Solved

How to install & use Cisco VPN client on Cloud Server

Posted on 2011-09-07
34
1,023 Views
Last Modified: 2012-06-27
I have been given the task to install and use a Cisco VPN client 4.8 on our Cloud Server (Rackspace, Windows 2003 Server), in order to connect to one of our customer's servers.  We normally connect to our Cloud Server via Remote Desktop, but the VPN will not "allow" us to install via RDP.  Rackspace provides a Java utility for "direct" access to the Cloud Server--and using this I was able to install the VPN.

But the dilemma is this.  The Java Utility does not allow anything to go out of the Cloud Server (no network, vpn, internet, remote access--nothing).  Rackspace says this is by design (for security).  But the VPN will not work when the user is connected by Remote Desktop (for security, I assume).  So the Java utility allows the VPN to "work", but does not allow anything to go out of the server.  While Remote Desktop allows the user to go out, the VPN will not "work" via RDP.  Sigh.

Any help I can get to solve this would be greatly appreciated.  I am completely new to this sort of thing.  I need a way to install and use the Cisco VPN client on this Cloud Server, working around these restrictions.  Thanks.
Question by:xnish
34 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36495734
What exactly do you mean by the VPN will not "work" via RDP?
It won't start, it gives you an error, RDP disconnects?
Could you elaborate?
0
 

Author Comment

by:xnish
ID: 36495872
Sure. I can still remote in via RDP--it works fine.  But when I try to then start the VPN Client, it will not start.  When I click on "VPN Client", after about a minute or so, there is a message, "Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again."  However, the service is listed and listed as "started".
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36495930
Do you happen to have the ICS service running on that server?
0
 

Author Comment

by:xnish
ID: 36496240
I have checked in Network Connections/Local Connection/Properties/Advanced and the Internet Connection Sharing "Allow other network users to connect...." check box is not checked.  So I am assuming that ICS is not running on the server.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36496611
To be sure, check the services.

Furthermore, did you install the client as a local admin? And when you run it, are you a local admin then?
0
 

Author Comment

by:xnish
ID: 36497048
I do have "Windows Firewall/Internet Connection Sharing" listed in the services.  And it has a status of "started".  And, yes, I believe that installing and attempting to run are both done as local admin.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36498423
Is the service set to 'auto'? Then try and set it to manual and stop it. There seems to be some issue with ICS that way.
0
 

Author Comment

by:xnish
ID: 36498538
This Cloud Server is used to host at least one website to the public.  With that in mind, would setting the "Windows Firewall/ICS" service to "manual" cause any problems?

But, yes, the service is set to "automatic".
0
 

Author Comment

by:xnish
ID: 36499534
I set the service in question to manual and stopped it.  Then rebooted and tried to get the VPN to connect (connected to the Cloud Server via RDP).  But, alas, nothing had changed--the VPN would still not connect, with same error message as before.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501096
Funny, I have a machine to which I can RDP and start the client. It's no server though.

When you connect to the server, do you set up a console version? So running: mstsc /console ?
0
 

Author Comment

by:xnish
ID: 36501404
Running mstsc /console does nothing different.  But running mstsc /admin to connect to the server did allow the VPN client to connect, it seemed.  That was new.  However, once it connected, I was then kicked out of my Remote Desktop connection and could not get back in.  Was then forced to use the Rackspace utility (which I now realize is a VNC) to connect to the cloud server and disconnect the VPN that was connected via RDP.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501440
/admin is with the new version, you're correct :-~

So do you have split tunneling enabled?
0
 

Author Comment

by:xnish
ID: 36501454
I don't rightly know, actually.  I installed the VPN "as is" and did nothing special.  Guess I will need to look into that.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501480
Split tunneling should be enabled on the remote firewall. Then there is also an option 'allow local LAN access' in the client.
0
 

Author Comment

by:xnish
ID: 36501558
I have checked the "Allow Local LAN Access" checkbox in the Transport tab of the VPN Client Properties.  Yet the VPN Client Statistics still says "Local LAN: Disabled".  What else am I supposed to do?

The Statistics also say "Transport Tunneling: Active on UDP port 4500".  I assume that is good.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501584
The second step is to enable split tunneling on the remote firewall, otherwise it still won't work. The rest of the settings are ok.
0
 

Author Comment

by:xnish
ID: 36501600
How do I "enable split tunneling on the remote firewall"?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501621
Do you have access to that firewall (it's the customer's one)? It is an ASA/PIX I assume?
0
 

Author Comment

by:xnish
ID: 36501632
I don't have access to their firewall, no.  And I really have no information about it.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501645
You might want to talk to their admin then. The thing is, without split tunneling when you set up the vpn, only traffic through the tunnel is allowed. That's why you lose the rdp session.
0
 

Author Comment

by:xnish
ID: 36501668
I will look into this.  And let you know.  In the meantime, sleep is a rare but good thing.....
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36501801
Sleep? I seem to remember I did that once :)

Good night, we'll be waiting.
0
 

Author Comment

by:xnish
ID: 36503657
I have found that our customer does not allow for split tunneling due to security reasons.  So they will not change their firewall, it appears.

So it looks like the dilemma is the only access to VPN to the customer's server is a Cloud Server that is only reachable via remote, but the VPN Client does not split tunnel to allow both RDP and VPN at the same time.  Hmmmm....
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36503716
That was a short night..........

So we have a challenge. I'm curious. What would happen if you rdp in, establish the vpn and go back in with the java utility?
This might be a long shot, but hey, who knows?
0
 

Author Comment

by:xnish
ID: 36503799
I did try that, but it didn't seem to work, last night.  

Sleep is overrated, isn't it?  Although, maybe if I had more of it, I would like it. :)
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36503931
It seems to be addictive, they say ;)

So what are the options.....

-talk to the customer again. You need them, they need you. So perhaps it is an option to create a separate vpn profile for you so you're the only ones with split tunneling enabled.
-see if there is another way to set this up. Are there multiple users going to use this vpn? Can't they connect from another machine (their laptops or whatever)?

Just tossing ideas.
0
 

Author Comment

by:xnish
ID: 36508021
I have been in contact with the customer to see what they can do to accommodate.  You have been a help in narrowing down the problem.  Thanks.  I will "report back" tomorrow, hopefully, with a positive update.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36508534
I'll keep my fingers crossed ;)
0
 

Author Comment

by:xnish
ID: 36525478
I am able to test with my personal pc now.  Running Windows XP.  

Some details:
    Group authentication with name and password. Certificate Authentication unchecked.
    Transport Tunneling checked; IP Sec over UDP checked; Allow Local LAN Access checked.
    No certificates.

I can connect (get status: connected).  But then email cannot send/receive, internet inaccessible, rdp does not work anywhere, no new computer shows up in workgroup computers.

I have passed this info onto the customer's representative.  No word yet.

This is not really news, but I picture you getting nothing done, due to crossed fingers--at least all typing would be greatly hindered.  So I thought I needed to comment something. :)
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36528739
:-D
Lol
I can still use the two-finger system ;)

If you can test with your own pc, you might want to have a look at your routing table with and without the vpn connected. Perhaps with some creative routing you could get it to work.
0
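The routing-table comparison suggested in the comment above, as an added example that is not part of the original thread: it parses the IPv4 rows of two `route print` captures and reports which destinations leave through a different interface once the tunnel is up. The tables and all addresses are constructed for illustration (203.0.113.10 stands in for the RDP client, 198.51.100.7 for the VPN gateway, 10.99.0.25 for the VPN adapter), and the helper names are hypothetical.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "net gateway interface metric")

def parse_route_print(text):
    """Pull IPv4 rows (dest, mask, gateway, interface, metric) out of `route print` text."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # headers, separators, "Default Gateway:" lines
        try:
            plen = bin(int(ipaddress.IPv4Address(f[1]))).count("1")
            net = ipaddress.ip_network(f"{f[0]}/{plen}", strict=False)
            ipaddress.IPv4Address(f[2]), ipaddress.IPv4Address(f[3])
        except ValueError:
            continue  # a five-field line that is not a route row
        routes.append(Route(net, f[2], f[3], int(f[4])))
    return routes

def best_route(routes, ip):
    """Longest-prefix match; the lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if addr in r.net]
    return min(hits, key=lambda r: (-r.net.prefixlen, r.metric)) if hits else None

def moved_paths(before, after, targets):
    """Targets whose egress interface changes once the VPN is connected."""
    moved = {}
    for t in targets:
        b, a = best_route(before, t), best_route(after, t)
        if b and a and b.interface != a.interface:
            moved[t] = (b.interface, a.interface)
    return moved

# Constructed sample tables (not captured from a real client). Assumed addresses:
# 203.0.113.10 = RDP client, 198.51.100.7 = VPN gateway, 10.99.0.25 = VPN adapter.
BEFORE = parse_route_print("""
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
""")
AFTER = parse_route_print("""
          0.0.0.0          0.0.0.0       10.99.0.25      10.99.0.25       1
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      21
     198.51.100.7  255.255.255.255      192.168.1.1    192.168.1.50       1
""")
print(moved_paths(BEFORE, AFTER, ["203.0.113.10", "198.51.100.7"]))
```

In the constructed "after" table only the host route to the VPN gateway still leaves through the LAN interface; replies to the RDP client follow the new lowest-metric default route into the tunnel, which matches the dropped RDP session described earlier in the thread.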
 

Author Comment

by:xnish
ID: 36540655
Well, I now have proper vpn access to the customer's server.  In short, the problems were all on their side.  When I vpn to connect, all "avenues" out of my pc are disabled except the rdp to their server.  But, again, the problem was all on their side.

My problem was that I assumed the use of a cloud server was messing things up.  That along with my assumption that they had everything working fine on their end.

You have been quite helpful (and patient).  I have learned much.  And you did help me to narrow down the problem to get them to find their own error.  I am not sure what I do in respect to "accepting solutions", but I am satisfied with your help, sir.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36541270
First, great you solved it (always nice to hear :).
With regards to the accept: if you would like to give me all points, just pick my most appropriate answer as an accepted solution. If you would like to split points (because you yourself supplied the final solution), accept one of your comments as the solution and one of mine as an assisted solution (or the other way around :).
0
 

Author Closing Comment

by:xnish
ID: 36542611
For the information I gave and the problem I thought I had, the 'expert advice' was excellent.  My problem was actually a different one than what I originally thought, so a perfect solution could not be given.  But this helped me greatly to arrive at that final solution.  Many thanks.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36542651
The pleasure was all mine :)

Thanks for the points!
0
