Solved

VPN, RWW, OWA Just a remote NIGHTMARE!

Posted on 2009-02-17
Last Modified: 2013-11-21
I'm finally just minutes away from losing my mind.

Here is my config


I have SBS 2003 Premium running a VM with Windows Server 2003
I have ISA 2004 installed on SBS 2003
I have dual NICs, 1 for internal traffic and 1 for external (Internet) traffic
My SBS server runs everything SBS Premium should: DHCP, ISA 2004, SQL 2005 etc.
I have a DynDNS name pointing to my server's dynamic IP because static IPs in the country I work in are almost impossible to get.
My router is a dual ADSL VPN router (Linksys RV042); I have two 2 Mb ADSL lines from separate companies because:
A. the net is crappy at best
B. One company is always down
C. My company requires 100% uptime
(I say this for reference)

Also ALL ports are forwarded from the gateway to the server's IP

Company web works internally NOT externally
I have currently tried almost everything to get this resolved by searching other posts.

I'm a web designer and Java/Linux man. I was put into the position of managing over 45 systems, 2 servers and 1 VM (almost all installed myself) when our old IT manager was, ahem, released... I'm a super fast learner, and set up the SBS server and VM also. I have a good idea about the technologies etc.


Ok here is the problem.
I cannot access my RWW from outside my network. I have run all the wizards to allow remote access, CEICW, etc.

ISA 2004 seems to be stopping me somewhere. I'm sure I have problems with my certificate and local domain name (I just made it up), and I don't have an SSL certificate from an outside source because I don't know what domain name I should get the certificate in: my DynDNS name (geteg.office-on-the.net)?
Or my local one (publishing.geteg.local)?
Or should I just keep my self-signed certificate? Or does this not matter?

Another thing is, I'm not really sure why or how no traffic is being let into my SBS box from outside with the default rules in ISA that SBS creates.

I also cannot set up the VPN in ISA to allow a remote support team to access my server to fix one of their products. That's another post that can be found here: http://www.experts-exchange.com/Microsoft/Windows_Security/Q_24125298.html (just adding it here because maybe someone will stumble along and help me).

The point of all this is I absolutely need to get remote access up and running yesterday, if you know what I mean. I don't know how to test the VPN or my Companyweb from an external source to see if any config is working (I must go home and try), and currently it isn't.

I'm just at my wits' end. Someone please help me to configure this all correctly, because somewhere I took the wrong path. I cannot re-install this production server; the delays would be enormous. I need to have someone work with me to troubleshoot the issues I'm facing...
Question by:Perkdaddy
 
LVL 9

Accepted Solution

by:
Ken Fayal earned 2000 total points
ID: 23657837
Just to start.. I would just go with the self-signed certificate.  The only problem is when you connect to RWW, you will get that "bad certificate" error.  I just ignore it and connect anyway.  

Company web is designed to only work internally by default.

Is your DynDns pointing at both IP addresses?  You mentioned you have 2 DSL lines. ISA needs to be configured properly to work with 2 ip addresses which is what is coming out of the back of your router.  

My first order of business would be just to get it working with one of the DSL lines directly coming out of the back of one of the DSL modems.  Then have it go directly to the SBS server on your external interface.  Let SBS do its own routing.  If you run the Connect to the Internet wizard in the Server Management tool, it will whip it up rather quickly for you.  Then you could move on to the second DSL line.
0
 

Author Comment

by:Perkdaddy
ID: 23657858
The primary ADSL line is the one that the DynDNS IP is configured for. The DynDNS domain resolves internally and externally (from a few tools I found on the net) to the correct IP.
0
 

Author Comment

by:Perkdaddy
ID: 23657883
The 2 IP addresses are handled by the router. I just added all the proper DNS entries for the lines into SBS and configured the gateway to the IP of my router. The net works great.

Should I remove line 2, and just deal with a slower net for now? Or keep it and keep going?
0
 

Author Comment

by:Perkdaddy
ID: 23657911
Ok, I did what you said. I went to the router and configured it to only use one line.

The IP from DynDNS is exactly the current dynamic IP assigned to my router by the ISP.
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23657922
I'm suggesting working with only 1 line simply to get it working properly.  Then you can add the other line once you get it working properly.

Is the problem that you get that certificate error when you go to your https://[yourdyndns]/remote?  If that's the problem, then skip it and connect anyway.  Or do you get something else?

Remember that the ISA server pretty much blocks out any requests that don't match the list of IP addresses or host headers that you set up for it.

What is the error message you get when you try to connect via RWW?
0
 

Author Comment

by:Perkdaddy
ID: 23657944
The certificate error isn't a problem. I just wanted to know how or in what name I should purchase an SSL certificate, and to rule out the certificate as the cause of the problem.

Internally I accept the certificate and can connect to RWW and OWA with the DYNDNS name

Externally, I will get back to you in a minute. I will change my IP and connect to the router directly and skip the SBS box for now...   I'm pretty sure the error is "page not found"...

0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23658095
The certificate won't cause a connection problem other than you will be warned in the browser if it doesn't match the name of the server you are connected to.  The name of the certificate should be the DYNDNS name you have, however, it might not be allowed because you don't own the root domain of dyndns.  You should probably stick with your self-signed certificate.
0
 

Author Comment

by:Perkdaddy
ID: 23658261
ok.

Can you try geteg.office-on-the.net? Tell me what happens.
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23658360
I get nothing.  My ISA server says that the server did not respond in a timely manner.

Open up your RWW Publishing rule on ISA.

Look at the Public Name tab.  Tell me what you have for the public names and IP addresses there.
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23658412
You should not have the geteg.office-on-the.net address in the Public Name tab because you are behind a Router.  If you had SBS serving as your router, then you would want that, but instead you should simply have the IP address of the external ethernet port in the Public Names tab.  Unless your DSL router does host header forwarding, which I am not sure that it does, you are going to be receiving requests with the IP address assigned to that ethernet connection - so probably a private IP address.
0
 

Author Comment

by:Perkdaddy
ID: 23658720
OK, I'm doing it now. You're right, geteg.BLAH was there... I will change it to the IP of the Internet NIC.
0
 

Author Comment

by:Perkdaddy
ID: 23658734
OK, can you check again?
0
 

Author Comment

by:Perkdaddy
ID: 23658844
At least we are getting somewhere. Can I send you a check???
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23658847
No connection still - make sure the Public Names tab has the PRIVATE IP address that it was given BEHIND the DSL router.   For example

--> Public Dynamic IP (41.236.175.129) -->  [DSL ROUTER] --> Private IP (192.X.X.X) -> [SBS Server]

Don't use the 41.236.175.129 address.  Use the address BEHIND the DSL router.
0
 

Author Comment

by:Perkdaddy
ID: 23658911
I did, the private IP of the Internet NIC:
192.168.xxx.101

I'm going to try the server IP
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23658952
Ok, so this is how it looks?

[DSL Modem] -> (41.236.175.129) -> [DSL Router] -> (192.168.xxx.101) -> External Network Interface [SBS Server] Internal Network Interface-> (xxx.xxx.xxx.xxx)

I'm hoping that we've been on the same page with the concept of the DSL Modem and Router.
0
 

Author Comment

by:Perkdaddy
ID: 23659066
Yes, I understand.

DSL Modem: 41.236.175.129
DSL Router: 192.168.XXX.20
External NIC: 192.168.XXX.101
Internal NIC or server IP: 192.168.XXX.2

Do you think maybe it's too much equipment here? I have all ports forwarded to the server IP on the router; the modem is in bridge mode and has basically every feature disabled...

Tracert looks like it's stopping at my router, because it is the one assigned the 41.blah IP since the modem is in bridge mode...
0
 

Author Comment

by:Perkdaddy
ID: 23659277
It must be something in the rules, it has to be... I'm going to open the floodgates and see what happens..
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23659353
Yes, you can do that.  My suggestion at this point would be to minimize the situation down to just your DSL modem and SBS server.  Let the DSL modem provide the SBS server's external NIC with the public-facing IP address, set up the TCP/IP properties of that NIC to receive the address via DHCP, then run the Internet and Email connection wizard inside of the Server Management application with the new information.  

I have 4 SBS servers running this configuration and they are on autopilot with all features operational.  Granted, they also have static IP addresses, but if you are using DYNDNS, then I don't know why it wouldn't be any different.

Well, I'll check up on this tomorrow.  Right now I have to get some sleep.  Sorry I couldn't help tonight.
0
 

Author Comment

by:Perkdaddy
ID: 23659530
Yeah, I just ran tracert on the domain again, with the floodgates open, and still the same error (or it stalls out at the router).

It seems to be the DSL modem and server. I'm going to reset that sucker back to factory fresh and see what happens.
0
 

Author Comment

by:Perkdaddy
ID: 23661053
Have a nice night... I will let you know if anything comes up tonight...
0
 

Author Comment

by:Perkdaddy
ID: 23669621
Shall we continue?
0
 

Author Comment

by:Perkdaddy
ID: 23719132
OK, here is the status. I opened the floodgates, and RWW and OWA started working on my DynDNS name... STRANGE. And voila, VPN access! So now I just need to narrow the rule down to allow RWW and VPN only and stop all the other crazy crap trying to ping my server on odd ports, and everyone not allowed to have the Internet to stop wasting my boss's time by surfing all day... Does anybody have a clue why it works with the ISA floodgates open, and why it doesn't when the gates are closed? I have all the rules I need to have in ISA, as SBS installs default rules for RWW, OWA and VPN...
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23719259
PerkDaddy.. I notice that something has changed because the last time you opened the floodgates, nothing was working.  How did the network configuration change?
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23719274
Now that everything is working, I would run the Internet and Email connection wizard FROM WITHIN Server Management.  I would go through the wizard not clicking on any of the "Keep existing settings".  This would force the wizard to reconfigure everything.
0
 

Author Comment

by:Perkdaddy
ID: 23719303
I have no clue. I opened the floodgates the first time and it didn't work. I kept it open and restarted the server, and sometime in those 2 days it started working. But the problem is now, with that rule in effect, I cannot control traffic, so I must turn it back off. But now I know my server can do its damn job, I can work backwards until I find a rule that allows that traffic in. My main problem is the external network: I can't check it unless I go home, so I can't see what my home IP is doing in the ISA logs to isolate RWW and create a rule allowing it. The SBS rules for RWW and OWA don't cut the cheese; I don't know how any SBS server could receive connections with the ISA rules it creates by default.
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23719505
Perkdaddy,
The SBS rules out of the box after running the wizard work just fine.  I manage quite a few SBS servers and have never had to modify the rules except to open up a new web site folder, or to allow someone with a laptop temporary access to the Internet.  

If you run the wizard, then export the rules, I could take a look at them to see if anything looks unusual compared to the standard rules that are going on my servers.  

Also, did you say you have 2 DSL connections?  I would use one to test the external network for now and the other one for the server.
0
 

Author Comment

by:Perkdaddy
ID: 23719748
Yes, 2 DSL connections that go into a VPN router that essentially creates one fast line...  For the duration of this project I have left the second one disconnected. My boss has also authorized me to purchase static IPs. How many do you recommend besides the ONE I need for the server?

OK, about the rules: I could send them to you, but like I said, the only rule that allows RWW or VPN is the floodgate rule I created and have now turned off. Is there any way I can find the port that outside clients like my house are using to access the server through ISA? The logs get quite crazy with 45 systems connected to SBS and the Internet, and the one-hour round trip from home to work is unfeasible at best.

RWW should use port 80 because it itself is an HTTP page or request, correct? So why does it not work with the default SBS rule but does with the floodgate rule?? Very strange. I have an idea to modify the RWW rule to allow alternate HTTP/HTTPS traffic; maybe that will work... I will send you the rules in 5 minutes...
0
 

Author Comment

by:Perkdaddy
ID: 23719807
OK, I modified the inbound default SBS rule to allow HTTP and HTTPS requests. If I did something wrong, let me know. Feel free to modify the attached file and send it back to me and I will try it...

Please add .xml to the file name; EE wouldn't let me upload an XML file.
export1
0
 

Author Comment

by:Perkdaddy
ID: 23719825
Yes, it works with the HTTP rule added to the default SBS rule, and the floodgates are closed!!!!!
0
 

Author Comment

by:Perkdaddy
ID: 23719833
But I cannot connect internally with the VPN. I must try that later, I guess.
0
 

Author Comment

by:Perkdaddy
ID: 23719865
How do I modify the external website? I need to remove a few things for security reasons, i.e. "Connect computer"...
0
 

Author Comment

by:Perkdaddy
ID: 23720923
Where did you go???
0
 

Author Comment

by:Perkdaddy
ID: 23731567
OK, we got RWW up and operational. That's about 79% of my problem. Now let's get VPN up and operational....
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23731598
Sorry.  I'm on Pacific Time GMT +8... It gets pretty late.  You are on a good track.  The thing about VPN is that it is also set up in RRAS.  I'm hoping that you are finding luck with running the wizard.  It will do all of the configuration for you.
0
 

Author Comment

by:Perkdaddy
ID: 23731624
The wizard won't finish, some kind of "unknown" error... I will award points, as VPN seems impossible for my setup. Thanks for the help and get some sleep, man! I just woke up in Egypt! It's already a new day!
0
 

Author Closing Comment

by:Perkdaddy
ID: 31547688
Please read full post for troubleshooting this issue, good steps here.
0
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23731667
Usually there are green checkmarks that will appear at the completion of the wizard.  If you don't get green checkmarks, there is a log file you can check to show you exactly where the wizard failed.  I don't remember off hand where the log file is, but if you do some searching, you can find it.  
0
 

Author Comment

by:Perkdaddy
ID: 23731710
I have the log; it's all but really confusing.

Here it is. This is just the small portion at the end of the log...

Reading VPN Server name returned OK
Reading VPN Server name is geteg.office-on-the.net
Created temp directory CMP26E6.tmp
Copying required template files to the temp directory returned OK
Updating CMP template returned OK
Updating CMS template returned OK
Updating SED template returned OK
Creating proxy configuration file returned OK
*** Running IExpress to build the package returned ERROR 80070001
Specifying error location (in CMAK) returned OK
*** CRRASCommit::CommitCMAK returned ERROR 80070001
*** CRRASCommit::CommitEx returned ERROR 80070001
0
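To triage a wizard log like the one quoted above without reading it line by line, here is a small added script (not from the thread or from SBS itself) that pulls out the first step marked with `***`, treats it as the root cause (the later `CRRASCommit::Commit*` lines only propagate the same code), and decodes the HRESULT. The sample log is the tail quoted in the post, embedded as a constant; `0x80070001` is facility 7 (Win32) with Win32 code 1, `ERROR_INVALID_FUNCTION`.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the tail of the CEICW/RRAS wizard log quoted in the post above.
SAMPLE_LOG = """Reading VPN Server name returned OK
Reading VPN Server name is geteg.office-on-the.net
Created temp directory CMP26E6.tmp
Copying required template files to the temp directory returned OK
Updating CMP template returned OK
Updating CMS template returned OK
Updating SED template returned OK
Creating proxy configuration file returned OK
*** Running IExpress to build the package returned ERROR 80070001
Specifying error location (in CMAK) returned OK
*** CRRASCommit::CommitCMAK returned ERROR 80070001
*** CRRASCommit::CommitEx returned ERROR 80070001
"""

# Failing steps in this log format are prefixed with "***" and end in "returned ERROR <hex>".
ERROR_RE = re.compile(r"^\*{3}\s+(?P<step>.+?)\s+returned ERROR\s+(?P<code>[0-9A-Fa-f]{8})\s*$")

# Small table of Win32 codes named with certainty; anything else is reported numerically.
WIN32_NAMES = {1: "ERROR_INVALID_FUNCTION", 2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED"}


def decode_hresult(code: int) -> Tuple[bool, int, int]:
    """Split an HRESULT into (failed, facility, error code) per the COM bit layout."""
    failed = bool(code & 0x80000000)      # severity bit
    facility = (code >> 16) & 0x1FFF      # 7 == FACILITY_WIN32
    err = code & 0xFFFF                   # low word: Win32 error when facility == 7
    return failed, facility, err


def find_failures(log_text: str) -> List[Tuple[str, int]]:
    """Return every (step, hresult) pair flagged with '***', in log order."""
    out = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if m:
            out.append((m.group("step"), int(m.group("code"), 16)))
    return out


def root_cause(log_text: str) -> Optional[dict]:
    """First '***' failure is the root cause; later Commit* lines just propagate it."""
    failures = find_failures(log_text)
    if not failures:
        return None
    step, code = failures[0]
    failed, facility, err = decode_hresult(code)
    return {"step": step, "hresult": f"0x{code:08X}", "failed": failed, "facility": facility,
            "win32_code": err if facility == 7 else None,
            "win32_name": WIN32_NAMES.get(err) if facility == 7 else None,
            "propagated_through": [s for s, _ in failures[1:]]}


if __name__ == "__main__":
    print(root_cause(SAMPLE_LOG))
```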
 
LVL 9

Expert Comment

by:Ken Fayal
ID: 23731737
PerkDaddy,
OK, that is a good clue... But I don't want to be the bearer of bad news about SBS SP1...  Anyway, this article MAY or MAY NOT help, but I thought I'd give you the link.  

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-04/msg02519.html

Hope you get that box of bits working as you need it.  I feel for you, man.  Good night.
0
 

Author Comment

by:Perkdaddy
ID: 23731743
Thanks
0
