Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 422
  • Last Modified:

sbs 2003 VPN will not connect after installing cert

Hi,

I have installed a Godadddy certificate on an SBS 2003 system so that I can migrate to Exchange Online.
After a nightmare getting the certificate to install. I eventually succeeded (using Godaddy's instructions).
However I have discovered that VPN and Remote Web Workplace (can't connect to computers or server) no longer work.
To test I have created 2 VPN connections on the actual server to connect to its self. If I use the local IP address it works if I use the domain name or external IP address it doesn't connect.
VPN etc has been working for years.  It only appears to have stopped when I installed this certificate.
Any ideas?
0
gogsck
Asked:
gogsck
  • 3
  • 3
  • 2
  • +1
1 Solution
 
Cris HannaCommented:
When you say you used Godaddy's instructions...did this involve using the SBS Console?
0
 
btanExec ConsultantCommented:
probably quick check on the DNS setting for the remote client and are they still pointing to internal DNS or external DNS. may be good to check out event viewer for more explicit error message and logs generated by the VPN and Exchange.

Also to note if doing on public facing Exchange (or likely VPN cert), the subject name of the server certificate ending with .local (or domain not owned by your org) will not be workable for external facing, there is work to rectify. Exchange will be impacted using the invalid domain for public facing or online - pls see here for more info


Using a Name No Longer Valid Under New Rules
In this scenario a company uses an invalid namespace for their internal domain name, eg company.local, or uses short names such as webmail or even IP addresses for internal access to certain services, and wants to include those invalid names, short names, or IP addresses in their SSL certificate.

Domain validated certificates may therefore no longer be issued on an invalid Fully-Qualified Domain Name (eg .local).

The name of the security certificate is invalid or does not match the name of the site.

The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
The Service Connection Point object for the Autodiscover service
The InternalUrl attribute of Exchange Web Service (EWS)
The InternalUrl attribute of the Offline Address Book Web service
The InternalUrl attribute of the Exchange unified messaging (UM) Web service
0
 
Rob WilliamsCommented:
I suspect you have 2 issues, or a router issue.

The certificate should in no way affect the SBS PPTP VPN.  When you connect and it fails what error number do you receive, such as 800, 691, 741, 721...

Are you sure you have the correct public IP and that the router port forwarding has not changed?  Both of those would affect VPN and RWW.  Even RWW should still work but receive a certificate error message which you can choose to ignore.

If of some help, the following is a TechNet article regarding installing a 3rd party certificate on SBS.
http://blogs.technet.com/b/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
In my experience, as Cris mentioned, you also have to run the Configure E-mail and Internet Connection wizard and on the Web Server certificate page point it to the new GoDaddy certificate.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
gogsckAuthor Commented:
I tried many ways to install the certificate including using the SBS console.
The Godaddy instructions (similar to the link from Rob Will but without creating a temporary site in IIS first) tell you to install the certificate in IIS and that  seemed to install ok .
 I tested things with the Microsoft Remote Connectivity Analyser which was all ok.
As the VPN wouldn't connect I had a look at the certificate.
The certificate showed the domainname.com rather than remote.domainname.com so I tried renewing the certificate using the method in the link above but Microsoft Remote Connectivity Analyser then fails.
The VPN used to connect using the external IP address but no longer connects. I have tried using remote.domainname.com and that doesn't connect either,
I have checked and port 1723 on the server says its listening I have checked the external port with Shields Up on the router and it is open.
I am about to start again with the certificate as it is now screwed up.
The certificate may not be the issue here but I have never used a VPN on a SBS 2003 with a SSL certificate before. They have always used the SBS self signed certificates.
0
 
btanExec ConsultantCommented:
Good resource if you have the error msg, see the kbs
https://msmvps.com/blogs/ivansanders/archive/2011/12/26/using-the-remote-connectivity-analyzer-when-you-cannot-use-your-microsoft-office-365-federated-credentials-to-authenticate-microsoft-outlook-to-exchange-online.aspx

also note that remote analyser is using this public ip and FW should not be blocking, likewise the left panel list the errors and useful hints
http://technet.microsoft.com/en-us/library/dd439364(v=exchg.80).aspx

for the pptp VPN, pls see the steps to setup
http://technet.microsoft.com/en-us/library/cc738114(v=ws.10).aspx

For PPTP-based VPN connections, a certificate infrastructure is needed only when you are using either smart cards or registry-based user certificates and EAP-TLS authentication. If you are only using a password-based authentication protocol such as MS-CHAP v2, a certificate infrastructure is not required and is not used for the creation of the VPN connection.

If you need a certificate infrastructure for PPTP-based VPN connections, you must install a computer certificate on the authenticating server (the VPN server or the RADIUS server) and either a certificate on each smart card distributed to VPN client users or a user certificate on each VPN client computer.

Also the certificate requirement
http://blogs.technet.com/b/rrasblog/archive/2009/06/10/what-type-of-certificate-to-install-on-the-vpn-server.aspx

1) Install a certificate inside machine store (i.e. Local Computer certificate store) of the VPN server. The key properties that you MUST ensure are set inside the machine certificate includes:

Common name (CN): Same as the hostname OR IPv4/v6 address that is configured as VPN destination on the VPN client. i.e. if the VPN client is configured with the hostname, then set this as same hostname OR if the VPN client is configured with the IP address, then set this as same IP address.
Extended Key Usage (EKU):  Select “Server Authentication” and “IP Security IKE intermediate”.
Key Usage: Select Digital signature and Key encipherment.

maybe SSTP via https if FW is really giving the issues, however it needs Windows Server 2008 http://technet.microsoft.com/en-us/library/cc731352(v=ws.10).aspx
0
 
gogsckAuthor Commented:
When trying to connect via VPN I am getting a 619 error.
This may well be 2 separate issues. I am waiting on godaddy to update the certificate at the moment but still not understanding why the VPN has stopped working. It affects all VPN clients so it must be a server or firewall issue though as I said the port is open and the server says its listening.
0
 
btanExec ConsultantCommented:
Maybe good if you go through the issue 619 (vpn) list which is covering quite a fair bits in isolation. http://www.vpnserverwindows7.net/vpn-error-619/

Extracted from here
I have resolved it by explicitly setting the Type of VPN property on Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection.
So I suggest you explicitly set the Type of VPN property to the appropriate value (probably PPTP if no certificates are used but I suppose you already know this).
However found that turning OFF LCP extentions in PPP settings of the "options" page of the VPN adapter properties dialog has worked for me.
0
 
Rob WilliamsCommented:
Something has changed in addition to the certificate.  If it is the SBS VPN, it uses PPTP and the certificate and IIS have no involvement whatsoever.

Can you telnet from the public side using
telnet 123.123.123.123  1723
You should get a blank screen with a flashing curser.  If you get an error or time out, something is blocking the path.

Is this a single or dual NIC SBS 2003?
Is ISA installed?
Is your public DNS set up to use remote.domainname.com?  Fine if it is, it can be anything, but the default back with SBS 2003 was servername.domainname.com.  The name used in the SBS CEICW, the certificate, and the public DNS must all be exactly the same.
0
 
gogsckAuthor Commented:
It was a Router issue. had to configure the user on the router
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 3
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now