GIP

Windows VPN can't access FileShare on server

Hi,

I've got a problem with a VPN setup on an SBS 2008 server. I can connect to the VPN, I get an IP address, I can ping the server and router, I can access the configuration webpage of the router and I can access the OWA webpage on the server, but I cannot access the fileshare on the server.

Whenever I try to access the file share via "\\192.168.1.2" (Server IP) it says "The system cannot access the file"...

Here's more info on the setup:
Windows SBS 2008 (Acting as the VPN server, SBS IP: 192.168.1.2)
-The server has been running great for about 4 years now

Basic TP-Link router (Port 1723 and 500 forwarded to server, Router IP: 192.168.1.1)

I use Windows VPN configuration as PPTP
-Everything connects "smoothly" and fast

I'm NOT in the same IP range as the server network
-My IP : 10.0.0.10 and the remote server IP : 192.168.1.2

Basic configuration on the NPS to allow a certain group to connect
-I'm testing with a Domain Admin account

I did this setup many times on other servers and never had trouble. It's just this one where I cannot find what's blocking me.

Thanks in advance!
DMTechGrooup

Check this thread, different server and FW but good things to check like FW ports and Antivirus.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac821a3-f42e-4555-9682-e972d7ec89bd/file-share-access-over-vpn
Rob Williams
A few thoughts:

Are there any network segments between the router and modem?  Sometimes you may have:
192.168.1.x<=client=>Internet=>Modem<=192.168.1.x=>router<=10.0.0.x=>VPN server
I appreciate you mentioned remote and local subnets are different, but all subnets in-between must be different as well.

Software firewalls have to be configured to allow remote subnets to access various services.  When you enable file and print sharing (done by default on SBS) it creates a firewall rule to allow access but usually only from the local subnet/domain.  You may have to add the remote subnet or 'any', though I have never had to do this with the SBS VPN.  If you have a 3rd party firewall that may be the issue.

When you created the VPN did you use RRAS or the SBS wizard under the SBS control panel | network | connectivity?  If you did not use the SBS wizard, in the RRAS console right click on the server name, choose disable, and then run the SBS wizard.

You do not need port 500 forwarded for PPTP but you do need GRE enabled.  GRE is enabled in different ways on different routers.  Often it is an option "Allow PPTP pass-through", but it is protocol 47, not port 47, so cannot be forwarded.  If you can authenticate, this is probably not the problem.

Is "The system cannot access the file" the exact error message?  If you access from a command prompt do you get an error number such as 53?

Often with a VPN you can connect but either nothing happens or the connection is dropped when you try to access files if the MTU value is set too high on the connecting computer, for this connection.  However you don't usually get that error message.  If you suspect that might be the case the following is from an earlier post of mine:
Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
Whenever I try to access the file share via "\\192.168.1.2" (Server IP) it says "The system cannot access the file"...
You state above that you are trying to access a file share.  You can't share files, just folders.
What is the share?  You should be able to connect to a shared folder by
typing \\192.168.1.2\sharename.
If the PC you are connecting from is not part of the domain you may have to enter in username & password.
Try \\192.168.1.2\c$; that is the administrative share pointing to the root of the C Drive.
I'm assuming that 192.168.1.2 is the server that holds the share.
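
The checks suggested in the replies above (whether SMB answers from the VPN subnet when ping and OWA already work, and whether large packets pass unfragmented), as an added PowerShell example that is not part of any poster's reply. The server address is the one given in the question; the port list, timeouts and payload bounds are assumptions.

```powershell
# Added example (not from the thread): run on the VPN client after connecting.
# $Server is the SBS address from the question; ports/timeouts/bounds are assumptions.
param(
    [string]$Server = '192.168.1.2',
    [int[]]$TcpPorts = @(443, 445, 139)   # HTTPS (OWA), SMB, NetBIOS session
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'no answer (filtered?)' }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'open'
    } catch { return 'refused' } finally { $client.Close() }
}

function Test-DfPing {
    # One ICMP echo with Don't Fragment set; $true only when a reply comes back.
    param([string]$Target, [int]$Payload, [int]$TimeoutMs = 2000)
    $ping = New-Object System.Net.NetworkInformation.Ping
    $opts = New-Object System.Net.NetworkInformation.PingOptions(64, $true)
    [byte[]]$buffer = New-Object byte[] $Payload
    try {
        $reply = $ping.Send($Target, $TimeoutMs, $buffer, $opts)
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch { return $false } finally { $ping.Dispose() }
}

function Find-MaxDfPayload {
    # Binary search for the largest payload that is answered with DF set.
    param([string]$Target, [int]$Low = 500, [int]$High = 1472)
    if (-not (Test-DfPing $Target $Low)) { return $null }
    while ($Low -lt $High) {
        $mid = $Low + [int][math]::Ceiling(($High - $Low) / 2.0)
        if (Test-DfPing $Target $mid) { $Low = $mid } else { $High = $mid - 1 }
    }
    return $Low
}

foreach ($port in $TcpPorts) {
    '{0}:{1} -> {2}' -f $Server, $port, (Test-TcpPort $Server $port)
}
$payload = Find-MaxDfPayload $Server
if ($null -eq $payload) {
    "No reply from $Server to a 500-byte echo with DF set"
} else {
    # 28 bytes = 20-byte IPv4 header + 8-byte ICMP header
    "Largest unfragmented packet: $($payload + 28) bytes (payload $payload)"
}
```

If 443 answers while 445 and 139 do not, the tunnel and routing are working and the block is specific to SMB on the server side, which is where the firewall-scope point in the replies applies.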
GIP

ASKER

Thanks a lot for all your answers.

Here's some info you asked :

-There is nothing between my 2 subnets : 10.0.0.0 -> Router -> WAN -> Router -> 192.168.1.0

-I didn't use the SBS wizard. I have many clients on SBS and never used the wizard for this setup. Now that you mention it, it's the only client I try to set up that is on SBS 2008 (Server 2008). All the others are on SBS 2003, SBS 2011, Server 2003 and Server 2008 R2

-For the error message, I tried "Net use x: \\192.168.1.2\" and it gives me this error: System Error 1920, System can't access the file

If I try to use "Net use x: \\192.168.1.2\c$" I get : System error 64, network name not available

(I'm translating the errors because my OS is in French)

The only thing I see as of now is the MTU size. This client has a poor DSL PPPoE internet connection. MTU is set to Auto but I could try to change it overnight. They are getting a better connection this month. They will change to Cable 60down\10up

I'm still reading what you guys told me and following your links.

Thanks

P.S.: It was a typo to write "Fileshare", I do want to access a Folder share and not a File.

Edit #2: I don't think subnets are an issue here because I can access https:\\192.168.1.2\OWA without a problem and I can access http://192.168.1.1 (Router IP) and it works well. It's only file sharing that causes a problem. So I'm pretty sure I'm missing a rule somewhere or a check mark.
-For the error message, I tried "Net use x: \\192.168.1.2\" and it gives me this error: System Error 1920, System can't access the file


That's correct, you can't access the server with just the IP address; you must use the share name.

Can you send a snapshot of your RRAS configuration?  All tabs.
GIP

ASKER

There are many tabs and not much useful information. Please tell me which ones you want.

As for accessing the server via IP, I always do it like this... Not sharing x: to \\192.168.1.2\ but to see the shares available on the server I use \\192.168.1.2\

Also, I don't "map" drives over VPN. I usually make shortcuts to them, like a shortcut to \\192.168.1.2\Administration, then copy and paste them to other computers that need access to the share. No need to map a drive for this setup. They only need to access some Excel and Word files from time to time. They aren't always connected via VPN, only when they need to access files.
GIP

ASKER

New test results:

If I try to access shares on some computers on the VPN server network it works...

If I try to access for example : \\192.168.1.113\   it works and shows me what this computer is sharing..

So I'm pretty sure it's down to 1 rule on the SBS server that is blocking me.
gotcha,

for RRAS snapshots: general tab, security tab and IPV4 tab
GIP

ASKER

Here are your screenshots

[User generated images: three screenshots]
Try disabling the firewall service on the SBS box and test.  If it works you know it's a FW issue; if it does not, then you can at least for the time being rule it out.
ASKER CERTIFIED SOLUTION
ktaczala

This solution is only available to members.
GIP

ASKER

I tried disabling the Windows firewall this morning and it didn't make a difference.

I think you're right for the IPv4 Router. Last time I tried activating it, I lost connection with the network and I thought I didn't need it. Now, I just checked with all my other servers and they all have it activated.

I'm afraid to turn it on now and have my client lose connection to his server... Will try it tonight.

If this does the trick I knew it was only a check mark somewhere!

Will let you know once I activate it.
SOLUTION
This solution is only available to members.
GIP

ASKER

Hi,

Thanks for the hint on the wizards. I learned from past experience to use them. But if I recall correctly, I already tried to set up this SBS for VPN last year and the wizard didn't work correctly and my client didn't need it. I just told them I would activate it for future use.

"Net use x: \\192.168.1.2\Sharename" still gives me error 64

This server has been running for 4 years now. I'm pretty sure the network\accounts\share\permissions are good. The router was replaced this summer and it's the same one I use elsewhere too.

This SBS has 2 physical connections but only 1 is enabled.

I will try enabling the IPv4 routing tonight and see if it works. If not, I will retry the wizard.

Thank you
I would try the connection from the LAN, it will help to rule out some potential issues.

As for permissions I meant VPN access permissions such as setting policies for VPN group members.

If the SBS VPN wizard failed it may indicate there are other network issues present.
GIP

ASKER

So I tried enabling IPv4 routing yesterday and it hung the server on the "Finalisation" phase. Nothing that asked for a UAC prompt opened (which is like everything in Server 2008). I was able to "Shutdown /r /f" and it took 30 minutes to reboot.

After reboot it says the IPv4 is checked/enabled but I still have the same issue.

I tried the wizard and it says it cannot configure the router but the rest says it's good. But in the SBS console, it remains "Disabled".

Do you guys know any logs that could be useful when I try to access the server share via VPN?

EDIT: I tried accessing the share with "\\servername.serverdomain.local" and it asked for my credentials and then the same error 0x80070035
Though LAN routing should be enabled the IPv4 routing setting shouldn't be an issue if you were able to connect to PC's.  Usually when routing is not enabled you can only access the VPN server.

There is an SBS VPN wizard log located under:  C:\Program Files\Windows Small Business Server\Logs\VPNCW.log  But it won't tell you about connections, just issues with running the wizard.

To log connections you usually first have to enable it under properties of the server in the RRAS console.  Far right tab is logging.   Set your options and it will then create a log in the default location  C:\Windows\Tracing\

In case you stumble on it, there was a better RAS logging tool in the resource tools CD for NT or maybe later.  Do not use it as it apparently breaks SBS.

Have you tried connecting from the LAN as of yet?
GIP

ASKER

Just checked the logs and can't find any errors. Even the Wizard logs don't seem to have errors in them.

I didn't try from the LAN because I RDP into the SBS. I'm a little bit far from my customer. Will try as soon as I get a call to go over there.

I've been searching the web about this and it seems SBS2008 has some trouble with VPN access.
Never had an issue on the dozen or so SBS2008's I have set up, so I wouldn't generalize, but there are a lot of questions and problems relating to windows VPN's in general.  Far more of the problems are client/routing/modem/router issues than the server.

Do you really need a VPN?
If possible to use Outlook rpc/http, Sharepoint, and Remote Web Access it is far more secure and trouble free than a Windows VPN.  VPN's open some very serious security holes.

The LAN test is quite useful as mentioned because it isolates where the problem lies to some degree.  I appreciate it is difficult to test remotely.
GIP

ASKER

They already use Outlook over HTTP

I wanted to setup VPN because all they had to do is double-click the VPN icon, enter password and click connect. Then, they would be able to browse some shortcuts I would have put on their desktop.

I configured this on many other customers' servers without issue. In fact it's a matter of 5 minutes to configure. So I guess this one has a problem within the server or with his ISP.

I'll try the LAN test, or try again when they get their new cable connection. Whichever comes first.

I think I did the most I can remotely. The rest will need to be tested on site in case I lose connection with the server.

Thanks for your help. Will keep you updated on this.
I appreciate the convenience, if willing to accept the security risks.  If you are doing so you may want to set up the VPN to connect at logon so they don't have to enter credentials after logging on and it allows group policies and logon scripts to be pushed out.  Clients like the convenience and it adds some control for IT.  I have blogged about it in the following link:
http://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/
GIP

ASKER

Good blog article!

I would say 99% of my customers that are using VPN are using it from their own personal computer or with a cheap home laptop provided for their Project Manager when they go outside of the corporate network. Most of them with a "fixed" desktop at their office will RDP right into it.

They mostly connect to VPN for some minutes to modify a file or to "upload/download" a new one. Nothing big here.

Thanks for the info though!
>>"99% of my customers that are using VPN are using it from their own personal computer or with a cheap home laptop "
That is the primary concern.  A device and network over which you have no control has wide open direct access to the corporate network.  Many viruses spread using network shares and can do so over a VPN in seconds.  The other issue is the home owner has low security, their PC or network gets hacked, and the hacker has direct access to the corporate network.

Everyone says; "Nothing big here." until the data or server is wiped.

Sorry not relevant to the question, but as a big supporter of VPN's (see my profile) I always like to point out the risks.  Nowadays we have so many other options.
Have you tried the VPN connection from a different site?  Somewhere where they have a better speed? Even a Hotspot would probably be better than the DSL connection your client has.
GIP

ASKER

ktaczala:
The server is behind the DSL connection. I can't move it to somewhere else unfortunately. But they are getting a cable connection "soon". The new ISP needs to run the cable to their building.

I tried connecting to it from my office, which uses a cable connection of 10down/1up, and from my home connection, which uses optic fiber of 50down/50up, and it's the same problem.


RobWill:
Any suggestion to keep the VPN and reinforce the security? What kind of issue is there: someone guessing the password of a VPN user, or are there more security breaches than that?
As mentioned the main concern is not so much guessing the password as someone easily gaining access to the remote user’s network or PC.   For example they may have their router set up with defaults such that it is very easily accessed by a neighbor using the wireless connection.  If split-tunneling is enabled on the PC (VPN setting “use remote default gateway” unchecked) they may not even have to hack the PC to route packets directly to your corporate network.

Keep in mind viruses spread over VPN’s very easily.  Microsoft does offer a service NAP (Network Access Protection) which effectively allows you to quarantine a VPN client until it has been checked if it has all Windows updates, updated anti-virus, firewall enabled, and more.  However it is a major undertaking to set up and not practical for small businesses.

PPTP is also the easiest VPN encryption to crack.  In addition anyone seeing port 1723 open can create a Windows VPN client and start guessing user names and passwords.

The most important steps are to use complex passwords and enable account lockouts after 5 or 6 wrong guesses.  Hacking PPTP encryption, though relatively easy for an experienced hacker, is unlikely just based on odds.  I have never seen it happen.

However a VPN appliance/router such as a Cisco can improve performance and security by moving the VPN connection to the perimeter of the network, looking after encryption/decryption, using IPSec, possibly certificates, and a VPN client which the end user cannot reconfigure (i.e. cannot enable split-tunneling).

It’s important to remember that 90% of hacking is opportunity, not an attack.  Johnny sitting in the apartment building next door sees a wireless connection, wonders if he can connect, and just keeps going as far as he can, to see what happens.    If he gains access to the home network, the VPN can be his ticket to ‘the next level’.
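
One way to check a connecting PC for the settings described above (PPTP tunnel type, split tunneling), as an added PowerShell example rather than anything posted in the thread. It assumes the built-in VpnClient cmdlets (Windows 8 / Server 2012 or later) on the client; the function name is hypothetical and the encryption-level check goes slightly beyond what the reply lists.

```powershell
# Added example (not from the thread): audit VPN profiles on the connecting PC.
# Get-VpnProfileFinding is a hypothetical name; needs the VpnClient module (Windows 8+).
function Get-VpnProfileFinding {
    # Per-user profiles plus profiles stored for all users
    $profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
                @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($p in $profiles) {
        $issues = @()
        if ($p.TunnelType -eq 'Pptp') {
            $issues += 'PPTP tunnel'
        }
        if ($p.SplitTunneling) {
            $issues += 'split tunneling on ("use remote default gateway" unchecked)'
        }
        if ($p.EncryptionLevel -in 'NoEncryption', 'Optional') {
            $issues += "encryption not enforced ($($p.EncryptionLevel))"
        }
        [pscustomobject]@{
            Name       = $p.Name
            Server     = $p.ServerAddress
            TunnelType = $p.TunnelType
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Get-VpnProfileFinding | Format-List

# To turn split tunneling off for a flagged profile (profile name is a placeholder):
# Set-VpnConnection -Name '<profile name>' -SplitTunneling $false
```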
GIP

ASKER

Wonderful explanation thank you. I just hoped you wouldn't say that PPTP hacking is widespread and common.

I make sure all my clients know the risk of connecting to unprotected/shared wifi networks and the need of complex password. Also, all my clients that have exposure to the Internet have strong passwords with lockout Policy.

For my other clients that need a constant VPN connection, I don't use Windows RRAS but I use better VPN routers for it.

Thanks for caring.
Sounds good.  I hope I didn't sound like I was lecturing, just pointing out the weaknesses.
GIP

ASKER

I awarded both  RobWill and ktaczala for pointing me in the right direction.

ktaczala because it made me realize I had more troubles than simply configuring this VPN

and RobWill for lots of valuable information on this setup.

Thank you both,

I'll update this question once I find the problem in my SBS.