Solved

VPN on 2003 SBS Premium Server not working AFTER Swing Migration

Posted on 2010-09-20
Last Modified: 2012-05-10
Hello Experts,

I just completed a "Swing Migration" of a 2003 SBS Premium Server. Everything went relatively smoothly except I can't get VPN to work now. The new server name is the SAME as well as the IP address of the previous server, so the Fortigate Firewall programming should be right. VPN worked to the previous server fine.

I went through the wizards CEICW and "Configure Remote Access" and they went through without a hitch. The server has only 1 NIC (just as the prior server did).

When I try to connect, the client gets "Error 800" stating that it can't find the server.

I CAN VPN internally to the server, however, externally it doesn't work.
Keep in mind that the NEW server has the SAME IP address and the SAME DNS Name so the Fortigate Firewall should be configured correctly.

I know it sounds like the firewall is blocking, however, it is configured correctly.
We are NOT running ISA on the server.

Any help would be GREATLY appreciated!
Question by:Docomon

LVL 77

Expert Comment

by:Rob Williams
ID: 33716023
An 800 error indicates there is not even any initial handshaking. Connection to the SBS is blocked somewhere or the VPN is not configured.
I would recommend a couple of initial tests.
-From the LAN try to connect to SBS using the VPN, but use the SBS LAN IP not your public IP. If this works it would indicate the VPN is properly configured
-Next from the SBS go to  www.canyouseeme.org and test for port 1723 to see if it sees the port as open. If it fails it is the Fortigate or the SBS firewall blocking the connection.

For the record you need to test connecting to the external IP from outside the LAN as most routers will not allow 'hair-pinning'

Author Comment

by:Docomon
ID: 33716164
Thank you for your response. I totally forgot about "canyouseeme.org"

canyouseeme.org CAN see me on port 1723 from the server. I CAN connect to the server internally via the VPN using the internal IP.

So, since 1723 is open to the internet and the VPN works internally to the server, it seems like the server is blocking connections from OUTSIDE the network, even though the VPN client is getting a local address.

Any ideas?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33716208
Did you 'swing' to 2003 or 2008?
 

Author Comment

by:Docomon
ID: 33716221
From 2003 Premium TO 2003 Premium. Different media, same exact platform.
 

Author Comment

by:Docomon
ID: 33716345
I just VPN'd from internal LAN again to check IP address the VPN got. It was 10.0.0.12 (My LAN address is 10.0.0.13).

I am currently connected via VPN (internally only) and it works as expected.

Any other ideas?
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33716391
That is correct. The VPN assigns a block of 10 IPs as soon as the first connection is made. The first one is assigned to the server, the second to the first VPN client.
That is not a problem.

2003 means the Windows firewall is disabled so that is not a problem.

Very bizarre. The fortigate is not also set up as a PPTP VPN server/Host is it? If so it could be capturing the traffic and keeping it local.
Also, just for peace of mind, go to http://www.whatismyip.com and confirm the public IP.
 

Author Comment

by:Docomon
ID: 33716474
The programming on the Fortigate hasn't changed at all. It is functioning as it has for 3 or so years.

The public IP is correct. I already checked that yesterday when I figured out that VPN wasn't working.
 

Author Comment

by:Docomon
ID: 33716541
Another tidbit of information I just discovered (by comparing the old server to the new server; the old server is connected to an isolated hub, NOT to this network):

I go into RRAS MMC and under "Remote Access Policies", VPN Access isn't listed on the new server, but it IS on the old server.

Is there a way to put it there? I went through the wizards several times, but it doesn't change it at all.

It DOES appear on the old server.
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 33716666
You shouldn't need a VPN policy in the "Remote Access Policies". Generally you would create one to add restrictions, or if you had ISA installed on the old server it would have created one. It is also possible the old server had RADIUS configured for Active Directory authentication by the Fortigate, which would also add a policy to the RRAS console.
What policies are in place now in RRAS?

Though I always recommend using the wizards you could try disabling RRAS by right clicking on the server name in the RRAS console and then manually recreate using instructions from my site:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33716700
The default policies would be:
Small Business Remote Access Policy (only if wizard used)
Connections to Microsoft Routing and Remote Access Server
Connections to other access servers
 

Author Comment

by:Docomon
ID: 33716980
Those are the policies that are on the new server.

Seems strange that port 1723 is open from the internet straight to the server and VPN works internally to the server, but externally it won't.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33717029
A long shot would be to reboot the Fortigate to refresh the connection.
 

Author Comment

by:Docomon
ID: 33717064
Thanks for your reply.

Did that yesterday with no effect. I hate Fornicate routers, but it's what the client already had.

Still researching and trying...
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33717233
I am stumped; everything looks perfect. As mentioned you could try manually creating the VPN, but I am very doubtful that will make a difference.

Also, as pointed out, you are trying to connect from off site, are you? Connecting from the SBS LAN to the public IP will very seldom work.

I also assume there are no third party software firewalls like McAfee security suite, Windows OneCare, or others? They often allow LAN connections but block all other connections until added as "safe networks".
 

Author Comment

by:Docomon
ID: 33717368
I am connecting through a Verizon Wireless Hotspot. This has worked countless times in the past with this laptop.

I am attempting to connect to the public IP when using the hotspot.
I am connecting internally with a 10.0.0.x address to the server using the server's LAN address of 10.0.0.230

My address is 10.0.0.6 when connecting internally.

This is driving me NUTS!
 

Author Comment

by:Docomon
ID: 33717496
Obviously, the VPN is working on the LAN.

I can telnet to the public IP using port 1723 from the outside and it works.  It appears like the server isn't giving an IP address if the connection is coming from a public ip connection.

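Both the canyouseeme.org check Rob suggested earlier and the telnet test above only prove that something accepts a TCP connection on port 1723. The script below is an added example (not code from this thread, and not Microsoft's or Fortinet's) that goes one step further: it sends the PPTP Start-Control-Connection-Request from RFC 2637 and parses the reply, so anything other than an SCCRP with result code 1 tells you the port is forwarded to something that is not a working PPTP server. The host name and vendor string it sends are placeholders, and build_sccrp exists only so the parser can be exercised offline against a constructed reply. Keep in mind that PPTP data travels over GRE (IP protocol 47), which this probe does not exercise; a firewall that forwards TCP 1723 but drops GRE passes this test and still fails the tunnel.

```python
"""Probe a PPTP server's control channel (RFC 2637 SCCRQ -> SCCRP) on TCP 1723.

Added example for this thread; not code from the original post.
Host names and vendor strings below are placeholders.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1          # PPTP Message Type: control message
CTRL_SCCRQ = 1           # Start-Control-Connection-Request
CTRL_SCCRP = 2           # Start-Control-Connection-Reply
PROTO_VERSION = 0x0100   # version 1.0
MSG_LEN = 156            # SCCRQ and SCCRP are both fixed-length

# SCCRQ: length, msg type, cookie, ctrl type, reserved0, version, reserved1,
#        framing caps, bearer caps, max channels, firmware rev, host name, vendor
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"
# SCCRP: same layout, but reserved1 becomes a 1-byte result code + 1-byte error code
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"

RESULT_CODES = {
    1: "ok",
    2: "general error",
    3: "command channel already exists",
    4: "requester not authorized",
    5: "unsupported protocol version",
}


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"example") -> bytes:
    """Client side: advertise async+sync framing, analog+digital bearer, 1 channel."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRQ, 0,
                       PROTO_VERSION, 0, 3, 3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def build_sccrp(result: int = 1, error: int = 0, hostname: bytes = b"sbs01",
                vendor: bytes = b"Microsoft") -> bytes:
    """Server-side reply; used here only to construct a sample SCCRP offline."""
    return struct.pack(SCCRP_FMT, MSG_LEN, MSG_CONTROL, MAGIC_COOKIE, CTRL_SCCRP, 0,
                       PROTO_VERSION, result, error, 3, 3, 5, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data: bytes) -> dict:
    """Validate the reply and pull out the fields an operator cares about."""
    if len(data) < MSG_LEN:
        raise ValueError(f"short reply ({len(data)} bytes): not a PPTP control message")
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     _framing, _bearer, max_chan, _firmware, host, vendor) = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    if msg_type != MSG_CONTROL or cookie != MAGIC_COOKIE:
        raise ValueError("reply is not a PPTP control message (bad type or magic cookie)")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctrl_type}")
    return {
        "version": f"{version >> 8}.{version & 0xFF}",
        "result_code": result,
        "result": RESULT_CODES.get(result, f"unknown ({result})"),
        "error_code": error,
        "max_channels": max_chan,
        "hostname": host.rstrip(b"\0").decode("ascii", errors="replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", errors="replace"),
    }


def probe(host: str, timeout: float = 5.0) -> dict:
    """Open TCP 1723, send an SCCRQ and parse the SCCRP (needs network access)."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < MSG_LEN:
            chunk = s.recv(MSG_LEN - len(data))
            if not chunk:
                raise ConnectionError("server closed TCP 1723 without sending an SCCRP")
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Run it from outside the LAN against the public IP (python3 pptp_probe.py <public-ip>), for the same hairpinning reason Rob gave; a result of "requester not authorized" or "unsupported protocol version" is still a PPTP server talking to you, whereas a short or non-PPTP reply means the forward does not reach RRAS at all.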
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33717725
Even so I would think you would get beyond an 800 error.
Perhaps open RRAS, right click on the server name and choose properties, IP tab; at the bottom, make sure it says to use the LAN adapter rather than allow RRAS to select.

Again in RRAS under ports, make sure there is more than 1 PPTP port. Default with SBS is 5 but it can be up to 128.

I assume the account you are using is approved for VPN (then again that would be a 691 error)

Maybe try the manual configuration, you can always re-run the wizard later.

I am grasping at straws :-)

 

Author Comment

by:Docomon
ID: 33717821
It is configured to use the server's LAN connection already.
I am trying to connect using the Administrator's account. It works internally fine, so the account is approved. Externally, well..... here we are.

I REALLY DO appreciate your help on this. Thanks!
 

Author Comment

by:Docomon
ID: 33718710
Any other ideas??? This is PARAMOUNT that I get this working ASAP...
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33720654
Sorry, I got pulled away for a service call. Glad to help, but sorry I haven't succeeded in providing much in the way of ideas so far.

It's odd because getting the initial connection is quite straight forward. Issues such as losing connections, authentication and such are more common.

The default configuration of SBS uses the SBS DHCP service. I know this works from the LAN, but again grasping at straws: is the SBS your DHCP server, or do you use a router? It should be the SBS.
 

Author Comment

by:Docomon
ID: 33756668
Actually, the problem ended up being with the Fortigate needing the server to act as a Radius server to authenticate users for VPN, however since RobWill helped me a lot, I awarded the points to him.

Thanks for your help!
 
LVL 77

Expert Comment

by:Rob Williams
ID: 33758757
That is odd. There should be no need for the Fortigate to require a RADIUS server unless it was the VPN endpoint/server. That is why I asked earlier; "The fortigate is not also set up as a PPTP VPN server/Host is it? If so it could be capturing the traffic and keeping it local."  
I suspect the Fortigate is your VPN server and it uses active directory for authentication. When you did the migration you would lose IAS/RADIUS and thus broke the VPN. I am willing to bet you can disable the VPN on the SBS within RRAS and everything will still work.

Regardless, glad to hear you have it working and thank you for the points, though I don't see where they were awarded.
Cheers!
--Rob
 

Author Closing Comment

by:Docomon
ID: 34071279
Actually, this wasn't the solution at all. He was the only one that helped me, so I gave him the points.

The solution turned out to be a radius server needed to be set up on the server to take requests from the firewall to authenticate users.
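The closing comment says the fix was a RADIUS server on the SBS (IAS on Windows Server 2003) answering authentication requests from the Fortigate, which fits Rob's guess that the firewall, not RRAS, was the VPN endpoint and that the IAS client entry and shared secret did not survive the swing migration. The thread shows no configuration, so what follows is an added example, not the page's code and not Fortinet's or IAS's implementation: a PAP Access-Request/Access-Accept exchange per RFC 2865 with both sides run in-process. It shows why a shared-secret mismatch looks like a plain logon failure: the server cannot unhide the User-Password and rejects, and the NAS cannot validate the Response Authenticator of whatever comes back. All user names, passwords and secrets here are made up. A real IAS deployment additionally needs the firewall's IP registered as a RADIUS client with the same secret and UDP 1812 (IAS also listens on the legacy 1645) open from the firewall to the server; if the firewall is set to MS-CHAPv2 instead of PAP, the credentials travel in Microsoft vendor-specific attributes (RFC 2548), which this example does not cover.

```python
"""RADIUS PAP exchange, RFC 2865: NAS (the firewall's role) <-> RADIUS server (IAS's role).
Added example for this thread, not the page's code and not Fortinet's or IAS's implementation;
every user name, password and shared secret used with it is made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; a wrong secret yields garbage rather than an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, _md5(secret, prev))), block
    return out.rstrip(b"\0")  # drop padding (PAP passwords contain no NUL bytes)


def encode_attrs(attrs):
    return b"".join(struct.pack(">BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    return struct.pack(">BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret, nas_id=b"fortigate"):
    """NAS side. Returns the packet and the random Request Authenticator it used."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (ATTR_NAS_IDENTIFIER, nas_id)])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack(">BBH", code, ident, HEADER_LEN + len(attrs))
    return _md5(header, request_auth, attrs, secret)


def server_handle(packet, secret, users):
    """RADIUS server side: decode, check the PAP password, answer Accept or Reject."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:HEADER_LEN], decode_attrs(packet[HEADER_LEN:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(password, users[user])
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, request_auth, b"", secret)
    return build_packet(reply_code, ident, auth, b"")


def client_verify(response, request_auth, secret):
    """NAS side: trust a reply only if its Response Authenticator was made with our secret."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    reply_attrs = response[HEADER_LEN:length]
    expected = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    if not hmac.compare_digest(expected, response[4:HEADER_LEN]):
        raise ValueError("bad Response Authenticator: shared-secret mismatch or spoofed reply")
    return code


def authenticate(username, password, client_secret, server_secret, users):
    """Whole round trip in-process; returns 'accept', 'reject' or 'bad-authenticator'."""
    request, request_auth = build_access_request(7, username, password, client_secret)
    response = server_handle(request, server_secret, users)
    try:
        code = client_verify(response, request_auth, client_secret)
    except ValueError:
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

The users dict stands in for the Active Directory lookup IAS performs; the point of the example is the wire format and the two places the shared secret is used (password hiding and the Response Authenticator), since after a server rebuild those are exactly what has to match the firewall's RADIUS client settings again.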