Solved

VPN Issues SBS 2008

Posted on 2010-09-15
21
1,157 Views
Last Modified: 2012-05-10
Hi,

I am administering a SBS 2008 environment and am struggling to establish a VPN session from one of my clients remotely. I have checked that port 1723 is open and that seems to be ok, but when I try to connect via VPN on the client it acknowledges the IP address but then waits for 60 secs at the verifying username and password, then times out... when I click on more info SBS is saying the ports might not be open on the router.. Also when I try and use the wizard in Windows Console SBS, it seems to configure the server but then issues errors with the router not having port 1723 open..

Any help would be greatly appreciated...
0
Comment
Question by:dazzzor
21 Comments
 
LVL 4

Expert Comment

by:andy_maskell
ID: 33684593
The router may not have VPN Passthrough built in. If it does then enable it for PPTP. If not you will need to allow GRE 47 through as well as 1723. Some routers will show GRE (which is not TCP or UDP) but others will show it in the list as PPTP Protocol 0.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33685472
Agreeing with Andy, it sounds like GRE is blocked. Can you provide the make and model of the router and we may be able to provide specific instructions. To enable GRE, some routers have "enable PPTP pass-through", some you forward PPTP traffic rather than port 1723 (which does both port 1723 & GRE), and some require specific commands.

As for the SBS router error, that just indicates UPnP is not enabled on the router so the SBS cannot set it for you. That is good, as enabling UPnP can be a security risk.
0
 

Author Comment

by:dazzzor
ID: 33685555
Hi Guys,
Thanks for your prompt response..  the router in question is a Belkin N+ Wireless Router (F5D82354) which I have checked the spec and this router has got PPTP (VPN Pass through) I have gone into the Virtual server config and opened port 47...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33685596
GRE is protocol 47, not port 47. You cannot "forward" GRE as such. Is there an option, likely in the firewall section, to enable PPTP pass-through?
0
 

Author Comment

by:dazzzor
ID: 33685644
No, I have checked and there is no section to enable PPTP pass-through... certainly not within firewall
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33685679
When the connection fails what error number is displayed? If GRE is the issue, 90% of the time you will have a 721 error, although on occasion it reports 691 or even less so 812 (mostly on Vista machines).

Have you verified it is not a server issue? To do so try connecting from the LAN using the LAN IP of the SBS. If that works it is an issue with the router and enabling GRE (most common), or the modem or ISP do not support GRE, or the client's router does not support GRE.

You must test connecting to the SBS's public IP from off site (not the LAN), and there can only be one NAT device (router or combined router/modem) between the Internet and the SBS. If the modem functions both as a modem and router you need to put it in Bridge mode. To confirm, the WAN configuration of the Belkin must have a public IP.
0
 

Author Comment

by:dazzzor
ID: 33685711
I have just tried to connect once again and the error was a 721
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33685733
I don't see any mention in the manual as to how to configure.
It is possible it does not support incoming VPN connections. Though product specs and manual say it supports PPTP pass through, the exact quote is:
"Support for VPN Pass-Through
If you connect to your office network from home using a VPN connection, your Router will allow your VPN-equipped computer to pass through the Router and to your office network."
This is an outgoing connection, not incoming. Not all routers support incoming VPN connections.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33685734
721 is definitely a GRE issue.
0
 

Author Comment

by:dazzzor
ID: 33685748
so is this issue down to a router that will not allow incoming VPN sessions.. ???
0
 

Author Comment

by:dazzzor
ID: 33685794
I must admit that I am also having issues with connecting to the server remotely via this router to install an SSL cert, tests have said the following ports are open 25,80,443,987 and this is the result of the internet address wizard in SBS 2008.... and clearly these ports are open....
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 33685822
No need for 80 on SBS.

Forwarding is probably enabled as the initial handshaking with the VPN, which is done using just port 1723, is taking place; it is the secondary authentication process that requires GRE and fails.

It could be the router doesn't support it, but as mentioned some modems, some ISPs (Comcast residential accounts in some areas for example), and some client end routers do not support it as well. I cannot confirm if that router works or not. There have been problems with VPNs and some older Belkins for sure.
0
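The distinction drawn in this thread (GRE is IP protocol 47, not a port, so the TCP 1723 handshake can succeed while the tunnel still fails) can be checked against a packet capture taken at the VPN server. The following is an added example, not part of the original thread; the addresses, sample packets and function names are constructed for illustration.

```python
import struct

TCP, GRE, PPTP_PORT = 6, 47, 1723   # 6 and 47 are IP protocol numbers, 1723 is a TCP port

def ipv4(proto, src, dst, payload=b""):
    """Build a minimal constructed IPv4 packet (checksum left at 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header; only the ports matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)

def classify(packet):
    """Return 'pptp-control', 'gre' or 'other' for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IP protocol field
    if proto == GRE:
        return "gre"                      # GRE has no port numbers at all
    if proto == TCP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control"
    return "other"

def diagnose(capture):
    """Summarise what a capture taken at the VPN server shows."""
    kinds = {classify(p) for p in capture}
    if "pptp-control" not in kinds:
        return "no TCP 1723 traffic: port forward missing or blocked"
    if "gre" not in kinds:
        return "TCP 1723 seen but no IP protocol 47: GRE not passed"
    return "control channel and GRE both present"

# Constructed sample data: documentation addresses, not from the thread.
CLIENT, SERVER = "203.0.113.10", "192.168.16.2"
CONTROL = [ipv4(TCP, CLIENT, SERVER, tcp(50000, 1723)),
           ipv4(TCP, SERVER, CLIENT, tcp(1723, 50000))]
# A "port 47" forward only ever carries TCP/UDP, so it is not GRE.
GRE_BLOCKED = CONTROL + [ipv4(TCP, CLIENT, SERVER, tcp(50001, 47))]
GRE_PASSED = CONTROL + [ipv4(GRE, CLIENT, SERVER, b"\x30\x01\x88\x0b")]

if __name__ == "__main__":
    print(diagnose(GRE_BLOCKED))
    print(diagnose(GRE_PASSED))
```

On a real capture, the "GRE not passed" result corresponds to the error 721 symptom described in the thread.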
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 33686129
Slight tangent, what is the client OS?
0
 

Author Comment

by:dazzzor
ID: 33686190
I have just swapped the router to a Dlink and allowed the ports required and that has solved the problem..  I can create a VPN session no problem......  
0
 

Author Comment

by:dazzzor
ID: 33686228
but even though the VPN is working I have just run the Windows SBS console wizard again and it failed, I am puzzled...  ??????
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33686424
Do you mean failed in that it will not allow the SBS to configure the router?
If so that is common. In order to eliminate that error you have to enable UPnP on the router. This then allows the SBS to configure the router automatically. Even that fails a lot of the time, but I don't recommend enabling UPnP, there are serious security concerns with doing so. Most folk just live with the error. It is not a critical error, just an informational one.
http://www.grc.com/unpnp/unpnp.htm
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33686432
For the record, I don't mean to be insulting in any way, but Belkin routers I find to be quite problematic and not a business class router at all.
0
 

Author Closing Comment

by:dazzzor
ID: 33689912
thank you
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33690111
Thanks dazzzor.
Cheers!
--Rob
0
 

Expert Comment

by:KoCoS_Messtechnik
ID: 33867371
Hi,

Just read this post and I have exactly the same problem with my VPN Error 721 but all Required ports are open and VPN Passthrough is enabled?

I am using a CISCO Linksys N Router.

Any further thoughts?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33867382
KoCoS_Messtechnik, you will need to start a new question of your own.
--Rob
0
