snowdog_2112 (United States of America) asked:
SBS 2011 - VPN, can't access other devices on internal network

SBS 2011 - single NIC

I can make a VPN connection in from the outside world.  I can browse to \\sbs2008 by name and IP.  I can ping other devices on the internal network by name and IP.

I cannot browse to those devices.  I cannot RDP to any other server but the SBS 2011 server.

I don't see anything in NPS that would be restricting access to other devices.  When I am logged on, the NPS log says "NPS granted full access to a user because the host met the defined health policy".

What am I missing?  HELP!!!
Alan Hardisty (United Kingdom of Great Britain and Northern Ireland):

When you try to RDP, are you using https://remote.externaldomain.com/remote and have you given yourself permission to the computers you want to RDP to in the SBS console?
By default when many services are enabled, such as RDP, they allow access from the local LAN but not other remote subnets. Ping is allowed by default. You will either need to edit the firewall on each PC, or a more practical solution is to edit the firewall via group policy. Pete Long has very nicely outlined this in his blog:
http://www.petenetlive.com/KB/Article/0000193.htm
snowdog_2112 (asker):
- I am getting access to the internal network, and can ping the hosts to which I am unable to RDP.

- I have checked the RDP settings on the hosts giving me problems - and allowed * for the remote subnets.  I wireshark'ed on a host I cannot RDP to, and I see pings from the VPN client, but no RDP packets.  It seems the SBS11 server is preventing the traffic.

Is there anything on the SBS 2011 server that would prevent any type of access (other than icmp) for VPN clients?
SBS 2008/2011 has no effect on network traffic other than the group policies that it applies to the various PC's and member servers. The only default policy that would apply to RDP is the Windows firewall which as mentioned blocks RDP from remote subnets, but does not block ICMP (pings). 3rd party firewalls, if any, usually have the same restriction and have to be edited.
Let me ask this:  *should* I be able to VPN in to the SBS11 server and RDP (or browse UNC paths) to other hosts on the internal network?

As mentioned, I can RDP to those machines from the SBS11 server, so it's not the local firewall on those hosts. I've changed the RDP rule to allow RDP from all IP's - but a VPN connection should be coming from the local subnet anyways.  I am also unable to browse to the C$ share from the VPN connections, so it's not an RDP-only thing.

If it was something on the host that I can't reach, wouldn't Wireshark show me the incoming packets?  Or does the Windows firewall (which it shouldn't be doing in the first place since I have allowed RDP from anywhere) block the packets before Wireshark would see them?

Any other thoughts?  
>>"Let me ask this:  *should* I be able to VPN in to the SBS11 server and RDP (or browse UNC paths) to other hosts on the internal network?"
Yes.

>>"I can RDP to those machines from the SBS11 server, so it's not the local firewall on the those hosts. "
Not necessarily. When remote access is enabled on a PC, a firewall exception is automatically created. However that exception only allows connections from the local subnet or domain (Win 7). As mentioned, remote clients, especially when assigned an IP in a different subnet, cannot access until the firewall is disabled or modified. The advanced firewall in Win 7 and Vista is limited by domain access. Two methods of modifying are:
http://www.lan-2-wan.com/RD-FW.htm
http://www.petenetlive.com/KB/Article/0000193.htm 

>>"I am also unable to browse to the C$ share from the VPN connections, so it's not an RDP-only thing."
File and print are 'usually' blocked like RDP, but there are several rules to edit.

There are 3 primary things to check which you have done:
1) Can you RDP from the server? Yes, this indicates RDP is enabled.
2) Can you ping the PC to which you are trying to connect? Yes, this indicates it is not a routing/network issue. ICMP (pings) are allowed from any location in the default firewall rules. If you cannot ping there are several things to check, but you mentioned you can.
3) Can you access the PC's using other protocols? No, something is blocking access. In a 2008/2011 SBS environment the only way the server can be blocking that is indirectly through Group Policy. It must be something on the PC's blocking access, which is almost always the Windows or a 3rd party firewall. Is it possible to completely disable these as a test?
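The three checks above separate "host reachable" (ICMP) from "service reachable" (TCP 3389 for RDP, TCP 445 for SMB). The script below, an added example that is not from this thread, runs that split from the VPN client against a list of internal hosts. The host names are constructed placeholders; replace them with your own. It needs nothing beyond PowerShell 2.0 and .NET, so it runs on the older client OSes discussed here.

```powershell
# Added example (not from the thread). Run on the VPN client after the tunnel is up.
# Host names are constructed placeholders; substitute the machines you cannot reach.
$Targets = @('sbs2011', 'fileserver2003', 'xp-workstation')
$Ports   = @{ 'RDP' = 3389; 'SMB' = 445 }

# TCP connect test with a timeout. Three outcomes matter for this diagnosis:
#   open    - the service answered, nothing in the path is blocking it
#   refused - the host sent a reset: packets reach the host, but nothing is listening
#   timeout - no reply at all: a firewall or filter is silently dropping the packets,
#             which matches "ping works, Wireshark on the target sees no RDP packets"
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($async)
        return 'open'
    } catch {
        return 'refused'
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $Targets) {
    # -Quiet returns $true/$false instead of the per-reply objects
    $ping = Test-Connection -ComputerName $t -Count 1 -Quiet -ErrorAction SilentlyContinue
    $row  = New-Object PSObject -Property @{ Host = $t; ICMP = $ping }
    foreach ($name in $Ports.Keys) {
        $row | Add-Member NoteProperty $name (Test-TcpPort $t $Ports[$name])
    }
    $row
}

$results | Select-Object Host, ICMP, RDP, SMB | Format-Table -AutoSize
```

A row with ICMP True and both ports at "timeout" is the pattern described in this thread: routing is fine, but something between the VPN client and the service is dropping TCP. A "refused" result rules out a firewall on that host for that port, since the host itself answered.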
Thanks for the follow up.

Disabled the Windows Firewall on a Server 2003 and XP workstation - still can't RDP or browse UNC path.

sbs11 and other internal hosts can rdp/unc to the 2003 server and xp machine.

The IP's assigned to VPN clients are on the same subnet as the hosts I can't access (RRAS using the same DHCP pool).  I can ping by name and IP.  RWA through the SBS11 server also works (I haven't wiresharked that to see if the packets are sourced thru SBS11).

The GPO's applied to the 2003 server and XP machine would be the default SBS11 policies, so unless there is something by default preventing vpn hosts from accessing internal resources...I don't see how the server 2003/xp hosts could tell whether a connection is from a host locally or over the vpn since they are all the same subnet.

Also, I had looked at the NPS policy - nothing I could see in there either.
anyone...?  anyone...?
>>"I can make a VPN connection in from the outside world.........I can ping other devices on the internal network by name and IP.  I cannot browse to those devices.  I cannot RDP to any other server but the SBS 2011 server"

This pretty well has to be a firewall issue whether the Windows firewall or third party security software. Since you can ping, it verifies the VPN, RRAS, and routing are properly configured.  By default ICMP requests (pings) are allowed but most other traffic is not, by the firewall/s.
RobWill - Can you give me any sort of direction in which I can look for this.  I am not so sure it's firewall, as other devices on the internal network can RDP to these hosts.  The VPN clients are getting an IP in the same subnet as the other (working) hosts.  To the host "not allowing" the connection, it should appear to be no different than from any other local host.
Very sorry, I somehow missed your response until now

As mentioned the fact that you can ping verifies that routing is properly configured and working so it is not a connection issue.  By default pings are allowed from any subnet, even the Internet by the Windows firewall, and some 3rd party firewalls (software based).  However when you enable some services such as RDP and files & print sharing they create a firewall exception, but usually only for access from the local subnet/domain.  How this is determined I am not certain, but remote clients, even with an IP in the same subnet are often blocked from these services. To resolve it is common to need to edit the scope exceptions (XP/2003), or the advanced firewall inbound rules (Vista/Win7/2008/2008 R2), to allow all.

I would try that first as your symptoms are very typical.  Also if there are any 3rd party security services installed such as Symantec, AVG, you will need to edit their firewall exceptions as well.
Or, as a test disable all software firewalls on a PC to which you are trying to connect.
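Rob's two earlier posts describe the same fix: the exceptions that Remote Desktop and File and Printer Sharing create are scoped to the local subnet, so their scope has to be widened for VPN clients (scope exceptions on XP/2003, inbound rule remote addresses on Vista/7/2008/2008 R2). The script below is an added example, not from this thread or from the linked articles, and uses the built-in netsh commands for both firewall generations. $VpnPool is a constructed placeholder for the address range RRAS hands to VPN clients; allowing LocalSubnet plus that pool is tighter than the blanket "allow all" and still covers the VPN case.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the PC you
# are trying to reach. $VpnPool is a constructed placeholder; set it to the RRAS pool.
$VpnPool = '192.168.16.0/24'
$Scope   = "LocalSubnet,$VpnPool"

# Vista and later (major version 6+) use Windows Firewall with Advanced Security;
# XP/2003 use the older "netsh firewall" context with per-service scopes.
$isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

if ($isVistaOrLater) {
    # Show the current RemoteIP scope before changing anything (default: LocalSubnet).
    netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose

    # Replace the remote-address scope on the RDP rule and the whole
    # File and Printer Sharing rule group.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip="$Scope"
    netsh advfirewall firewall set rule group="File and Printer Sharing" new remoteip="$Scope"

    # Verify the change took.
    netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" verbose
} else {
    # XP / 2003: list the service exceptions and their scopes first.
    netsh firewall show service

    # Enable the two services with a custom scope instead of the default subnet-only one.
    netsh firewall set service type=remotedesktop mode=enable scope=custom addresses="$Scope"
    netsh firewall set service type=fileandprint mode=enable scope=custom addresses="$Scope"

    netsh firewall show service
}
```

Re-run the connectivity check from the VPN client after this; if ping still succeeds while TCP 3389 and 445 still time out on a host whose firewall is now scoped (or disabled) this way, the drop is not on that host's Windows Firewall, which is the next thing Rob asks to rule out with any third-party security suite.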
The VPN clients get an IP on the local subnet, so any firewall rules should not apply.

Also, the Server2003 that I cannot RDP to does not have firewall enabled at all.  What I don't know is whether this is typical behavior - I don't have a similar network I can test it on.
ASKER CERTIFIED SOLUTION (Rob Williams, Canada)

SOLUTION
Sorry we were not able to find a solution.
Thanks snowdog_2112.
Cheers!
--Rob
The accepted answer did not actually fix the problem, but RobWill made several suggestions to eliminate possible causes.