Problems configuring Windows 2003 server (SP2)

Hello,

I've got an old windows 2000 server that's currently running VPN for my company.  This hardware is so old, it's been around longer than I have, and I've been here 9 years.  Needless to say, it's starting to act flaky. I'm working on setting up a 2nd VPN server that will eventually replace the old one.  I've taken some newer hardware, installed server 2003 SP2 and all the latest critical updates.  I've got dual NICs installed on the server as well but I'm not sure how they should be configured.  Currently, NIC 1 has an internal IP of X.X.1.19 with a gateway of X.X.1.2.  NIC 2 has an external IP of X.X.X.169 with a gateway of X.X.X.161.  When I configure the NICs, windows pops up a message that I shouldn't have 2 different gateways.

First Question: Should I be leaving the gateway blank on one of the NIC cards?

After I've got the NICs configured, I go through and configure the RRAS setup wizard selecting "Remote Access (dial-up or VPN)" and then selecting just the VPN checkbox. When prompted for "the network interface that connects this server to the internet" I select my NIC with the external IP address.  I then specify that I want a range of IP addresses from X.X.2.50 to X.X.2.74. Lastly, I use Routing and Remote Access to authenticate requests.  Once this is all set up, I run a few pings to sites on my WAN and make sure I can connect to the internet from the server.  All looks good.

Second Question: Even though all looks good on the server and with no firewall between the server and the internet (except for the packet filtering that's automatically set up by the RRAS wizard) remote clients can't connect.  They get an Error 800.  What am I missing?  All the tutorials I've seen on this make it seem so simple but I must be totally missing something.

Thanks in advance!  
ladyjmayoAsked:

Firmin FrederickSenior IT ConsultantCommented:
first question answer yes...sorry gotta rush lol :)
cedarghostCommented:
Are your remote clients going through a firewall and do you have any kind of access list on your router?
ladyjmayoAuthor Commented:
No firewall except for the packet filtering that's automatically set up by the RRAS wizard.
cedarghostCommented:
This may seem like a silly question, but is the IP address the clients are trying to connect to a public IP address?
ladyjmayoAuthor Commented:
Yes
cedarghostCommented:
Figured it was, and there are no firewalls on either side that would block the connection? Try to telnet to port 1723 and see if it opens.
cedarghostCommented:
I found some other things you can try also:
http://www.howtonetworking.com/vpnissues/error800.htm
ladyjmayoAuthor Commented:
I tried to telnet but was unable to.  When I went to a cmd and ran an ipconfig /all I see that the external NIC has no default gateway configured, but when I go into the properties of the card it is configured correctly??

I can telnet to the external IP from the server itself.
ladyjmayoAuthor Commented:
Well, it looks like my issue has everything to do with how the NICs are configured and I'm not sure what the proper way to configure them is.  Having both NICs with a default gateway configured and then running an "ipconfig /all" shows that windows has automatically disabled the default gateway on the external NIC.  This is why clients can't connect to the VPN server.  If I manually remove the default gateway from the local NIC, the external NIC takes over and *poof* remote clients can connect.  However, this causes another issue.  Most of my users that connect to VPN need to connect to servers that are not on the same subnet as the VPN server, but servers that are on my WAN.

With the default gateway for the local NIC removed, neither the server itself nor VPN clients can connect to anything on another subnet.  I think it's got everything to do with how those NICs are configured but I can't find any proper documentation on what the proper way to configure them is.  Any advice would be greatly appreciated!
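An added check, not from the thread, that automates the diagnosis in the post above: it parses "ipconfig /all" output and reports when more than one NIC has a default gateway in effect, or when a NIC's configured gateway has been dropped (the symptom seen on the external NIC). The sample output and its addresses are constructed placeholders, not the asker's real configuration.

```python
import re

# Constructed sample of "ipconfig /all" output from a dual-NIC Windows host.
# Addresses are documentation-range placeholders, not the thread's real ones.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 10.0.1.19
   Default Gateway . . . . . . . . . : 10.0.1.2

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.169
   Default Gateway . . . . . . . . . :
"""

# "Ethernet adapter <name>:" / "PPP adapter <name>:" section headers
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
# Dotted field lines; the value group is empty when the gateway was dropped
FIELD_RE = re.compile(r"^\s+(IP Address|Default Gateway)[ .]*: ?(\S*)")

def parse_ipconfig(text):
    """Map each adapter name to its IP address and effective default gateway."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {"ip": None, "gateway": None}
            continue
        m = FIELD_RE.match(line) if current else None
        if m:
            key = "ip" if m.group(1) == "IP Address" else "gateway"
            adapters[current][key] = m.group(2) or None
    return adapters

def audit_gateways(adapters):
    """Report the dual-NIC mistakes discussed above: more than one default
    gateway in effect, or a NIC whose configured gateway has been dropped."""
    findings = []
    with_gw = [name for name, a in adapters.items() if a["gateway"]]
    if len(with_gw) > 1:
        findings.append("multiple default gateways in effect: " + ", ".join(with_gw))
    for name, a in adapters.items():
        if a["ip"] and not a["gateway"]:
            findings.append(f"{name}: no default gateway in effect")
    return findings
```

Run `audit_gateways(parse_ipconfig(output))` on real `ipconfig /all` text; an empty list means exactly one NIC carries the default gateway, which is the state the thread arrives at before adding static routes for the other subnets.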
ladyjmayoAuthor Commented:
More in this saga.  On Friday, I removed the default gateway for the local NIC, and it allows VPN clients to connect, and once I created static routes for all my remote locations through Routing and Remote Access, all was good.  Today, something has gone wrong.  While users can still connect to VPN, once connected to VPN, they can no longer access the internet.  Also, the server can't browse the internet anymore either.

Anybody have any ideas what could have gone wrong between Friday and today and how I can fix it?

(Not sure if this should be a separate question or not, but I posted to this one because I think the background info may be important.  Mods...if this isn't the right thing to do please let me know. Thanks!)
Firmin FrederickSenior IT ConsultantCommented:
I've had a chance to read and catch up - windows on its own will not be able to handle both VPN and NAT on its own.  You would have greater success using ISA server to translate VPN requests from the router to NIC1 (external) with its different subnet and NIC2 with the private internal IP addresses.

Your problem is essentially NAT/routing

router (internet address) => NIC1 => ISA => NIC2

VPN client (Internet)          NAT          Internal network
Router <= NIC1 <= ISA <= NIC2               192.168.x.x

ISA 2004 will work on win2K as well - ISA ties in RRAS and IAS for you with the settings you already have and will lock down your internet with its built in firewall rules.
ladyjmayoAuthor Commented:
Thanks for helping me try to sort this out!  I appreciate your help.

I am not sure it is NAT that I'm trying to accomplish though?  Because the server isn't set up as "VPN & NAT" (the selection from the RRAS wizard) I just chose the VPN selection.  From what the wizard makes it look like, if I chose the VPN & NAT selection it would have set NAT up for the entire network and that's not what I want.  Not sure if my interpretation of the wizard is correct?
Firmin FrederickSenior IT ConsultantCommented:
That's OK, the RRAS wizard would probably assume a direct internet connection; the last time I configured RRAS there was no reference to how my remote connections would be accessing RRAS services.  You need not worry about NAT as your objective, this will happen in the background.

It is from this experience and your reference to:
"I removed the default gateway for the local NIC, and it allows VPN clients to connect, and once I created static routes for all my remote locations through Routing and Remote Access, all was good.  Today, something has gone wrong.  While users can still connect to VPN, once connected to VPN, they can no longer access the internet.  Also, the server can't browse the internet anymore either."

My last entry would hold true for this scenario.  The dual network card scenario requires either proxy, NAT or routing.  ISA or similar (wingate from http://www.wingate.com) will perform this for you; otherwise, in a fairly simpler scenario, get a router that will do your VPN for you and eliminate the uncertainty from your network.

Then you can leave your dual network card scenario and allow built in windows proxy to handle your internal web requests.  You can leave the gateway address on your external NIC on your server to allow your server internet access and manually or GPO configure proxy for your clients.

:)

cedarghostCommented:
If all you need now is for the clients to be able to use the internet as well as their VPN, just uncheck the box that says "Use Default Gateway on the Remote Network". This is in the Advanced TCP/IP properties of the VPN connection, on the general tab. When Windows clients connect to a remote network with a VPN, Windows automatically adds a default router that has a lower metric than the internet. Clearing this box will allow them to access the internet but they may have issues accessing the VPN until they check the box. What you are trying to do is called split-tunnelling so that they can use both. To do this you will have to add some static routes on the clients. You can do this with a script or batch file if you can create them. Here is a link that explains how to do this:
http://technet.microsoft.com/en-us/library/bb878117.aspx
cedarghostCommented:
Meant to say Windows adds a default route...not router. And now that I read my post, I see I posted that unchecking this box will allow them to use both. It will not, unless you add the static routes.
ladyjmayoAuthor Commented:
Thanks so much!  I very much appreciate your help!
Firmin FrederickSenior IT ConsultantCommented:
Most welcome :)