Solved

Accessing Windows 2008 Fileserver via VPN

Posted on 2009-06-30
Last Modified: 2012-08-14
I've recently started migrating our company's file server from Novell onto Server 2008, everything's working ok apart from mapping drives via VPN.

I've created a login script to run after the VPN connection is made and the script itself works fine when I'm connected to the network. When I'm connected via VPN to the network however I get the 'network path not found' error.
We have a very strong corporate firewall (which I have no control/management of) so I assumed additional ports needed to be opened on the firewall. After talking to the firewall guys and getting various ports opened with no result I requested they create an 'any rule' allowing any traffic from my VPN IP to the Windows File Server (for testing only).
However I'm still getting the 'network path not found' error and am unable to telnet to the server on various ports. Can't ping the server etc.
The Windows Server 2008 firewall itself is completely disabled.

When connected on the internal network I can:
Ping the server
Telnet on: 139, 445, 3389, 48778
Map drives fine via UNC path or Login Script I created.

Over VPN since the any rule was put in I can:
Resolve IP via ping but the actual request times out.
Telnet on 3389 & 48778 (Trend Micro port)
RDP into the File Server.

Can anyone think of anything I might be missing? Any more information you need?
A colleague of mine is a Linux nut and he explained that while the local firewall is open the service itself might only accept connections from a certain subnet etc. i.e. the file sharing service or whatever that listens on 445 may only accept connections from the same subnet as itself.
I've never heard about this in Windows, is this a possibility?

I've done a netstat -a and pasted it in the code section below after removing any established connections.

The corporate firewall is apparently showing no blocked ports in logs, searching through the VPN logs we can see a lot of connections trying to be made on ports 80/8080/524 and RST ACK are sent back but nothing on any file sharing ports.

wfs01 is the fileserver and has a 172.19.12.6 IP. When I come in over VPN I am given 192.168.103.176, but RDP is working so the NATing is ok?
 TCP    0.0.0.0:111            wfs01:0                LISTENING
 TCP    0.0.0.0:135            wfs01:0                LISTENING
 TCP    0.0.0.0:445            wfs01:0                LISTENING
 TCP    0.0.0.0:1039           wfs01:0                LISTENING
 TCP    0.0.0.0:1047           wfs01:0                LISTENING
 TCP    0.0.0.0:1048           wfs01:0                LISTENING
 TCP    0.0.0.0:1581           wfs01:0                LISTENING
 TCP    0.0.0.0:1688           wfs01:0                LISTENING
 TCP    0.0.0.0:2049           wfs01:0                LISTENING
 TCP    0.0.0.0:3389           wfs01:0                LISTENING
 TCP    0.0.0.0:5357           wfs01:0                LISTENING
 TCP    0.0.0.0:48778          wfs01:0                LISTENING
 TCP    0.0.0.0:49152          wfs01:0                LISTENING
 TCP    0.0.0.0:49153          wfs01:0                LISTENING
 TCP    0.0.0.0:49154          wfs01:0                LISTENING
 TCP    0.0.0.0:49155          wfs01:0                LISTENING
 TCP    0.0.0.0:49193          wfs01:0                LISTENING
 TCP    0.0.0.0:49208          wfs01:0                LISTENING
 TCP    0.0.0.0:51238          wfs01:0                LISTENING

Question by:andoss
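
Added example, not part of the original post: a small triage script that combines the `netstat -a` listing with the two telnet results in the question, to show for each port that works internally but not over VPN whether the listener is bound to all addresses. The sample lines are constructed in the same format as the listing above, and the function names and verdict strings are hypothetical.

```python
import re

# Constructed sample: a few lines in the format of the `netstat -a` listing above.
NETSTAT_SAMPLE = """\
 TCP    0.0.0.0:135            wfs01:0                LISTENING
 TCP    0.0.0.0:445            wfs01:0                LISTENING
 TCP    0.0.0.0:3389           wfs01:0                LISTENING
 TCP    0.0.0.0:48778          wfs01:0                LISTENING
"""

# Ports the question reports as reachable by telnet from each vantage point.
INTERNAL_OK = {139, 445, 3389, 48778}
VPN_OK = {3389, 48778}

# proto, local address, local port, foreign address, state
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def parse_listeners(text):
    """Return {port: set of local bind addresses} for LISTENING TCP sockets."""
    listeners = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners


def triage(listeners, internal_ok, vpn_ok):
    """Classify each port that answers internally but not over the VPN."""
    report = {}
    for port in sorted(internal_ok - vpn_ok):
        binds = listeners.get(port)
        if not binds:
            report[port] = "not in listing"      # no LISTENING line was pasted
        elif "0.0.0.0" in binds:
            report[port] = "wildcard bind"       # all local IPv4 addresses
        else:
            report[port] = "bound to " + ",".join(sorted(binds))
    return report


if __name__ == "__main__":
    result = triage(parse_listeners(NETSTAT_SAMPLE), INTERNAL_OK, VPN_OK)
    for port, verdict in result.items():
        print(port, verdict)
```

A "wildcard bind" verdict for 445 means the listener is on every local IPv4 address of the server, so the bind address does not explain why the port answers from one vantage point and not the other.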
13 Comments
 
LVL 3

Expert Comment

by:boat_anker
ID: 24752104
Hi, this may be a long shot but something similar was happening for me. First of all does the script contain a UNC path e.g. \\servername\path to create the map drive? If so the problem can be at the router if Broadcast name resolution is not enabled?

My users couldn't get to file shares in Windows Explorer using the address \\servername\share until Broadcast name resolution was turned on at the VPN router. Not sure if all routers have this setting however.

0
 

Expert Comment

by:HeadAche1
ID: 24752900
We had a similar problem on our network and found that we had to manually specify a WINS address on the VPN connection for the name resolution to work.
You could also try mapping via ip instead of server name.

0
 
LVL 8

Author Comment

by:andoss
ID: 24759018
Unfortunately I've tried connecting via IP also and same problem occurs. I'm quite sure DNS/Name Resolution is fine anyway as I can RDP to the server using its host name.
0
 
LVL 8

Author Comment

by:andoss
ID: 24759454
I've been told one of our network guys did some testing from home last night, he switched off the firewall for himself via VPN and he could ping any server apart from my Windows Server 2008 fileserver. He set up a fileshare on another server and could access this fine also, so seems to be an issue with the server itself not our corporate firewall.

As I said the local firewall is completely switched off however there's still the security policy settings, is it possible these are blocking connection from unknown IPs (our VPN IP) while accepting connections from known ones (our internal IP)?

For some reason it seems to still be trying to connect on port 524 which is a Netware port.
0
 
LVL 3

Expert Comment

by:boat_anker
ID: 24759783
Have you tried disabling the Anti-Virus software on the server as it may have its own firewall settings also?
0
 
LVL 5

Expert Comment

by:vguzman
ID: 24760243
Try:

net use \\remote\sharefolder password /u:domain\username /persistent:yes
0
 
LVL 8

Author Comment

by:andoss
ID: 24760509
Yes the Anti-Virus (Trend Micro) has been disabled on the server even though its built-in firewall isn't used.

vguzman: I know how to map a drive, there is a setting or network problem preventing me from doing so hence my questions. Obviously using that syntax over VPN gives the same result of 'Network path not found'. From internally it works fine.
0
 
LVL 5

Expert Comment

by:vguzman
ID: 24764269
On the 2008 server, in the "Network and sharing center" is the "network discovery" turned on? Is the "file sharing" on?
Down below in "show me all the shared network folders on this computer", what do you see when you click it?
Can you ping your computer (on the other side of the VPN) FROM the 2008 server?
0
 
LVL 8

Author Comment

by:andoss
ID: 24768605
Network Discovery is on as is File Sharing.

When I click 'Show me all the files and folders I am sharing' I see nothing. However when I click 'Show me all the shared network folders on this computer' I see the 3 network shares I've set up as well as printers.

Can't ping the VPN client computer from the 2008 server and I believe this is due to the firewall setup and maybe routing, I think the network guys only set up rules allowing the connection from the VPN > server not from server > VPN. Is this likely to be an issue?
0
 
LVL 3

Expert Comment

by:boat_anker
ID: 24769048
Is the subnet that the server's IP (172.19.12.6) is on the same subnet as all the other servers that you can connect to while you are on VPN?

What if you set up VPN to give you the IP address on the same subnet as the server? Also, is the subnet you are connecting from the same subnet you are connecting to as this won't work?

It sounds like a bad route. Yes I know you can connect via RDP but stranger things have happened. Do you have another network card to test in the server?

Just so you know. I have a standard install of Windows 2008 server and I have no problem connecting via VPN, so there is no special setting to worry about after a default install of Server 2008.

As for the Local Security Policy and the firewall, if there is anything in the local security policy, disable it also to ensure nothing is getting blocked.

0
 
LVL 8

Author Comment

by:andoss
ID: 24769138
Yes, same subnet as other servers on the network. Our old file server was Novell (172.19.12.5) and accessing this via VPN worked without issues.

Can't change the VPN settings to give me an internal IP Address and I know the network guys won't do this for me unfortunately.
Internally we are 255.255.252.0, via VPN it's 255.255.255.0, however I've been assured all the routing and NATing is set up correctly.

Sorry I'm not extremely knowledgeable on networking side of things however how would I connect via RDP and be able to telnet on our Trend port and it still be a bad route? Can't try another network card in the server as it's a virtual machine.

I've just run up a clean Win 2008 Server and got another any rule put into place to connect to this machine. Exactly the same issue, can RDP to it but can't ping or connect on ports 137,138,139 or 445.

Nothing in Local Security Policy except defaults. As you said, I'm starting to believe it's unrelated to my Windows Server and more a problem on the network side of things. However I'm not having any luck convincing the network guys of this.
0
 
LVL 3

Expert Comment

by:boat_anker
ID: 24769173
Can you confirm that you can connect to other servers that are virtual machines while you are on the VPN?
0
 
LVL 8

Accepted Solution

by:
andoss earned 0 total points
ID: 24769306
Hmm well one of the network guys did some testing and he could get to a network share on a Windows 2003 server he set up, he's not in today however I just got rules opened to another Windows 2003 server and exactly the same problems as with 2008... Can RDP but can't get to network shares and can't ping. Majority of our machines are virtual servers, the clean Server 2008 box I set up for testing is physical however so fairly sure that's not the issue.

Not sure exactly what the network guy did when he was successful but I believe he turned off one of the VPN firewalls completely so going to assume that's where it's being blocked.

Probably best not wasting your time with this question anymore until I can confirm this or not which I won't be able to do till Monday, thanks very much for your suggestions has helped the problem solving process. Whole thing has been a political nightmare.
0
