  • Status: Solved
  • Priority: Medium
  • Security: Public

Setting up a VPN on Windows Server 2008 / Vista

I am running Windows Server 2008 and I have installed the Routing and Remote Access Role.  I have a Custom Configuration for the VPN as I only have one NIC on the server.

I would ultimately like to be able to switch on a laptop and log straight on my domain through Active Directory remotely/through the internet.

I am a little unsure how to do this.

Firstly, what DNS records do I need to set for my external domain (e.g. domain.com).  For info, the VPN server is also acting as my domain controller and I have a local domain running.

Secondly, what do I need to do on my router/firewall? It's a Netgear ProSafe router and I have enabled VPN passthrough and opened up the PPTP port and forwarded this port to the server behind the router.

Thirdly, what do I need to do on the laptop or other remote computers? I have attempted to set up a VPN connection, but when I try to connect, it asks for a username/password/domain, then displays "Registering computer on the network" before failing to connect.  I have no idea if the laptop has found the server/VPN or not.

Thanks in advance!
0
Asked by: pipelineconsulting
2 Solutions
 
Rob WilliamsCommented:
When the connection fails what error number is reported such as 721, 691, 800?
Very possible the failure is GRE is not allowed. On most Netgears you do not forward port 1723 to the server but rather forward the PPTP service. This forwards port 1723 and also enables GRE/PPTP pass-through.

In order for clients to logon directly to your domain they need to be joined to the domain. If they are in the logon box of the client machine there will be a check box for "use dial-up connection". If they select this the VPN will then be provided as an option. Selecting the VPN allows the user to authenticate to your domain, and have group policy and logon scripts applied.

As for configuring the client they need to have the VPN adapter configured with your server as the DNS server, and add the domain suffix under advanced DNS, but this is done automatically when joined to the domain. If doing so manually see:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
0
 
Libis_aka_DuskCommented:
1) No need to set DNS to external; you can use the IP. If you want to use something like vpn.domain.com, just add this as an A record to the DNS server.
2) VPN passthrough is required primarily for clients, for receiving the UDP VPN response payload back. On the server-side router, just port 1723 forwarding is required.
3) Did you set up the security group for VPN? Allowed it to connect inside Routing and Remote Access? Maybe if you use a NAP server the rules are there instead of RRAS.
4) How about IP address allocation for the clients? There is something called DHCP relay, so it will basically forward configuration from the LAN's DHCP to the client. It is also possible to set a special manually assigned network; best to use a totally different segment.
Don't forget to have routing turned on in case you want to reach anything behind the RRAS PPTP server.
0
 
Libis_aka_DuskCommented:
2) GRE 47 has to be enabled, so leave passthrough on at the server side.
I found a nice howto also:
Once you've installed the NP&AS role and then subsequently RRAS as a role service, you will get an icon appear in Administrative Tools called Routing and Remote Access.

On opening this MMC applet, you will see the server object in the tree view. You will need to right-click this and choose the option to "Configure and enable RRAS". As you step through the wizard, you will have to answer a series of questions as to what you want the server to perform. At this stage, you would be best choosing the option "Remote Access (dial-up or VPN)". If the wizard asks for further information, this should be specific to your network.

Finally, once RRAS is enabled and started, you should see some PPTP ports under the "Ports" section of the RRAS console. If you see them, you have PPTP VPNs up and running. The last step is to open the ports through your firewall to the server. You will need to pass TCP port 1723 to the internal IP of the Server 2008 machine, and you will also have to enable a feature known as PPTP Passthrough. This feature creates a port called GRE 47 - this is not TCP port 47, so a firewall rule cannot be created in the usual way. It's either enabling the passthrough option or using your router/firewall's built-in rules to add in the ports for PPTP.

Don't forget that users who are dialling in will need the "Allow" flag setting on the Dial-in tab of their user properties.
0
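Rob's point above that the failure is very possibly GRE being blocked, and the howto's note that TCP port 1723 and GRE (IP protocol 47) are two separate things a firewall must pass, can both be narrowed down from outside before touching the client. The following is an added example, not code from either commenter or from Microsoft: a small Python probe that opens TCP/1723, sends a PPTP Start-Control-Connection-Request (RFC 2637) and decodes the Start-Control-Connection-Reply. If the TCP connect fails, the router's 1723 forward or the server firewall is the problem; if the server answers with result code 1, the control channel is fine, and a client that still dies afterwards ("Registering computer on the network", error 721) points at GRE or at authentication, since GRE itself cannot be exercised over this TCP channel. The "rras-dc"/"Microsoft" strings in the sample reply are constructed for the offline test and are not captured from a real server; the target host and port are whatever you pass in.

```python
"""PPTP control-channel probe (RFC 2637). Added example, not the original
poster's or Microsoft's code.

Sends a Start-Control-Connection-Request (SCCRQ) to TCP/1723 and parses the
Start-Control-Connection-Reply (SCCRP). This separates "TCP 1723 is not
forwarded" from "PPTP answers but GRE (IP protocol 47) is dropped"; GRE
itself cannot be exercised over this TCP channel.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2         # control message types: request / reply
SCC_LEN = 156               # both SCCRQ and SCCRP are fixed at 156 bytes

# Common header: length, message type, magic cookie, control message type, reserved0
HDR = "!HHIHH"
# SCCRQ body: protocol version, reserved1, framing caps, bearer caps,
#             max channels, firmware revision, hostname[64], vendor[64]
SCCRQ_BODY = "!HHIIHH64s64s"
# SCCRP body: protocol version, result code, error code, framing caps,
#             bearer caps, max channels, firmware revision, hostname[64], vendor[64]
SCCRP_BODY = "!HBBIIHH64s64s"

RESULT_CODES = {1: "OK", 2: "general error", 3: "command channel already exists",
                4: "requester not authorized", 5: "protocol version not supported"}


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"probe") -> bytes:
    """Build an SCCRQ advertising async+sync framing and analog+digital bearer."""
    hdr = struct.pack(HDR, SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    # struct's 64s pads or truncates the strings to exactly 64 bytes
    body = struct.pack(SCCRQ_BODY, 0x0100, 0, 3, 3, 1, 0, hostname, vendor)
    return hdr + body


def parse_sccrp(data: bytes) -> dict:
    """Validate and decode an SCCRP; raises ValueError on anything that is not one."""
    if len(data) < SCC_LEN:
        raise ValueError(f"short reply: {len(data)} bytes")
    _length, mtype, cookie, ctype, _ = struct.unpack(HDR, data[:12])
    if mtype != CTRL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message (bad type or magic cookie)")
    if ctype != SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctype}")
    version, result, error, _framing, _bearer, channels, _fw, host, vendor = \
        struct.unpack(SCCRP_BODY, data[12:SCC_LEN])
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "result_code": result,
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "error_code": error,
        "max_channels": channels,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def probe(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect, send an SCCRQ, read one SCCRP. 'tcp' is False if the port never answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sccrq())
            buf = b""
            while len(buf) < SCC_LEN:          # loop: the reply may arrive in pieces
                chunk = s.recv(SCC_LEN - len(buf))
                if not chunk:
                    break
                buf += chunk
    except OSError as e:                         # refused, timed out, unreachable
        return {"tcp": False, "error": str(e)}
    try:
        return {"tcp": True, **parse_sccrp(buf)}
    except ValueError as e:
        return {"tcp": True, "result_code": None, "error": str(e)}


def diagnose(result: dict) -> str:
    """Turn a probe result into the next thing to check."""
    if not result["tcp"]:
        return "TCP/1723 unreachable: check the router's PPTP/1723 forward and the server firewall"
    if result.get("result_code") != 1:
        return ("TCP/1723 answered but no valid SCCRP with result OK: "
                f"{result.get('result') or result.get('error')}")
    return ("control channel OK; a connection that still fails after this point "
            "means GRE (IP protocol 47) is blocked or authentication failed")


def sample_sccrp() -> bytes:
    """Constructed SCCRP (not captured from a real server) for offline testing."""
    hdr = struct.pack(HDR, SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    body = struct.pack(SCCRP_BODY, 0x0100, 1, 0, 3, 3, 1, 0, b"rras-dc", b"Microsoft")
    return hdr + body


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    res = probe(target)
    print(res)
    print(diagnose(res))
```

Run it as `python pptp_probe.py vpn.domain.com` from off site (as Rob says, the external address cannot be tested from the LAN); from inside the LAN point it at the server's LAN IP to confirm RRAS itself is listening. A result of "control channel OK" with the Vista client still failing is the signature of GRE being dropped somewhere between the client and the server, which is exactly the case a mobile or double-NAT connection produces.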
 
pipelineconsultingAuthor Commented:
Followed all of your suggestions but still having a few problems.  The router has been set to allow the PPTP service through (not sure if I need to allow any others through?)

Viewed through Event Viewer, the error I am getting is:

This computer was not able to set up a secure session with a domain controller in domain PIPELINE due to the following:
There are currently no logon servers available to service the logon request.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.

The error is being thrown by NETLOGON and has an event ID of 5719.

Do I need to configure anything else on the client laptop? Can I assume that the VPN request is getting through the firewall?
0
 
Rob WilliamsCommented:
When the connection fails what error number is reported such as 721, 691, 800?
This is not in the event log but rather pops up on the client when the connection fails.
You cannot test the VPN using the external address of the server from the LAN, you must be off site.
You can test at least the VPN configuration by connecting from the LAN to the Server's LAN IP.
0
 
pipelineconsultingAuthor Commented:
I am using the built-in Vista VPN client which is added through Network and Sharing Centre.
I get a pop up which asks simply whether to Diagnose the Problem (nothing useful revealed here) or to Try Again - there are no error codes shown.

I have tried connecting through a 3G mobile dongle but with no success.
0
 
Rob WilliamsCommented:
Have you tried from off site using a wired connection?
Very often 3G connections will not work because of blocked GRE or multiple NAT configurations.
It sounds like the initial connection is made, handshaking starts, but authentication fails. This can be due to bad credentials, dissimilar authentication protocols, and often due to blocked GRE.
0
 
pipelineconsultingAuthor Commented:
I've tried an offsite wireless connection, which also didn't work.
0
