Perkdaddy
asked on
VPN, RWW, OWA Just a remote NIGHTMARE!
I'm finally just minutes away from losing my mind.
Here is my config
I have SBS 2003 premium running a VM with WinServ2003
I have ISA 2004 Installed on SBS 2003
I have a dual NIC, 1 for internal traffic, and 1for external (internet) traffic)
My SBS server runs everything SBS premium should, DCHP, ISA 2004, SQl 2005 etc.
I have a DYN DNS name to point to my servers DYNAMIC IP because static IP's in the country I work in are almost impossible to get.
My router is a duel ASDL VPN (linksys Rv042) router, I have 2-2mb ASDL lines from separate companies because:
A. the net is crappy at best
B. One company is always down
C. My company requires 100% uptime
(I say this for reference)
Also ALL ports are forwarded from the gateway to the servers IP
Company web works internally NOT externally
I have currently tried almost everything to get this resolved by searching other posts.
I'm a webdesigner and java-linux man, I was put into the position of managing over 45 systems, 2 servers and 1 VM (almost all installed myself) when our old IT manager was , ahem, released... I'm a super fast learner, and set up the SBS server and VM also. I have a good Idea about the technologies etc.
Ok here is the problem.
I cannot access my RWW from outside my network. I have ran all the wizards to allow remote access, CEICW, etc.
ISA 2004 seems to be stopping me somewhere. I'm sure I have problems with my certificate and local domain name (i just made it up), and I dont have a SSL certificate from an outside source because I don't know what domain name I should get the certificate name in my DynDns? (geteg.office-on-the.net)
Or my local (publishing.geteg.local)
Or should I just keep my self signed certificate? Or this doesnt matter?
Another thing is, I'm not really sure why or how no traffic is being let in to my SBS box outside from the default rules in ISA that SBS creates.
I also cannot set up the VPN in ISA to allow a remote support team to access my server to fix one of there products. Thats another post that can be found here https://www.experts-exchange.com/questions/24125298/Trouble-setting-up-ISA-2004-VPN-on-SBS-server-2003.html (just adding it here because maybe someone will stumble along and help me.
the point of all this is I absolutely need to get remote access up and running yesterday, if you know what I mean. I dont know how to test the VPN or my companyweb from an external source to see if any config is working ( i must go home and try), and currently it isn't.
I'm just at my wits end, Someone please help me to configure this all correctly, because somewhere I took the wrong path. I cannot re-install this production server, the delays would be enormous. I need to have someone work with me to troubleshoot the issues I'm facing...
Here is my config
I have SBS 2003 premium running a VM with WinServ2003
I have ISA 2004 Installed on SBS 2003
I have a dual NIC, 1 for internal traffic, and 1for external (internet) traffic)
My SBS server runs everything SBS premium should, DCHP, ISA 2004, SQl 2005 etc.
I have a DYN DNS name to point to my servers DYNAMIC IP because static IP's in the country I work in are almost impossible to get.
My router is a duel ASDL VPN (linksys Rv042) router, I have 2-2mb ASDL lines from separate companies because:
A. the net is crappy at best
B. One company is always down
C. My company requires 100% uptime
(I say this for reference)
Also ALL ports are forwarded from the gateway to the servers IP
Company web works internally NOT externally
I have currently tried almost everything to get this resolved by searching other posts.
I'm a webdesigner and java-linux man, I was put into the position of managing over 45 systems, 2 servers and 1 VM (almost all installed myself) when our old IT manager was , ahem, released... I'm a super fast learner, and set up the SBS server and VM also. I have a good Idea about the technologies etc.
Ok here is the problem.
I cannot access my RWW from outside my network. I have ran all the wizards to allow remote access, CEICW, etc.
ISA 2004 seems to be stopping me somewhere. I'm sure I have problems with my certificate and local domain name (i just made it up), and I dont have a SSL certificate from an outside source because I don't know what domain name I should get the certificate name in my DynDns? (geteg.office-on-the.net)
Or my local (publishing.geteg.local)
Or should I just keep my self signed certificate? Or this doesnt matter?
Another thing is, I'm not really sure why or how no traffic is being let in to my SBS box outside from the default rules in ISA that SBS creates.
I also cannot set up the VPN in ISA to allow a remote support team to access my server to fix one of there products. Thats another post that can be found here https://www.experts-exchange.com/questions/24125298/Trouble-setting-up-ISA-2004-VPN-on-SBS-server-2003.html (just adding it here because maybe someone will stumble along and help me.
the point of all this is I absolutely need to get remote access up and running yesterday, if you know what I mean. I dont know how to test the VPN or my companyweb from an external source to see if any config is working ( i must go home and try), and currently it isn't.
I'm just at my wits end, Someone please help me to configure this all correctly, because somewhere I took the wrong path. I cannot re-install this production server, the delays would be enormous. I need to have someone work with me to troubleshoot the issues I'm facing...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The 2 Ip address are handled by the router, I just added all the proper DNS entries for the lines into SBS and configured the gateway to the IP of my router. the net works great.
Should I remove line 2, and just deal with a slower net for now? Or keep it and keep going?
Should I remove line 2, and just deal with a slower net for now? Or keep it and keep going?
ASKER
Ok, I did what you said. I went to the router and configured it to only use one line.
The ip from DYNDNS is exactly the current Dynamic ip assigned to my router from the ISP
The ip from DYNDNS is exactly the current Dynamic ip assigned to my router from the ISP
I'm suggesting working with only 1 line simply to get it working properly. Then you can add the other line once you get it working properly.
Is the problem that you get that certificate error when you go to your https://[yourdyndns]/remote? If that's the problem, then skip it and connect anyway. Or do you get something else?
Remember that the ISA server pretty much blocks out any requests that don't match the list of IP addresses or host headers that you set up for it.
What is the error message you get when you try to connect via RWW?
Is the problem that you get that certificate error when you go to your https://[yourdyndns]/remote? If that's the problem, then skip it and connect anyway. Or do you get something else?
Remember that the ISA server pretty much blocks out any requests that don't match the list of IP addresses or host headers that you set up for it.
What is the error message you get when you try to connect via RWW?
ASKER
The certificate error isnt a problem, I just wanted to know how or what name I should purchase a SSL certificate in and to rule out if the certificate is causing problem.
Internally I accept the certificate and can connect to RWW and OWA with the DYNDNS name
Externally, I will get back to you in a minute, I will change my ip and connect to the router direct and skip the sbs box for now... I'm pretty sure the error is page not found...
Internally I accept the certificate and can connect to RWW and OWA with the DYNDNS name
Externally, I will get back to you in a minute, I will change my ip and connect to the router direct and skip the sbs box for now... I'm pretty sure the error is page not found...
The certificate won't cause a connection problem other than you will be warned in the browser if it doesn't match the name of the server you are connected to. The name of the certificate should be the DYNDNS name you have, however, it might not be allowed because you don't own the root domain of dyndns. You should probably stick with your self-signed certificate.
ASKER
ok.
Can you try geteg.office-on-the.net? tell me what happens?
Can you try geteg.office-on-the.net? tell me what happens?
I get nothing. My ISA server says that the server did not respond in a timely manner.
Open up your RWW Publishing rule on ISA.
Look at the Public Name tab. Tell me what you have for the public names and IP addresses there.
Open up your RWW Publishing rule on ISA.
Look at the Public Name tab. Tell me what you have for the public names and IP addresses there.
You should not have the geteg.office-on-the.net address in the Public Name tab because you are behind a Router. If you had SBS serving as your router, then you would want that, but instead you should simply have the IP address of the external ethernet port in the Public Names tab. Unless your DSL router does host header forwarding, which I am not sure that it does, you are going to be receiving requests with the IP address assigned to that ethernet connection - so probably a private IP address.
ASKER
ok, I'm doing now, your right geteg.BLAH was there.. I will change to the ip of the internet Nic
ASKER
ok, can you check again?
ASKER
at least we are getting somewhere, can I send you a check???
No connection still - make sure the Public Names tab has the PRIVATE IP address that it was given BEHIND the DSL router. For example
--> Public Dynamic IP (41.236.175.129) --> [DSL ROUTER] --> Private IP (192.X.X.X) -> [SBS Server]
Don't use the 41.236.175.129 address. Use the address BEHIND the DSL router.
--> Public Dynamic IP (41.236.175.129) --> [DSL ROUTER] --> Private IP (192.X.X.X) -> [SBS Server]
Don't use the 41.236.175.129 address. Use the address BEHIND the DSL router.
ASKER
I did, the private IP of the internet nic
192.168.xxx.101
I'm going to try the server IP
192.168.xxx.101
I'm going to try the server IP
Ok, so this is how it looks?
[DSL Modem] -> (41.236.175.129) -> [DSL Router] -> (192.168.xxx.101) -> External Network Interface [SBS Server] Internal Network Interface-> (xxx.xxx.xxx.xxx)
I'm hoping that we've been on the same page with the concept of the DSL Modem and Router.
[DSL Modem] -> (41.236.175.129) -> [DSL Router] -> (192.168.xxx.101) -> External Network Interface [SBS Server] Internal Network Interface-> (xxx.xxx.xxx.xxx)
I'm hoping that we've been on the same page with the concept of the DSL Modem and Router.
ASKER
yes, I understand
Dsl Modem 41.236.175.129
DSL Router 192.168.XXX.20
External Nic 192.168.XXX.101
Internal Nic or Server ip 192.168.XXX.2
you think maybe its too much equipment here? I have all ports forwarded to the server ip on the router, the modem is in bridge mode and has basically every feature disabled...
Tracert looks like it stopping at my router, because it is the one assigned the 41.blah IP because it has the modem in bridge mode...
Dsl Modem 41.236.175.129
DSL Router 192.168.XXX.20
External Nic 192.168.XXX.101
Internal Nic or Server ip 192.168.XXX.2
you think maybe its too much equipment here? I have all ports forwarded to the server ip on the router, the modem is in bridge mode and has basically every feature disabled...
Tracert looks like it stopping at my router, because it is the one assigned the 41.blah IP because it has the modem in bridge mode...
ASKER
It must be something in the rules, it has to be... I'm going to open the floodgates and see what happens..
Yes, you can do that. My suggestion at this point would be to minimize the situation down to just your DSL modem and SBS server. Let the DSL Modem provide the SBS server's External NIC with the public facing IP address, set up the TCP/IP properties of that nic to receive the address via DHCP, then run the Internet and Email connection wizard inside of the Server Management application with the new information.
I have 4 SBS servers running this configuration and they are on autopilot with all features operational. Granted, they also have static IP addresses, but if you are using DYNDNS, then I don't know why it wouldn't be any different.
Well, I'll check up on this tomorrow. Right now I have to get some sleep. Sorry I couldn't help tonight.
I have 4 SBS servers running this configuration and they are on autopilot with all features operational. Granted, they also have static IP addresses, but if you are using DYNDNS, then I don't know why it wouldn't be any different.
Well, I'll check up on this tomorrow. Right now I have to get some sleep. Sorry I couldn't help tonight.
ASKER
Yeah, I just tracert the domain again, with the floodgates open and still the same error (or it stalls out at the router)
It seems the DSL modem and server, I'm going to reset that sucker back to factory fresh and see what happens.
It seems the DSL modem and server, I'm going to reset that sucker back to factory fresh and see what happens.
ASKER
Have a nice night... I will let you know if anything comes up tonight...
ASKER
shall we continue?
ASKER
ok here is the status. I opened the flood gates, and RWW and OWA started working on my dyndns name... STRANGE. And Viola, VPN access! So now I just need to narrow the rule down to allow RWW and VPN only and stop all the other crazy crap trying to ping my server on odd ports, and everyone not aloud to have the Internet to stop wasting my bosses time by surfing all day... Does anybody have a clue why it works with ISA flood gates open, and why it doesnt when the gates are closed? I have all the rules I need to have in ISA as SBS installs default rules for RWW,OWA and VPN...
PerkDaddy.. I notice that something has changed because the last time you opened the floodgates, nothing was working. How did the network configuration change?
Now that everything is working, I would run the Internet and Email connection wizard FROM WITHIN Server Management. I would go through the wizard not clicking on any of the "Keep existing settings". This would force the wizard to reconfigure everything.
ASKER
I have no clue, I opened the flood gates the first time and It didnt work. I kept it open and restarted the server and sometime in those 2 days it started working. But the problem is now, with that rule in effect, I cannot control traffic, so I must turn it back off. But now I know my server can do its damn job, I can work backwards untill I find a rule that allows that traffic in. My main problem is the external network, I cant check it unless I go home, so I cant see what my home ip is doing in ISA logs so I can isolate RWW and create a rule allowing it. The SBS rules for RWW , OWA dont cut the cheese, I dont know how any SBS server could receive connections with the ISA rules it creates by default.
Perkdaddy,
The SBS rules out of the box after running the wizard work just fine. I manage quite a few SBS servers and have never had to modify the rules except to open up a new web site folder, or to allow someone with a laptop temporary access to the Internet.
If you run the wizard, then export the rules, I could take a look at them to see if anything looks unusual compared to the standard rules that are going on my servers.
Also, did you say you have 2 DSL connections? I would use one to test the external network for now and the other one for the server.
The SBS rules out of the box after running the wizard work just fine. I manage quite a few SBS servers and have never had to modify the rules except to open up a new web site folder, or to allow someone with a laptop temporary access to the Internet.
If you run the wizard, then export the rules, I could take a look at them to see if anything looks unusual compared to the standard rules that are going on my servers.
Also, did you say you have 2 DSL connections? I would use one to test the external network for now and the other one for the server.
ASKER
Yes 2 dsl connections that go into a VPN router that essentially creates one fast line... For the duration of this project I have left the second one disconnected. My boss has also authorized me the purchase of static IP's, how many do you recommend besides the ONE i need for the server?
Ok, about the rules, I could send them to you, but like I said the only rule that allows RWW or VPN is the floodgate rule I created and now turned off. Is there any way I can find the port that outside clients like my house are using to access the server through ISA? The logs get quite crazy with 45 systems connected to SBS and the internet and the one hour round trip from home to work is unfeasible at best.
RWW should use port 80 because it itself is an HTTP page or request correct? So why does it not work with the default SBS rule but with the floodgate rule?? Very strange. I have an Idea to modify the RWW rule to allow alternate HTTP/HTTPS traffic, maybe that will work... I will send you the rules in 5 minutes...
Ok, about the rules, I could send them to you, but like I said the only rule that allows RWW or VPN is the floodgate rule I created and now turned off. Is there any way I can find the port that outside clients like my house are using to access the server through ISA? The logs get quite crazy with 45 systems connected to SBS and the internet and the one hour round trip from home to work is unfeasible at best.
RWW should use port 80 because it itself is an HTTP page or request correct? So why does it not work with the default SBS rule but with the floodgate rule?? Very strange. I have an Idea to modify the RWW rule to allow alternate HTTP/HTTPS traffic, maybe that will work... I will send you the rules in 5 minutes...
ASKER
Ok, I modified the inbound default SBS rule to allow HTTP and HTTPS requests, if I did something wrong let me know. Feel free to modify the attached file and send it back to me and I will try it...
please add .xml to the file name, EE wouldnt let me upload and XML file
export1
please add .xml to the file name, EE wouldnt let me upload and XML file
export1
ASKER
yes, it works with the HTTP rule added to the default SBS rule, and the floodgates are closed!!!!!
ASKER
but I cannot connect internally with the VPN, I must try that later I guess
ASKER
How do I modify the external website? I need to remove a few things for security reasons ie: connect computer....
ASKER
where did you go???
ASKER
Ok, we got RWW up and operational. Thats about 79% of my problem. Now lets get VPN up and operational....
Sorry. I'm on Pacific Time GMT +8... It gets pretty late. You are on a good track. The thing about VPN is that it is also set up in RRAS. I'm hoping that you are finding luck with running the wizard. It will do all of the configuration for you.
ASKER
The wizard wont finish, some kind of "unknown" error... I will award points as VPN seems impossible for my setup. Thanks for the help and get some sleep man! I just woke up in Egypt! Its already a new day!
ASKER
Please read full post for troubleshooting this issue, good steps here.
Usually there are green checkmarks that will appear at the completion of the wizard. If you don't get green checkmarks, there is a log file you can check to show you exactly where the wizard failed. I don't remember off hand where the log file is, but if you do some searching, you can find it.
ASKER
I have the log, its all but really confusing,
here it is, this is just the small portion at the end of the log...
Reading VPN Server name returned OK
Reading VPN Server name is geteg.office-on-the.net
Created temp directory CMP26E6.tmp
Copying required template files to the temp directory returned OK
Updating CMP template returned OK
Updating CMS template returned OK
Updating SED template returned OK
Creating proxy configuration file returned OK
*** Running IExpress to build the package returned ERROR 80070001
Specifying error location (in CMAK) returned OK
*** CRRASCommit::CommitCMAK returned ERROR 80070001
*** CRRASCommit::CommitEx returned ERROR 80070001
here it is, this is just the small portion at the end of the log...
Reading VPN Server name returned OK
Reading VPN Server name is geteg.office-on-the.net
Created temp directory CMP26E6.tmp
Copying required template files to the temp directory returned OK
Updating CMP template returned OK
Updating CMS template returned OK
Updating SED template returned OK
Creating proxy configuration file returned OK
*** Running IExpress to build the package returned ERROR 80070001
Specifying error location (in CMAK) returned OK
*** CRRASCommit::CommitCMAK returned ERROR 80070001
*** CRRASCommit::CommitEx returned ERROR 80070001
PerkDaddy,
Ok, that is a good clue.. But I don't want to be the bearer of bad news about SBS SP1... Anyway, this article MAY or MAY NOT help, but I thought I'd give you the link.
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-04/msg02519.html
Hope you get that box of bits working as you need it. I feel for you, man. Good night.
Ok, that is a good clue.. But I don't want to be the bearer of bad news about SBS SP1... Anyway, this article MAY or MAY NOT help, but I thought I'd give you the link.
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-04/msg02519.html
Hope you get that box of bits working as you need it. I feel for you, man. Good night.
ASKER
Thanks
ASKER