olyg asked:

Server 2008

I have a Standard Server 2008 with Exchange 2007. I need to set up VPN access for remote clients from the internet - never done it. I have NPS installed - figured I needed it. Have two NICs on server - one - main one - is 10.0.1.41. What do I set up the second NIC to - if anything - and how do I set up Routing and Remote Access properly?
dfxdeimos:

Here is an article that walks you through the steps needed to set up a Server 2008 machine as a remote access SSL VPN server.

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html
olyg (asker):

OK - but could you address my specific question elements as they relate to my scenario please?

dfxdeimos:

Can you provide a more detailed overview of your network?

Do you use an ISA server?

What other functions does this server (the one that will be the VPN gateway) host for you?
olyg (asker):

I have a 2008 server - two network cards in case I need them.
Need VPN to outside users to get in - when I tried this using one network card - it creates a second A record in DNS assigning a second IP to the server in DNS, which causes a conflict in folks resolving to the PDC.

Just need to know the best way to set this up without the conflict.

dfxdeimos:

If you could answer my three questions I could better help you.
olyg (asker):

Should have added - I can run through the wizard just fine - there are no issues other than the DNS A record - unless I am setting this up wrong. I HAD thought I could use a second NIC giving a different IP scheme and somehow allow them access to the shares - just do not know enough about it yet.
olyg (asker):

Good point:
1) NO ISA - server goes out to switch to firewall on primary NIC
2) Exchange 2007 runs on this server - only DC in domain - nothing else of value
3) Basic domain - nothing special - just need to allow outside users to access server through a VPN for network shares, etc...

dfxdeimos:

The proper way to do this (from a security standpoint) is to not run the VPN server on your DC / DNS server.

That aside, read through this short article I posted on my blog about how to prevent multiple IPs from registering on the same NIC in DNS.

http://www.r3portfolio.com/?p=28
olyg (asker):

Reading now - in the interim - I just select the main NIC when configuring a VPN and do defaults - is that correct?

dfxdeimos:

Correct.
olyg (asker):

Article is great! - Solved that! I will use the SECOND NIC now to do the setup?

First card - main card 10.0.1.41
Second card 10.0.1.233 - removed DNS using that card

So I can select the second card now in creating?

dfxdeimos:

Right, it should ask you which card is facing the Internet and which is internal; we will lie to it and say that NIC1 is Internet facing and NIC2 is internal.
olyg (asker):

NIC 1 and 2 face the switch - NIC 1 is primary server card for network etc... but both go right to the switch - had second card set on same IP scheme with no gateway (another guy recommended - please confirm)

dfxdeimos:

Correct, there should be only one default gateway per system.
olyg (asker):

OK, added a policy in Network Policy Server allowing a group called VPN to connect - connected. You da man!

dfxdeimos:

Nice, glad that worked out for you.
olyg (asker):

When I connect however - I then lose my internet - do I need to NOT use the PDC DHCP?

dfxdeimos:

So from the client machine you can connect to the VPN successfully. You can browse the internal network successfully. When you try to go out to the internet you cannot, is this a correct statement?

Is the machine you are connecting from inside of the network that the VPN server is on? Once you are connected can you go Start -> Run -> "cmd" and type "tracert www.google.com" and post the results here?
olyg (asker):

Machine is outside the network - when I connect with VPN - I can map shares and explore fine. But then I lose my internet on the machine I am connecting from. It seems I am going through the server DNS then - which will not resolve on my end.
olyg (asker):

Got it - disable default gateway on VPN client setup?

dfxdeimos:

If you do an "ipconfig /all" on the machine you are connecting FROM, what do you see for IP information on both your real NIC and your virtual NIC (the one created when the VPN connection is initiated)?

Do they both have a default gateway listed?

Does the network you are connecting FROM have the same IP addressing scheme as the one you are connecting to?

Disabling the gateway would be one method.
olyg (asker):

The VPN connection on my remote end sees the server's gateway - and my internet connection sees my current T-Mobile gateway. Second NIC in server is on the SAME IP scheme. Should I set it to a different IP scheme? What would you suggest I change rather than disable the client connection gateway?

dfxdeimos:

Quick question, when you specified the DHCP server to use during the VPN setup, did it let you specify a scope? If so I would just create a second scope that lacks a default gateway option and point the VPN to that for its DHCP addresses.

You do not want to have different IP schemes on your DC. It is not good practice to multihome your DC.

Or of course, on the client end you can go in the properties of the VPN connection and uncheck "Use default gateway on remote network".
olyg (asker):

Understood. I will create a second scope with no gateway - then by default a user connecting in will just use their primary gateway as defined by their internet connection, correct?

dfxdeimos:

That is correct.
olyg (asker):

Will not let me create a second scope!

dfxdeimos:

What does it say? Are you trying to create a second scope that contains addresses that are already defined in the first?
olyg (asker):

First scope 10.0.1.50-160
Second scope 170-190

Address or subnet mask conflicts, it says. Subnet is the same and addresses are above the first scope...

dfxdeimos:

Do any devices on the network have addresses that might already exist in that 170-190 range?

So...

Scope 1: Range= 10.0.1.50 - 10.0.1.160  Mask=255.255.255.0 (?)
Scope 2: Range= 10.0.1.170 - 10.0.1.190  Mask=255.255.255.0 (?)

Try creating your second scope a little higher in the range if you can, like 200-220.
olyg (asker):

IPs are not being used - tried higher - same thing.

dfxdeimos:

Odd.... There is something obvious here that we are missing....
olyg (asker):

I agree - am looking.

dfxdeimos:

Or you can just specify certain IP addresses in the VPN configuration and bypass the DHCP server altogether.

If you are feeling adventurous you could delete the existing DHCP scope and then re-create both from scratch.
olyg (asker):

I think set them manually - because a user on the domain could pick up on the second scope, right?

dfxdeimos:

That is correct. Duh. =D

Duh me, not duh you.
olyg (asker):

: )  Now I cannot even VPN in.....killing me

dfxdeimos:

After you stopped the VPN from using the DHCP scope?
olyg (asker):

Seems to be working now - but AD is dirt slow - I am thinking a rebuild.

olyg (asker):

certutil shows no CA certificate either - any thoughts there?

dfxdeimos:

Did you set it up to require an SSL certificate? Do you have a CA installed on your network?

Also, when you say AD is dirt slow, what are the symptoms?
olyg (asker):

If you click any AD tools - it takes over 4 minutes for them to finally pop up - anything AD related for admin is very slow.

olyg (asker):

I did not install Certificate Authority on the server - should I? I did do a third-party UCC certificate for SSL and added it to Exchange - works internal and external fine.

dfxdeimos:

There is no need to; the VPN should work fine without a cert, as long as it isn't configured to require one.

Not sure about the slowness... but you are now able to connect fine to the VPN remotely?
olyg (asker):

Seems to be from some locations and some not - GRE packet problem, server says - I assume a little Linksys router does not do it properly or something from a user's home.

dfxdeimos:

Hmm, you have all the proper ports forwarded through your company's router to the VPN server?
olyg (asker):

Yes - so they tell me, and since some are working and others are not - dunno? You've been a tremendous help though - should we just close this out and move on?

dfxdeimos:

Odd... could some people have the same IP scheme at home as you do in the office? If so, that could potentially cause routing problems.

Also, if you believe we have moved into another issue it may be worthwhile to open up a separate question to get more input from other Experts. They see 50+ replies and they are less likely to jump in and help.
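Three diagnostics come up in this thread: the "ipconfig /all" check for a second default gateway on the VPN client, the question of whether a user's home LAN uses the same IP scheme as the office, and the two DHCP scope ranges that the server rejected as conflicting. The script below is an added example, not code from the thread or from either participant, that mechanises those checks. It parses a constructed "ipconfig /all" excerpt (the adapter names and addresses are made up), flags adapters that each carry a default gateway, reports any local subnet that overlaps the office subnet, and tests whether two scope start addresses fall in the same subnet under a mask. It assumes that the PPP adapter shows a "0.0.0.0" default gateway when "Use default gateway on remote network" is enabled; nothing here queries a live machine.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt from a VPN client (not taken from the
# thread): a physical NIC on a home LAN plus the PPP adapter the VPN creates.
# Assumption: the "0.0.0.0" gateway on the PPP adapter is how Windows shows
# "Use default gateway on remote network" being enabled.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : home-laptop

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

   IPv4 Address. . . . . . . . . . . : 10.0.1.171(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
"""

# Same client, but its home LAN happens to use the office's 10.0.1.0/24 scheme.
SAMPLE_IPCONFIG_CLASH = SAMPLE_IPCONFIG.replace("192.168.1.", "10.0.1.")

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")
FIELD_RE = re.compile(r"^\s+(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(.*)$")
FIELD_KEYS = {"IPv4 Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Parse 'ipconfig /all' output into {adapter: {ip, mask, gateway}}.

    A blank Default Gateway line is recorded as None.
    """
    adapters = {}
    current = None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1).strip()
            adapters[current] = {"ip": None, "mask": None, "gateway": None}
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            value = field.group(2).split("(")[0].strip()  # drop "(Preferred)"
            adapters[current][FIELD_KEYS[field.group(1)]] = value or None
    return adapters


def adapters_with_gateway(adapters):
    """Names of adapters that carry a default gateway entry."""
    return [name for name, a in adapters.items() if a["gateway"]]


def same_subnet(addr_a, addr_b, mask):
    """True when two addresses fall in the same subnet under the given mask.

    Windows DHCP keys a scope by its subnet, so two ranges whose starts share a
    subnet (like the thread's 10.0.1.50-160 and 10.0.1.170-190 under /24)
    cannot be two separate scopes.
    """
    net_a = ipaddress.ip_network(f"{addr_a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{addr_b}/{mask}", strict=False)
    return net_a == net_b


def diagnose(text, office_ip, office_mask):
    """Return findings that explain lost internet or unreachable shares."""
    adapters = parse_ipconfig(text)
    findings = []
    gateways = adapters_with_gateway(adapters)
    if len(gateways) > 1:
        # Two default gateways: the VPN's route takes precedence, so internet
        # traffic is sent through the office and depends on office DNS/routing.
        findings.append("multiple default gateways: " + ", ".join(gateways))
    office = ipaddress.ip_network(f"{office_ip}/{office_mask}", strict=False)
    for name, a in adapters.items():
        if not (a["ip"] and a["mask"]) or a["mask"] == "255.255.255.255":
            continue  # skip incomplete entries and the /32 PPP adapter itself
        local = ipaddress.ip_network(f"{a['ip']}/{a['mask']}", strict=False)
        if local.overlaps(office):
            # Home and office share a subnet: the client cannot tell which
            # side a 10.0.1.x destination is on, so shares or LAN go unreachable.
            findings.append(f"{name} is on {local}, which overlaps the office subnet {office}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_IPCONFIG, SAMPLE_IPCONFIG_CLASH):
        print(diagnose(sample, "10.0.1.0", "255.255.255.0"))
    print(same_subnet("10.0.1.50", "10.0.1.170", "255.255.255.0"))
```

Unchecking "Use default gateway on remote network" removes the second gateway and restores the client's own internet path, but it also turns the connection into a split tunnel: the client is reachable from its home network and the office network at the same time, so the NPS policy and client firewall carry more of the load. The subnet-overlap finding is the one no client-side setting fixes; the usual remedy is to keep the office on an address range that home routers rarely hand out.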
ASKER CERTIFIED SOLUTION

dfxdeimos:

olyg (asker):

Great guy - great responses - thank you! Weird crap to resolve!