Solved

VPN to LAN

Posted on 2008-06-13
Last Modified: 2011-09-20
Issues with VPN to Exchange Server.
From XP Pro I can VPN to the main server, however at that point I do not have access to the LAN through My Computer.
I am Admin.
Is this normal?
I am able to Remote Desktop to any computer that is logged on to the LAN.

I am trying to set up a way for certain employees to work from their work stations remotely.

Is this the best way to do it?   [i.e.   VPN to server & RDT to workstation? ]
Question by:Horn E. Towed
 
LVL 11

Assisted Solution

by:phileoca
phileoca earned 65 total points
Comment Utility
Do you mean you don't have access to your local LAN or to the LAN you VPN'd to?

It is normal that you lose access to your local LAN while connected on the VPN *unless* you have 2 NICs in your computer.  Then you can use one NIC for the VPN, and the other NIC for your local LAN.

VPN to Server, then RDT to workstation would be best practice, and I can attest that Kaiser Permanente uses this method with an RSA Security server and Timbuktu Remote software.
0
 
LVL 11

Expert Comment

by:phileoca
Comment Utility
Multiple NICs may help you
Very Much, but
Til you do that,
You will just have to do a work around.
Progess is imminent and security is necessary
Overcoming these challenges will only make you stronger.

:-)
0
 
LVL 9

Assisted Solution

by:authen-tech
authen-tech earned 65 total points
Comment Utility
You might also want to consider using www.logmein.com
It's a totally free service first of all.  Then you can install it on all the workstations and then create secondary users to give each user permission to just their workstation.  It's directly connected through the internet to their computer so you won't slow your server down with many VPN connections.  You also don't have to mess with any firewall settings at all on either side.  It's a secure tunnel as well.

I have a computer running a VPN connection to another site...and I still have access to all my local network resources.  It's not normal not to.

Good Luck!
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
>Do you mean you don't have access to your local LAN or to the LAN you VPN'd to.<

*The LAN I VPN'd to.
sorry

My home computer is a stand-alone on DSL.

I actually seem to have access to the LAN as I can Remote Desk Top to any computers that are logged in on the LAN by using the computer's network name.
However when I try to view the LAN domain [My Network Places> Entire Network>...] there is nothing there.

I'd prefer not to get involved with a web based service if possible, but I'll keep Log Me In in mind.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Ky-el>
I just saw your comment >VPN to Server, then RDT to workstation would be best practice<

[my personal strings are a bit slow today]

I may just wind up keeping that option.
This is all new to me so I'm not sure what options are available. :-\
0
 
LVL 9

Expert Comment

by:authen-tech
Comment Utility
Ok, check to see if you are using default gateway on remote network option.  Not sure if this will help, but it's worth a try...

Go to the control panel/network connections.  Right click on your VPN connection and select properties.
With TCP/IP highlighted click Properties again, then click Advanced.  On the General tab, make sure the Use Default Gateway on Remote Network is checked.  This may allow you access to the remote connections local network resources.  


Otherwise LogMeIn is very powerful, easy, and free.  It's very simple for the end user as well if you have some less technically savvy employees out there.

Good luck!
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Thanks authen-tech.

I will check this weekend.


>Progess is imminent<

That's good to know.
0
 
LVL 11

Expert Comment

by:phileoca
Comment Utility
I use Logmein for personal stuff.  It's a great program, but I'd be cautious about using a program like that for business since logmein.com will take 0 liability if your information is compromised by someone getting the information from logmein.com

When you establish your VPN, you should get an additional IP Address.  If you're not getting an IP Address from your server, you may want to look at your DHCP server, and the TCP/IP settings in your VPN properties to assure that it's set on Obtain.
0
 
LVL 9

Expert Comment

by:authen-tech
Comment Utility
While I agree they won't take responsibility, I have hundreds of business computers on it and have used it for years for free without problems.  

He wouldn't be able to RDT into other computers on the network if he wasn't getting an IP address.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Yeah.
I'm getting in with VPN.
Heck, I can even get in with RDT but it's not a secure connection like VPN...as I understand it.

In a way, I guess not being able to access the domain tree in Entire Network can be a good thing.
If you don't know the computer name you can't RDT to it & if you don't know the name you have no business being in there to begin with.

It still bothers me that I can't access that.
I'll play with it from home this weekend and see if I can finger something out for y'all to chew over.

Thanks for the input.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Firstly you would be much more secure using Remote Web Workplace which is unique to SBS. RWW uses SSL for security, and although I am a big fan of VPNs there is one major security flaw, and that is it is a wide open tunnel to your users' homes over which you have no control. If you are not familiar with RWW, as opposed to remote desktop, please advise and we can help out. It is easy to set up on SBS, and can ONLY be done on SBS.
http://www.lan-2-wan.com/SBS.htm#q1

>>"I actually seem to have access to the LAN as I can Remote Desk Top to any computers that are logged in on the LAN by using the computer's network name.
However when I try to view the LAN domain [My Network Places> Entire Network>...] there is nothing there."
You probably will not be able to browse my network places. Network Places relies on NetBIOS. On a LAN NetBIOS primarily uses NetBIOS broadcasts, but broadcast packets are not routable and can therefore not be forwarded over a VPN. The other option is to use WINS servers, but this usually requires having a WINS server at the corporate site (the SBS is a WINS server) and a WINS server at the client site. It is seldom necessary to have browsing capabilities, as you are connecting to known resources.

You did say you can RD over the VPN. If so great, but if not you either have the same subnet at the client site as the server site, or you need to add a static route. (the SBS VPN wizards should have done the latter for you)
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Here's the latest.
I probably misspoke earlier.

I can connect with the LAN server at work with VPN.
The connection is active.
But that seems to be all that I can do.
RD on my home computer doesn't see any computers...I left mine logged on and locked on Friday so I could try the connection.

If I RDT to the server's IP I can then RD to any active computer on the LAN.
That seems horribly un-secure & inefficient. It sure is slow but that might be my connection.
I will look at the VPN wizard when I get to work in the morning.
I suspect I am missing some setting.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
*From home* I can connect with the LAN server at work with VPN.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Sounds like a routing or firewall issue:
-If the home site uses the same subnet as the server site (such as both using 192.168.1.x) you will only be able to connect to the RRAS/VPN server, if that. VPNs require the subnets be different so that the packets can be routed between sites. It will work to the VPN server if the default gateway option is checked on the client, but no other device.
-If the SBS uses 2 NIC's you will need to enable "LAN routing" in RRAS and may need to add a static route to the client. For example if the VPN client is assigned an IP of 192.168.222.1 and the SBS LAN uses 192.168.111.x you would then add to the client:
route add 192.168.111.0  mask 255.255.255.0   192.168.222.1
However, if you used the SBS "configure remote access" and "create remote access disk" wizards this should all be automated
-When remote desktop access is enabled on a PC an exception is automatically created for the firewall, however this only allows access from the local subnet. If your VPN client is using an IP from a different subnet you will be denied access. You need to adjust the firewall exception scope options to allow access by "any computer even those on the Internet". See:
http://www.lan-2-wan.com/RD-FW.htm
-Why not use Remote Web Workplace (not TSWeb) as mentioned. It is specifically designed for this, built-in, easy to configure and more secure? Some people buy SBS for this feature alone.
0
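The three checks in the reply above (overlapping subnets, the static route, and the Remote Desktop firewall scope), written out as an added example that is not part of the original thread. The function name, the finding codes and the home-side addresses are constructed for illustration; 192.168.111.x and 192.168.222.1 are the values used in the reply.

```python
import ipaddress


def diagnose_vpn_path(home_if, vpn_client_ip, corp_lan,
                      use_remote_gateway=False, rdp_scope_local_only=True):
    """Return (code, detail) findings for reaching office LAN hosts over the VPN.

    home_if            address/prefix of the home PC's own network adapter
    vpn_client_ip      address the VPN server handed to the client's PPP adapter
    corp_lan           the office LAN behind the VPN server
    use_remote_gateway "Use default gateway on remote network" is checked
    rdp_scope_local_only  the workstation's RDP firewall exception is
                          limited to its own subnet
    """
    home = ipaddress.ip_interface(home_if).network
    corp = ipaddress.ip_network(corp_lan)
    client = ipaddress.ip_address(vpn_client_ip)
    findings = []

    # Check 1: the same subnet at both ends. Packets for office hosts are
    # treated as local and never enter the tunnel, so nothing else matters
    # until one side is renumbered.
    if home.overlaps(corp):
        findings.append(("subnet-conflict",
                         f"home {home} overlaps office {corp}; renumber one side"))
        return findings

    client_on_corp_lan = client in corp

    # Check 2: the client was given an address outside the office LAN and is
    # not sending everything through the tunnel, so it has no route to the LAN.
    if not client_on_corp_lan and not use_remote_gateway:
        findings.append(("static-route",
                         f"route add {corp.network_address} mask {corp.netmask} {client}"))

    # Check 3: the workstation only accepts RDP from its own subnet, and the
    # VPN client's source address is not in it.
    if rdp_scope_local_only and not client_on_corp_lan:
        findings.append(("firewall-scope",
                         f"RDP exception limited to {corp} will reject {client}"))

    return findings


if __name__ == "__main__":
    # Constructed scenarios: (home adapter, VPN client IP, office LAN)
    scenarios = [
        ("192.168.1.10/24", "192.168.1.200", "192.168.1.0/24"),     # both ends 192.168.1.x
        ("192.168.0.10/24", "192.168.222.1", "192.168.111.0/24"),   # the reply's example
        ("203.0.113.25/24", "192.168.111.50", "192.168.111.0/24"),  # client on the office LAN
    ]
    for home_if, client_ip, lan in scenarios:
        print(home_if, client_ip, lan)
        for code, detail in diagnose_vpn_path(home_if, client_ip, lan) or [("ok", "no findings")]:
            print(f"  {code}: {detail}")
```
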
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
different subnets
Home connects through a major ISP's DSL

>Remote Web Workplace<

I will look into that.
Thanks.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
>>"different subnets
Home connects through a major ISP's DSL"
I assume at home you have a router? If so, what is the local subnet, such as 192.168.0.x? It must be different than the corporate. Often folks use the default router subnets and they must be different at either end of the tunnel, even if they are different than the tunnel itself. This is a very common problem.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Really?

I have a DSL modem but no router.
Would I have the same issue?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
>>"Would I have the same issue?"
If it assigns your home PC a private address and they conflict, yes. Private addresses include 192.168.x.x, 10.x.x.x, and 172.16-31.x.x

The reason for this is packets are routed by their network address (subnet to which they belong). If the same subnet exists locally and on the remote system the packet will not be forwarded but rather kept in the local subnet and lost. The RRAS server itself can be a different case.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Thanks.

I may be suffering from a case of Monday Idiot Syndrome but I cannot find how to run RWW on the server.
Everything I have found on the Net seems to assume I have it up and running.
There are all sorts of references to the RWW Wizard but I'll be dipped & fried if I can find it.
Is there a RWW for Dummies that I can link to so I can see how to get started?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 367 total points
Comment Utility
:-) no problem, it's a bit hidden.

Remember CEICW, you will hear it a lot with SBS. It is the Configure E-mail and Internet Connection Wizard and is found by going to server management | internet and e-mail | connect to the Internet. This is where you add, delete, and edit all of your Internet services.
Run the wizard and one option will be to enable RWW. It will also want you to create a certificate within the wizard. Use whatever address you will use to connect from the Internet whether IP or a domain name like SBSname.MyDomain.abc
If your router has UPnP enabled (not recommended) SBS should configure the router for you, but if not you need to forward ports 443 and 4125 (not 3389) to the SBS.
Then to connect from the Internet just use (note the "S")  https://SBSname.domainname.abc/remote
It presents you with a list of options available such as connecting to desktops, servers (if you are an admin), Outlook Web Access (if you enabled), and server reporting. Choose the desktop to which you wish to connect and bingo, you have a remote desktop session.
By the way since you are using the SBS certificate (rather than a purchased one) when connecting you will probably get a warning about an unknown certificate. Just accept it and continue.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
I found some stuff that would help if this was a proper installation of SBS.
It seems that RWW may not have been installed in this particular SBS installation.
The browser URL that should take me to RWW login
http://mail.xxxxxx.com/remote dies as not available.
http://mail.xxxxxx.com/  works & we always have been able to access our mail that way.

I tried to run the Create Remote Connection Disk and I get told the Remote Access Wizard could not start & to "run SBS setup again & reinstall Networking component."
Carp.
This is turning into more of a mess than I expected.
*Is this something that can be done without risking the functions of the server?

On the side of the original part of the Q. I found an MS article that describes a couple of workarounds to allow a remote user to see the server.
I will have to wait until I get home to try it.



0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Rob,

I refreshed my view but your last post didn't show until I posted.  :-\

Thanks.
I'll get back.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
>>"http://mail.xxxxxx.com/remote dies as not available."
It won't work if RWW has not been configured with the CEICW.

>>"I tried to run the Create Remote Connection Disk"
That is for the VPN client, nothing to do with RWW
CEICW is on the same page as the "Create Remote Connection Disk" wizard but called "Connect to the Internet"

0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Well all I get is "can't find file" errors when I try to run the Connect to the Internet wizard [or other connect wizards].

I don't know if this is a result of some sort of strange installation of SBS or there has been some system corruption that caused this stuff to go south.
I know the Exchange backup system is non-functioning and the Windows backup has been used for forever to back up the Exchange db.

I'm going to have to root around and see what I can find about the missing files.


0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Do you know how the SBS was originally set up? SBS requires that all features be installed, wizards used, and defaults chosen whenever possible. A lot of qualified IT folk "customize" SBS when they set it up, not realizing that SBS2003 is not Server 2003, and as a result break some of the features. I know I and several others on this board did the same thing with our first SBS installs.
The reason this is necessary is SBS has numerous applications and features packed into one box in a way that cannot normally be done. The integration is so tight that it is not possible to make all changes manually. For example something as simple as changing the LAN IP of the server without using the wizard will break numerous services.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
"The installation was typical" per our old IT guy.
"We originally installed the server with the internet proxy on and later decided to disable it as the load on the server was too great"
:-/
I'm not sure what he is talking about but it looks like they uninstalled the connection Wiz.

I found an MS article that shows how to reinstall the Inet Con.Wiz.
I'm going to give it a try.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility

kb/ 829712
I got to the final steps for the reinstall but the dropdown options for "Networking" did not have an "Install" or "Reinstall" as the article said.
It just had "None" & "Remove"
Networking is also the only component that is not checked...just a couple of dashes.

This being our main server, I'm going to make sure I know what I'm doing before I jump into a "Remove"

I'll check back once I get back on track.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Interesting. I haven't tried that procedure before so out of curiosity I checked 2 working SBS servers. Both had the networking reinstall option.
I agree "remove" networking on a key server could be risky.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Yeah.
I do not get it [surprise!]

VPN still has the prob from home.
the connection is there & live [I get sent & received status] but I can't seem to be able to do anything with the connection.
kb/ 827603 tried to show me how to list shared stuff from the server on my Network Places or mapped drives but all I got from that was "can't connect".

nbtstat -c shows my local IP as 71.xxxxxx, my server IP as 192.168xxxxx & my client [me?] as 192.168xxyyy.
I guess you may be right about the IP addresses but I can't determine how to do anything about that.

I'm going to bed.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
If the  PC's "local area connection" is 71.x.x.x you are fine (this is the one to be concerned with). The VPN/PPP adapter should be the same as the server.

There is no security concern with showing us your private 192.168.x.x addressing, just keep the 71.x.x.x private.
What is the 3rd octet of the 192.168.???.xx addresses? If they are the same good, if not you need to add a static route.

As for browsing the remote network, that likely won't work, but once configured you can connect by IP using \\192.168.x.x\Sharename
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Thanks.

I'm at work but I'll see about that tonight.

I really want to use RWW if I can figure out how to get that stuff installed.
I can't even run the Remote Connection Disk app.

I'm getting in touch with my local pros this morning to get them to look at it.
I'll keep you posted.
Thanks for all the help so far.

Since this thread has taken a different turn I will open a new thread [maybe today] for any additional work or just to share info.
I'll post the link to it here.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Putting things on hold for a day or two until I get this component thing ironed out with SBS.

I'll be back.


FYI: I tried the "Remove" option for the Networking component to see if I could get an "Install" or "Reinstall".

It errored out on me and changed nothing.  :-/
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Sounds like the original installation may not have been completed properly or was corrupted.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
Yeah.

Yesterday the pro tried to install the missing components from the original CDs.
He failed miserably.
His opinion is that the Networking components were never installed [ or were deleted for some reason ] but here's the rub:
Since I have installed the service packs, the system is "locked" into the original configuration.
He believes that the only way to get the Network components is to reinstall the whole O/S.
He says he has seen web evidence of a number of admins with this same problem.

Reinstall is NOT an option at this point.

I'm thinking about hunting down the "expert" who installed this system and...well I will not be kind & any surviving family members will be glad when I leave.  
On the good side, I am learning stuff I didn't even know existed. ;-)

I'll return.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I too have seen several debates about running the "continue set up wizard" (same as the add/remove method you are using) after service packs have been installed. It is the key pro argument for installing all SBS components whether you plan to use them or not.

You could always add a VPN router for as little as $200 like the Linksys RV042, use one NIC on the SBS and give users access that way.
0
 
LVL 10

Author Comment

by:Horn E. Towed
Comment Utility
I was finally able to use VPN to connect to our server from home last night but it was really involved.
Nobody who is going to remote into us is going to be able to deal with it effectively.
I plan on playing with it from home this weekend so I can see if I can streamline the process...or at least have an idea of the kind of questions to ask.

Apparently the previous admin had the few remote users use RDT to the server & then RDT to the computer..
Not something I want to continue for a number of reasons [when I have an option].

I want to split the points in this thread between everybody because I got good usable info from all.
RobWill has provided the most continuing support so the mother lode goes to him with much thanks to all of you.

I will open up a new thread    VPN Settings   to see about trouble shooting the VPN setup items.
0
 
LVL 10

Author Closing Comment

by:Horn E. Towed
Comment Utility
Thanks everybody!

New Thread  "VPN Settings"  will be posted shortly.
Everybody is welcome. Bring your significant other if you want.
Drinks by the pool.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Thanks StoneG
Cheers !
--Rob
0
