 ms     8 ms     7 ms  tenge-3-0-0.nwrknjmd-rtr.nyc.rr.com [24.29.119.106]
  9    14 ms     8 ms     8 ms  tenge-0-1-0.nycsnyoo-rtr1.nyc.rr.com [24.29.119.149]
 10     9 ms     8 ms     6 ms  so-1-1-0.c0.buf00.twc-core.net [66.109.1.101]
 11    61 ms    15 ms    12 ms  ge-0-1-0.c0.dca91.twc-core.net [66.109.3.109]
 12    14 ms    12 ms    13 ms  ge-6-0-0.p0.dca91.twc-core.net [66.109.1.134]
 13    17 ms    12 ms    18 ms  ge-1-1-2-0.PEER-RTR2.ASH.verizon-gni.net [130.81.15.121]
 14    13 ms    14 ms    13 ms  so-6-1-0-0.BB-RTR1.RES.verizon-gni.net [130.81.17.176]
 15    21 ms    21 ms    20 ms  so-7-2-0-0.BB-RTR1.NY325.verizon-gni.net [130.81.8.254]
 16    36 ms    21 ms    20 ms  so-7-0-0-0.BB-RTR2.NY325.verizon-gni.net [130.81.19.49]
 17    21 ms    21 ms    19 ms  130.81.20.179
 18    20 ms    21 ms    21 ms  130.81.13.230
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *     ^C
H:\>


Any ideas?

A few thoughts:
-This version of the QuickVPN client requires you to export a certificate (.pem file) from the RV042 and put a copy of it in the QuickVPN client's install directory. In order to do so you have to have the new firmware installed on the RV042 so that the create certificate option is available on the "VPN client Access" page of the RV042. Have you done this? The error would imply maybe not.
-This version of the client will not work if the Windows firewall is enabled on the QuickVPN client machine. There is an MS patch that is supposed to fix that:
http://support.microsoft.com/kb/889527/en-us
-Apparently with the newer QuickVPN clients, they will only work if the user is an administrator of the PC (must be a new problem)

Things are moving along. This process is taken a long time because I can only test, config, update the system 1 day a week.  

I think Im almost finished. Ive checked the RV042s port forwarding (80, http; 433, https; 4125, RWW; 1723, VPN; 3389, terminal services) functionality. I was able to connect to the email via RWW, but I received a 403.6 Error when I tried to use QuickVPN or Remote Connection to launch an application.  

Ive found a few articles on Error 403.6, will try to resolve the problem once Im back on the system.  My question: As far as the RV042 is concerned, can you think of any issues regarding setting up tunneling?  Is there an advantage or disadvantage to using tunnels instead of groups?

If you are using the RV042 as the VPN server, there is no need to forward ports. All traffic will be through the tunnel, and within the tunnel all traffic is permitted by default. If you want to use RWW outside of the VPN tunnel, then you will want to forward 443 and 4125.
I don't recommend using SBS as a web server and forwarding port 80 for security reasons.
1723 would only need to be forwarded if using the SBS built-in PPTP VPN server feature. If you do this you cannot use the PPTP server feature of the RV042, but it will not affect the QuickVPN connection.
Also if you are using Exchange on SBS you will want to forward port 21.

>>"Is there an advantage or disadvantage to using tunnels instead of groups? "
Tunnels and groups are on the Client to gateway configuration page. You don't have to touch that page at all. The Quick VPN only requires configuration on the VPN client Access Page. You need a User name and password and you are done. You have the newer firmware, so you also have to generate and export the certificate for the client, at the bottom of the same page.

riteheer, in response to; "It is assumed that any participant not responding to this request is no longer interested in its final disposition.", I will respond to say I am still interested<G>. I feel though there actually are a series of question here, each was addressed, until communication stopped. The comment;  "Robwill, you were right.  The main trouble was the internet and E-Mail setup.
" would imply the initial question was resolved correctly.
Just my thoughts.
Thanks.
--Rob

Sorry for the long delay but I was OOT for a couple of weeks and not able to get onto the server until Monday night.


Riteheer:

There are 2 parts to this question,
1.      setting up the server with 2 NICs.  this had a 2 part solution of reinstalling SBS2003 and reconfiguring CEICW. For this portion, I think Robwill deserves credit.
2.      Setting up VPN using SBS 2003 Standard, a Linksys RV042, and Verizon, to work with a laptop and Treo handheld.  this is still opened.


 This is where I am.

I updated the RV042s firmware and created a new certificate.  When I use QuickVPN, I receive a warning Servers certificate doesnt exist on your local computer. Once the server is available, I will create an SBS2003 certificate and place it onto the test clients Linksys VPN directory.

I am able to use RWW and connect to a workstation on the local LAN.  Once on a workstation, I can run an application without an issue.

A list of those who can VPN has been placed on the Client Access Page.

A group was created but if its not needed, I will delete it.

SBSs built-in PPTP VPN server is enabled. I will turn off PPTP on the RV042.

Note: this is beyond my comfort level and skill set so if I need to do more due diligence, please let me know.

Burthigh

Are you wanting to use the SBS PPTP VPN (recommended), RV042 PPTP VPN, RV042 Quick VPN, or SBS PPTP VPN and RV042 QuickVPN? ans why?
Quick VPN can be flaky, from some sites, and with SBS , rather than Server 2003 std, you are best to use Windows VPN as you will have guaranteed name resolution.

This is SBS 2003 std, not premium with ISA server, right?

Are you wanting to use the VPN with the Treo? If so what O/S Windows mobile or Palm? also why?

A couple of notes while waiting for replies.
If setting up the SBS VPN see:
http://www.lan-2-wan.com/SBS-VPN-instr.htm

SBS offers RWW, OWA, RPC/Http, and more such that often no VPN is necessary, and can put the server at a greater risk from infected, connecting clients.

>>"Servers certificate doesnt exist on your local computer. Once the server is available, I will create an SBS2003 certificate and place it onto the test client"
This is not an SBS certificate, but rather a Linksys certificate created by the RV042 and saved to a location of your choosing. It must be copied to the Linksys program folder on the client machine. Does the RV042 have the latest firmware? It should to use the latest VPN client.

A1. I would prefer to use SBS PPTP VPN
A2. SBS Standard...correct.
A3. I need to use laptops with XP SP2 and Palm Treo running windows mobile ver 5.0, OS 5.1.1700(buile 14359.0.2.0).

I'm able to use RWW and login to a client computer but I'm not able to run the main program (millennium 2005 Professional, a sheduling application) while using RWW.

The RV042 firmware is the lastest version (1.3.8.2). I placed the certificate in c:\Program Files\Linksys\Linksys VPN directory and its parent directory.

The lastest  VPN client software is being used.

RobWill,

I used the mmc to relocate the certificate  on the client (ims on the road so i'll provide details later)  and created a VPN connection using the Dail-up wizard. I'm now able to connect to the site via VPN.   PHEW!!!! thanks for your help.

now that i'm over the VPN issue, I need to run a database over the VPN connection and test VPN over the Treo.  I'll open new questions for each of these issues.

Once I open the other questions, I  place the titles here as related subjects.

Once again, thanks for your help.

thanks rob for your help.  i will close this question.

Thanks burthigh.
Cheers !
--Rob