Expanding SBS subnet to accommodate OpenVPN clients

Asif Bacchus
I am currently using a pfSense firewall to connect via OpenVPN to an SBS 2003 network.  Everything works well and I can access files, etc.  However, I would like group policy to apply to my VPN clients, since I use the VPN to test changes at a remote location before deploying them on the "real" network.

The network has one SBS 2003 SP2 server and several clients, all in the 10.0.0.x/24 range.  The OpenVPN clients connect on subnet 10.0.1.x/24 and have a static route over to 10.0.0.x.  They are successfully getting the SBS 2003 server (at 10.0.0.1) as their DNS and WINS server.

I am assuming that for this to work the way I'd like it to, I would have to expand the SBS server's scope to include both 10.0.0.x and 10.0.1.x. Is that correct?  If so, how would I do this?  Do I need to use the Change IP wizard?

Any help appreciated!  And please let me know if you need any additional details -- this is my first post so I'm not sure if I provided enough info.
Asif Bacchus (I.T. Consultant, Author) commented:
After a Google search this seems to be a more complicated question than I originally thought -- I've increased the point value.
Hi

As long as your server is aware of the 2nd range (via your default gateway), I can't see why you should have any problems. You will not need to change the IP address of the server.

If you can access the server's DNS/WINS server, you must already have a route set up and working?
I'm not sure what you are trying to gain, or what the problem is?
Asif Bacchus (I.T. Consultant, Author) commented:
Thanks for the quick reply.  The problem is that (computer) group policies are not being applied to the system connected via the VPN.  I am getting error 1054 in the application log and error 5719 (no DC available) in the system log.  This seems to be due to a delay in the VPN service starting, since user group policies (i.e. login scripts) process just fine.

Is there a way to delay (computer) group policy processing for a few seconds until the VPN service has started?  Or perhaps there is a better solution?

Thanks for your help, it is very much appreciated.
Top Expert 2013 commented:
If you have SBS, why would you not use the built-in VPN service with SBS? This will look after routing, VPN client connections, security, and name resolution.
http://www.lan-2-wan.com/SBS-VPN-instr.htm
Asif Bacchus (I.T. Consultant, Author) commented:
RobWill: I initially tried to use the built-in VPN service with SBS, but it kept creating an "MSHOME" domain that really started to slow down DNS lookups for local clients.  I tried re-running the CEICW to resolve the issue, but eventually the downtime to the local clients while I was troubleshooting became too extensive.  In addition, the problem would seem to crop up randomly -- perhaps it has been fixed with recent updates, but for now that is why I am looking at other options such as running the VPN through pfSense.

If you have any experience resolving the MSHOME issue I would be very interested since it would seem to be a cleaner solution to my current problem.  Perhaps that is a topic best suited for a separate question?  Thanks for the suggestion though.
Top Expert 2013 commented:
Very interesting. I have never heard of an MSHome domain being created in DNS by any server version of Microsoft, and also adding the VPN connection should not make any DNS entries at all. Once the first user connects, it will create a virtual adapter and assign it an IP. It will then assign a host record in DNS, but not a zone or domain.
The only possibility I could see that might even cause that is a home operating system (likely XP Home) connecting to the server, where on that PC's NIC configuration "Register this connection in DNS" is checked. However, I can't see even that creating a zone.

How did you create the SBS VPN? Did you use the "Configure Remote Access" wizard located under Server Management | Internet and E-mail?
http://www.lan-2-wan.com/SBS-VPN-instr.htm

I assume you are not referring to seeing both your domain and a workgroup named MSHome in Network Places? If so, that is very normal. Network Places will show all domains and workgroups connected to that network segment. MSHome is the default workgroup for XP Home and will have no bearing at all on your network.
Asif Bacchus (I.T. Consultant, Author) commented:
RobWill:  Thanks for sticking with this.  What's happening is that the Configure Remote Access wizard will enable RRAS, which then creates its own mini-DHCP server that is causing multiple domain entries in my DNS -- in essence it is changing the domain to MSHome.net, but more annoyingly it will change the server IP address and my local clients will try looking in the VPN subnet.

Before I go ahead and test this again, a quick question:  Can I configure the workstation to connect to the SBS VPN as a service at startup so that Group Policy (i.e. push install of applications, HKLM settings, etc.) will apply?  How would I go about this?  If I can't do this then I'd have to stay with something like the OpenVPN solution I'm currently using.
Top Expert 2013 commented:
Very bizarre. I'll look into the MSHome.net issue later when I have a little more time.

As for the second part above: if using the Windows/SBS client, the best bet is to join the remote PC to the domain. Once done, there is a "connect using a dial-up connection" check box at logon. Selecting this will allow the user to choose the VPN connection. This connects the VPN before logon completes and allows group policy and logon scripts to be applied.
If you want to join a remote PC to the domain using a VPN connection, see the following:
http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/83/Connecting-a-remote-workstation-to-a-domain.aspx

If you are using another VPN solution, you may be able to use Microsoft's Srvany and Instsrv, which are designed to allow you to run an application as a service. Others claim to have been able to make this work with a VPN, though I have never tried.
http://support.microsoft.com/kb/q137890/
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q152460
http://www.tacktech.com/display.cfm?ttid=197

Run batch file as a service
http://www.mike-tech.com/article.php?gif=win2k&article=135
Asif Bacchus (I.T. Consultant, Author) commented:
RobWill:  Thanks for all the help!  I was able to get the VPN services working in SBS 2003 and I can connect my client.

However, the main problem still exists.  Computer Group Policies are still not being executed, and the Event Log confirms this, since the VPN connection is not made until the USER logs into the system (yes, I am using the "connect using a dial-up connection" option).  For reference, I need this functionality so that assigned applications are pushed to the VPN client.

Is there any way to have a VPN connection started before computer Group Policies are executed or a way to delay processing until a VPN is connected?

Thanks everyone for sticking with this one.
Top Expert 2013 commented:
Though the purpose of the "use dial-up connection" option is to allow policies to be applied, you sometimes have to "tinker" with the following policies to get it to work. They address the fact that you are working over a slower connection. Keep in mind they will not help until you have managed to get them to apply. You would be best to use gpupdate /force and then verify with gpresult.

Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
(as per: http://support.microsoft.com/kb/227260)
Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and logon
Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
This may be of help as well:
http://support.microsoft.com/kb/227369
Asif Bacchus (I.T. Consultant, Author) commented:
Thanks for those suggestions -- I totally forgot about gpresult!  I have made the changes suggested but am still having problems with GP applying, even after several reboots.  I have disabled the local firewall for testing purposes to rule it out as a problem.

I have attached the gpresult output and it shows that everything is being processed.  However, my Event Log is full of Error ID 1054 and other references to not being able to find the network path or DC.  Also, while I can map network drives and ping from the client > server, I get the infamous error 53 or "network path not found" from the server > client.  I can ping OK in both directions and tracert works fine.

Any other ideas or is this project doomed to failure :)
(Attachment: GPResult.txt)
Top Expert 2013 commented:
A 1054 error is often related to DNS. Does the VPN client point only to the server for DNS (do not add a secondary such as an ISP's), and has the domain suffix been added to the advanced DNS configuration of the network adapter? See my blog for details:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

Did you run gpupdate /force while the VPN was connected?
Asif Bacchus (I.T. Consultant, Author) commented:
Yup, ran gpupdate /force while connected.  Tried adding the domain suffix and still no luck -- still getting 1054 errors and associated GP failures.  I've attached an ipconfig for reference in case it helps.
(Attachment: ipconfig.txt)
Top Expert 2013 commented:
Does the remote server use 10.0.0.x for its LAN, or is that a subnet just for the VPN?
Asif Bacchus (I.T. Consultant, Author) commented:
The 10.0.0.x address range is used for my LAN.  Right now the server (via DHCP) assigns 10.0.0.100-200 for clients and RRAS is using a static range of 10.0.0.50-75 for VPN clients.  I avoided allowing RRAS to assign addresses via DHCP to avoid the multiple DHCP server issue (MSHome.net).  My server is at 10.0.0.1 and my router is at 10.0.0.10.  My network is configured as follows:

Clients + Server (all on a switch) --> Router (linux box) --> DSL Modem

Hope this helps... thanks again for sticking with this.
Top Expert 2013 commented:
That all looks fine, except the DNS suffix "phub.net.cable.rogers.com" could cause problems, though it shouldn't where the proper suffix is tied to the PPP adapter.

I would try running netdiag on the remote PC, though I have never looked at the results when using a VPN client. It often points out connection and DNS errors:
http://www.lan-2-wan.com/Diag-FAQ.htm#q1
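The two client-side checks RobWill raises above (the VPN adapter should point only at the SBS server for DNS, and should carry the domain suffix rather than the ISP's) can be automated over saved ipconfig /all output. This is an added example, not code from the thread or from any of the linked articles; the adapter names, the 203.0.113.53 secondary DNS server and the domain name "example.local" are constructed, since the page gives only the SBS address 10.0.0.1 and the ISP suffix.

```python
import re
# Constructed sample "ipconfig /all" output modelled on this thread: a LAN adapter with the
# ISP's DNS suffix, and a PPP (SBS VPN) adapter that lists a second, non-SBS DNS server
# (203.0.113.53, constructed) and carries no domain suffix.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : phub.net.cable.rogers.com
        IP Address. . . . . . . . . . . . : 192.168.1.20
        DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter SBS VPN:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.52
        DNS Servers . . . . . . . . . . . : 10.0.0.1
                                            203.0.113.53
"""
SBS_DNS = "10.0.0.1"             # the SBS server's address, as given in the thread
DOMAIN_SUFFIX = "example.local"  # assumption: the AD domain's DNS name is not on the page

def parse_adapters(text):
    """Return {adapter name: {field: [values]}} from ipconfig /all output."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):             # section header, e.g. "PPP adapter SBS VPN:"
            current, field = line.rstrip(":").strip(), None
            adapters[current] = {}
            continue
        m = re.match(r"\s*(.*?)[ .]*: ?(.*)$", line)
        if m and m.group(1).strip():             # "Field . . . : value" (value may be empty)
            field, value = m.group(1).strip(), m.group(2).strip()
            adapters[current][field] = [value] if value else []
        elif field:                              # continuation line, e.g. a second DNS server
            adapters[current][field].append(line.strip())
    return adapters

def check_vpn_dns(adapters, sbs_dns=SBS_DNS, domain_suffix=DOMAIN_SUFFIX):
    """Flag PPP adapters using any DNS server other than the SBS box, or lacking the domain suffix."""
    findings = []
    for name, fields in adapters.items():
        if not name.startswith("PPP adapter"):
            continue
        for server in fields.get("DNS Servers", []):
            if server != sbs_dns:
                findings.append(f"{name}: unexpected DNS server {server}")
        suffix = fields.get("Connection-specific DNS Suffix", [])
        if not suffix or suffix[0].lower() != domain_suffix.lower():
            findings.append(f"{name}: DNS suffix missing or not {domain_suffix}")
    return findings
```

On a real client, feed the output of ipconfig /all (saved to a file) into parse_adapters and review the findings before running gpupdate /force again.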
Asif Bacchus (I.T. Consultant, Author) commented:
I have attached the output from netdiag, but didn't really see anything that helped me... maybe something will stand out to someone here?

After doing some additional research, it seems like what I'm trying to do cannot be done unless I use a hardware VPN so that Computer Configuration policies can be applied.  Apparently software VPNs only connect in time for User Configuration policies -- is this information accurate?  If so, I'm going to go the hardware route (which is no problem).
(Attachment: netdiag.txt)
Top Expert 2013 commented:
That result looks good. Only issue I see is:
Default gateway test . . . : Failed
            Pinging gateway 10.0.0.52 - not reachable
            No gateway reachable for this adapter.
However all DNS and trusts look good so that shouldn't be a problem.
You might want to change the binding order, on the connecting PC. To do so go to network connections | on the menu bar choose advanced | advanced settings | adapters and bindings | move the RRAS adapter to the top of the list.

>> "it seems like what I'm trying to do cannot be done"
If using the Windows VPN and the "connect using a dial-up connection" option, it should definitely work. As for computer config policies, I was under the impression they would be applied as well, but possibly not until reboot. Are there any computer policies that have to be applied at each connection?

No question a site-to-site hardware VPN solution is the better option in many ways, if you can justify it.
Asif Bacchus (I.T. Consultant, Author) commented:
Binding order didn't help -- probably because the local adapter has to connect first anyway before the RRAS adapter can connect to anything (otherwise where's the internet connectivity coming from to access the VPN?).

After more research, a hardware VPN seems like the way I have to go.  The computer policies need to be applied at each boot because they involve assigned applications and some batch files that reset user preferences for private-label applications, so access to the server during this time is important and reboots are not an option.

RobWill:  Thanks for going through all of this with me -- if nothing else, I learned a lot about troubleshooting VPN connections and what they can and can't accomplish.  Points for getting my SBS VPN working at least and letting me get away from openVPN.
Asif Bacchus (I.T. Consultant, Author) commented:
Seems I was asking for something that just cannot be done at this time -- but thanks for all the information and help in getting everything else working.
Top Expert 2013 commented:
Personally I prefer a site-to-site hardware-based VPN, but I know it is not always feasible. They work better in a domain environment, there is slightly better performance, and they are more secure and more dependable.
Thanks asifbacchus.
Cheers!
--Rob