Solved

sbs 2003 VPN will not connect after installing cert

Posted on 2014-04-18
Last Modified: 2014-09-05
Hi,

I have installed a GoDaddy certificate on an SBS 2003 system so that I can migrate to Exchange Online.
After a nightmare getting the certificate to install, I eventually succeeded (using GoDaddy's instructions).
However, I have discovered that VPN and Remote Web Workplace (can't connect to computers or the server) no longer work.
To test, I have created 2 VPN connections on the actual server to connect to itself. If I use the local IP address it works; if I use the domain name or external IP address it doesn't connect.
VPN etc. has been working for years. It only appears to have stopped when I installed this certificate.
Any ideas?
Question by:gogsck
9 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40009933
When you say you used GoDaddy's instructions... did this involve using the SBS Console?
LVL 61

Expert Comment

by:btan
ID: 40010023
Probably a quick check on the DNS setting for the remote client: are they still pointing to internal DNS or external DNS? May be good to check out Event Viewer for a more explicit error message and the logs generated by the VPN and Exchange.

Also to note: if doing this on a public-facing Exchange (or likely the VPN cert), a server certificate subject name ending with .local (or a domain not owned by your org) will not be workable for external facing; there is work to rectify. Exchange will be impacted using the invalid domain for public facing or online. Please see here for more info:


Using a Name No Longer Valid Under New Rules
In this scenario a company uses an invalid namespace for their internal domain name, eg company.local, or uses short names such as webmail or even IP addresses for internal access to certain services, and wants to include those invalid names, short names, or IP addresses in their SSL certificate.

Domain validated certificates may therefore no longer be issued on an invalid Fully-Qualified Domain Name (eg .local).

The name of the security certificate is invalid or does not match the name of the site.

The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
The Service Connection Point object for the Autodiscover service
The InternalUrl attribute of Exchange Web Service (EWS)
The InternalUrl attribute of the Offline Address Book Web service
The InternalUrl attribute of the Exchange unified messaging (UM) Web service
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 40010038
I suspect you have 2 issues, or a router issue.

The certificate should in no way affect the SBS PPTP VPN. When you connect and it fails, what error number do you receive, such as 800, 691, 741, 721...

Are you sure you have the correct public IP and that the router port forwarding has not changed? Both of those would affect VPN and RWW. Even so, RWW should still work but receive a certificate error message, which you can choose to ignore.

If of some help, the following is a TechNet article regarding installing a 3rd-party certificate on SBS:
http://blogs.technet.com/b/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
In my experience, as Cris mentioned, you also have to run the Configure E-mail and Internet Connection wizard and on the Web Server certificate page point it to the new GoDaddy certificate.
Author Comment

by:gogsck
ID: 40010063
I tried many ways to install the certificate, including using the SBS console.
The GoDaddy instructions (similar to the link from Rob Williams but without creating a temporary site in IIS first) tell you to install the certificate in IIS, and that seemed to install OK.
I tested things with the Microsoft Remote Connectivity Analyser, which was all OK.
As the VPN wouldn't connect, I had a look at the certificate.
The certificate showed domainname.com rather than remote.domainname.com, so I tried renewing the certificate using the method in the link above, but the Microsoft Remote Connectivity Analyser then fails.
The VPN used to connect using the external IP address but no longer connects. I have tried using remote.domainname.com and that doesn't connect either.
I have checked, and port 1723 on the server says it's listening. I have checked the external port with Shields Up on the router and it is open.
I am about to start again with the certificate as it is now screwed up.
The certificate may not be the issue here, but I have never used a VPN on an SBS 2003 with an SSL certificate before. They have always used the SBS self-signed certificates.
LVL 61

Expert Comment

by:btan
ID: 40010119
Good resource if you have the error msg; see the KBs:
https://msmvps.com/blogs/ivansanders/archive/2011/12/26/using-the-remote-connectivity-analyzer-when-you-cannot-use-your-microsoft-office-365-federated-credentials-to-authenticate-microsoft-outlook-to-exchange-online.aspx

Also note that the Remote Connectivity Analyser is using its public IP and the FW should not be blocking it; likewise, the left panel lists the errors and useful hints:
http://technet.microsoft.com/en-us/library/dd439364(v=exchg.80).aspx

For the PPTP VPN, please see the steps to set it up:
http://technet.microsoft.com/en-us/library/cc738114(v=ws.10).aspx

For PPTP-based VPN connections, a certificate infrastructure is needed only when you are using either smart cards or registry-based user certificates and EAP-TLS authentication. If you are only using a password-based authentication protocol such as MS-CHAP v2, a certificate infrastructure is not required and is not used for the creation of the VPN connection.

If you need a certificate infrastructure for PPTP-based VPN connections, you must install a computer certificate on the authenticating server (the VPN server or the RADIUS server) and either a certificate on each smart card distributed to VPN client users or a user certificate on each VPN client computer.

Also the certificate requirement:
http://blogs.technet.com/b/rrasblog/archive/2009/06/10/what-type-of-certificate-to-install-on-the-vpn-server.aspx

1) Install a certificate inside the machine store (i.e. the Local Computer certificate store) of the VPN server. The key properties that you MUST ensure are set inside the machine certificate include:

Common name (CN): Same as the hostname OR IPv4/v6 address that is configured as the VPN destination on the VPN client, i.e. if the VPN client is configured with the hostname, then set this to the same hostname, OR if the VPN client is configured with the IP address, then set this to the same IP address.
Extended Key Usage (EKU): Select "Server Authentication" and "IP Security IKE intermediate".
Key Usage: Select Digital signature and Key encipherment.

Maybe SSTP via HTTPS if the FW is really giving the issues; however, it needs Windows Server 2008: http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx
Author Comment

by:gogsck
ID: 40010179
When trying to connect via VPN I am getting a 619 error.
This may well be 2 separate issues. I am waiting on GoDaddy to update the certificate at the moment but still not understanding why the VPN has stopped working. It affects all VPN clients, so it must be a server or firewall issue, though as I said the port is open and the server says it's listening.
LVL 61

Expert Comment

by:btan
ID: 40010358
Maybe good if you go through the error 619 (VPN) list, which covers quite a fair bit in isolation: http://www.vpnserverwindows7.net/vpn-error-619/

Extracted from there:
I have resolved it by explicitly setting the Type of VPN property on the Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection.
So I suggest you explicitly set the Type of VPN property to the appropriate value (probably PPTP if no certificates are used, but I suppose you already know this).
However, I found that turning OFF LCP extensions in the PPP settings of the "Options" page of the VPN adapter properties dialog has worked for me.
LVL 77

Expert Comment

by:Rob Williams
ID: 40010436
Something has changed in addition to the certificate. If it is the SBS VPN, it uses PPTP, and the certificate and IIS have no involvement whatsoever.

Can you telnet from the public side using
telnet 123.123.123.123 1723
You should get a blank screen with a flashing cursor. If you get an error or time out, something is blocking the path.

Is this a single or dual NIC SBS 2003?
Is ISA installed?
Is your public DNS set up to use remote.domainname.com?  Fine if it is, it can be anything, but the default back with SBS 2003 was servername.domainname.com.  The name used in the SBS CEICW, the certificate, and the public DNS must all be exactly the same.
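A probe that goes one step past the telnet test in the comment above, added here as an example and not code from any of the posters: it opens TCP 1723 and exchanges the PPTP Start-Control-Connection-Request/Reply (RFC 2637), so it distinguishes "port blocked" from "port open but nothing speaking PPTP" from "PPTP control channel answering". The host and port arguments are placeholders; the control channel alone does not exercise GRE, so a reply here still leaves the data path untested.

```python
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1          # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2       # Start-Control-Connection-Request / -Reply
SCC_LEN = 156             # both SCCRQ and SCCRP are fixed at 156 bytes

def build_sccrq(hostname=b"probe", vendor=b"diag"):
    """Build a Start-Control-Connection-Request (RFC 2637 section 2.1)."""
    # length, msg type, cookie, ctrl type, reserved0, version 1.0, reserved1,
    # framing caps (async|sync), bearer caps (analog|digital), max channels,
    # firmware revision, hostname[64], vendor[64] (struct null-pads the strings)
    return struct.pack("!HHIHHHHIIHH64s64s", SCC_LEN, CTRL_MESSAGE, MAGIC_COOKIE,
                       SCCRQ, 0, 0x0100, 0, 3, 3, 1, 0, hostname, vendor)

def parse_sccrp(data):
    """Parse a Start-Control-Connection-Reply; raises ValueError if it is not one."""
    if len(data) < SCC_LEN:
        raise ValueError("short PPTP control message (%d bytes)" % len(data))
    (_length, msg_type, cookie, ctrl_type, _res0, version, result, error,
     _fcaps, _bcaps, _maxch, _fw, host, vendor) = struct.unpack(
        "!HHIHHHBBIIHH64s64s", data[:SCC_LEN])
    if cookie != MAGIC_COOKIE or msg_type != CTRL_MESSAGE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    return {"version": "%d.%d" % (version >> 8, version & 0xFF),
            "result_code": result, "error_code": error,   # result 1 = success
            "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
            "ok": result == 1}

def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Returns ('closed', why) if TCP fails (what a failed telnet shows),
    ('silent', why) if TCP opens but no valid SCCRP comes back, or
    ('pptp', info) when the server answers as a PPTP control endpoint."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "closed", str(exc)
    reply = b""
    with sock:
        try:
            sock.sendall(build_sccrq())
            while len(reply) < SCC_LEN:
                chunk = sock.recv(SCC_LEN - len(reply))
                if not chunk:
                    break
                reply += chunk
        except OSError as exc:
            return "silent", str(exc)
    try:
        return "pptp", parse_sccrp(reply)
    except ValueError as exc:
        return "silent", str(exc)
```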
Author Comment

by:gogsck
ID: 40306225
It was a router issue. Had to configure the user on the router.