  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 559
  • Last Modified:

vpn on sbs 2003

I have a site to site VPN using two SonicWall TZ190s and they work well. Site A can communicate and share resources with site B and vice versa, except that my DC, SBS 2003, is unable to ping and be pinged by the external site. I uninstalled the ISA server and disabled antivirus, but I'm still unable to reach the server from the external site. I would appreciate your help.
Asked by: madmxx
4 Solutions
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Is the VPN router also supplying an Internet connection?

Philip
0
 
madmxxAuthor Commented:
No, each site's router has its own Internet connectivity.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
How many NICs are installed in SBS, and if two, is the second NIC connected to a router supplying an Internet connection besides the router supplying the VPN connection? (2 routers on the SBS LAN).

Philip
0
 
madmxxAuthor Commented:
I am only using one NIC; the other one is disabled. The routers are providing DHCP and Internet connectivity on their own respective sites. I only have 1 DC, an SBS 2003 server, in site A. Site B has no servers.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
SBS must have DHCP enabled and configured for routing to work properly. The same is true for the Win2K3 box that should be serving the subnet at that site. DHCP should have the dynamic DNS update settings enabled and an account set in Credentials to allow for DNS updating.

Once DHCP is resident on the servers, the gateway IP on the server's NIC should point to the router that gives Internet and VPN access. This is the case for both server sites. Static routes in RRAS are only needed if there was more than one router at the site.

From there, if routing is correct, a ping of the server's name should resolve to the correct IP address of the server at the other site. You may need to add an A record if Win2K3 is not a DC.

Philip
0
 
madmxxAuthor Commented:
I only have one server, SBS 2003, in one site. The other site does not have any servers, only workstations. So you are saying that I should set up DHCP on the SBS 2003 server at site A and enable dynamic DNS. Now, the dynamic DNS is set on the server, not the router? On the other side, since there is no server present, only the router, do I need to do anything there? Also, is this change in DHCP only intended for the local network? Because right now the router is serving and the local computers can communicate just fine with the server.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
I misread the sentence about the server in site A/B.

DHCP needs to be enabled on SBS. DNS (not dynamic DNS - that is something else) is built in, and integrated with Active Directory. DNS and DHCP are closely tied into the SBS Configure E-mail and Internet Connection Wizard (SBS Console --> To Do --> Connect to the Internet) that is used to configure SBS for the Intranet (internal) and Internet access.

That in turn is tied into the http://mysbs/connectcomputer wizard that is used to connect all workstations to the SBS 2003 domain. And so on as far as the wizards are concerned.

From there, DHCP and DNS take care of all of the needed domain name resolution and IP traffic direction. So, if DHCP and DNS are not set up properly, then it is to be expected that traffic will not travel across the VPN using a name instead of an IP.

The server's NIC IP setup should be:
 192.168.50.254 IP (whatever your SBS IP is)
 255.255.255.0 Subnet
 192.168.50.1 (router for VPN and Internet)
 192.168.50.254 DNS1 (points to SBS)

IP range at your Site B would be 192.168.60.0/24 with DHCP served by the VPN router. DNS1 would point back to the SBS server if you want internal DNS names to resolve and DNS2 would point to an ISP DNS server so that Internet requests can be pulled through the router locally.

Philip

0
 
madmxxAuthor Commented:
Okay, but do I need to disable DHCP on the router that is on the server side? Also, do I need to make any changes to either router's DNS settings?
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
DHCP on the router on the SBS side is disabled.

The systems on the network need to query the SBS DNS for everything. The gateway setting on the SBS NIC tells SBS where to look when it cannot find anything on the internal side of the network. So, nothing should need to be changed ... unless there are some settings that are not proper.

Philip
0
 
madmxxAuthor Commented:


Do I make any changes on the dns from the router that's on sbs side?
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
DNS on the router (WAN) should point to the SBS if possible, or the ISP depending on how it needs to be configured. The unit's manual should indicate that for you.

Philip
0
 
madmxxAuthor Commented:
Thanks for your response. I followed your instructions but I am still unable to ping any computer on the other side of the VPN from the SBS 2003 server. It's very strange because any computer on the SBS side is able to ping the computers on the other side of the VPN. Any ideas of what else I can try would be really appreciated.
I need the server to reach the computers on the other side because the SBS runs remote web desktop and it cannot connect to those computers.
0
 
madmxxAuthor Commented:
Also, do I need to make any changes to RRAS on the SBS server? Does this have any effect on the issues at hand?
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Did you set any static routes in RRAS on SBS for the VPN setup?

Please post an IPConfig /all from the SBS.

Philip
0
 
madmxxAuthor Commented:
No, I have not done any configuration on RRAS, and under Services it shows as manual with no service running. Here is the SBS ipconfig.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : server2
   Primary Dns Suffix  . . . . . . . : clcpallets.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : clcpallets.local

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0E-0C-4E-7A-94
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       66.80.130.23
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
What is the 66.x.x.x IP address doing in the DNS on the NIC?

Philip
0
 
madmxxAuthor Commented:
Do I need to take that out? It's the ISP DNS.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Yes!!!

The only place for the ISP's DNS servers is in the DNS forwarders. You set that during the Configure E-mail and Internet Connection Wizard (SBS Console --> To Do --> Connect to the Internet).

Having that IP bound to the NIC will cause all manner of heartache.

Philip
0
 
madmxxAuthor Commented:
Okay, I made all the changes you recommended but I still haven't been able to solve the issues I need to. The first is being able to ping the server from the remote VPN clients by either name or IP, and the second is having the server be able to ping the remote VPN clients.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Is the tunnel up? Do the VPN routers indicate the tunnel is functional and do they have some sort of internal testing abilities to make sure the tunnel is functional?

Philip
0
 
madmxxAuthor Commented:
They're two TZ190 series and the tunnel shows to be functional. I think they are working well because I am able to reach both sides of the VPN using their LAN IPs. I just think the problem should be related to the SBS 2003 server because it is the only thing that cannot communicate with the remote VPN and vice versa. Any input would be really appreciated. My client is being very patient. But the remote site needs to be able to use their Outlook clients to authenticate with Exchange and also the remote web desktop for the remote site computers.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Please post an IPConfig /all for a workstation on the SBS side and a workstation on the VPN side.

Philip
0
 
madmxxAuthor Commented:
here is the local vpn site ipconfig:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : TSserver
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection w
ith I/O Acceleration #2
   Physical Address. . . . . . . . . : 00-15-17-55-53-89

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network Connection w
ith I/O Acceleration
   Physical Address. . . . . . . . . : 00-15-17-55-53-88
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.2
   DNS Servers . . . . . . . . . . . : 192.168.1.1

remote vpn lan ip :


Windows IP Configuration

        Host Name . . . . . . . . . . . . : carlos
        Primary Dns Suffix  . . . . . . . : clcpallets.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : clcpallets.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connecti
on
        Physical Address. . . . . . . . . : 00-07-E9-52-E2-CE
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.2.178
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.2
        DHCP Server . . . . . . . . . . . : 192.168.2.2
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            66.80.130.23
        Lease Obtained. . . . . . . . . . : Monday, May 04, 2009 9:51:22 AM
        Lease Expires . . . . . . . . . . : Tuesday, May 05, 2009 9:51:22 AM

0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
What is 192.168.2.2? Is that the remote VPN router?

Note that the workstation still has the ISP DNS IP bound to it. Check your DHCP settings to remove that IP address from the served DNS Server IPs!

Once the ISP's DNS IP has been flushed out of the system, the workstations on both sides should be able to resolve SBS and ping it.

Philip
0
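An added example, not part of any post in this thread: a check for the misconfiguration discussed above, where an ISP resolver is listed next to the internal DNS server on a NIC or in a DHCP scope. It parses `ipconfig /all` text and reports DNS servers that are not private addresses; the sample input is constructed to mirror the workstation output above, and treating "not a private address" as "not the internal DNS server" is an assumption.

```python
import ipaddress

# Constructed sample, modelled on the remote workstation output in the thread.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : carlos

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.2.178
        Default Gateway . . . . . . . . . : 192.168.2.2
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            66.80.130.23
        Lease Obtained. . . . . . . . . . : Monday, May 04, 2009 9:51:22 AM
"""


def dns_servers(ipconfig_text):
    """Return {adapter name: [DNS server strings]} from `ipconfig /all` text."""
    result, adapter, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if not line[0].isspace() and stripped.endswith(":"):
            # Unindented line ending in ":" starts a new adapter section.
            adapter, in_dns = stripped.rstrip(":"), False
            continue
        label, sep, value = stripped.partition(" :")
        if sep:
            # A labelled line; only "DNS Servers" opens a DNS list.
            in_dns = label.rstrip(" .") == "DNS Servers"
            candidate = value.strip()
        else:
            # No label: a continuation line (second and later DNS servers).
            candidate = stripped
        if in_dns and candidate:
            result.setdefault(adapter, []).append(candidate)
    return result


def external_dns(ipconfig_text):
    """Return (adapter, ip) pairs whose DNS server is not a private address."""
    findings = []
    for adapter, servers in dns_servers(ipconfig_text).items():
        for ip in servers:
            try:
                if not ipaddress.ip_address(ip).is_private:
                    findings.append((adapter, ip))
            except ValueError:
                pass  # not an IP address, e.g. a wrapped description line
    return findings
```

Running `external_dns` over saved output from the server and from a workstation at each site shows whether the ISP address is still being handed out after the DHCP scope is changed.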
 
madmxxAuthor Commented:
What happens if I do that and remove the ISP DNS is that the remote computers lose Internet access. It has to do with the SBS box. There is something wrong there.
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Q_24378578.html

A server at site 2 would resolve the routing issue as the VPN devices are probably not robust enough to do that for you.

The VPN devices need to be intelligent enough to know when packets need to get back to the SBS site. Without that, the devices will poll DNS and not get anywhere when they get a "Huh?" from the ISP's DNS servers for your SBS site.

Philip
0
 
madmxxAuthor Commented:
Well, what would you suggest trying for the routers as far as routing? Maybe they can handle it. These SonicWalls are pretty robust? What would I need to configure on them?
0
 
madmxxAuthor Commented:
Another question: can I enable RRAS and add a static route on the SBS server? Would that help?
0
 
madmxxAuthor Commented:
Do you have any more suggestions??
0
 
madmxxAuthor Commented:
How about if I enable ISA Server? Would that be an advisable solution?
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
A static route may help. But, usually when the same router is providing VPN and Internet connectivity, having the router's IP set in Gateway on the NIC is enough. SBS would know to look to the Gateway IP for any non-local DNS requests.

Philip
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
This is pretty tough since I cannot see the entire picture.

There are a lot of factors involved in making a VPN site to site work with SBS or any Windows Server environment for that matter.

All it takes is one incorrect setting in the router for the tunnel to be unstable, or an incorrect setting in RRAS, DNS, DHCP, or the NICs to not allow packets to route between sites.

Philip
0
