  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 305

Server 2008

I have a Standard Server 2008 with Exchange 2007.  I need to set up VPN access for remote clients from the internet - never done it.  I have NPS installed - figured I needed it.  Have two NICs on the server - one - the main one - is 10.0.1.41.  What do I set up the second NIC to - if anything - and how do I set up Routing and Remote Access properly?
0
Asked by: olyg
1 Solution
 
dfxdeimosCommented:
Here is an article that walks you through the steps needed to set up a Server 2008 machine as a remote access SSL VPN server.

http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part1.html
0
 
olygAuthor Commented:
Ok - but could you address my specific question elements as they relate to my scenario please?
0
 
dfxdeimosCommented:
Can you provide a more detailed overview of your network?

Do you use an ISA server?

What other functions does this server (the one that will be the VPN gateway) host for you?
0
 
olygAuthor Commented:
I have a 2008 server - two network cards in case I need them.
Need VPN for outside users to get in - when I tried this using one network card - it creates a second A record in DNS assigning a second IP to the server in DNS, which causes a conflict in folks resolving to the PDC.

Just need to know best way to set this up without the conflict
0
 
dfxdeimosCommented:
If you could answer my three questions I could better help you.
0
 
olygAuthor Commented:
Should have added - I can run through the wizard just fine - there are no issues other than the DNS A record - unless I am setting this up wrong.  I HAD thought I could use a second NIC giving a different IP scheme and somehow allow them access to the shares - just do not know enough about it yet.
0
 
olygAuthor Commented:
Good point:
1) No ISA - server goes out to switch to firewall on primary NIC
2) Exchange 2007 runs on this server - only DC in domain - nothing else of value
3) Basic domain - nothing special - just need to allow outside users to access server through a VPN for network shares, etc...
0
 
dfxdeimosCommented:
The proper way to do this (from a security standpoint) is to not run the VPN server on your DC / DNS server.

That aside, read through this short article I posted on my blog about how to prevent multiple IPs from registering on the same NIC in DNS.

http://www.r3portfolio.com/?p=28
0
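The symptom olyg describes above (a second A record for the DC, so some clients resolve the PDC to the wrong address) is easy to spot once you have the zone in front of you. The following is an added example, not code from the thread or from the linked article: it parses a zone listing loosely modelled on `dnscmd /enumrecords` output (the sample below is constructed from the addresses in the thread) and reports every name that has more than one A record, together with the addresses that differ from the one clients are expected to get.

```python
"""Spot a multi-homed server that has registered more than one A record.

Added example, not from the thread. SAMPLE_ZONE is constructed: it uses
the two NIC addresses mentioned in the discussion (10.0.1.41 primary,
10.0.1.233 second NIC). In practice you would export the real zone and
feed those lines in instead.
"""
from collections import defaultdict

# Constructed listing: the DC registered both of its NIC addresses for the
# zone apex and for its own host record, which is what breaks PDC lookups.
SAMPLE_ZONE = """\
@              600  A   10.0.1.41
@              600  A   10.0.1.233
@              3600 NS  server.corp.example.
server         1200 A   10.0.1.41
server         1200 A   10.0.1.233
fileserver2    1200 A   10.0.1.60
printer        1200 A   10.0.1.70
"""

# The single address each DC-related name should resolve to (constructed).
EXPECTED = {"@": "10.0.1.41", "server": "10.0.1.41"}


def parse_a_records(zone_text):
    """Return {name: [addresses]} for every A record in the listing.

    Lines are `name ttl type data`; anything that is not an A record
    (NS, SRV, ...) is ignored.
    """
    records = defaultdict(list)
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2].upper() == "A":
            records[parts[0]].append(parts[3])
    return dict(records)


def find_multi_homed(zone_text, expected):
    """Return {name: [unexpected addresses]} for names with more than one A record.

    `expected` maps a name to the one address clients should get; any other
    address registered under that name is reported so it can be removed and
    DNS registration switched off on the NIC that produced it.
    """
    findings = {}
    for name, addrs in parse_a_records(zone_text).items():
        if len(addrs) > 1:
            findings[name] = sorted(a for a in addrs if a != expected.get(name))
    return findings


if __name__ == "__main__":
    for name, extra in find_multi_homed(SAMPLE_ZONE, EXPECTED).items():
        print(f"{name}: extra A record(s) {', '.join(extra)}")
```

Running it against the constructed zone reports `@` and `server` each carrying the stray 10.0.1.233 record; after disabling DNS registration on the second NIC and scavenging or deleting the records, the same check should come back empty.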
 
olygAuthor Commented:
Reading now - in the interim - I just select the main NIC when configuring a VPN and do defaults - is that correct?
0
 
dfxdeimosCommented:
Correct.
0
 
olygAuthor Commented:
Article is great!  Solved that!  I will use the SECOND NIC now to do the setup?

First card - main card 10.0.1.41
Second card 10.0.1.233 - removed DNS using that card

So I can select the second card now in creating it?
0
 
dfxdeimosCommented:
Right, it should ask you which card is facing the Internet and which is internal, we will lie to it and say that NIC1 is Internet facing and NIC2 is internal.
0
 
olygAuthor Commented:
NIC 1 and 2 face the switch - NIC 1 is the primary server card for the network etc... but both go right to the switch - had the second card set on the same IP scheme with no gateway (another guy recommended - please confirm)
0
 
dfxdeimosCommented:
Correct, there should be only one default gateway per system.
0
 
olygAuthor Commented:
Ok, added a policy in Network Policy Server allowing a group called VPN to connect - connected. You da man!
0
 
dfxdeimosCommented:
Nice, glad that worked out for you.
0
 
olygAuthor Commented:
When I connect however - I then lose my internet - do I need to NOT use the PDC DHCP?
0
 
dfxdeimosCommented:
So from the client machine you can connect to the VPN successfully. You can browse the internal network successfully. When you try to go out to the internet you cannot, is this a correct statement?

Is the machine you are connecting from inside of the network that the VPN server is on? Once you are connected can you go Start -> Run -> "cmd" and type "tracert www.google.com" and post the results here?
0
 
olygAuthor Commented:
Machine is outside the network - when I connect with VPN - I can map shares and explore fine.  But then I lose my internet on the machine I am connecting from.  It seems I am going through the server DNS then - which will not resolve on my end.
0
 
olygAuthor Commented:
Got it - disable default gateway on VPN client setup?
0
 
dfxdeimosCommented:
If you do an "ipconfig /all" on the machine you are connecting FROM, what do you see for IP information on both your real NIC and your virtual NIC (the one created when the VPN connection is initiated)?

Do they both have a default gateway listed?

Does the network you are connecting FROM have the same IP addressing scheme as the one you are connecting to?
0
 
dfxdeimosCommented:
Disabling the gateway would be one method.
0
 
olygAuthor Commented:
The VPN connection on my remote end sees the server's gateway - and my internet connection sees my current T-Mobile gateway. Second NIC in the server is on the SAME IP scheme.  Should I set it to a different IP scheme?  What would you suggest I change rather than disable the client connection gateway?
0
 
dfxdeimosCommented:
Quick question, when you specified the DHCP server to use during the VPN setup, did it let you specify a scope? If so I would just create a second scope that lacks a default gateway option and point the VPN to that for its DHCP addresses.

You do not want to have different IP schemes on your DC. It is not good practice to multihome your DC.
0
 
dfxdeimosCommented:
Or of course, on the client end you can go into the properties of the VPN connection and uncheck "Use default gateway on remote network".
0
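That checkbox is worth understanding rather than just toggling, because it is the whole reason olyg's internet "disappears" after connecting. When it is on, the VPN adapter installs a second default route (0.0.0.0/0) through the tunnel with a better metric than the physical adapter's, so every packet that is not for the home LAN goes to the office server, including DNS lookups. When it is off, only a route for the remote network is added and internet traffic keeps using the home router. The following is an added example, not from the thread: a small routing-table simulation using the thread's office subnet (10.0.1.0/24, VPN server 10.0.1.41) and a constructed home LAN (192.168.1.0/24), applying the rule a host actually uses, longest prefix first and lowest metric on a tie.

```python
"""What 'Use default gateway on remote network' does to a VPN client's routes.

Added example, not from the thread. The route tables are constructed:
the office side uses the thread's 10.0.1.0/24 and server 10.0.1.41, the
home side is a made-up 192.168.1.0/24 LAN. Real tables come from
`route print` on the client.
"""
import ipaddress

# Each route: (destination network, where it sends packets, metric).
HOME_ROUTES = [
    ("0.0.0.0/0", "home router 192.168.1.1 via Wi-Fi", 25),
    ("192.168.1.0/24", "on-link Wi-Fi", 25),
]

# Option ON: the tunnel adds its own default route with a lower (better)
# metric, so it beats the home router for every non-local destination.
FULL_TUNNEL_ROUTES = HOME_ROUTES + [
    ("0.0.0.0/0", "VPN tunnel to 10.0.1.41", 1),
    ("10.0.1.0/24", "VPN tunnel to 10.0.1.41", 1),
]

# Option OFF (split tunnel): only the route to the remote network is added.
SPLIT_TUNNEL_ROUTES = HOME_ROUTES + [
    ("10.0.1.0/24", "VPN tunnel to 10.0.1.41", 1),
]


def lookup(routes, destination):
    """Choose the route a host would: longest matching prefix, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for cidr, via, metric in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net:
            # Negate the metric so a single max() prefers longer prefix,
            # then lower metric.
            candidates.append((net.prefixlen, -metric, via))
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return max(candidates)[2]


def compare(destination):
    """Show where one destination goes with the option on versus off."""
    return {
        "full tunnel": lookup(FULL_TUNNEL_ROUTES, destination),
        "split tunnel": lookup(SPLIT_TUNNEL_ROUTES, destination),
    }


if __name__ == "__main__":
    for dest in ("10.0.1.41", "8.8.8.8", "192.168.1.20"):
        print(dest, compare(dest))
```

The trade-off is the usual one: a full tunnel forces remote users' web traffic through the office firewall and DNS (which is why the thread's client lost name resolution when the office DNS could not serve it), while a split tunnel keeps the client's own internet path but means the office network is reachable from a machine that is simultaneously on an untrusted LAN.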
 
olygAuthor Commented:
Understood. I will create a second scope with no gateway - then by default a user connecting in will just use their primary gateway as defined by their internet connection, correct?
0
 
dfxdeimosCommented:
That is correct.
0
 
olygAuthor Commented:
Will not let me create a second scope!
0
 
dfxdeimosCommented:
What does it say? Are you trying to create a second scope that contains addresses that are already defined in the first?
0
 
olygAuthor Commented:
First scope 10.0.1.50-160
Second scope 170-190

"Address or subnet mask conflicts" it says.  Subnet is the same and the addresses are above the first scope...
0
 
dfxdeimosCommented:
Do any devices on the network have addresses that might already exist in that 170-190 range?

So...

Scope 1: Range= 10.0.1.50 - 10.0.1.160  Mask=255.255.255.0 (?)
Scope 2: Range= 10.0.1.170 - 10.0.1.190 Mask=255.255.255.0 (?)

Try creating your second scope a little higher in the range if you can, like 200-220.
0
 
olygAuthor Commented:
IP's are not being used - tried higher - same thing
0
 
dfxdeimosCommented:
Odd.... There is something obvious here that we are missing....
0
 
olygAuthor Commented:
I agree - am looking
0
 
dfxdeimosCommented:
Or you can just specify certain IP addresses in the VPN configuration and bypass the DHCP server all together.

If you are feeling adventurous you could delete the existing dhcp scope and then re-create both from scratch.
0
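The "address or subnet mask conflicts" error above is not a mystery once you know the rule Windows DHCP Server applies: it permits one scope per subnet, and the subnet is derived from the scope's address range and mask, so 10.0.1.170-190/24 is rejected even though it does not overlap 10.0.1.50-160/24. The alternatives are the exclusion range within the single scope, or what dfxdeimos suggests here, a static address pool in RRAS that bypasses DHCP. The following is an added example, not from the thread: it reproduces the conflict check for the two scopes in the discussion and then validates a constructed static pool (10.0.1.200-220) against the existing scope.

```python
"""Why a second DHCP scope in the same /24 is refused, and how to vet a static pool.

Added example, not from the thread. Scope 1 (10.0.1.50-160/24) and the
proposed scope 2 (10.0.1.170-190/24) are the values posted in the thread;
the static RRAS pool 10.0.1.200-10.0.1.220 is a constructed example.
"""
import ipaddress


def subnet_of(first, mask):
    """Network a scope belongs to, derived from its first address and mask."""
    return ipaddress.ip_network(f"{first}/{mask}", strict=False)


def scope_conflict(existing, proposed):
    """Return why `proposed` cannot be created alongside `existing`, or None.

    Both arguments are (first, last, mask). Windows DHCP Server allows a
    single scope per subnet, so two ranges in the same subnet conflict even
    when their addresses are disjoint.
    """
    e_net = subnet_of(existing[0], existing[2])
    p_net = subnet_of(proposed[0], proposed[2])
    if e_net == p_net:
        return f"both scopes describe subnet {e_net}; only one scope per subnet is allowed"
    if e_net.overlaps(p_net):
        return f"subnet {p_net} overlaps existing subnet {e_net} (mask conflict)"
    return None


def static_pool_problems(scope, pool):
    """Check a static address pool (first, last) for use by a VPN server.

    The pool must lie inside the scope's subnet (so the LAN can route to
    the VPN clients) and must not overlap the DHCP range (or DHCP will hand
    out addresses the VPN server has already assigned).
    """
    s_first, s_last, s_mask = scope
    net = subnet_of(s_first, s_mask)
    lo, hi = ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])
    s_lo, s_hi = ipaddress.ip_address(s_first), ipaddress.ip_address(s_last)
    problems = []
    if lo > hi:
        problems.append("pool start is after pool end")
    if lo not in net or hi not in net:
        problems.append(f"pool is not inside subnet {net}")
    if not (hi < s_lo or lo > s_hi):
        problems.append("pool overlaps the DHCP scope range")
    return problems


SCOPE_1 = ("10.0.1.50", "10.0.1.160", "255.255.255.0")     # from the thread
SCOPE_2 = ("10.0.1.170", "10.0.1.190", "255.255.255.0")    # from the thread
STATIC_POOL = ("10.0.1.200", "10.0.1.220")                  # constructed

if __name__ == "__main__":
    print("scope 2:", scope_conflict(SCOPE_1, SCOPE_2))
    print("static pool problems:", static_pool_problems(SCOPE_1, STATIC_POOL) or "none")
```

Note that the static pool is served by the VPN server itself, so it needs no DHCP options at all, which is also why it sidesteps the default-gateway question and why, as olyg points out just below, LAN clients cannot pick those addresses up from DHCP.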
 
olygAuthor Commented:
I think set them manually - because a user on the domain could pick up on the second scope, right?
0
 
dfxdeimosCommented:
That is correct. Duh. =D
0
 
dfxdeimosCommented:
Duh me, not duh you.
0
 
olygAuthor Commented:
: )  Now I cannot even VPN in..... killing me
0
 
dfxdeimosCommented:
After you stopped the VPN from using the DHCP scope?
0
 
olygAuthor Commented:
Seems to be working now - but AD is dirt slow - I am thinking a rebuild
0
 
olygAuthor Commented:
certutil shows no ca certificate either - any thoughts there?
0
 
dfxdeimosCommented:
Did you set it up to require a SSL certificate? Do you have a CA installed on your network?
0
 
dfxdeimosCommented:
Also, when you say AD is dirt slow, what are the symptoms?
0
 
olygAuthor Commented:
If you click any AD tools - it takes over 4 minutes for them to finally pop up - anything AD related for admin is very slow
0
 
olygAuthor Commented:
I did not install a certificate authority on the server - should I? I did do a third-party UCC certificate for SSL and added it to Exchange - works internal and external fine.
0
 
dfxdeimosCommented:
There is no need to, the VPN should work fine without a cert, as long as it isn't configured to require one.

Not sure about the slowness... but you are now able to connect fine to the VPN remotely?
0
 
olygAuthor Commented:
Seems to be from some locations and some not - GRE packet problem, the server says - I assume a little Linksys router does not do it properly or something from a user's home.
0
 
dfxdeimosCommented:
Hmm, you have all the proper ports forwarded through your company's router to the VPN server?
0
 
olygAuthor Commented:
Yes - so they tell me, and since some are working and others are not - dunno?  You've been a tremendous help though - should we just close this out and move on?
0
 
dfxdeimosCommented:
Odd... could some people have the same IP scheme at home as you do in the office? If so, that could potentially cause routing problems.

Also, if you believe we have moved into another issue it may be worthwhile to open up a separate question to get more input from other Experts. They see 50+ replies and they are less likely to jump in and help.
0
 
dfxdeimosCommented:
Also, glad to have been helpful. =]
0
 
olygAuthor Commented:
Great guy - great responses - thank you!  Weird crap to resolve!
0
