sbs 2003 VPN will not connect after installing cert

Posted on 2014-04-18
Last Modified: 2014-09-05

I have installed a Godadddy certificate on an SBS 2003 system so that I can migrate to Exchange Online.
After a nightmare getting the certificate to install. I eventually succeeded (using Godaddy's instructions).
However I have discovered that VPN and Remote Web Workplace (can't connect to computers or server) no longer work.
To test I have created 2 VPN connections on the actual server to connect to its self. If I use the local IP address it works if I use the domain name or external IP address it doesn't connect.
VPN etc has been working for years.  It only appears to have stopped when I installed this certificate.
Any ideas?
Question by:gogsck
  • 3
  • 3
  • 2
  • +1
LVL 35

Expert Comment

by:Cris Hanna
ID: 40009933
When you say you used Godaddy's instructions...did this involve using the SBS Console?
LVL 63

Expert Comment

ID: 40010023
probably quick check on the DNS setting for the remote client and are they still pointing to internal DNS or external DNS. may be good to check out event viewer for more explicit error message and logs generated by the VPN and Exchange.

Also to note if doing on public facing Exchange (or likely VPN cert), the subject name of the server certificate ending with .local (or domain not owned by your org) will not be workable for external facing, there is work to rectify. Exchange will be impacted using the invalid domain for public facing or online - pls see here for more info

Using a Name No Longer Valid Under New Rules
In this scenario a company uses an invalid namespace for their internal domain name, eg company.local, or uses short names such as webmail or even IP addresses for internal access to certain services, and wants to include those invalid names, short names, or IP addresses in their SSL certificate.

Domain validated certificates may therefore no longer be issued on an invalid Fully-Qualified Domain Name (eg .local).

The name of the security certificate is invalid or does not match the name of the site.

The common name on the replacement certificate does not match the fully qualified domain name (FQDN) of the URL that is stored in the following objects:
The Service Connection Point object for the Autodiscover service
The InternalUrl attribute of Exchange Web Service (EWS)
The InternalUrl attribute of the Offline Address Book Web service
The InternalUrl attribute of the Exchange unified messaging (UM) Web service
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 40010038
I suspect you have 2 issues, or a router issue.

The certificate should in no way affect the SBS PPTP VPN.  When you connect and it fails what error number do you receive, such as 800, 691, 741, 721...

Are you sure you have the correct public IP and that the router port forwarding has not changed?  Both of those would affect VPN and RWW.  Even RWW should still work but receive a certificate error message which you can choose to ignore.

If of some help, the following is a TechNet article regarding installing a 3rd party certificate on SBS.
In my experience, as Cris mentioned, you also have to run the Configure E-mail and Internet Connection wizard and on the Web Server certificate page point it to the new GoDaddy certificate.
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.


Author Comment

ID: 40010063
I tried many ways to install the certificate including using the SBS console.
The Godaddy instructions (similar to the link from Rob Will but without creating a temporary site in IIS first) tell you to install the certificate in IIS and that  seemed to install ok .
 I tested things with the Microsoft Remote Connectivity Analyser which was all ok.
As the VPN wouldn't connect I had a look at the certificate.
The certificate showed the rather than so I tried renewing the certificate using the method in the link above but Microsoft Remote Connectivity Analyser then fails.
The VPN used to connect using the external IP address but no longer connects. I have tried using and that doesn't connect either,
I have checked and port 1723 on the server says its listening I have checked the external port with Shields Up on the router and it is open.
I am about to start again with the certificate as it is now screwed up.
The certificate may not be the issue here but I have never used a VPN on a SBS 2003 with a SSL certificate before. They have always used the SBS self signed certificates.
LVL 63

Expert Comment

ID: 40010119
Good resource if you have the error msg, see the kbs

also note that remote analyser is using this public ip and FW should not be blocking, likewise the left panel list the errors and useful hints

for the pptp VPN, pls see the steps to setup

For PPTP-based VPN connections, a certificate infrastructure is needed only when you are using either smart cards or registry-based user certificates and EAP-TLS authentication. If you are only using a password-based authentication protocol such as MS-CHAP v2, a certificate infrastructure is not required and is not used for the creation of the VPN connection.

If you need a certificate infrastructure for PPTP-based VPN connections, you must install a computer certificate on the authenticating server (the VPN server or the RADIUS server) and either a certificate on each smart card distributed to VPN client users or a user certificate on each VPN client computer.

Also the certificate requirement

1) Install a certificate inside machine store (i.e. Local Computer certificate store) of the VPN server. The key properties that you MUST ensure are set inside the machine certificate includes:

Common name (CN): Same as the hostname OR IPv4/v6 address that is configured as VPN destination on the VPN client. i.e. if the VPN client is configured with the hostname, then set this as same hostname OR if the VPN client is configured with the IP address, then set this as same IP address.
Extended Key Usage (EKU):  Select “Server Authentication” and “IP Security IKE intermediate”.
Key Usage: Select Digital signature and Key encipherment.

maybe SSTP via https if FW is really giving the issues, however it needs Windows Server 2008

Author Comment

ID: 40010179
When trying to connect via VPN I am getting a 619 error.
This may well be 2 separate issues. I am waiting on godaddy to update the certificate at the moment but still not understanding why the VPN has stopped working. It affects all VPN clients so it must be a server or firewall issue though as I said the port is open and the server says its listening.
LVL 63

Expert Comment

ID: 40010358
Maybe good if you go through the issue 619 (vpn) list which is covering quite a fair bits in isolation.

Extracted from here
I have resolved it by explicitly setting the Type of VPN property on Security tab to Point to Point Tunneling Protocol (PPTP). It seems that when this property is set to Automatic the WAN Miniport defaults to IKEv2 (and gets stuck if this is not the VPN type used). You can both observe and change this for any VPN connection by going to Control Panel > Network and Internet > Network Connection.
So I suggest you explicitly set the Type of VPN property to the appropriate value (probably PPTP if no certificates are used but I suppose you already know this).
However found that turning OFF LCP extentions in PPP settings of the "options" page of the VPN adapter properties dialog has worked for me.
LVL 77

Expert Comment

by:Rob Williams
ID: 40010436
Something has changed in addition to the certificate.  If it is the SBS VPN, it uses PPTP and the certificate and IIS have no involvement whatsoever.

Can you telnet from the public side using
telnet  1723
You should get a blank screen with a flashing curser.  If you get an error or time out, something is blocking the path.

Is this a single or dual NIC SBS 2003?
Is ISA installed?
Is your public DNS set up to use  Fine if it is, it can be anything, but the default back with SBS 2003 was  The name used in the SBS CEICW, the certificate, and the public DNS must all be exactly the same.

Author Comment

ID: 40306225
It was a Router issue. had to configure the user on the router

Featured Post

Don't miss ATEN at NAB Show April 24-27!

Visit ATEN at NAB Show to learn how our "Seamlessly Entertaining" solutions deliver fast, precise video streaming without delays for the broadcasting and media environment. ATEN will showcase its 16x16 Modular Matrix Switch (VM1600) and KVM Over IP Solution (KE6900 series).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco VPN client v5 migration to Anyconnect VPN? 8 61
Admin Certificates in my browser 2 40
aes256 Ransomware on SBS 2011 13 50
SSL VPN to Fortigate 100D 2 18
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question