Solved

VPN cannot be established outbound from workstations on our SBS 2003 network - Error 800. VPN outbound from our SBS Server is successful.

Posted on 2007-10-08
Last Modified: 2008-01-09
We are running Microsoft SBS 2003. Service Pack 1. Netcomm NB5 Plus 4 ADSL Modem router. Trend CSM Email, Internet, RWW to our server and to other SBS networks all work fine. I need to be able to VPN to external computers. I can successfully VPN from our SBS server to other external networks but when attempting to create a VPN from any of our SBS workstations, the VPN fails with Error 800. I have enabled and disabled the firewall client on the workstations but this has no impact. Have rerun the internet connection wizard, rerun the VPN wizard on the workstations, checked port forwarding on the router. Port 1723 can be seen via canyouseeme when accessed from the workstation. The user has administrative rights on the network and the workstation. I can connect to the Exchange server of the network that I am trying to establish a VPN - via OWA (from our server and our workstations). I cannot ping (from the workstation on our network) the IP of the VPN that I am trying to establish but I can ping the same IP from our server. Any suggestions as to what is causing the lack of VPN communication from the workstations on our network? With thanks in advance.
Question by:rapportgtb
11 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20038912
Please post a COMPLETE ipconfig /all from both the server and a workstation.

Jeff
TechSoEasy
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20038915
Also, do you have the TrendMicro Firewall enabled on the workstations?

Jeff
TechSoEasy
0
 

Author Comment

by:rapportgtb
ID: 20038970
Hi Jeff,
Trend Micro is enabled on the workstations. IPConfig /all to follow.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20038998
TrendMicro FIREWALL?  Or just the AV?

Jeff
TechSoEasy
0
 

Author Comment

by:rapportgtb
ID: 20039033
Hi Jeff,
Trend Micro AV only.

Workstation IP Config /all
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User01>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS01
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : gtb.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : gtb.local
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0C-F1-C4-29-50
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.1
        DHCP Server . . . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 192.168.16.1
        Primary WINS Server . . . . . . . : 192.168.16.1
        Lease Obtained. . . . . . . . . . : Tuesday, 9 October 2007 10:58:16 AM
        Lease Expires . . . . . . . . . . : Wednesday, 17 October 2007 10:58:16 AM

Server IPConfig /all

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : gtbsrv
   Primary Dns Suffix  . . . . . . . : gtb.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : gtb.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-1A-4B-ED-B6-3F
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.1

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 00-0E-0C-68-B1-0A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.16.10.251
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.10.254
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\Administrator>

Hope this helps. With thanks Geoff.

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20046401
Your workstation isn't joined to the domain.  How come?

Also, this is not related, but you should not have a WINS Server IP configured on the EXTERNAL NIC.  After removing that entry you need to rerun the Configure Email and Internet Connection Wizard (CEICW).

Jeff
TechSoEasy
0
 

Author Comment

by:rapportgtb
ID: 20046937
Hi Jeff,
The Workstation is joined to the domain. What indicates that it is not?
Re the WINS Server IP configured on the EXTERNAL NIC - thanks for noticing. Have since removed and rerun the Configure Email and Internet Connection Wizard.

With thanks Geoff
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20046955
" Primary Dns Suffix  . . . . . . . :" is blank.  A computer that is joined to a domain would have the domain's name in that field.

FYI, clients on an SBS-based network should be joined using http://<servername>/connectcomputer.  If you have joined it in any other way, or are rejoining it for any reason you need to follow the steps outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
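The two things read off the `ipconfig /all` listings in the comments above (a blank Primary Dns Suffix, and a WINS server set on the external NIC) can be checked mechanically. The following is an added example, not code from the thread: the sample text is constructed from a few lines of the posted listings, and treating the adapter that has a default gateway as the external NIC is an assumption.

```python
import re
# Constructed sample: a few lines from each `ipconfig /all` listing in the thread.
WORKSTATION = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : WS01
        Primary Dns Suffix  . . . . . . . :
Ethernet adapter Local Area Connection:
        Default Gateway . . . . . . . . . : 192.168.16.1
        Primary WINS Server . . . . . . . : 192.168.16.1
        Lease Expires . . . . . . . . . . : Wednesday, 17 October 2007 10:58:16
AM
"""
SERVER = """\
Windows IP Configuration
   Primary Dns Suffix  . . . . . . . : gtb.local
Ethernet adapter Server Local Area Connection:
   Default Gateway . . . . . . . . . :
   Primary WINS Server . . . . . . . : 192.168.16.1
Ethernet adapter Network Connection:
   Default Gateway . . . . . . . . . : 172.16.10.254
   Primary WINS Server . . . . . . . : 192.168.16.1
"""
FIELD = re.compile(r"^\s+(.+?)[\s.]*:\s?(.*)$")  # "Name . . . . : value"

def parse_ipconfig(text):
    """Return {section: {field: value}}; 80-column wrap residue such as 'AM' is ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
        elif line.startswith("Windows IP") or line.rstrip().endswith(":"):
            current = sections.setdefault(line.strip().rstrip(":"), {})
    return sections

def findings(text):
    """Apply both checks. Assumption: the external NIC is the adapter with a default gateway."""
    s = parse_ipconfig(text)
    host = s.pop("Windows IP Configuration", {})
    out = []
    if not host.get("Primary Dns Suffix"):
        out.append(("blank-primary-dns-suffix", host.get("Host Name", "?")))
    if len(s) > 1:  # only meaningful on a multi-homed host such as the SBS server
        out += [("wins-on-external-nic", name) for name, f in s.items()
                if f.get("Default Gateway") and f.get("Primary WINS Server")]
    return out

if __name__ == "__main__":
    print(findings(WORKSTATION), findings(SERVER))
```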
 

Author Comment

by:rapportgtb
ID: 20062516
Hi Jeff,
First of all thank you for your assistance to date. Much appreciated. I ran the procedure to rejoin the workstation to the domain as per your documentation. Great documentation. Could I make one suggestion? In the scenario where somebody is rejoining a domain they may find themselves in the situation as I did where I had a mapped drive on the workstation. This will initiate an error message indicating that the connect computer procedure cannot continue due to an existing open network. As soon as I had disconnected the mapped drive, everything ran smoothly. The primary DNS suffix then showed the server as it should have. But I still could not obtain a VPN connection from this or any of the other workstations. I did resolve the problem however. The clue was in the fact that the server could make an outbound VPN connection but no workstations on the network could achieve this. The issue was the configurations of ISA. The rule which controls Port 1723 was only allowing outbound access from the local host. Hence the reason why I could obtain a VPN connection from the server but nowhere else. Once I had added the internal network to this rule I immediately had VPN outbound access from all workstations connected to the domain.

Your help to date has been really appreciated and I have learned some things along the way.  Once again thank you.

Best regards Geoff.
0
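The root cause described in the post above, a rule for port 1723 scoped to the local host only, can be shown with a small first-match rule model that also reports near misses (rules that match the protocol but not the source network). This is an added example, not part of the thread and not ISA Server's real rule format: the rule names, the "Web access" rule and the final default deny are constructed for illustration, and the addresses are taken from the posted ipconfig listings.

```python
from ipaddress import ip_address, ip_network

# Constructed model: rule names and layout are illustrative, not an ISA export.
SERVER_IPS = {ip_address("192.168.16.1"), ip_address("172.16.10.251")}
INTERNAL = ip_network("192.168.16.0/24")

def source_network(ip):
    """Traffic from the firewall host itself is 'Local Host', not 'Internal'."""
    ip = ip_address(ip)
    if ip in SERVER_IPS:
        return "Local Host"
    return "Internal" if ip in INTERNAL else "External"

def make_rules(pptp_from):
    return [
        {"name": "Web access", "action": "allow",
         "from": {"Local Host", "Internal"},
         "protocols": {("tcp", 80), ("tcp", 443)}},
        {"name": "PPTP outbound", "action": "allow",
         "from": set(pptp_from), "protocols": {("tcp", 1723)}},
    ]

BEFORE = make_rules({"Local Host"})             # scope as found
AFTER = make_rules({"Local Host", "Internal"})  # scope after the fix

def explain(rules, src_ip, proto, port):
    """Return (action, rule, near_misses); first match wins, no match is denied.

    A near miss is a rule that covers the protocol but whose 'from' set
    excludes the source network: the signature of the problem in this thread.
    """
    net = source_network(src_ip)
    near = []
    for rule in rules:
        if (proto, port) not in rule["protocols"]:
            continue
        if net in rule["from"]:
            return rule["action"], rule["name"], near
        near.append((rule["name"], net))
    return "deny", "Default rule", near

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        for src in ("192.168.16.1", "192.168.16.10"):
            print(label, src, explain(rules, src, "tcp", 1723))
```

A non-empty near-miss list on a denied connection points at the rule's source scope rather than at the client, which is where this thread spent most of its time.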
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 2000 total points
ID: 20063447
Geoff,

Thanks for the comments... funny that I had the exact same issue last week when trying to rejoin a workstation to the domain and had made a note that I needed to update the documentation.  I was actually planning on recreating the scenario so I could grab a screenshot of the error message.  It was the first time I had experienced the error because it's rather unusual to have a mapped drive from a local user account... but well worth noting since it took me about 15 minutes to figure out what the darn connection was!

You're right that the clue was that the SBS could establish the VPN and not the workstations... which is why I focused on a workstation-based firewall.  I wasn't thinking about ISA since you didn't mention it... and honestly, I've stopped using it and have uninstalled it from all networks I currently manage.  ISA won't be included in the next version of SBS --- which will only support a single NIC configuration in favor of a separate hardware-based firewall.  So, I figured, why keep fighting it and have moved everyone over to SonicWall TZ-170's.

Glad you got it working though!

Jeff
TechSoEasy
0
 

Author Comment

by:rapportgtb
ID: 20070348
Sorry about not mentioning that ISA was installed. The classic case of trying to diagnose a problem without having ALL the information. Your help has been appreciated - like many problems the solution is simple when we finally figure it out. The server was actually configured by another technician and it didn't click with me until very late in the investigation re the local host AND internal network specs in ISA. Once again thanks. Issue resolved. Geoff.
0

Question has a verified solution.