SBS 2011 - VPN, can't access other devices on internal network

SBS 2011 - single NIC

I can make a VPN connection in from the outside world.  I can browse to \\sbs2008 by name and IP.  I can ping other devices on the internal network by name and IP.

I cannot browse to those devices.  I cannot RDP to any other server but the SBS 2011 server.

I don't see anything in NPS that would be restricting access to other devices.  When I am logged on, the NPS log says "NPS granted full access to a user because the host met the defined health policy".

What am I missing?  HELP!!!
snowdog_2112 asked:

Alan Hardisty (Co-Owner) commented:
When you try to RDP, are you using https://remote.externaldomain.com/remote and have you given yourself permission to the computers you want to RDP to in the SBS console?
0
Cris Hanna (Sr IT Support Engineer) commented:
0
Rob Williams commented:
By default when many services are enabled, such as RDP, they allow access from the local LAN but not other remote subnets. Ping is allowed by default. You will either need to edit the firewall on each PC, or a more practical solution is to edit the firewall via group policy. Pete Long has very nicely outlined this in his blog:
http://www.petenetlive.com/KB/Article/0000193.htm
0
snowdog_2112 (Author) commented:
- I am getting access to the internal network, and can ping the hosts to which I am unable to RDP.

- I have checked the RDP settings on the hosts giving me problems - and allowed * for the remote subnets.  I wireshark'ed on a host I cannot RDP to, and I see pings from the VPN client, but no RDP packets.  It seems the SBS11 server is preventing the traffic.

Is there anything on the SBS 2011 server that would prevent any type of access (other than icmp) for VPN clients?
0
Rob Williams commented:
SBS 2008/2011 has no effect on network traffic other than the group policies that it applies to the various PCs and member servers. The only default policy that would apply to RDP is the Windows firewall which as mentioned blocks RDP from remote subnets, but does not block ICMP (pings). 3rd party firewalls, if any, usually have the same restriction and have to be edited.
0
snowdog_2112 (Author) commented:
Let me ask this:  *should* I be able to VPN in to the SBS11 server and RDP (or browse UNC paths) to other hosts on the internal network?

As mentioned, I can RDP to those machines from the SBS11 server, so it's not the local firewall on those hosts. I've changed the RDP rule to allow RDP from all IPs - but a VPN connection should be coming from the local subnet anyways.  I am also unable to browse to the C$ share from the VPN connections, so it's not an RDP-only thing.

If it was something on the host that I can't reach, wouldn't Wireshark show me the incoming packets?  Or does the Windows firewall (which it shouldn't be doing in the first place since I have allowed RDP from anywhere) block the packets before Wireshark would see them?

Any other thoughts?  
0
Rob Williams commented:
>>"Let me ask this:  *should* I be able to VPN in to the SBS11 server and RDP (or browse UNC paths) to other hosts on the internal network?"
Yes.

>>"I can RDP to those machines from the SBS11 server, so it's not the local firewall on the those hosts. "
Not necessarily. When remote access is enabled on a PC, a firewall exception is automatically created. However that exception only allows connections from the local subnet or domain (Win 7). As mentioned, remote clients, especially when assigned an IP in a different subnet cannot access until the firewall is disabled or modified. The advanced firewall in Win 7 and Vista are limited by domain access. Two methods of modifying are:
http://www.lan-2-wan.com/RD-FW.htm
http://www.petenetlive.com/KB/Article/0000193.htm 

>>"I am also unable to browse to the C$ share from the VPN connections, so it's not an RDP-only thing."
File and print are 'usually' blocked like RDP, but there are several rules to edit.

There are 3 primary things to check, which you have done:
1) Can you RDP from the server? Yes, this indicates RDP is enabled.
2) Can you ping the PC to which you are trying to connect? Yes, this indicates it is not a routing/network issue. ICMP (pings) are allowed from any location in the default firewall rules. If you cannot ping, there are several things to check, but you mentioned you can.
3) Can you access the PCs using other protocols? No, something is blocking access. In a 2008/2011 SBS environment the only way the server can be blocking that is indirectly through Group Policy. It must be something on the PCs blocking access, which is almost always the Windows or a 3rd party firewall. Is it possible to completely disable these as a test?
0
snowdog_2112 (Author) commented:
Thanks for the follow up.

Disabled the Windows firewall on a Server 2003 and XP workstation - still can't RDP or browse UNC path.

SBS11 and other internal hosts can RDP/UNC to the 2003 server and XP machine.

The IPs assigned to VPN clients are on the same subnet as the hosts I can't access (RRAS using the same DHCP pool).  I can ping by name and IP.  RWA through the SBS11 server also works (I haven't wiresharked that to see if the packets are sourced through SBS11).

The GPOs applied to the 2003 server and XP machine would be the default SBS11 policies, so unless there is something by default preventing VPN hosts from accessing internal resources...I don't see how the Server 2003/XP hosts could tell whether a connection is from a host locally or over the VPN since they are all on the same subnet.

Also, I had looked at the NPS policy - nothing I could see in there either.
0
snowdog_2112 (Author) commented:
anyone...?  anyone...?
0
Rob Williams commented:
>>"I can make a VPN connection in from the outside world.........I can ping other devices on the internal network by name and IP.  I cannot browse to those devices.  I cannot RDP to any other server but the SBS 2011 server"

This pretty well has to be a firewall issue, whether the Windows firewall or third party security software.   Since you can ping, it verifies the VPN, RRAS, and routing are properly configured.  By default ICMP requests (pings) are allowed but most other traffic is not, by the firewall(s).
0
snowdog_2112 (Author) commented:
RobWill - Can you give me any sort of direction in which I can look for this?  I am not so sure it's firewall, as other devices on the internal network can RDP to these hosts.  The VPN clients are getting an IP in the same subnet as the other (working) hosts.  To the host "not allowing" the connection, it should appear to be no different than from any other local host.
0
Rob Williams commented:
Very sorry, I somehow missed your response until now.

As mentioned the fact that you can ping verifies that routing is properly configured and working so it is not a connection issue.  By default pings are allowed from any subnet, even the Internet by the Windows firewall, and some 3rd party firewalls (software based).  However when you enable some services such as RDP and files & print sharing they create a firewall exception, but usually only for access from the local subnet/domain.  How this is determined I am not certain, but remote clients, even with an IP in the same subnet are often blocked from these services. To resolve it is common to need to edit the scope exceptions (XP/2003), or the advanced firewall inbound rules (Vista/Win7/2008/2008 R2), to allow all.

I would try that first as your symptoms are very typical.  Also if there are any 3rd party security services installed such as Symantec, AVG, you will need to edit their firewall exceptions as well.
Or, as a test disable all software firewalls on a PC to which you are trying to connect.
0
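Rob's checklist (ping works, RDP and file sharing do not, so inspect the scope of the firewall exception on the target) can be turned into a repeatable diagnostic. The following PowerShell is an added example and is not from this thread or from any of the participants. It assumes PowerShell 2.0 or later on the VPN client, the built-in rule name "Remote Desktop (TCP-In)" on Vista/7/2008-family targets, and the classic `netsh firewall` context on XP SP2/2003; the host names are constructed placeholders.

```powershell
# Added example (not from the thread). Run the first part on the VPN client with the
# tunnel up; the netsh commands at the end are run on the target PC.
# Host names below are constructed placeholders.

$Targets = @('srv2003.example.local', 'xp-ws01.example.local')   # placeholders
$Ports   = @{ RDP = 3389; SMB = 445 }

function Test-TcpPort {
    # TCP connect with a timeout. The outcome separates three cases:
    #   open    -> the service answered (host firewall is not in the way)
    #   refused -> the host replied with RST (packet arrived, nothing listening)
    #   timeout -> the SYN was dropped: a firewall scope rule on the host, or the
    #              packet never reached it (Wireshark on the target tells which)
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($handle)
        return 'open'
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException] -and
            $ex.SocketErrorCode -eq 'ConnectionRefused') { return 'refused' }
        return "error: $($ex.Message)"
    } finally {
        $client.Close()
    }
}

function Get-ReachabilityReport {
    # One row per host and service next to the ICMP result, so the "ping works,
    # nothing else does" pattern from the thread is visible at a glance.
    foreach ($t in $Targets) {
        $icmp = Test-Connection -ComputerName $t -Count 1 -Quiet -ErrorAction SilentlyContinue
        foreach ($svc in $Ports.Keys) {
            New-Object PSObject -Property @{
                Host    = $t
                Ping    = $icmp
                Service = $svc
                Port    = $Ports[$svc]
                Result  = Test-TcpPort -ComputerName $t -Port $Ports[$svc]
            }
        }
    }
}

Get-ReachabilityReport | Format-Table Host, Ping, Service, Port, Result -AutoSize

# --- On the target PC: inspect and widen the scope of the built-in RDP exception ---
# Vista / 7 / 2008 / 2008 R2 (advanced firewall). The RemoteIP line of the verbose
# output shows whether the rule is limited to LocalSubnet; "any" removes that limit.
#   netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose
#   netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=any
#
# XP SP2 / 2003 (classic firewall). scope=ALL is the equivalent of remoteip=any.
#   netsh firewall show config
#   netsh firewall set portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=ALL
```

A row showing Ping True with Result timeout on 3389 and 445 is the symptom described in the thread; if Wireshark on the target also shows no SYN arriving, the drop is upstream of the host rather than in its firewall, which is the distinction the later posts try to make.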
snowdog_2112 (Author) commented:
The VPN clients get an IP on the local subnet, so any firewall rules should not apply.

Also, the Server2003 that I cannot RDP to does not have firewall enabled at all.  What I don't know is whether this is typical behavior - I don't have a similar network I can test it on.
0
Rob Williams commented:
You might try connecting to the SBS from the same LAN on which it is located, but point the VPN client to the SBS LAN IP not the public IP or name.  If that works it may help to rule out a couple of possible issues.

VPNs allow all traffic; there is no filtering unless you manually create rules to block it in the RRAS server, so it has to be something else disallowing the traffic.

A common issue is the local subnet from which the client is connecting, uses the same subnet as the SBS server which will not allow routing, but you say pings work, so I assume that is not the case.
0

snowdog_2112 (Author) commented:
Local subnet on the VPN client side is not the same as on the SBS LAN side.

I am using Remote Web Workplace as a workaround.  I hate to give up not knowing why it won't work, but I cannot invest more time (mine or customer's) to figure it out.

Thanks for all the suggestions.
0
Rob Williams commented:
Sorry we were not able to find a solution.
Thanks snowdog_2112.
Cheers!
--Rob
0
snowdog_2112 (Author) commented:
The accepted answer did not actually fix the problem, but RobWill made several suggestions to eliminate possible causes.
0