Dale303

VPN Connects but no access when "Use default gateway on remote network" is unticked.

We have a remote user who connects to our SBS server via VPN (ISA2004) but just recently, whilst VPN seems to connect OK, she cannot ping, access any drives or use Outlook when "Use default gateway on remote network" is unticked.

It works fine when ticked but as I often have to manage her PC remotely, I really need it unticked to gain access at all times (plus she likes to browse the web whilst connected).

However, if I try to access the server from my home with her login details I can access all services with no problems.

Ping reveals...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jo>ping 192.168.16.2

Pinging 192.168.16.2 with 32 bytes of data:

Reply from 194.159.161.32: Destination net unreachable.
Reply from 194.159.161.32: Destination net unreachable.
Reply from 194.159.161.32: Destination net unreachable.
Reply from 194.159.161.32: Destination net unreachable.

Ping statistics for 192.168.16.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

ipconfig/all reveals...

Windows IP Configuration

        Host Name . . . . . . . . . . . . : MrDarcy
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-12-3F-8B-3E-97
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        Lease Obtained. . . . . . . . . . : 03 March 2008 09:26:39
        Lease Expires . . . . . . . . . . : 04 March 2008 09:26:39

PPP adapter BACS:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 169.254.152.238
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2


It was all working fine a couple of weeks ago.
SOLUTION
Qlemo
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.

The problem is that the setup script is setting up the default gateway automatically. (SBS is a one site system by design so normally this should not be an issue)
You can remove the default gateway:
http://blogs.technet.com/sbs/archive/2007/12/05/sbs-2003-server-may-hand-out-incorrect-default-gateway-to-clients-at-a-remote-site.aspx
Olaf

Dale303 (ASKER)

@Qlemo: Yes, I think you are on the right track there.

Unfortunately ISA is still my weakest link with regard to SBS (especially since I've only recently upgraded to ISA2004). Any clues as to where to go from here would be gratefully received.

I have to ask a colleague for clues, will be available not before Wednesday afternoon.
SOLUTION
This solution is only available to members.

If you use the connectcomputer wizard to install your machines and internet connection wizard to configure your internet, only authenticated users will be able to get to internet. That's standard (that's why you install the proxy client) and I thought you knew that. Hence I suggested to shut down your router because that's the only place someone could plug in and get free internet.
If the router is in bridge mode there is no more access except from the LAN.
Olaf

Dale303 (ASKER)

I'm still not sure exactly where the 'dial-in ip address pool assignment' settings are in ISA 2004.

I've found the 'Address Assignment' Tab in 'Virtual Private Networks (VPN) Properties'.
That is set to DHCP and 'Internal'. The Advanced settings are 'Obtain DNS Server addresses using DHCP configuration' and 'Obtain WINS server addresses using DHCP configuration'.

Other settings within 'Virtual Private Networks (VPN) Properties'...

Access Network Tab: - External is ticked
Authentication tab: - MS-CHAPv2 is ticked, MS-CHAP is ticked
RADIUS: - Nothing ticked

Am I playing in the right ballpark here?

Dale303 (ASKER)

@Olafdc
Sorry if it seems I ignored you. I did try your original suggestion on the off chance but it made no difference.

Yes, you are. I guess the DHCP service is not running (anymore). Have a look into the service applet for that service - if not started, it's time to kick it on!
If the service refuses to start, you should go into the Eventlog to find the cause.

Dale303 (ASKER)

DHCP is and has always been running.

It's the first thing I checked.
SOLUTION
This solution is only available to members.

Dale303 (ASKER)

@Qlemo
Thanks for the very prompt reply.

"DHCP server should show some reserved addresses for ISA, I think a 5 address block, which you should check. "

DHCP is only showing the local addresses of the PCs in the office. There are no VPN leases in 'Address Leases'.


In DHCP / Scope [192.168.16.0] SBS Scope...

Address Pool -
192.168.16.1 - 192.168.16.9 - Excluded
192.168.16.1 - 192.168.16.254 - Distribution Range

Address Leases -
192.168.16.5 - Managed Switch reservation
192.168.16.xx  
192.168.16.xx  
192.168.16.xx  
 ... etc, x9 local PC assignments
 
Reservations -
192.168.16.5 - Managed Switch

Scope Options -
003 Router - 192.168.16.2
006 DNS Server - 192.168.16.2
015 DNS Domain Name - bacs-net.local
044 WINS/NBNS Servers - 192.168.16.2
046 WINS/NBT Node Type - 0x8

So it seems the leases aren't being created. I do remember them being there before.

"I suggest you define a static address pool in ISA server itself, e.g. 192.168.16.252 - 254"

That's a good idea in any case. Is there anything more I need to do other than changing the details in ISA Management VPN / Address Assignment ?

You should exclude that address range in DHCP, of course. But that's all.
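
Added example (not part of the original thread): a Python check that reads the ipconfig output posted in the question and shows why the split tunnel fails. It relies on the documented Windows behaviour that, with "Use default gateway on remote network" unticked, the client only adds a class-based route for the address it was assigned. The trimmed sample text and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the ipconfig /all output in the question.
IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
PPP adapter BACS:
        IP Address. . . . . . . . . . . . : 169.254.152.238
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.16.2
"""
APIPA = ipaddress.ip_network("169.254.0.0/16")  # link-local autoconfiguration range

def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S.*adapter .+):\s*$", line)
        field = re.match(r"^\s+([^.:]+?)[\s.]*:\s*(.*)$", line)
        if head:
            current = adapters.setdefault(head.group(1), {})
        elif field and current is not None:
            current[field.group(1).strip()] = field.group(2).strip()
    return adapters

def classful_network(ip):
    """Class-based route added for the VPN link when the gateway box is unticked."""
    first = int(str(ip).split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def diagnose(text, target, adapter="PPP adapter BACS"):
    """Report whether traffic to `target` would enter the split tunnel."""
    vpn_ip = ipaddress.ip_address(parse_adapters(text)[adapter]["IP Address"])
    route = classful_network(vpn_ip)
    return {
        "vpn_ip": str(vpn_ip),
        "apipa": vpn_ip in APIPA,  # True is consistent with no VPN lease being issued
        "tunnel_route": str(route),
        "target_via_tunnel": ipaddress.ip_address(target) in route,
    }

if __name__ == "__main__":
    print(diagnose(IPCONFIG, "192.168.16.2"))
    # Same client once it receives an address from the suggested static pool
    fixed = IPCONFIG.replace("169.254.152.238", "192.168.16.252")
    print(diagnose(fixed, "192.168.16.2"))
```

With the posted 169.254.x.x address the only tunnel route is 169.254.0.0/16, so the ping to 192.168.16.2 leaves through the home router and an upstream hop answers "Destination net unreachable"; with a pool address the class-based route covers 192.168.16.0/24.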

ASKER CERTIFIED SOLUTION
This solution is only available to members.

jax21

I have a related question; I VPN connect over pptp. When I untick the "Use default gateway on remote..." Outlook 2003 can't connect but IE7 can.