VPN on 2003 SBS Premium Server not working AFTER Swing Migration

Hello Experts,

I just completed a "Swing Migration" of a 2003 SBS Premium Server. Everything went relatively smoothly except I can't get VPN to work now. The new server name is the SAME as well as the IP address of the previous server, so the Fortigate Firewall programming should be right. VPN worked to the previous server fine.

I went through the wizards CEICW and "Configure Remote Access" and they went through without a hitch. The server has only 1 NIC (just as the prior server did).

When I try to connect, the client gets "Error 800" stating that it can't find the server.

I CAN VPN internally to the server, however, externally it doesn't work.
Keep in mind that the NEW server has the SAME IP address and the SAME DNS Name so the Fortigate Firewall should be configured correctly.

I know it sounds like the firewall is blocking, however, it is configured correctly.
We are NOT running ISA on the server.

Any help would be GREATLY appreciated!
Docomon asked:

Rob Williams commented:
An 800 error indicates there is not even any initial handshaking. Connection to the SBS is blocked somewhere or the VPN is not configured.
I would recommend a couple of initial tests.
- From the LAN try to connect to SBS using the VPN, but use the SBS LAN IP not your public IP. If this works it would indicate the VPN is properly configured.
- Next from the SBS go to www.canyouseeme.org and test for port 1723 to see if it sees the port as open. If it fails it is the Fortigate or the SBS firewall blocking the connection.

For the record you need to test connecting to the external IP from outside the LAN as most routers will not allow 'hair-pinning'
Docomon (author) commented:
Thank you for your response. I totally forgot about "canyouseeme.org"

canyouseeme.org CAN see me on port 1723 from the server. I CAN connect to the server internally via the VPN using the internal IP.

So, since 1723 is open to the internet and the VPN works internally to the server, it seems like the server is blocking connections from OUTSIDE the network, even though the VPN client is getting a local address.

Any ideas?
Rob Williams commented:
Did you 'swing' to 2003 or 2008?

Docomon (author) commented:
From 2003 Premium TO 2003 Premium. Different media, same exact platform.
Docomon (author) commented:
I just VPN'd from internal LAN again to check IP address the VPN got. It was 10.0.0.12 (My LAN address is 10.0.0.13).

I am currently connected via VPN (internally only) and it works as expected.

Any other ideas?
Rob Williams commented:
That is correct. The VPN assigns a block of 10 IPs as soon as the first connection is made. The first one is assigned to the server, the second to the first VPN client.
That is not a problem.

2003 means the Windows firewall is disabled so that is not a problem.

Very bizarre. The Fortigate is not also set up as a PPTP VPN server/host, is it? If so it could be capturing the traffic and keeping it local.
Also just for peace of mind, go to http://www.whatismyip.com and confirm the public IP.
Docomon (author) commented:
The programming on the Fortigate hasn't changed at all. It is functioning as it has for 3 or so years.

The public IP is correct. I already checked that yesterday when I figured out that VPN wasn't working.
Docomon (author) commented:
Another tidbit of information I just discovered (by comparing the old server to the new server; the old server is connected to an isolated hub, NOT to this network):

I go into RRAS MMC and under "Remote Access Policies", VPN Access isn't listed on the new server, but it IS on the old server.

Is there a way to put it there? I went through the wizards several times, but it doesn't change it at all.

It DOES appear on the old server.
Rob Williams commented:
You shouldn't need a VPN policy in the "Remote Access Policies". Generally you would create one to add restrictions, or if you had ISA installed on the old server it would have created one. It is also possible the old server had RADIUS configured for Active Directory authentication by the Fortigate, which would also add a policy to the RRAS console.
What policies are in place now in RRAS?

Though I always recommend using the wizards you could try disabling RRAS by right clicking on the server name in the RRAS console and then manually recreate using instructions from my site:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
Rob Williams commented:
The default policies would be:
Small Business Remote Access Policy (only if wizard used)
Connections to Microsoft Routing and Remote Access Server
Connections to other access servers
Docomon (author) commented:
Those are the policies that are on the new server.

Seems strange that port 1723 is open from the internet straight to the server and VPN works internally to the server, but externally it won't.
Rob Williams commented:
A long shot would be to reboot the Fortigate to refresh the connection.
Docomon (author) commented:
Thanks for your reply.

Did that yesterday with no effect. I hate Fornicate routers, but it's what the client already had.

Still researching and trying...
Rob Williams commented:
I am stumped; everything looks perfect. As mentioned you could try manually creating the VPN, but I am very doubtful that will make a difference.

Also, as pointed out, you are trying to connect from off site, are you? Connecting from the SBS LAN to the public IP will very seldom work.

I also assume there are no third party software firewalls like McAfee security suite, Windows OneCare, or others? They often allow LAN connections but block all other connections until added as "safe networks".
Docomon (author) commented:
I am connecting through a Verizon Wireless Hotspot. This has worked countless times in the past with this laptop.

I am attempting to connect to the public IP when using the hotspot.
I am connecting internally with a 10.0.0.x address to the server using the server's LAN address of 10.0.0.230

My address is 10.0.0.6 when connecting internally.

This is driving me NUTS!
Docomon (author) commented:
Obviously, the VPN is working on the LAN.

I can telnet to the public IP using port 1723 from the outside and it works. It appears like the server isn't giving an IP address if the connection is coming from a public IP connection.

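Added example, not code from the thread: the telnet and canyouseeme.org checks above only prove that TCP/1723 accepts a connection, while an Error 800 means the PPTP control handshake never happened. The Python probe below goes one step further and sends the Start-Control-Connection-Request that a PPTP client sends first, then parses the server's reply (RFC 2637), so "port open" and "PPTP answers" can be told apart when run against your own server from the LAN (10.0.0.230 from the thread) and then from outside. The sample reply, its hostname and vendor strings are constructed for the test, not captured.

```python
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D
SCCRQ, SCCRP = 1, 2    # Start-Control-Connection-Request / -Reply (RFC 2637)
HDR = "!HHIHH"          # length, PPTP message type, magic cookie, control type, reserved0

def build_sccrq(hostname: bytes = b"diag-client") -> bytes:
    """The first control message a PPTP client sends after the TCP/1723 connect."""
    return struct.pack(HDR + "HHIIHH64s64s",
                       156, 1, PPTP_MAGIC, SCCRQ, 0,
                       0x0100,   # protocol version 1.0
                       0,        # reserved1
                       3, 3,     # framing (async|sync) and bearer (analog|digital) capabilities
                       1, 0,     # maximum channels, firmware revision
                       hostname.ljust(64, b"\0"), b"".ljust(64, b"\0"))

def sample_sccrp(result: int = 1, error: int = 0) -> bytes:
    """Constructed SCCRP shaped like a server's reply (test data, not a capture)."""
    return struct.pack(HDR + "HBBIIHH64s64s",
                       156, 1, PPTP_MAGIC, SCCRP, 0, 0x0100, result, error,
                       3, 3, 5, 0, b"sbs2003".ljust(64, b"\0"), b"Microsoft".ljust(64, b"\0"))

def parse_sccrp(data: bytes) -> dict:
    """Parse a Start-Control-Connection-Reply; raise if the bytes are not one."""
    if len(data) < 156:
        raise ValueError("short or missing PPTP control reply: %d bytes" % len(data))
    (_len, msg_type, magic, ctrl, _r0, _ver, result, error,
     _framing, _bearer, max_chan, _fw) = struct.unpack(HDR + "HBBIIHH", data[:28])
    if magic != PPTP_MAGIC or msg_type != 1 or ctrl != SCCRP:
        raise ValueError("not a PPTP SCCRP (magic=%#x type=%d ctrl=%d)" % (magic, msg_type, ctrl))
    return {"accepted": result == 1,          # result 1 = control channel established
            "result": result, "error": error, "max_channels": max_chan,
            "hostname": data[28:92].rstrip(b"\0").decode("ascii", "replace"),
            "vendor": data[92:156].rstrip(b"\0").decode("ascii", "replace")}

def probe_pptp(host: str, port: int = 1723, timeout: float = 5.0) -> dict:
    """Connect to your own VPN server, send SCCRQ and parse the SCCRP. A TCP connect
    that succeeds but never yields an SCCRP is the 'port open, still Error 800' case."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < 156:
            chunk = s.recv(156 - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)
```

Call probe_pptp("10.0.0.230") from a LAN host and probe_pptp with the public IP from the hotspot; a ValueError on the second call while the first returns accepted=True points at whatever sits between the internet and the RRAS service rather than at RRAS itself.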
Rob Williams commented:
Even so I would think you would get beyond an 800 error.
Perhaps open RRAS, right click on the server name and choose properties, IP tab; at the bottom make sure it says to use the LAN adapter rather than allow RRAS to select.

Again in RRAS under ports, make sure there is more than 1 PPTP port. Default with SBS is 5 but it can be up to 128.

I assume the account you are using is approved for VPN (then again that would be a 691 error)

Maybe try the manual configuration, you can always re-run the wizard later.

I am grasping at straws :-)

Docomon (author) commented:
It is configured to use the server's LAN connection already.
I am trying to connect using the Administrator's account. It works internally fine, so the account is approved. Externally, well..... here we are.

I REALLY DO appreciate your help on this. Thanks!
Docomon (author) commented:
Any other ideas??? This is PARAMOUNT that I get this working ASAP...
Rob Williams commented:
Sorry, I got pulled away for a service call. Glad to help but sorry I haven't succeeded in providing much in the way of ideas so far.

It's odd because getting the initial connection is quite straightforward. Issues such as losing connections, authentication and such are more common.

The default configuration of SBS uses the SBS DHCP service. I know this works from the LAN but, again grasping at straws, is the SBS your DHCP server, or do you use a router? It should be the SBS.
Docomon (author) commented:
Actually, the problem ended up being with the Fortigate needing the server to act as a RADIUS server to authenticate users for VPN; however, since RobWill helped me a lot, I awarded the points to him.

Thanks for your help!
Rob Williams commented:
That is odd. There should be no need for the Fortigate to require a RADIUS server unless it was the VPN endpoint/server. That is why I asked earlier: "The Fortigate is not also set up as a PPTP VPN server/host, is it? If so it could be capturing the traffic and keeping it local."
I suspect the Fortigate is your VPN server and it uses Active Directory for authentication. When you did the migration you would lose IAS/RADIUS and thus broke the VPN. I am willing to bet you can disable the VPN on the SBS within RRAS and everything will still work.

Regardless, glad to hear you have it working and thank you for the points, though I don't see where they were awarded.
Cheers!
--Rob
Docomon (author) commented:
Actually, this wasn't the solution at all. He was the only one that helped me so I gave him the points.

The solution turned out to be that a RADIUS server needed to be set up on the server to take requests from the firewall to authenticate users.
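To show what the final fix involves in protocol terms, here is an added example (not code from the thread, Fortinet or Microsoft): a minimal RFC 2865 RADIUS exchange in Python, with the firewall's Access-Request carrying a hidden User-Password and the server's reply carrying the Response Authenticator that the firewall verifies against the shared secret, so a secret mismatch or a wrong password both end in rejection. The shared secret, user and password are constructed, and User-Password (PAP) is used for brevity; a PPTP VPN on the firewall would more likely send MS-CHAP attributes, which is an assumption this example does not cover.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
# Constructed values: the secret typed into both the firewall and the RADIUS
# server, plus one VPN account. Nothing here comes from the thread.
SHARED_SECRET = b"fw-to-sbs-secret-example"
VPN_USERS = {"docomon": b"Correct-Horse-9"}

def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result
    return out

def build_access_request(user: str, password: str, ident: int, secret: bytes = SHARED_SECRET):
    """Firewall (NAS) side: returns (packet, request authenticator) to send to the server."""
    ra = os.urandom(16)
    padded = password.encode() + b"\0" * (-len(password) % 16)
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, _xor_chain(padded, secret, ra, False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra

def server_reply(request: bytes, secret: bytes = SHARED_SECRET, users: dict = VPN_USERS) -> bytes:
    """Server side: recover the password, check it, sign the reply with the shared secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    ra, attrs, pos = request[4:20], {}, 20
    while pos < length:                      # walk the type/length/value attribute list
        attrs[request[pos]] = request[pos + 2:pos + request[pos + 1]]
        pos += request[pos + 1]
    pw = _xor_chain(attrs[USER_PASSWORD], secret, ra, True).rstrip(b"\0")
    ok = code == ACCESS_REQUEST and hmac.compare_digest(users.get(attrs[USER_NAME].decode(), b"?"), pw)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + ra + secret).digest()   # Response Authenticator, no attributes

def client_accepts(reply: bytes, ra: bytes, ident: int, secret: bytes = SHARED_SECRET) -> bool:
    """Firewall side: trust only a reply whose authenticator proves the server knew the secret."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + ra + reply[20:length] + secret).digest()
    return rid == ident and hmac.compare_digest(expected, reply[4:20]) and code == ACCESS_ACCEPT
```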