VPN Disables Internet & Email

My partner uses his laptop (running Microsoft Windows XP Professional SP3) to connect remotely (from his home office) to our firm server (running Microsoft Small Business Server 2003, SP2), which lives in my home office.  He has access to firm files located on the server by way of the Virtual Private Network / VPN function that is built into SBS 2003 and which we enabled on his laptop.

Here's the problem:  Whenever he's using the VPN connection, he CAN'T also use his laptop to browse the Internet or to send or receive email.  As soon as he terminates the VPN connection, his laptop can surf and handle email traffic again, but those functions will not work simultaneously with VPN.  (This "either / or" dynamic imposes burdens and inefficiencies too tedious to describe here.)

I suspect that the VPN connection that SBS 2003 provides is somehow blocking my colleague's normal access to the Internet from his LAN, but since I'm the administrator of the server, I'm hoping there's some way to alter that constraint.  Please advise.

NOTE:  I'm not too tech savvy, so I'd ask that in offering suggestions, you assume I don't know much jargon and need simple, step-by-step instructions.  Thanks much.

~ David K.

When you set up the VPN you have the option of enabling filtering on the interface assigned to the VPN connection.  When filtered, only the VPN traffic is permitted back out this interface and nothing else.  If this interface is also your Internet access point, its gateway setting is also the default route for the VPN server to reach the internet.  

You can do one of two things.  Turn off this filtering, or from the client side do not use the default route from the VPN (SBS) server.  From the client you can clear "use default gateway on remote server" under advanced TCP/IP settings. On the server you can adjust the filtering under routing and remote access,  IP routing, general, outside interface...
dkatzen (Author) Commented:
Thanks for the feedback, dathho, but I'm afraid that (as I feared) I can't really tell how to employ your guidance, because of my limited foundational knowledge.  If possible, please tell me what specifically--in step-by-step mode--I or my partner would do to alter settings on the SBS server or on his laptop.  

More on my ignorance:  I just can't tell what novice-friendly "clicks" we would execute to make needed changes.  I understand things like: (a) On the laptop, press the "Start" button; (b) double-click "Control Panel"; (c) double-click "Network Connections"; (d) right-click "Local Area Network," then click "Properties" . . . .

Also, as between adjusting the server or my partner's client laptop, can you steer me to some way to evaluate the pros and cons of each approach?  For example, what are the security risks, and what other functionality might be affected on each end?

I appreciate your help, and I'm sorry I'm so dense.    ~ David
Hello dkatzen
As our friend dathho was saying, clear the check mark to use your default gateway, meaning that when you VPN you are going to use the traffic from your LAN connection and not where the SBS is. To do this you have to go into the client VPN settings.
Right-click on the VPN connection on the client computer > select Properties > go to the Network tab > under "This connection uses the following items:" click on Internet Protocols > then Properties > Advanced > then on the General tab uncheck the box. Click OK, then close the VPN properties. Try to VPN again and let me know if this works for you.
dkatzen (Author) Commented:
Thanks for the input, raiqi.  Unfortunately, I'm not able to find my way to the adjustments you propose.  On the client computer, there are two ways to get to some sort of dialog box for the VPN connection, neither of which affords access to the kind of network protocol properties you reference.  Here's what I see:

If I go to the desktop icon labeled "Shortcut to Connect to Small Business Server," I can right-click and get a "Properties" dialog box.  I'm attaching a pdf file with screen shots of the different tab views available through that box, which I've named "Screenshot--Desktop Icon Props."

If I go to "Network Connections" through the Control Panel, there's an item labeled "Connect to Small Business Server," which yields a different properties dialog box.  Again, I'm attaching a screen shot of those tab views, which I've called "Screenshot--Network Item Props."

If there's another path to the adjustments you describe, please tell me how to get there.  Thanks much for any assistance you can provide.

~ David
Attached are the directions to change these properties. Let me know if that helps.
From the client.
Rt click on the connection.
Select Networking tab.
Select Internet Protocol (TCP/IPv4)
Select Advanced Button
Uncheck "Use Default Gateway on Remote Network"

This should allow the remote client to use its own gateway setting.

From the VPN Server
Open Routing and Remote Access
Expand IP Routing
Select General
Select Your outside interface
Rt button
outbound filters button
delete all the filters and select at the top transmit all packets except those below

I can't remember if you need to do the inbound filters also.

This is perfectly safe if you have a firewall between the VPN server and the internet that is only permitting inbound traffic on L2TP, PPTP,  & IKE ports. 1721, 1723, & 500.  If you don't then I would not expose the SBS server like this.  Alternately you can add the ports you need outbound...
http - 80
https - 443
pop3 - 110
smtp - 25

both udp and tcp.

Good luck.  Sorry for the delay.  Busy at the real job this afternoon.  
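
Added example, not part of the original thread: a way to confirm from the laptop's `route print` output whether Internet-bound traffic leaves through the VPN (option checked) or through the local gateway (option cleared). The two route tables, all addresses, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `route print` rows; 192.168.1.x = home LAN, 192.168.16.x = office VPN.
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      21
          0.0.0.0          0.0.0.0    192.168.16.50   192.168.16.50       1
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
     192.168.16.0    255.255.255.0    192.168.16.50   192.168.16.50       1
"""
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      20
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
     192.168.16.0    255.255.255.0    192.168.16.50   192.168.16.50       1
"""

def parse_routes(text):
    """Return (network, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or not cols[4].isdigit():
            continue  # header, separator or other non-route line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
            iface = ipaddress.ip_address(cols[3])
        except ValueError:
            continue  # not an IPv4 route row
        routes.append((net, iface, int(cols[4])))
    return routes

def egress_interface(routes, dest):
    """Pick the route by longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)
    return str(best[1]) if best else None

def tunnel_mode(table, vpn_ip, probe="198.51.100.10"):
    """'full' if traffic to an Internet address (probe) leaves via the VPN interface."""
    routes = parse_routes(table)
    return "full" if egress_interface(routes, probe) == vpn_ip else "split"

if __name__ == "__main__":
    for name, table in (("checked", FULL_TUNNEL), ("cleared", SPLIT_TUNNEL)):
        print(name, tunnel_mode(table, "192.168.16.50"))
```

In the "split" state the office subnet is still reached through the VPN interface, while everything else bypasses the office firewall and goes out the home connection.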


dkatzen (Author) Commented:
Raiqi--In my last post, I sent files showing the dialog boxes that appear when I access the "properties" for our VPN connections on the laptop clients.  As you will see, UNLIKE the exemplar you sent, there is NO tab called "Networking"--just isn't there.  Maybe that's because the VPN connection was imported/created by the SBS 2003 server.  I'm clueless, other than to say that (as shown in the previously attached screen shots) there is no "Networking" tab in the properties dialog box for our client-side VPN item under the "Network Connections" window accessed via "Control Panel"--we've just got "Options" and "Advanced" (the latter offering info about "Internet Connection Sharing," which I don't think figures in the VPN issue).

So, I remain stumped.  How do I get to a place that actually affects how the client's VPN works--the settings that affect gateways and filtering?  We just don't seem to have those settings to adjust.
What about if you create another VPN connection from scratch? Do you know your VPN IP address?
don't look at the shortcut.
If XP rt button on network -> properties
then manage network connections
choose your SBS connection
then rt button properties again.
dkatzen (Author) Commented:
Thanks, guys.  Here's what I can report:

On the client side, the "Network Connections" window (via Control Panel) has an item called "Connect to Small Business Server," but its properties just don't have a "Networking" tab, only "Options" and "Advanced" as shown in the prior screenshot file.

I don't know how to create another VPN connection on the client.  The one that is there was created automatically when the client was joined to the SBS domain, based on the attributes I said the client computer or its user should have--I think this comes as part of the "Mobile Users" package.  Or else it's part of the "Remote Connection" feature that's either installed when the client computer is added or via a disk one can have the server generate using a feature called "Create Remote Connection Disk."  

(If it matters, I suspect the VPN address is tied to how one gets to the server over the Internet, and I do know how the system routes that.  We don't have a static IP address, but there's a service that keeps track of what our dynamic address is at the server from time to time, and then redirects traffic that is addressed to us sort of "care of" the redirection service on over to the server.)

On the server-side adjustments that dathho suggested, I was able to get to Routing and Remote Access>IP Routing>General, where there are three items called "Server Local Area Connection," "Loopback," and "Internal."  The first and last items have a properties dialog, both of which include (under a "General" tab) buttons for "Inbound Filters" and "Outbound Filters."  HOWEVER, for "Internal" those buttons are greyed out, and for "Server Local Area Connection," they both have the button labeled "Receive (or Transmit) all packets except those that meet the criteria below" checked (and greyed out), and NO inbound or outbound filters are shown in the space for them to be listed.  Therefore, best I can tell (and unless there is a "VPN" item I didn't find by following "Routing and Remote Access>IP Routing>General"), the server is already configured appropriately in this respect.

Okay, sorry to be so long-winded.  For a "newbie" though, it's hard to know what matters and what's just junk that wastes the reader's time.

Other ideas?  Does it seem this might be peculiar to SBS 2003?  Should we be soliciting input from somebody who just lives and breathes that system?  Not questioning your mastery, just recognizing that it's hard for anybody to be a whiz at ALL this intricate stuff.

~ David K.
Yeah sorry, no SBS here.  I guess you have connection manager in the way... -(


To do step 2. It's a little different if it's XP or Vista but the basics are the same.



dkatzen (Author) Commented:
Thanks for additional leads, dathho--this looks promising, but it will take me a while to experiment, since I don't have immediate access to my partner's client-laptop.

If you happen to know, is it the case that the "step 1" proxy setting change would mean my partner couldn't use Internet/email UNLESS he was also using the VPN and connected to the server?  In other words, if his laptop is configured to use the server's IP connection, would that mean he has no access without the server via VPN?  This wouldn't be optimal, since he can't always be connected to the server.

~ David
dkatzen (Author) Commented:
Hallelujah!  We've managed to implement the second (client-side) fix from dathho's post of 11-7.  Works like a charm.

Truly a pleasure to have guys like you guide us to good solutions.  Many thanks.

~ David K.
dkatzen (Author) Commented:
Again, though it took a bit to work back to my sticking point and novice level, the solution was most welcome, and I appreciate all the effort you guys invested.  Many thanks.