gogsck asked:
SBS 2003 VPN will not connect after installing cert

Hi,

I have installed a GoDaddy certificate on an SBS 2003 system so that I can migrate to Exchange Online.
After a nightmare getting the certificate to install, I eventually succeeded (using GoDaddy's instructions).
However I have discovered that VPN and Remote Web Workplace (can't connect to computers or server) no longer work.
To test I have created 2 VPN connections on the actual server to connect to itself. If I use the local IP address it works; if I use the domain name or external IP address it doesn't connect.
VPN etc. has been working for years. It only appears to have stopped when I installed this certificate.
Any ideas?
Cris Hanna:

When you say you used Godaddy's instructions...did this involve using the SBS Console?
btan:

Probably do a quick check on the DNS setting for the remote client: are they still pointing to internal DNS or external DNS? It may be good to check the Event Viewer for a more explicit error message and the logs generated by the VPN and Exchange.

Also to note, if doing this on a public-facing Exchange (or likely the VPN cert), a server certificate subject name ending with .local (or a domain not owned by your org) will not be workable for external facing; there is work to rectify. Exchange will be impacted using the invalid domain for public facing or online. Please see here for more info:

Using a Name No Longer Valid Under New Rules
In this scenario a company uses an invalid namespace for their internal domain name, eg company.local, or uses short names such as webmail or even IP addresses for internal access to certain services, and wants to include those invalid names, short names, or IP addresses in their SSL certificate.

Domain validated certificates may therefore no longer be issued on an invalid Fully-Qualified Domain Name (eg .local).

The name of the security certificate is invalid or does not match the name of the site.

The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
The Service Connection Point object for the Autodiscover service
The InternalUrl attribute of Exchange Web Service (EWS)
The InternalUrl attribute of the Offline Address Book Web service
The InternalUrl attribute of the Exchange unified messaging (UM) Web service
ASKER CERTIFIED SOLUTION
Rob Williams:
(This solution is only available to members of Experts Exchange.)
gogsck (asker):

I tried many ways to install the certificate, including using the SBS console.
The GoDaddy instructions (similar to the link from Rob Williams but without creating a temporary site in IIS first) tell you to install the certificate in IIS, and that seemed to install OK.
I tested things with the Microsoft Remote Connectivity Analyzer, which was all OK.
As the VPN wouldn't connect I had a look at the certificate.
The certificate showed domainname.com rather than remote.domainname.com, so I tried renewing the certificate using the method in the link above, but the Microsoft Remote Connectivity Analyzer then fails.
The VPN used to connect using the external IP address but no longer connects. I have tried using remote.domainname.com and that doesn't connect either.
I have checked and port 1723 on the server says it's listening; I have checked the external port with Shields Up on the router and it is open.
I am about to start again with the certificate as it is now screwed up.
The certificate may not be the issue here, but I have never used a VPN on an SBS 2003 with an SSL certificate before. They have always used the SBS self-signed certificates.

Good resource if you have the error message; see the KBs:
https://msmvps.com/blogs/ivansanders/archive/2011/12/26/using-the-remote-connectivity-analyzer-when-you-cannot-use-your-microsoft-office-365-federated-credentials-to-authenticate-microsoft-outlook-to-exchange-online.aspx

Also note that the remote analyzer is using this public IP and the FW should not be blocking it; likewise the left panel lists the errors and useful hints:
http://technet.microsoft.com/en-us/library/dd439364(v=exchg.80).aspx

For the PPTP VPN, please see the steps to set it up:
http://technet.microsoft.com/en-us/library/cc738114(v=ws.10).aspx

For PPTP-based VPN connections, a certificate infrastructure is needed only when you are using either smart cards or registry-based user certificates and EAP-TLS authentication. If you are only using a password-based authentication protocol such as MS-CHAP v2, a certificate infrastructure is not required and is not used for the creation of the VPN connection.

If you need a certificate infrastructure for PPTP-based VPN connections, you must install a computer certificate on the authenticating server (the VPN server or the RADIUS server) and either a certificate on each smart card distributed to VPN client users or a user certificate on each VPN client computer.

Also the certificate requirement:
http://blogs.technet.com/b/rrasblog/archive/2009/06/10/what-type-of-certificate-to-install-on-the-vpn-server.aspx

1) Install a certificate inside machine store (i.e. Local Computer certificate store) of the VPN server. The key properties that you MUST ensure are set inside the machine certificate includes:

Common name (CN): Same as the hostname OR IPv4/v6 address that is configured as VPN destination on the VPN client. i.e. if the VPN client is configured with the hostname, then set this as same hostname OR if the VPN client is configured with the IP address, then set this as same IP address.
Extended Key Usage (EKU): Select “Server Authentication” and “IP Security IKE intermediate”.
Key Usage: Select Digital signature and Key encipherment.

Maybe SSTP via HTTPS if the FW is really giving the issues; however, it needs Windows Server 2008:
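The three certificate properties quoted above (CN, EKU, Key Usage) are easy to get wrong when a certificate was issued for a web site rather than for a VPN server, so here is an added PowerShell check for them. It is not code from this thread or from the linked RRAS blog; it assumes a PowerShell host with .NET, a certificate read either from the Local Computer personal store or from an exported .cer file, and an -ExpectedName equal to whatever the VPN clients dial (the value 'remote.domainname.com' below is the placeholder used in this thread). As the TechNet text quoted earlier says, this only matters when certificates actually take part in the VPN (EAP-TLS, smart cards, or a certificate-based tunnel such as SSTP); for PPTP with MS-CHAP v2 the certificate is not used at all.

```powershell
# Added example (not from the thread or the linked blog): check a VPN server's machine
# certificate against the CN / EKU / Key Usage requirements listed above.
function Test-VpnServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,

        # Hostname or IPv4/v6 address configured as the VPN destination on the client
        [Parameter(Mandatory = $true)]
        [string] $ExpectedName
    )

    # 1. Common name (or a SAN entry) must equal the name or address the client dials.
    $cn = if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() } else { '' }
    $sanExt  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }   # one "DNS Name=..." / "IP Address=..." per line
    $escaped = [regex]::Escape($ExpectedName)
    $nameOk  = ($cn -ieq $ExpectedName) -or ($sanText -imatch "(?m)=$escaped\s*$")

    # 2. Extended Key Usage must include Server Authentication and IP security IKE intermediate.
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $serverAuthOk = $ekuOids -contains '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ikeIntermOk  = $ekuOids -contains '1.3.6.1.5.5.8.2.2'   # IP security IKE intermediate

    # 3. Key Usage must include Digital Signature and Key Encipherment.
    $kuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    $keyEnc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
    $digSigOk = [bool]$kuExt -and (($kuExt.KeyUsages -band $digSig) -ne 0)
    $keyEncOk = [bool]$kuExt -and (($kuExt.KeyUsages -band $keyEnc) -ne 0)

    # Two extra checks a VPN server certificate also has to pass: a usable private key
    # in the machine store and a current validity period.
    $now     = Get-Date
    $validOk = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)

    [pscustomobject]@{
        Subject               = $Certificate.Subject
        Thumbprint            = $Certificate.Thumbprint
        NameMatchesDial       = $nameOk
        HasServerAuthEku      = $serverAuthOk
        HasIkeIntermediateEku = $ikeIntermOk
        HasDigitalSignatureKu = $digSigOk
        HasKeyEnciphermentKu  = $keyEncOk
        HasPrivateKey         = $Certificate.HasPrivateKey
        WithinValidityPeriod  = $validOk
        MeetsVpnRequirements  = ($nameOk -and $serverAuthOk -and $ikeIntermOk -and $digSigOk -and
                                 $keyEncOk -and $Certificate.HasPrivateKey -and $validOk)
    }
}

# Usage: evaluate every certificate in the Local Computer personal store against the name
# clients dial ('remote.domainname.com' is the placeholder used in this thread).
# An exported file can be checked the same way:
#   $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\server.cer'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-VpnServerCertificate -Certificate $_ -ExpectedName 'remote.domainname.com' } |
    Format-List
```

The name check deliberately compares against what the client dials rather than against the server's own hostname, because, as the blog excerpt says, those two only have to agree with each other: a certificate for domainname.com will fail this check for clients configured with remote.domainname.com, which is exactly the mismatch the asker noticed.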
gogsck (asker):

When trying to connect via VPN I am getting a 619 error.
This may well be 2 separate issues. I am waiting on GoDaddy to update the certificate at the moment, but I still don't understand why the VPN has stopped working. It affects all VPN clients, so it must be a server or firewall issue, though as I said the port is open and the server says it's listening.
Maybe good if you go through the issue 619 (VPN) list, which covers quite a fair bit in isolation: http://www.vpnserverwindows7.net/vpn-error-619/

Extracted from here:
I have resolved it by explicitly setting the Type of VPN property on Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection.
So I suggest you explicitly set the Type of VPN property to the appropriate value (probably PPTP if no certificates are used but I suppose you already know this).
However, I found that turning OFF LCP extensions in the PPP settings of the "Options" page of the VPN adapter properties dialog has worked for me.

Something has changed in addition to the certificate. If it is the SBS VPN, it uses PPTP and the certificate and IIS have no involvement whatsoever.

Can you telnet from the public side using:

    telnet 123.123.123.123 1723

You should get a blank screen with a flashing cursor. If you get an error or time out, something is blocking the path.

Is this a single or dual NIC SBS 2003?
Is ISA installed?
Is your public DNS set up to use remote.domainname.com?  Fine if it is, it can be anything, but the default back with SBS 2003 was servername.domainname.com.  The name used in the SBS CEICW, the certificate, and the public DNS must all be exactly the same.
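The telnet test above, as an added PowerShell function with an explicit timeout, so it can be run from a client that has no telnet client installed and gives a result that distinguishes "filtered" from "refused". This is not code from the thread; it assumes only .NET, and the address 123.123.123.123 is the placeholder used in the reply above.

```powershell
# Added example (not from the thread): the "telnet <ip> 1723" reachability test as a
# function. A completed TCP handshake is the equivalent of telnet's blank screen.
function Test-PptpListener {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Server,          # public IP or DNS name of the SBS VPN server
        [int]    $Port = 1723,     # PPTP control connection port
        [int]    $TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $result = [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $false; Detail = '' }
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK within the timeout: a firewall or router is dropping the
            # packets, or there is no route to the host (telnet "times out" here).
            $result.Detail = "timed out after $TimeoutMs ms (filtered by a firewall/router, or no route)"
        } else {
            $client.EndConnect($async)    # throws if the host answered with a reset
            $result.Reachable = $true
            $result.Detail = 'TCP handshake completed; the listener on this port is reachable'
        }
    } catch {
        # A reset means the packets arrive but nothing is listening there: RRAS stopped,
        # or the router forwards 1723 to the wrong internal address.
        $result.Detail = "connection failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Close()
    }
    return $result
}

# Usage from outside the LAN, the same check as "telnet 123.123.123.123 1723"
# (placeholder address from the reply above):
Test-PptpListener -Server '123.123.123.123'
```

Two caveats when reading the result: run it from the public side, since an internal client reaching 1723 says nothing about the router; and a completed handshake on TCP 1723 only proves the PPTP control channel. PPTP also carries its tunnel traffic over GRE (IP protocol 47), which a plain TCP test cannot exercise, so error 619 with port 1723 open still points at the router or firewall rather than at the certificate.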
gogsck (asker):

It was a router issue. I had to configure the user on the router.