VPN, RWW, OWA Just a remote NIGHTMARE!

Perkdaddy asked
Medium Priority
584 Views
Last Modified: 2013-11-21
I'm finally just minutes away from losing my mind.

Here is my config:

I have SBS 2003 Premium running a VM with Windows Server 2003.
I have ISA 2004 installed on SBS 2003.
I have dual NICs, 1 for internal traffic and 1 for external (internet) traffic.
My SBS server runs everything SBS Premium should: DHCP, ISA 2004, SQL 2005, etc.
I have a DynDNS name pointing to my server's dynamic IP, because static IPs in the country I work in are almost impossible to get.
My router is a dual ADSL VPN router (Linksys RV042). I have two 2 Mb ADSL lines from separate companies because:
A. the net is crappy at best
B. one company is always down
C. my company requires 100% uptime
(I say this for reference)

Also, ALL ports are forwarded from the gateway to the server's IP.

Companyweb works internally, NOT externally.
I have currently tried almost everything to get this resolved by searching other posts.

I'm a web designer and Java/Linux man. I was put into the position of managing over 45 systems, 2 servers and 1 VM (almost all installed myself) when our old IT manager was, ahem, released... I'm a super fast learner, and set up the SBS server and VM also. I have a good idea about the technologies etc.


OK, here is the problem.
I cannot access my RWW from outside my network. I have run all the wizards to allow remote access, CEICW, etc.

ISA 2004 seems to be stopping me somewhere. I'm sure I have problems with my certificate and local domain name (I just made it up), and I don't have an SSL certificate from an outside source because I don't know what domain name I should get the certificate in: my DynDNS name (geteg.office-on-the.net)?
Or my local one (publishing.geteg.local)?
Or should I just keep my self-signed certificate? Or does this not matter?

Another thing is, I'm not really sure why or how no traffic is being let in to my SBS box from outside, apart from the default rules in ISA that SBS creates.

I also cannot set up the VPN in ISA to allow a remote support team to access my server to fix one of their products. That's another post that can be found here: http://www.experts-exchange.com/Microsoft/Windows_Security/Q_24125298.html (just adding it here because maybe someone will stumble along and help me).

The point of all this is I absolutely need to get remote access up and running yesterday, if you know what I mean. I don't know how to test the VPN or my companyweb from an external source to see if any config is working (I must go home and try), and currently it isn't.

I'm just at my wits' end. Someone please help me to configure this all correctly, because somewhere I took the wrong path. I cannot reinstall this production server; the delays would be enormous. I need to have someone work with me to troubleshoot the issues I'm facing...

Commented:
Just to start.. I would just go with the self-signed certificate.  The only problem is when you connect to RWW, you will get that "bad certificate" error.  I just ignore it and connect anyway.  

Company web is designed to only work internally by default.

Is your DynDNS pointing at both IP addresses?  You mentioned you have 2 DSL lines. ISA needs to be configured properly to work with 2 IP addresses, which is what is coming out of the back of your router.  

My first order of business would be just to get it working with one of the DSL lines directly coming out of the back of one of the DSL modems.  Then have it go directly to the SBS server on your external interface.  Let SBS do its own routing.  If you run the Connect to the Internet wizard in the Server Management tool, it will whip it up rather quickly for you.  Then you could move on to the second DSL line.


Author

Commented:
The primary ADSL line is the one that the DynDNS IP is configured for. The DynDNS domain resolves internally and externally (from a few tools I found on the net) to the correct IP.

Author

Commented:
The 2 IP addresses are handled by the router. I just added all the proper DNS entries for the lines into SBS and configured the gateway to the IP of my router. The net works great.

Should I remove line 2, and just deal with a slower net for now? Or keep it and keep going?

Author

Commented:
OK, I did what you said. I went to the router and configured it to only use one line.

The IP from DynDNS is exactly the current dynamic IP assigned to my router by the ISP.

Commented:
I'm suggesting working with only 1 line simply to get it working properly.  Then you can add the other line once you get it working properly.

Is the problem that you get that certificate error when you go to your https://[yourdyndns]/remote?  If that's the problem, then skip it and connect anyway.  Or do you get something else?

Remember that the ISA server pretty much blocks out any requests that don't match the list of IP addresses or host headers that you set up for it.

What is the error message you get when you try to connect via RWW?

Author

Commented:
The certificate error isn't a problem. I just wanted to know how or what name I should purchase an SSL certificate in, and to rule out the certificate as the cause of the problem.

Internally I accept the certificate and can connect to RWW and OWA with the DynDNS name.

Externally, I will get back to you in a minute. I will change my IP and connect to the router directly and skip the SBS box for now...   I'm pretty sure the error is page not found...

Commented:
The certificate won't cause a connection problem other than you will be warned in the browser if it doesn't match the name of the server you are connected to.  The name of the certificate should be the DYNDNS name you have, however, it might not be allowed because you don't own the root domain of dyndns.  You should probably stick with your self-signed certificate.

Author

Commented:
OK.

Can you try geteg.office-on-the.net? Tell me what happens.

Commented:
I get nothing.  My ISA server says that the server did not respond in a timely manner.

Open up your RWW Publishing rule on ISA.

Look at the Public Name tab.  Tell me what you have for the public names and IP addresses there.

Commented:
You should not have the geteg.office-on-the.net address in the Public Name tab because you are behind a Router.  If you had SBS serving as your router, then you would want that, but instead you should simply have the IP address of the external ethernet port in the Public Names tab.  Unless your DSL router does host header forwarding, which I am not sure that it does, you are going to be receiving requests with the IP address assigned to that ethernet connection - so probably a private IP address.

Author

Commented:
OK, I'm doing it now. You're right, geteg.BLAH was there.. I will change it to the IP of the internet NIC.

Author

Commented:
ok, can you check again?

Author

Commented:
at least we are getting somewhere, can I send you a check???

Commented:
No connection still - make sure the Public Names tab has the PRIVATE IP address that it was given BEHIND the DSL router.   For example

--> Public Dynamic IP (41.236.175.129) -->  [DSL ROUTER] --> Private IP (192.X.X.X) -> [SBS Server]

Don't use the 41.236.175.129 address.  Use the address BEHIND the DSL router.

Author

Commented:
I did, the private IP of the internet NIC:
192.168.xxx.101

I'm going to try the server IP.

Commented:
Ok, so this is how it looks?

[DSL Modem] -> (41.236.175.129) -> [DSL Router] -> (192.168.xxx.101) -> External Network Interface [SBS Server] Internal Network Interface-> (xxx.xxx.xxx.xxx)

I'm hoping that we've been on the same page with the concept of the DSL Modem and Router.

Author

Commented:
Yes, I understand.

DSL Modem 41.236.175.129
DSL Router 192.168.XXX.20
External NIC 192.168.XXX.101
Internal NIC or server IP 192.168.XXX.2

You think maybe it's too much equipment here? I have all ports forwarded to the server IP on the router; the modem is in bridge mode and has basically every feature disabled...

Tracert looks like it's stopping at my router, because it is the one assigned the 41.blah IP, since it has the modem in bridge mode...

Author

Commented:
It must be something in the rules, it has to be... I'm going to open the floodgates and see what happens..

Commented:
Yes, you can do that.  My suggestion at this point would be to minimize the situation down to  just your DSL modem and SBS server.  Let the DSL Modem provide the SBS server's External NIC with the public facing IP address, set up the TCP/IP properties of that nic to receive the address via DHCP, then run the Internet and Email connection wizard inside of the Server Management application with the new information.  

I have 4 SBS servers running this configuration and they are on autopilot with all features operational.  Granted, they also have static IP addresses, but if you are using DYNDNS, then I don't know why it wouldn't be any different.

Well, I'll check up on this tomorrow.  Right now I have to get some sleep.  Sorry I couldn't help tonight.

Author

Commented:
Yeah, I just ran tracert on the domain again, with the floodgates open, and still the same error (or it stalls out at the router).

It seems to be the DSL modem and server. I'm going to reset that sucker back to factory fresh and see what happens.

Author

Commented:
Have a nice night... I will let you know if anything comes up tonight...

Author

Commented:
shall we continue?

Author

Commented:
OK, here is the status. I opened the floodgates, and RWW and OWA started working on my DynDNS name... STRANGE. And voila, VPN access! So now I just need to narrow the rule down to allow RWW and VPN only and stop all the other crazy crap trying to ping my server on odd ports, and stop everyone not allowed to have the Internet from wasting my boss's time by surfing all day... Does anybody have a clue why it works with the ISA floodgates open, and why it doesn't when the gates are closed? I have all the rules I need to have in ISA, as SBS installs default rules for RWW, OWA and VPN...

Commented:
PerkDaddy.. I notice that something has changed because the last time you opened the floodgates, nothing was working.  How did the network configuration change?

Commented:
Now that everything is working, I would run the Internet and Email connection wizard FROM WITHIN Server Management.  I would go through the wizard not clicking on any of the "Keep existing settings".  This would force the wizard to reconfigure everything.

Author

Commented:
I have no clue. I opened the floodgates the first time and it didn't work. I kept it open and restarted the server, and sometime in those 2 days it started working. But the problem is now, with that rule in effect, I cannot control traffic, so I must turn it back off. But now I know my server can do its damn job, so I can work backwards until I find a rule that allows that traffic in. My main problem is the external network: I can't check it unless I go home, so I can't see what my home IP is doing in the ISA logs in order to isolate RWW and create a rule allowing it. The SBS rules for RWW and OWA don't cut the cheese; I don't know how any SBS server could receive connections with the ISA rules it creates by default.

Commented:
Perkdaddy,
The SBS rules out of the box after running the wizard work just fine.  I manage quite a few SBS servers and have never had to modify the rules except to open up a new web site folder, or to allow someone with a laptop temporary access to the Internet.  

If you run the wizard, then export the rules, I could take a look at them to see if anything looks unusual compared to the standard rules that are going on my servers.  

Also, did you say you have 2 DSL connections?  I would use one to test the external network for now and the other one for the server.

Author

Commented:
Yes, 2 DSL connections that go into a VPN router that essentially creates one fast line...  For the duration of this project I have left the second one disconnected. My boss has also authorized me to purchase static IPs; how many do you recommend besides the ONE I need for the server?

OK, about the rules, I could send them to you, but like I said the only rule that allows RWW or VPN is the floodgate rule I created and have now turned off. Is there any way I can find the port that outside clients like my house are using to access the server through ISA? The logs get quite crazy with 45 systems connected to SBS and the internet, and the one-hour round trip from home to work is unfeasible at best.

RWW should use port 80 because it itself is an HTTP page or request, correct? So why does it not work with the default SBS rule but with the floodgate rule?? Very strange. I have an idea to modify the RWW rule to allow alternate HTTP/HTTPS traffic; maybe that will work... I will send you the rules in 5 minutes...
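The question above, how to find out which ports and rules an outside client's requests are hitting without reading the whole ISA log by hand, can be answered by filtering the log for that one client address. The following is an added example, not code from this thread, from ISA Server or from SBS. It assumes the W3C extended log format that ISA 2004 can write (a `#Fields:` directive naming the columns, tab-delimited data lines); the sample log lines, client addresses, ports and rule names in it are constructed for illustration and are not taken from the poster's server.

```python
"""Summarise what one client IP hit in an ISA-style W3C extended log.

Added example (not from the thread, ISA or SBS). Assumptions:
  * the log follows the W3C extended format: lines starting with '#' are
    directives, '#Fields:' lists the column names, data lines are
    tab-delimited in that column order;
  * columns 'c-ip' (client IP), 'r-port' (destination port on the
    published server), 'rule' and 'action' exist in the #Fields line.
The sample below is constructed: addresses, ports and rule names are
illustrative placeholders, not values from any real server.
"""
from collections import Counter

# Constructed sample log. The odd ports are placeholders for the kind of
# traffic a remote-access client might generate besides HTTPS.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2004
#Version: 2.0
#Fields: c-ip date time r-host r-port cs-uri sc-status rule action
203.0.113.7\t2009-02-10\t08:01:12\tgeteg.office-on-the.net\t443\t/remote/\t200\tRWW Publishing\tAllowed
203.0.113.7\t2009-02-10\t08:01:30\tgeteg.office-on-the.net\t4125\t-\t0\tDefault rule\tDenied
203.0.113.7\t2009-02-10\t08:02:05\tgeteg.office-on-the.net\t1723\t-\t0\tDefault rule\tDenied
192.168.0.55\t2009-02-10\t08:02:40\tgeteg.office-on-the.net\t443\t/exchange/\t200\tOWA Publishing\tAllowed
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the most recent #Fields names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            # Only the #Fields directive matters; #Software, #Date etc. carry no data.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(
                f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def client_summary(records, client_ip):
    """Count (destination port, action, rule) triples for one client's requests."""
    counts = Counter()
    for rec in records:
        if rec.get("c-ip") != client_ip:
            continue
        counts[(rec.get("r-port"), rec.get("action"), rec.get("rule"))] += 1
    return dict(counts)


def denied_ports(records, client_ip):
    """Destination ports on which the client was denied at least once.

    These are the ports a narrowed publishing/access rule would have to cover
    instead of an allow-everything 'floodgate' rule.
    """
    return {port for (port, action, _rule) in client_summary(records, client_ip)
            if action == "Denied"}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    home_ip = "203.0.113.7"  # constructed: the address you connect from
    for (port, action, rule), n in sorted(client_summary(recs, home_ip).items()):
        print(f"port {port:>5}  {action:<8} by rule '{rule}'  x{n}")
    print("ports denied for", home_ip, "->", sorted(denied_ports(recs, home_ip)))
```

On a real log, replace `SAMPLE_LOG` with the file contents (reading it as text) and `home_ip` with the address the test client connects from; the denied set then tells you exactly which ports the default rule is dropping, which is what the narrowed rule has to allow.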

Author

Commented:
OK, I modified the inbound default SBS rule to allow HTTP and HTTPS requests; if I did something wrong let me know. Feel free to modify the attached file and send it back to me and I will try it...

Please add .xml to the file name; EE wouldn't let me upload an XML file.
export1

Author

Commented:
yes, it works with the HTTP rule added to the default SBS rule, and the floodgates are closed!!!!!

Author

Commented:
but I cannot connect internally with the VPN, I must try that later I guess

Author

Commented:
How do I modify the external website? I need to remove a few things for security reasons, i.e. connect computer....

Author

Commented:
where did you go???

Author

Commented:
OK, we got RWW up and operational. That's about 79% of my problem. Now let's get VPN up and operational....

Commented:
Sorry.  I'm on Pacific Time GMT +8... It gets pretty late.  You are on a good track.  The thing about VPN is that it is also set up in RRAS.  I'm hoping that you are finding luck with running the wizard.  It will do all of the configuration for you.

Author

Commented:
The wizard won't finish, some kind of "unknown" error... I will award points, as VPN seems impossible for my setup. Thanks for the help and get some sleep, man! I just woke up in Egypt! It's already a new day!

Author

Commented:
Please read full post for troubleshooting this issue, good steps here.

Commented:
Usually there are green checkmarks that will appear at the completion of the wizard.  If you don't get green checkmarks, there is a log file you can check to show you exactly where the wizard failed.  I don't remember off hand where the log file is, but if you do some searching, you can find it.  

Author

Commented:
I have the log; it's all but really confusing.

Here it is. This is just the small portion at the end of the log...

Reading VPN Server name returned OK
Reading VPN Server name is geteg.office-on-the.net
Created temp directory CMP26E6.tmp
Copying required template files to the temp directory returned OK
Updating CMP template returned OK
Updating CMS template returned OK
Updating SED template returned OK
Creating proxy configuration file returned OK
*** Running IExpress to build the package returned ERROR 80070001
Specifying error location (in CMAK) returned OK
*** CRRASCommit::CommitCMAK returned ERROR 80070001
*** CRRASCommit::CommitEx returned ERROR 80070001

Commented:
PerkDaddy,
Ok, that is a good clue.. But I don't want to be the bearer of bad news about SBS SP1...  Anyway, this article MAY or MAY NOT help, but I thought I'd give you the link.  

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-04/msg02519.html

Hope you get that box of bits working as you need it.  I feel for you, man.  Good night.

Author

Commented:
Thanks