VPN cannot be established outbound from workstations on our SBS 2003 network - Error 800. VPN outbound from our SBS Server is successful.

We are running Microsoft SBS 2003. Service Pack 1. Netcomm NB5 Plus 4 ADSL Modem router. Trend CSM Email, Internet, RWW to our server and to other SBS networks all work fine. I need to be able to VPN to external computers. I can successfully VPN from our SBS server to other external networks but when attempting to create a VPN from any of our SBS workstations, the VPN fails with Error 800. I have enabled and disabled the firewall client on the workstations but this has no impact. Have rerun the internet connection wizard, rerun the VPN wizard on the workstations, checked port forwarding on the router. Port 1723 can be seen via canyouseeme when accessed from the workstation. The user has administrative rights on the network and the workstation. I can connect to the exchange server of the network that I am trying to establish a VPN - via OWA (from our server and our workstations). I cannot ping (from the workstation on our network) the IP of the VPN that I am trying to establish but I can ping the same IP from our server. Any suggestions as to what is causing the lack of VPN communication from the workstations on our network? With thanks in advance.
rapportgtb asked:
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Geoff,

Thanks for the comments... funny that I had the exact same issue last week when trying to rejoin a workstation to the domain and had made a note that I needed to update the documentation.  I was actually planning on recreating the scenario so I could grab a screenshot of the error message.  It was the first time I had experienced the error because it's rather unusual to have a mapped drive from a local user account... but well worth noting since it took me about 15 minutes to figure out what the darn connection was!

You're right that the clue was that the SBS could establish the VPN and not the workstations... which is why I focused on a workstation-based firewall.  I wasn't thinking about ISA since you didn't mention it... and honestly, I've stopped using it and have uninstalled it from all networks I currently manage.  ISA won't be included in the next version of SBS --- which will only support a single NIC configuration in favor of a separate hardware-based firewall.  So, I figured, why keep fighting it and have moved everyone over to SonicWall TZ-170's.

Glad you got it working though!

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Please post a COMPLETE ipconfig /all from both the server and a workstation.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Also, do you have the TrendMicro Firewall enabled on the workstations?

Jeff
TechSoEasy
0

 
rapportgtb (Author) commented:
Hi Jeff,
Trend Micro is enabled on the workstations. IPConfig /all to follow.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
TrendMicro FIREWALL?  Or just the AV?

Jeff
TechSoEasy
0
 
rapportgtb (Author) commented:
Hi Jeff,
Trend Micro AV only.

Workstation IP Config /all
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User01>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS01
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : gtb.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : gtb.local
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0C-F1-C4-29-50
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.16.1
        DHCP Server . . . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 192.168.16.1
        Primary WINS Server . . . . . . . : 192.168.16.1
        Lease Obtained. . . . . . . . . . : Tuesday, 9 October 2007 10:58:16 AM
        Lease Expires . . . . . . . . . . : Wednesday, 17 October 2007 10:58:16 AM

Server IPConfig /all

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : gtbsrv
   Primary Dns Suffix  . . . . . . . : gtb.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : gtb.local

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
   Physical Address. . . . . . . . . : 00-1A-4B-ED-B6-3F
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.1

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter
   Physical Address. . . . . . . . . : 00-0E-0C-68-B1-0A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.16.10.251
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.10.254
   DNS Servers . . . . . . . . . . . : 192.168.16.1
   Primary WINS Server . . . . . . . : 192.168.16.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\Administrator>

Hope this helps. With thanks Geoff.

0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Your workstation isn't joined to the domain.  How come?

Also, this is not related, but you should not have a WINS Server IP configured on the EXTERNAL NIC.  After removing that entry you need to rerun the Configure Email and Internet Connection Wizard (CEICW).

Jeff
TechSoEasy
0
 
rapportgtb (Author) commented:
Hi Jeff,
The Workstation is joined to the domain. What indicates that it is not?
Re the WINS Server IP configured on the EXTERNAL NIC - thanks for noticing. Have since removed and rerun the Configure Email and Internet Connection Wizard.

With thanks Geoff
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
" Primary Dns Suffix  . . . . . . . :" is blank.  A computer that is joined to a domain would have the domain's name in that field.

FYI, clients on an SBS-based network should be joined using http://<servername>/connectcomputer.  If you have joined it in any other way, or are rejoining it for any reason you need to follow the steps outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
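The two checks Jeff applies to the posted ipconfig /all output (a blank Primary Dns Suffix, and a WINS server on the external NIC), as an added Python example that is not part of the original thread. The sample text is constructed, abridged from the output posted above; treating the NIC that carries the default gateway as the external one is an assumption.

```python
import re
# One "Label . . . . : value" line from ipconfig /all.
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s?(?P<val>.*)$")

def parse_ipconfig(text):
    """Return {section heading: {field: value}} for ipconfig /all output."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():  # unindented = heading
            current = sections.setdefault(line.strip().rstrip(":"), {})
        elif current is not None and (m := FIELD.match(line)):
            current[m["key"].strip()] = m["val"].strip()
    return sections

def findings(text):
    """Apply the two checks raised in this thread to one machine's output."""
    sections = parse_ipconfig(text)
    out = []
    if not sections.get("Windows IP Configuration", {}).get("Primary Dns Suffix"):
        out.append("blank Primary Dns Suffix")
    nics = {n: f for n, f in sections.items() if "IP Address" in f}
    for name, f in nics.items():
        # Assumption: on a two-NIC server the external NIC has the gateway.
        if len(nics) > 1 and f.get("Default Gateway") and f.get("Primary WINS Server"):
            out.append(f"WINS server set on external NIC '{name}'")
    return out

# Constructed samples, abridged from the output posted in this thread.
WORKSTATION = """Windows IP Configuration
        Primary Dns Suffix  . . . . . . . :
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.16.10
        Default Gateway . . . . . . . . . : 192.168.16.1
        Primary WINS Server . . . . . . . : 192.168.16.1
"""
SERVER = """Windows IP Configuration
   Primary Dns Suffix  . . . . . . . : gtb.local
Ethernet adapter Server Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.16.1
   Default Gateway . . . . . . . . . :
   Primary WINS Server . . . . . . . : 192.168.16.1
Ethernet adapter Network Connection:
   IP Address. . . . . . . . . . . . : 172.16.10.251
   Default Gateway . . . . . . . . . : 172.16.10.254
   Primary WINS Server . . . . . . . : 192.168.16.1
"""

if __name__ == "__main__":
    print(findings(WORKSTATION), findings(SERVER))
```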
 
rapportgtb (Author) commented:
Hi Jeff,
First of all thank you for your assistance to date. Much appreciated. I ran the procedure to rejoin the workstation to the domain as per your documentation. Great documentation. Could I make one suggestion? In the scenario where somebody is rejoining a domain they may find themselves in the situation as I did where I had a mapped drive on the workstation. This will initiate an error message indicating that the connect computer procedure cannot continue due to an existing open network. As soon as I had disconnected the mapped drive, everything ran smoothly. The primary DNS suffix then showed the server as it should have. But I still could not obtain a VPN connection from this or any of the other workstations. I did resolve the problem however. The clue was in the fact that the server could make an outbound VPN connection but no workstations on the network could achieve this. The issue was the configuration of ISA. The rule which controls Port 1723 was only allowing outbound access from the local host. Hence the reason why I could obtain a VPN connection from the server but nowhere else. Once I had added the internal network to this rule I immediately had VPN outbound access from all workstations connected to the domain.

Your help to date has been really appreciated and I have learned some things along the way. Once again thank you.

Best regards Geoff.
0
 
rapportgtb (Author) commented:
Sorry about not mentioning that ISA was installed. The classic case of trying to diagnose a problem without having ALL the information. Your help has been appreciated - like many problems the solution is simple when we finally figure it out. The server was actually configured by another technician and it didn't click with me until very late in the investigation re the local host AND internal network specs in ISA. Once again thanks. Issue resolved. Geoff.
0
Question has a verified solution.
