Solved

How to install & use Cisco VPN client on Cloud Server

Posted on 2011-09-07
34
995 Views
Last Modified: 2012-06-27
I have been given the task to install and use a Cisco VPN client 4.8 on our Cloud Server (Rackspace, Windows 2003 Server), in order to connect to one of our customer's servers.  We normally connect to our Cloud Server via Remote Desktop, but the VPN will not "allow" us to install via RDP.  Rackspace provides a Java utility for "direct" access to the Cloud Server--and using this I was able to install the VPN.

But the dilemma is this.  The Java Utility does not allow anything to go out of the Cloud Server (no network, vpn, internet, remote access--nothing).  Rackspace says this is by design (for security).  But the VPN will not work when the user is connected by Remote Desktop (for security, I assume).  So the Java utility allows the VPN to "work", but does not allow anything to go out of the server.  While Remote Desktop allows the user to go out, the VPN will not "work" via RDP.  Sigh.

Any help I can get to solve this would be greatly appreciated.  I am completely new to this sort of thing.  I need a way to install and use the Cisco VPN client on this Cloud Server, working around these restrictions.  Thanks.
0
Question by:xnish
34 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
What exactly do you mean by the VPN will not "work" via RDP?
It won't start, it gives you an error, RDP disconnects?
Could you elaborate?
0
 

Author Comment

by:xnish
Sure. I can still remote in via RDP--it works fine.  But when I try to then start the VPN Client, it will not start.  When I click on "VPN Client", after about a minute or so, there is a message, "Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again."  However, the service is listed and listed as "started".
0
 
LVL 35

Expert Comment

by:Ernie Beek
Do you happen to have the ICS service running on that server?
0
 

Author Comment

by:xnish
I have checked in Network Connections/Local Connection/Properties/Advanced and the Internet Connection Sharing "Allow other network users to connect...." check box is not checked.  So I am assuming that ICS is not running on the server.
0
 
LVL 35

Expert Comment

by:Ernie Beek
To be sure, check the services.

Furthermore, did you install the client as a local admin? And when you run it, are you a local admin then?
0
 

Author Comment

by:xnish
I do have "Windows Firewall/Internet Connection Sharing" listed in the services.  And it has a status of "started".  And, yes, I believe that installing and attempting to run are both done as local admin.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Is the service set to 'auto'? Then try and set it to manual and stop it. There seems to be some issue with ICS that way.
0
 

Author Comment

by:xnish
This Cloud Server is used to host at least one website to the public.  With that in mind, would setting the "Windows Firewall/ICS" service to "manual" cause any problems?

But, yes, the service is set to "automatic".
0
 

Author Comment

by:xnish
I set the service in question to manual and stopped it.  Then rebooted and tried to get the VPN to connect (connected to the Cloud Server via RDP).  But, alas, nothing had changed--the VPN would still not connect, with same error message as before.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Funny, I have a machine to which I can RDP and start the client. It's no server though.

When you connect to the server, do you set up a console version? So running: mstsc /console ?
0
 

Author Comment

by:xnish
Running mstsc /console does nothing different.  But running mstsc /admin to connect to the server did allow the VPN client to connect, it seemed.  That was new.  However, once it connected, I was then kicked out of my Remote Desktop connection and could not get back in.  Was then forced to use the Rackspace utility (which I now realize is a VNC) to connect to the cloud server and disconnect the VPN that was connected via RDP.
0
 
LVL 35

Expert Comment

by:Ernie Beek
/admin is with the new version, you're correct :-~

So do you have split tunneling enabled?
0
 

Author Comment

by:xnish
I don't rightly know, actually.  I installed the VPN "as is" and did nothing special.  Guess I will need to look into that.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Split tunneling should be enabled on the remote firewall. Then there is also an option 'allow local LAN access' in the client.
0
 

Author Comment

by:xnish
I have checked the "Allow Local LAN Access" checkbox in the Transport tab of the VPN Client Properties.  Yet the VPN Client Statistics still says "Local LAN: Disabled".  What else am I supposed to do?

The Statistics also say "Transport Tunneling: Active on UDP port 4500".  I assume that is good.
0
 
LVL 35

Expert Comment

by:Ernie Beek
The second step is to enable split tunneling on the remote firewall, otherwise it still won't work. The rest of the settings are ok.
0
 

Author Comment

by:xnish
How do I "enable split tunneling on the remote firewall"?
0

 
LVL 35

Expert Comment

by:Ernie Beek
Do you have access to that firewall (it's the customer's one)? It is an ASA/PIX I assume?
0
 

Author Comment

by:xnish
I don't have access to their firewall, no.  And I really have no information about it.
0
 
LVL 35

Expert Comment

by:Ernie Beek
You might want to talk to their admin then. The thing is, without split tunneling when you set up the vpn, only traffic through the tunnel is allowed. That's why you lose the rdp session.
0
 

Author Comment

by:xnish
I will look into this.  And let you know.  In the meantime, sleep is a rare but good thing.....
0
 
LVL 35

Expert Comment

by:Ernie Beek
Sleep? I seem to remember I did that once :)

Good night, we'll be waiting.
0
 

Author Comment

by:xnish
I have found that our customer does not allow for split tunneling due to security reasons.  So they will not change their firewall, it appears.

So it looks like the dilemma is the only access to VPN to the customer's server is a Cloud Server that is only reachable via remote, but the VPN Client does not split tunnel to allow both RDP and VPN at the same time.  Hmmmm....
0
 
LVL 35

Expert Comment

by:Ernie Beek
That was a short night..........

So we have a challenge. I'm curious. What would happen if you rdp in, establish the vpn and go back in with the java utility?
This might be a long shot, but hey, who knows?
0
 

Author Comment

by:xnish
I did try that, but it didn't seem to work, last night.  

Sleep is overrated, isn't it?  Although, maybe if I had more of it, I would like it. :)
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
It seems to be addictive, they say ;)

So what are the options.....

-talk to the customer again. You need them, they need you. So perhaps it is an option to create a separate vpn profile for you so you're the only ones with split tunneling enabled.
-see if there is another way to set this up. Are there multiple users going to use this vpn? Can't they connect from another machine (their laptops or whatever)?

Just tossing ideas.
0
 

Author Comment

by:xnish
I have been in contact with the customer to see what they can do to accommodate.  You have been a help in narrowing down the problem.  Thanks.  I will "report back" tomorrow, hopefully, with a positive update.
0
 
LVL 35

Expert Comment

by:Ernie Beek
I'll keep my fingers crossed ;)
0
 

Author Comment

by:xnish
I am able to test with my personal pc now.  Running Windows XP.  

Some details:
    Group authentication with name and password. Certificate Authentication unchecked.
    Transport Tunneling checked; IP Sec over UDP checked; Allow Local LAN Access checked.
    No certificates.

I can connect (get status: connected).  But then email cannot send/receive, internet unaccessible, rdp does not work anywhere, no new computer shows up in workgroup computers.

I have passed this info onto the customer's representative.  No word yet.

This is not really news, but I picture you getting nothing done, due to crossed fingers--at least all typing would be greatly hindered.  So I thought I needed to comment something. :)
0
 
LVL 35

Expert Comment

by:Ernie Beek
:-D
Lol
I can still use the two-finger system ;)

If you can test with your own pc, you might want to have a look at your routing table with and without the vpn connected. Perhaps with some creative routing you could get it to work.
0
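
The comparison of the routing table with and without the VPN connected, suggested in the comment above, can be done mechanically. This is an added example, not part of the thread: the `route print` excerpts and all addresses are constructed, and it models route selection only, not any filtering the VPN client applies on top of the table.

```python
import ipaddress
import re

IP = r"((?:\d{1,3}\.){3}\d{1,3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")

def parse_route_print(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes

def pick_route(routes, ip):
    """Longest-prefix match; lowest metric wins among equal prefixes."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[3])) if hits else None

def moved_destinations(before, after, dests):
    """Map each destination whose egress interface changes to (old, new)."""
    picks = {ip: (pick_route(before, ip), pick_route(after, ip)) for ip in dests}
    return {ip: (b[2], a[2]) for ip, (b, a) in picks.items()
            if b and a and b[2] != a[2]}

# Constructed 'route print' excerpts (not from the thread): LAN only, then full tunnel.
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      20
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
"""
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.0.1      10.10.0.25       1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.100      21
        10.10.0.0      255.255.0.0       10.10.0.25      10.10.0.25      20
      192.168.1.0    255.255.255.0    192.168.1.100   192.168.1.100      20
     203.0.113.10  255.255.255.255      192.168.1.1   192.168.1.100       1
"""
# Hypothetical addresses: remote RDP client, VPN gateway, a host on the local LAN.
RDP_CLIENT, VPN_GATEWAY, LAN_HOST = "198.51.100.7", "203.0.113.10", "192.168.1.50"

if __name__ == "__main__":
    before, after = parse_route_print(BEFORE), parse_route_print(AFTER)
    print(moved_destinations(before, after, [RDP_CLIENT, VPN_GATEWAY, LAN_HOST]))
```

In this sample only the RDP client's address moves onto the tunnel interface, while the VPN gateway keeps its host route over the physical adapter.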
 

Author Comment

by:xnish
Well, I now have proper vpn access to the customer's server.  In short, the problems were all on their side.  When I vpn to connect, all "avenues" out of my pc are disabled except the rdp to their server.  But, again, the problem was all on their side.

My problem was that I assumed the use of a cloud server was messing things up.  That along with my assumption that they had everything working fine on their end.

You have been quite helpful (and patient).  I have learned much.  And you did help me to narrow down the problem to get them to find their own error.  I am not sure what I do in respect to "accepting solutions", but I am satisfied with your help, sir.
0
 
LVL 35

Expert Comment

by:Ernie Beek
First, great you solved it (always nice to hear :).
With regards to the accept: if you would like to give me all points, just pick my most appropriate answer as an accepted solution. If you would like to split points (because you yourself supplied the final solution), accept one of your comments as the solution and one of mine as an assisted solution (or the other way around :).
0
 

Author Closing Comment

by:xnish
For the information I gave and the problem I thought I had, the 'expert advice' was excellent.  My problem was actually a different one than what I originally thought, so a perfect solution could not be given.  But this helped me greatly to arrive at that final solution.  Many thanks.
0
 
LVL 35

Expert Comment

by:Ernie Beek
The pleasure was all mine :)

Thanks for the points!
0
