Solved

Windows VPN can't access FileShare on server

Posted on 2013-11-29
Last Modified: 2013-12-19
Hi,

I have a problem with a VPN setup on an SBS 2008 server. I can connect to the VPN, I get an IP address, I can ping the server and router, I can access the configuration webpage of the router and I can access the OWA webpage on the server, but I cannot access fileshare on the server.

Whenever I try to access the file share via "\\192.168.1.2" (Server IP) it says "The system cannot access the file"...

Here's more info on the setup:
Windows SBS 2008 (Acting as the VPN server, SBS IP: 192.168.1.2)
-The server has been running great for about 4 years now

Basic TP-Link router (Port 1723 and 500 forwarded to server, Router IP: 192.168.1.1)

I use Windows VPN configuration as PPTP
-Everything connects "smoothly" and fast

I'm NOT in the same IP range as the server network
-My IP : 10.0.0.10 and the remote server IP : 192.168.1.2

Basic configuration on the NPS to allow a certain group to connect
-I'm testing with a Domain Admin account

I did this setup many times on other servers and never had trouble. It's just this one where I cannot find what's blocking me.

Thanks in advance!
Question by:GIP

29 Comments

LVL 24

Expert Comment

by:DMTechGrooup
Check this thread, different server and FW but good things to check like FW ports and Antivirus.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/fac821a3-f42e-4555-9682-e972d7ec89bd/file-share-access-over-vpn

LVL 77

Expert Comment

by:Rob Williams
A few thoughts:

Are there any network segments between the router and modem?  Sometimes you may have:
192.168.1.x<=client=>Internet=>Modem<=192.168.1.x=>router<=10.0.0.x=>VPN server
I appreciate you mentioned remote and local subnets are different, but all subnets in-between must be different as well.

Software firewalls have to be configured to allow remote subnets to access various services.  When you enable file and print sharing (done by default on SBS) it creates a firewall rule to allow access but usually only from the local subnet/domain.  You may have to add the remote subnet or 'any', though I have never had to do this with the SBS VPN.  If you have 3rd party firewall that may be the issue.

When you created the VPN did you use RRAS or the SBS wizard under the SBS control panel | network | connectivity.  If you did not use the SBS wizard, in the RRAS console right click on the server name, choose disable, and then run the SBS wizard.

You do not need port 500 forwarded for PPTP but you do need GRE enabled.  GRE is enabled in different ways on different routers.  Often it is an option "Allow PPTP pass-through", but it is protocol 47, not port 47, so cannot be forwarded.  If you can authenticate, this is probably not the problem.

Is "The system cannot access the file" the exact error message?  If you access from a command prompt do you get an error number such as 53.

Often with a VPN you can connect but either nothing happens or the connection is dropped when you try to access files if the MTU value is set too high on the connecting computer, for this connection.  However you don't usually get that error message.  If you suspect that might be the case the following is from an earlier post of mine:
Dropped connections can often be caused by too high an MTU (Maximum Transmission Unit) size, especially if it is a lower than normal performance connection. It is recommended you change this on the connecting/client computer and when possible, its local router. The easiest way to change the MTU on the client is using the DrTCP tool:
http://www.dslreports.com/drtcp
As for where to set it, if not using automatic, it has to be 1430 or less for a Windows VPN which uses PPTP if using the basic client (1460 for L2TP). There are ways to test for the optimum size of the MTU such as:
http://www.dslreports.com/faq/5793
However, this is not accurate over a VPN due to additional overhead. The best bet is to set it to 1300, and if it improves the situation, gradually increase it.
A couple of related links:
http://www.dslreports.com/faq/7752
http://www.chicagotech.net/vpnissues/vpndorp1.htm
0
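
One way to run the MTU check described in the post above from the connecting client, as an added example that is not part of the original post: the script sends don't-fragment pings through the tunnel and reports the largest payload that arrives. It assumes the VPN is connected and that 192.168.1.2 (the server address from the question) answers ICMP; the connection name in the final comment is a placeholder.

```powershell
# Added example: probe the largest don't-fragment ICMP payload that crosses the VPN.
# Assumptions: run on the connecting client with the VPN up; $Target is the server
# address quoted in the question; PowerShell 2.0 or later.
$Target    = '192.168.1.2'
$TimeoutMs = 2000
$Pinger    = New-Object System.Net.NetworkInformation.Ping

function Test-DfPing {
    param([int]$PayloadBytes)
    # TTL 64, DontFragment = $true: routers must drop the packet rather than split it.
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true)
    $buffer  = New-Object byte[] $PayloadBytes
    foreach ($attempt in 1..2) {   # one retry so a single lost packet does not skew the search
        try {
            $reply = $Pinger.Send($Target, $TimeoutMs, $buffer, $options)
            if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) { return $true }
        } catch { }
    }
    return $false
}

# A small DF packet must get through, otherwise the result says nothing about MTU.
if (-not (Test-DfPing -PayloadBytes 500)) {
    throw "No reply from $Target to a 500-byte DF ping; check the tunnel or ICMP filtering first."
}

# Binary search between 500 and 1472 bytes (1472 + 28 = 1500, the Ethernet maximum).
$low  = 500
$high = 1472
while ($low -lt $high) {
    $mid = [int][math]::Ceiling(($low + $high) / 2)
    if (Test-DfPing -PayloadBytes $mid) { $low = $mid } else { $high = $mid - 1 }
}

$pathMtu = $low + 28   # 20-byte IPv4 header + 8-byte ICMP header
"Largest unfragmented payload to ${Target}: $low bytes (effective MTU about $pathMtu)"

# Show the MTU currently configured on each interface of this client.
netsh interface ipv4 show subinterfaces

# To apply the conservative starting value from the post (elevated prompt, VPN connected),
# then confirm with 'show subinterfaces' after reconnecting that the value held:
# netsh interface ipv4 set subinterface "<VPN connection name>" mtu=1300
```

Because the probe runs inside the tunnel, treat the reported figure as a ceiling; the 1300 starting point recommended in the post remains the conservative choice.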
 
LVL 12

Expert Comment

by:ktaczala
Whenever I try to access the file share via "\\192.168.1.2" (Server IP) it says "The system cannot access the file"...
You state above that you are trying to access a file share.  You can't share files, just folders.
What is the share?  You should be able to connect to a shared folder by
typing \\192.168.1.2\sharename.
If the pc you are connecting from is not part of the domain you may have to enter in username & password.
 Try \\192.168.1.2\c$ that is the administrative share pointing to the root of the C Drive.
I'm assuming that 192.168.1.2 is the server that holds the share.

Author Comment

by:GIP
Thanks a lot for all your answers.

Here's the info you asked for:

-There is nothing between my 2 subnets : 10.0.0.0 -> Router -> WAN -> Router -> 192.168.1.0

-I didn't use SBS wizard. I have many clients on SBS and never used the wizard for this setup. Now that you mention it, it's the only client I try to setup that is on SBS 2008 (Server 2008). All the others are on SBS 2003, SBS 2011, Server 2003 and Server 2008 R2

-For the error message, I tried "Net use x: \\192.168.1.2\" and it gives me this error: System Error 1920, System can't access the file

If I try to use "Net use x: \\192.168.1.2\c$" I get : System error 64, network name not available

(I'm translating the errors because my OS are in French)

The only thing I see as of now is the MTU size. This client has a poor DSL PPPoE internet connection. MTU is set to Auto but I could try to change it overnight. They are getting a better connection this month. They will change to Cable 60down\10up

I'm still reading what you guys told me and following your links.

Thanks

P.S.: It was a typo to write "Fileshare", I do want to access a Folder share and not a File.

Edit #2: I don't think subnets are an issue here because I can access https:\\192.168.1.2\OWA without a problem and I can access http://192.168.1.1 (Router IP) and it works well. Only file sharing causes a problem. So I'm pretty sure I'm missing a rule somewhere or a check mark.

LVL 12

Expert Comment

by:ktaczala
-For the error message, I tried "Net use x: \\192.168.1.2\" and it gives me this error: System Error 1920, System can't access the file


That's correct, you can't access the server with just the IP address; you must use the share name.

Can you send a snapshot of your RRAS configuration?  All tabs.

Author Comment

by:GIP
There are many tabs and not that much useful information. Please ask me which one you want.

As to access the server via IP, I always do it like this... Not sharing x: to \\192.168.1.2\ but to see the shares available on the server I use \\192.168.1.2\

Also, I don't "map" drive over VPN. I usually do shortcut to them like a shortcut to \\192.168.1.2\Administration then copy paste them to other computers that need access to the share. No need to map drive for this setup. They only need to access some excel and word files from time to time. They aren't always connected via VPN, only when they need to access files.

Author Comment

by:GIP
New test results:

If I try to access shares on some computers on the VPN server network it works...

If I try to access for example : \\192.168.1.113\   it works and shows me what this computer is sharing..

So I'm pretty sure it's down to 1 rule on the SBS server that is blocking me.

LVL 12

Expert Comment

by:ktaczala
gotcha,

for RRAS snapshots: general tab, security tab and IPV4 tab

Author Comment

by:GIP
Here are your screenshots

[Screenshots: General, Security, IPv4]

LVL 24

Expert Comment

by:DMTechGrooup
Try disabling the firewall service on the SBS box and test.  If it works you know it's a FW issue; if it does not then you can at least for the time being rule it out.

LVL 12

Accepted Solution

by:
ktaczala earned 250 total points
See Attachment.  This setting should be enabled.
[Attachment: ScreenCapture.jpg]

Author Comment

by:GIP
I tried disabling the Windows firewall this morning and it didn't make a difference.

I think you're right for the IPv4 Router. Last time I tried activating it, I lost connection with the network and I thought I didn't need it. Now, I just checked with all my other servers and they all have it activated.

I'm afraid to turn it on now in case my client loses connection to his server... Will try it tonight.

If this does the trick I knew it was only a check mark somewhere!

Will let you know once I activate it.

LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 250 total points
As an SBS MVP, and one of the top experts here in the SBS topic area, I can tell you, as will all other SBS experts, that the most important thing to learn with SBS is to use the wizards.  I would still recommend disabling in RRAS and enabling using the SBS wizard.  The RRAS wizard will often enable NAT which will break some features, it will enable LAN routing for you, and set your permissions and firewall.  However it doesn't appear any of those may be the problem based on what you are able to do.

A System Error 64 is usually a NetBIOS issue which is odd as you are using the IP.  I did read how some edge devices (routers/modems) can block some forms of traffic resulting in a 64 error but you can access some PC's on the network.

I would try just  \\192.168.1.2\A_ShareName  and see what error you get
Net use X:  \\192.168.1.2  will not work
and Net use X:  \\192.168.1.2\C$  assumes the admin shares are available and working, though they should be; just try a created share

MTU can be an issue, especially with PPPoE/A as they use a lower MTU, but again you can access a PC.  If changing remember it is on the connecting client you want to change it, not the server site.

I would rebuild using the SBS wizard (after disabling in RRAS) and then try connecting using the VPN from a LAN PC using the LAN IP of the server, not the public IP or DNS name.  Then test accessing the shares.  If that works you know the router, user account, shares, and permissions are correct and it is a router/modem/network issue rather than the SBS.

Just to confirm, the SBS has only one physical NIC enabled?  A second enabled, even if not connected, will cause many problems on SBS.
0
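
The symptoms reported so far (ping and OWA work, shares on 192.168.1.113 open, shares on 192.168.1.2 fail) can be narrowed down from the VPN client with a per-port check. This is an added example, not part of the original posts; the addresses and error numbers are the ones quoted in the thread, and the port list is an assumption.

```powershell
# Added example (not from the thread): check from the VPN client which TCP services
# answer on the SBS server and on a LAN workstation, then decode the quoted error codes.
# Addresses are those posted in the thread; the port list is an assumption.
$targets = '192.168.1.2', '192.168.1.113'
$ports   = @{ 445 = 'SMB over TCP'; 139 = 'NetBIOS session'; 443 = 'HTTPS (OWA)' }

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        # No answer at all within the timeout usually means the packets are dropped silently.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout (filtered?)' }
        $client.EndConnect($async)   # throws if the connection was refused or unreachable
        return 'open'
    } catch {
        return 'refused/unreachable'
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    foreach ($p in ($ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Target = $t; Port = $p; Service = $ports[$p]; Result = (Test-TcpPort $t $p)
        }
    }
}
$results | Format-Table Target, Port, Service, Result -AutoSize

# Reading the table: if 443 is open on 192.168.1.2 but 445 and 139 are not, while 445 is
# open on 192.168.1.113, SMB is being dropped on or in front of the server, not by the tunnel.

# Decode the error numbers from the thread. 0x80070035 is an HRESULT whose low 16 bits
# carry the Win32 code (0x35 = 53). Messages print in the OS display language, which
# helps when the original error text was translated.
$hresult = 0x80070035
$codes   = 1920, 64, ($hresult -band 0xFFFF)
foreach ($c in $codes) {
    '{0,5}  {1}' -f $c, (New-Object System.ComponentModel.Win32Exception -ArgumentList $c).Message
}
```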
 

Author Comment

by:GIP
Hi,

Thanks for the hint on the wizards. I learned from past experience to use them. But if I recall correctly, I already tried to setup this SBS for VPN last year and the wizard didn't work correctly and my client didn't need it. I just told them I would activate it for future use.

"Net use x: \\192.168.1.2\Sharename" still gives me error 64

This server has been running for 4 years now. I'm pretty sure the network\accounts\share\permissions are good. Router has been replaced this summer and it's the same I use elsewhere too.

This SBS has 2 physical connections but only 1 is enabled.

I will try enabling the IPv4 routing tonight and see if it works. If not, I will retry the wizard.

Thank you

LVL 77

Expert Comment

by:Rob Williams
I would try the connection from the LAN, it will help to rule out some potential issues.

As for permissions I meant VPN access permissions such as setting policies for VPN group members.

If the SBS VPN wizard failed it may indicate there are other network issues present.

Author Comment

by:GIP
So I tried enabling IPv4 routing yesterday and it hung the server on the "Finalisation" phase. Nothing that asked for a UAC prompt opened (which is like everything in Server 2008). I was able to "Shutdown /r /f" and it took 30 minutes to reboot.

After reboot it says the IPv4 is checked/enabled but I still have the same issue.

I tried the wizard and it says it cannot configure the router but the rest says it's good. But in the SBS console, it remains "Disabled".

Do you guys know any logs that could be useful when I try to access the server share via vpn?

EDIT: I tried accessing the share with "\\servername.serverdomain.local" and it asked for my credential and then same error 0x80070035

LVL 77

Expert Comment

by:Rob Williams
Though LAN routing should be enabled the IPv4 routing setting shouldn't be an issue if you were able to connect to PC's.  Usually when routing is not enabled you can only access the VPN server.

There is an SBS VPN wizard log located under:  C:\Program Files\Windows Small Business Server\Logs\VPNCW.log  But it won't tell you about connections, just issues with running the wizard.

To log connections you usually first have to enable it under properties of the server in the RRAS console.  Far right tab is logging.   Set your options and it will then create a log in the default location  C:\Windows\Tracing\

In case you stumble on it, there was a better RAS logging tool in the resource tools CD for NT or maybe later.  Do not use it as it apparently breaks SBS.

Have you tried connecting from the LAN as of yet?

Author Comment

by:GIP
Just checked the logs and can't find any errors. Even the Wizard logs don't seem to have errors in them.

I didn't try from the LAN because I RDP into the SBS. I'm a little bit far from my Customer. Will try as soon as I get a call to go over there.

I've been searching the web about this and it seems SBS2008 has some trouble with VPN access.

LVL 77

Expert Comment

by:Rob Williams
Never had an issue on the dozen or so SBS2008's I have set up, so I wouldn't generalize, but there are a lot of questions and problems relating to windows VPN's in general.  Far more of the problems are client/routing/modem/router issues than the server.

Do you really need a VPN?
If possible to use Outlook rpc/http, Sharepoint, and Remote Web Access it is far more secure and trouble free than a Windows VPN.  VPN's open some very serious security holes.

The LAN test is quite useful as mentioned because it isolates where the problem lies to some degree.  I appreciate it is difficult to test remotely.

Author Comment

by:GIP
They already use Outlook over HTTP

I wanted to setup VPN because all they had to do is double-click the VPN icon, enter password and click connect. Then, they would be able to browse some shortcuts I would have put on their desktop.

I configured this on many other customers' servers without issue. In fact it's a matter of 5 minutes to configure. So I guess this one has a problem within the server or with his ISP.

I'll try the LAN test, or try again when they get their new cable connection. Whichever comes first.

I think I did the most I can remotely. The rest will need to be tested on site in case I lose connection with the server.

Thanks for your help. Will keep you updated on this.

LVL 77

Expert Comment

by:Rob Williams
I appreciate the convenience, if willing to accept the security risks.  If you are doing so you may want to set up the VPN to connect at logon so they don't have to enter credentials after logging on and it allows group policies and logon scripts to be pushed out.  Clients like the convenience and adds some control for IT.  I have blogged about it in the following link:
http://blog.lan-tech.ca/2012/04/29/connect-to-windows-vpn-at-logon/

Author Comment

by:GIP
Good blog article!

I would say 99% of my customers that are using VPN are using it from their own personal computer or with a cheap home laptop provided for their Project Manager when they go outside of the corporate network. Most of them with a "fixed" desktop at their office will RDP right into it.

They mostly connect to VPN for some minutes to modify a file or to "upload/download" a new one. Nothing big here.

Thanks for the info though!

LVL 77

Expert Comment

by:Rob Williams
>>"99% of my customers that are using VPN are using it from their own personal computer or with a cheap home laptop "
That is the primary concern.  A device and network over which you have no control has wide open direct access to the corporate network.  Many viruses spread using network shares and can do so over a VPN in seconds.  The other issue is the home owner has low security, their PC or network gets hacked, and the hacker has direct access to the corporate network.

Everyone says; "Nothing big here." until the data or server is wiped.

Sorry not relevant to the question, but as a big supporter of VPN's (see my profile) I always like to point out the risks.  Nowadays we have so many other options.

LVL 12

Expert Comment

by:ktaczala
Have you tried the VPN connection from a different site?  Somewhere where they have a better speed? Even a Hotspot would probably be better than the DSL connection your client has.

Author Comment

by:GIP
ktaczala:
The server is behind the DSL connection. I can't move it to somewhere else unfortunately. But they are getting cable connection "soon". The new ISP needs to run the cable to their building.

I tried connecting to it from my office which uses a cable connection of 10down/1up and from my home connection which uses optical fiber of 50down/50up and it's the same problem.


RobWill:
Any suggestion to keep the vpn and reinforce the security? What kind of issue is there, someone guessing the password of a vpn user or is there more security breach than that?

LVL 77

Expert Comment

by:Rob Williams
As mentioned the main concern is not so much guessing the password as someone easily gaining access to the remote user’s network or PC.   For example they may have their router set up with defaults such that it is very easily accessed by a neighbor using the wireless connection.  If split-tunneling is enabled on the PC (VPN setting “use remote default gateway” unchecked) they may not even have to hack the PC to route packets directly to your corporate network.

Keep in mind viruses spread over VPN’s very easily.  Microsoft does offer a service NAP (Network Access Protection) which effectively allows you to quarantine a VPN client until it has been checked if it has all Windows updates, updated anti-virus, firewall enabled, and more.  However it is a major undertaking to set up and not practical for small businesses.

PPTP is also the easiest VPN encryption to crack.  In addition anyone seeing port 1723 open can create a Windows VPN client and start guessing user names and passwords.

The most important steps are to use complex passwords and enable account lockouts after 5 or 6 wrong guesses.  Hacking PPTP encryption, though relatively easy for an experienced hacker, is unlikely just based on odds.  I have never seen it happen.

However a VPN appliance/router such as a Cisco can improve performance and security by moving the VPN connection to the perimeter of the network, looking after encryption/decryption, using IPSec, possibly certificates, and a VPN client which the end user cannot reconfigure (i.e. cannot enable split-tunneling).

It’s important to remember that 90% of hacking is opportunity, not an attack.  Johnny sitting in the apartment building next door sees a wireless connection, wonders if he can connect, and just keeps going as far as he can, to see what happens.    If he gains access to the home network, the VPN can be his ticket to ‘the next level’.
0
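
The client-side settings discussed in the post above (PPTP as the tunnel protocol, and split tunneling when "use remote default gateway" is unchecked) are stored per connection in the Windows phonebook file rasphone.pbk. The added example below, which is not part of the original post, parses that format and flags both; the embedded phonebook text and entry names are constructed, and the VpnStrategy value meanings follow Microsoft's RASENTRY documentation.

```powershell
# Added example: audit Windows VPN phonebook entries for PPTP and split tunneling.
# The phonebook text below is constructed sample data; entry and host names are made up.
$samplePbk = @'
[Office VPN]
VpnStrategy=1
IpPrioritizeRemote=0
DEVICE=vpn
PhoneNumber=vpn.example.com

[Branch VPN]
VpnStrategy=3
IpPrioritizeRemote=1
DEVICE=vpn
PhoneNumber=vpn2.example.com
'@ -split "`r?`n"

function Get-PbkEntry {
    # Turns phonebook lines into one hashtable per [Entry]; the first value of a key wins.
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            if ($entry) { $entry }
            $entry = @{ Name = $Matches[1] }
        } elseif ($entry -and $line -match '^([^=]+)=(.*)$') {
            if (-not $entry.ContainsKey($Matches[1])) { $entry[$Matches[1]] = $Matches[2].Trim() }
        }
    }
    if ($entry) { $entry }
}

function Test-PbkEntry {
    param($Entry, [string]$Source)
    $findings = @()
    switch ($Entry['VpnStrategy']) {
        '0' { $findings += 'automatic protocol selection (may negotiate PPTP)' }
        '1' { $findings += 'PPTP only' }
        '2' { $findings += 'PPTP tried first' }
    }
    # IpPrioritizeRemote=0 corresponds to "use default gateway on remote network" unchecked.
    if ($Entry['IpPrioritizeRemote'] -eq '0') { $findings += 'split tunneling enabled' }
    New-Object PSObject -Property @{
        Source = $Source; Entry = $Entry['Name']; Findings = ($findings -join '; ')
    }
}

# Per-user and all-users phonebooks (Windows Vista and later); missing files are skipped.
$pbkFiles = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk",
            "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"

$report = @(Get-PbkEntry $samplePbk | ForEach-Object { Test-PbkEntry $_ 'constructed sample' })
foreach ($file in $pbkFiles) {
    if (Test-Path $file) {
        $report += @(Get-PbkEntry (Get-Content $file) | ForEach-Object { Test-PbkEntry $_ $file })
    }
}
$report | Format-Table Source, Entry, Findings -AutoSize -Wrap
```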
 

Author Comment

by:GIP
Wonderful explanation thank you. I just hoped you wouldn't say that PPTP hacking is widespread and common.

I make sure all my clients know the risk of connecting to unprotected/shared wifi networks and the need for complex passwords. Also, all my clients that have exposure to the Internet have strong passwords with lockout Policy.

For my other clients that need a constant VPN connection, I don't use Windows RRAS but I use better VPN routers for it.

Thanks for caring.

LVL 77

Expert Comment

by:Rob Williams
Sounds good.  I hope I didn't sound like I was lecturing, just pointing out the weaknesses.

Author Closing Comment

by:GIP
I awarded both RobWill and ktaczala for pointing me in the right direction.

ktaczala because it made me realize I had more troubles than simply configuring this VPN

and RobWill for lots of valuable information on this setup.

Thank you both,

I'll update this question once I find the problem in my SBS.