Solved

WIN 2003 VPNS

Posted on 2009-04-25
Last Modified: 2013-11-11
1. Although I'm not trying to connect remotely to another destination, is there any way I can simulate a VPN to ensure I know what to do, and then FOR REAL would know what to do if I did have to access a network remotely?

I'm getting a static IP from my ISP so that I can test sending & receiving email externally. I've got no one I can connect to company-wise! Although I suppose I could connect to someone's PC who has a normal ISP connection; presumably I would have to get that person to make some changes, I'm not sure. Any suggestions?
Question by:mikey250
10 Comments
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 24232088
You can set up a VPN internally and connect to that. This would allow you to learn to configure the VPN server and client; however, if using a connection over the Internet you also have to configure port forwarding on the router. It is usually not possible to connect to your external/public IP from the LAN, as it requires your router to send the connection from the LAN to the Internet and then, without "losing" it, return it back through the same router.
If you want to test the entire scenario I would recommend setting up the VPN server at your site with the static IP, and then connecting to it from anywhere using the Windows VPN client. You could do the latter with a laptop, or with an easy setup of the VPN client on someone else's PC.

If you are not familiar with setting up VPNs the following may be of some help. You can use a true server for the VPN server or a PC operating system.

The basic server and client configurations can be found at the following sites with good detail:
-Server 2003 configuration:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
-Using XP as a VPN server:
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
-Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
-The users that are connecting to the VPN need to have allow access enabled under the dial-in tab of their profile in active directory
-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.
-Name resolution can be dealt with in many ways. See:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
However, the best method is to add the DNS suffix to the remote users VPN client configuration as described in the link above.
 

Author Comment

by:mikey250
ID: 24232112
I have a basic D-Link 604 router in place and currently have an allow rule set for port 25, once I've confirmed I can send & receive email externally, with obviously all my settings already in place.

I can add an entry in my router firewall, so presumably it would be something like:

allow
name: vpn connection
source: *.* - set for any
dest: LAN *.* 192.168.0.98 - Port ?

The IP address belongs to my primary DC. If I had another PC I could use a separate PC for VPNs, but for the time being I will do it on the primary DC above: 192.168.0.98

I will read through the scenarios and test them out sometime next week!!
 

Author Comment

by:mikey250
ID: 24232155
OK, I can see in the descriptions what port to use.
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 2000 total points
ID: 24232159
As mentioned above, your router will need port 1723 forwarded to the VPN server (192.168.0.98), and the router also needs to have GRE enabled. This is protocol 47, not port 47. It is enabled on different devices in different ways; on the D-Link it would either be an option to "enable PPTP pass-through", or when doing the port forwarding there may be an option to forward the PPTP service rather than a port. If the latter exists as an option it will forward port 1723 as well as enable GRE.

If you wish to connect to different PCs that is fine. Just set up the VPN as instructed on the server, and RRAS will handle routing both to the server and through to the other PCs. You may have to connect to the PCs using the IP though, rather than their names (i.e. remote desktop to 192.168.0.x, or when connecting to shares use \\192.168.0.x\ShareName).

Note: one of the requirements for routing to take place is that the subnet used at either end of the tunnel MUST be different. Therefore at the server site it is best to use a less common subnet such as 192.168.123.x.
In your scenario you will not be able to use the VPN from any remote site that also uses 192.168.0.x, which can be a problem as it is a common default.
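An added check for the port-forwarding step described above (my code, not part of the thread and not Microsoft's): a Windows VPN client opens TCP/1723 and sends a PPTP Start-Control-Connection-Request (RFC 2637), and RRAS answers with a Start-Control-Connection-Reply carrying a result code and the server's host name. The script builds that request, parses the reply, and can be run from outside against the static IP to prove the D-Link really forwards 1723 to 192.168.0.98. The reply used in the self-test is constructed, and the host name "VPNSRV" and vendor string are assumptions. PPTP's MS-CHAPv2 authentication has since been shown to be breakable, so treat this as the lab exercise the question asks for rather than a production remote-access design.

```python
"""PPTP control-channel probe (RFC 2637 SCCRQ/SCCRP).

Added example: builds the Start-Control-Connection-Request a client sends on
TCP/1723 and decodes the Start-Control-Connection-Reply a RRAS server returns,
so a forwarded port can be verified without a full tunnel.
"""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1              # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2           # Control Message Types
PROTO_VERSION = 0x0100        # 1.0
FRAMING_ASYNC, FRAMING_SYNC = 1, 2
BEARER_ANALOG, BEARER_DIGITAL = 1, 2

# Result codes carried in an SCCRP (RFC 2637 section 2.2)
SCCRP_RESULTS = {
    1: "OK: channel established",
    2: "general error",
    3: "command channel already exists",
    4: "requester not authorized",
    5: "unsupported protocol version",
}

# Fixed 156-byte layout shared by SCCRQ and SCCRP. The two leading bytes of
# BODY are Reserved1 in a request and (result code, error code) in a reply.
HDR = struct.Struct("!HHIHHH")         # length, msg type, cookie, ctrl type, reserved0, version
BODY = struct.Struct("!BBIIHH64s64s")  # result, error, framing, bearer, max chans, fw rev, host, vendor
MSG_LEN = HDR.size + BODY.size         # 156


def _field(text: str) -> bytes:
    """ASCII, truncated or NUL-padded to the 64-byte host/vendor field."""
    return text.encode("ascii", "replace")[:64].ljust(64, b"\0")


def build_sccrq(hostname: str = "CLIENT", vendor: str = "") -> bytes:
    """The SCCRQ a client sends immediately after the TCP connect."""
    body = BODY.pack(0, 0, FRAMING_ASYNC | FRAMING_SYNC, BEARER_ANALOG | BEARER_DIGITAL,
                     0,  # max channels: the server ignores this
                     1,  # firmware revision: any value
                     _field(hostname), _field(vendor))
    return HDR.pack(MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0, PROTO_VERSION) + body


def build_sccrp(result_code: int = 1, error_code: int = 0,
                hostname: str = "VPNSRV", vendor: str = "Microsoft") -> bytes:
    """A server reply; used here only to construct sample input offline (assumed names)."""
    body = BODY.pack(result_code, error_code, FRAMING_SYNC, BEARER_DIGITAL, 0, 1,
                     _field(hostname), _field(vendor))
    return HDR.pack(MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0, PROTO_VERSION) + body


def parse_sccrp(data: bytes) -> dict:
    """Validate and decode an SCCRP; raises ValueError for anything that is not one."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short PPTP message: {len(data)} bytes")
    length, msg_type, cookie, ctrl_type, _reserved0, version = HDR.unpack_from(data)
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE or length != MSG_LEN:
        raise ValueError("not a PPTP control message (bad cookie, type or length)")
    if ctrl_type != SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctrl_type}")
    result, error, _framing, _bearer, _max_ch, _fw, host, vendor = BODY.unpack_from(data, HDR.size)
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "result_code": result,
        "result": SCCRP_RESULTS.get(result, f"unknown ({result})"),
        "error_code": error,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect to host:port, send an SCCRQ and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        reply = b""
        while len(reply) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(reply))
            if not chunk:
                break
            reply += chunk
    return parse_sccrp(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        print(probe_pptp(target))
    except (OSError, ValueError) as exc:
        print(f"no PPTP control channel at {target}:{PPTP_PORT}: {exc}")
```

Run it as `python pptp_probe.py <static-ip>` from a host outside the LAN. A reply with result code 1 proves only that TCP/1723 reaches RRAS; GRE (IP protocol 47) is not exercised until a call is set up, so a client that authenticates and then stalls is the usual sign that the router is forwarding 1723 but not passing GRE.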
 

Author Comment

by:mikey250
ID: 24232236
1. Why must the subnet mask be different at either end of the tunnel?

2. So instead of using 192.168.0.x, use something like 192.168.123.x, as long as the 3rd octet is not zero?

3. Why can't I use option 2 above for a VPN?
 

Author Comment

by:mikey250
ID: 24232241
I've just noticed above:

-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x


I suppose one could look at this example as a router connecting to another router. One router's last octet would be .1 & the other would be .2!
 

Author Comment

by:mikey250
ID: 24232250
-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. why not?
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 2000 total points
ID: 24232295
>>"why must the subnet mask be different at either end of the tunnel?"
Packets are routed based on the subnet (actually the network ID) to which they belong. If you want to send a packet to a PC at the other end of the tunnel, for example 192.168.0.200, and the local subnet uses 192.168.0.x, then the router assumes it is a local device and does not forward the packet to the remote subnet, and it is lost. Every hop between client and server must be a different network segment (different subnet); that is how routing works. 192.168.x.x is only used on private LANs, so there is no chance of a conflict with any Internet hops.

>>"You will not be able to browse the network unless you have a WINS server installed. why not?"
Browsing a network requires using NetBIOS naming. On a LAN this is primarily done using broadcast packets. Broadcast packets are not routable, and therefore cannot be forwarded over the VPN. The workaround for this is to use WINS, but it requires a WINS server at both sites which are synced. The latter is generally not practical at a client site. Browsing is seldom important, as you are connecting to known resources such as shares at a specific IP.

On the other hand name resolution (not browsing) can be 'fixed' if not working over the VPN. See my blog:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
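To show the routing rule behind the "subnets must differ" advice in the two replies above, here is an added example (mine, not from the thread). It applies longest-prefix match, which is how Windows and every other IP stack picks an outgoing interface, to the three routes a connected PPTP client ends up with: its own LAN on the NIC, the office LAN via the PPP adapter, and the default gateway. The interface labels and the list of "less common" candidate subnets are assumptions for illustration. It also answers the third-octet question with a real overlap check: what matters is that no address can belong to both networks, so 192.168.0.0/16 against 192.168.123.0/24 fails even though the third octets differ.

```python
"""Longest-prefix-match routing, showing why both tunnel ends need distinct subnets.

Added example: a toy routing table of the kind a Windows PPTP client has once
connected, plus the overlap test the two sites' subnets must pass.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str]  # (network in CIDR form, interface label)


def choose_route(dest: str, routes: Iterable[Route]) -> Optional[str]:
    """Longest-prefix match over (network, interface) pairs.

    Ties (same prefix length) go to the earlier entry, which here is always the
    LAN NIC. A real stack breaks ties by metric, but a destination that looks
    local is ARPed for on the local segment and never enters the tunnel anyway.
    """
    d = ip_address(dest)
    best_net, best_iface = None, None
    for net, iface in routes:
        n = ip_network(net)
        if d in n and (best_net is None or n.prefixlen > best_net.prefixlen):
            best_net, best_iface = n, iface
    return best_iface


def client_routes(client_lan: str, office_lan: str) -> List[Route]:
    """Routes a connected PPTP client has: own LAN, office LAN via PPP, default."""
    return [
        (client_lan, "LAN (NIC)"),          # labels are assumed, for illustration
        (office_lan, "VPN (PPP adapter)"),
        ("0.0.0.0/0", "default gateway"),
    ]


def subnets_compatible(client_lan: str, office_lan: str) -> bool:
    """True when no address can belong to both ends; the real test, not 'third octet differs'."""
    return not ip_network(client_lan).overlaps(ip_network(office_lan))


# Less common /24s to choose for the server site. 192.168.0.x and 192.168.1.x
# are the usual home-router defaults and are deliberately absent. (Assumed list.)
CANDIDATE_OFFICE_SUBNETS = ["192.168.123.0/24", "192.168.77.0/24", "10.37.4.0/24"]


def pick_office_subnet(known_client_lans: Iterable[str]) -> Optional[str]:
    """First candidate that overlaps none of the LANs remote users are expected to dial in from."""
    lans = list(known_client_lans)
    for cand in CANDIDATE_OFFICE_SUBNETS:
        if all(subnets_compatible(lan, cand) for lan in lans):
            return cand
    return None


if __name__ == "__main__":
    # Office on 192.168.0.x and the remote client also on 192.168.0.x:
    # the office PC looks local, so the packet never goes down the tunnel.
    same = client_routes("192.168.0.0/24", "192.168.0.0/24")
    print("192.168.0.200 via", choose_route("192.168.0.200", same))        # LAN (NIC)
    # Office renumbered to 192.168.123.x: the office PC is now routed via PPP.
    fixed = client_routes("192.168.0.0/24", "192.168.123.0/24")
    print("192.168.123.200 via", choose_route("192.168.123.200", fixed))   # VPN (PPP adapter)
    print("8.8.8.8 via", choose_route("8.8.8.8", fixed))                   # default gateway
    print("overlap check, /16 vs /24:", subnets_compatible("192.168.0.0/16", "192.168.123.0/24"))
    print("server subnet to use:", pick_office_subnet(["192.168.0.0/24", "192.168.1.0/24"]))
```

The same check applies to the question of "a less common subnet": run `pick_office_subnet` with the subnets your remote users actually sit behind, and the answer is the first candidate none of them can collide with.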
 

Author Comment

by:mikey250
ID: 24232302
OK, thanks for this. I will look into it.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 24374800
Thanks mikey250.
Cheers!
--Rob