Q: Detailed 'How To' PPTN tunnel a VPN connection via the Internet (No Answer, 0 Comments)
Question  
Subject: Detailed 'How To' PPTN tunnel a VPN connection via the Internet
Category: Computers > Internet
Asked by: networkwannabe-ga
List Price: $65.00
Posted: 01 Sep 2002 21:02 PDT
Expires: 10 Sep 2002 22:49 PDT
Question ID: 60827
Tomorrow, Monday, I have to go into the office and configure our
Windows 2000 Server (SP3) (running Exchange Server 2000 too) to permit
the boss to connect to it via the internet using VPN from his Win2000
home computer.  He wants access to his Exchange client, files stored
on his user-name only directory and to print to the in-office
printers.  I need a How-To in a hurry.  Can you help?

Clarification of Question by networkwannabe-ga on 01 Sep 2002 21:05 PDT
I know I have to install a dedicated network card and will begin
there.  The server is running Active Directory and has RAS setup...not
sure if it is configured properly.

Request for Question Clarification by alienintelligence-ga on 01 Sep 2002 23:25 PDT
Hi net...

Would you mind telling us in detail what
your current setup is. Let us know about
things that may seem trivial (corporate
firewalls, etc) 

Tell us of any black boxes where all
the wires go, maybe hidden in the basement.

Tell us about searches you have already done. 

Things you are already familiar with...

Are these computers "fresh installs"?

If not, what kind of user software has
been installed that might stymie our
ability to network? 

What is the state of the network currently?

What is the speed of all internet connections?

Anything else connected to this ambiguous Win2k
SP3 server with Exchange?

Have you already tried to do the setup? (are
we going to have to fight a bad install?)

Might as well tell us what type (brand, speed,
processor, memory, accessories) each of the
computers are. Sometimes some 'namebrand' I
won't mention WHICH brand... computers are
rather, ornery to work with due to proprietary
parts.

What time tomorrow (Monday) ?


thanks,

-AI

Clarification of Question by networkwannabe-ga on 02 Sep 2002 07:32 PDT
Hey AI, thanks for the response.  Perhaps there's hope for this yet
:-)!

FYI, I have some familiarity with this network.  Up until July 02, it
was 15 Windows 2000 users running MS Exchange 5.0 from a single Acer
PII-400Mhz Nt4 server.  After much urging on my part, a new setup was
purchased from Dell.  New Precision workstations were purchased; all
with Win2000 o/s and Office XP.  A new Dell Poweredge 1400C server was
purchased.  It's got twin 20 Gb SCSI drives and 512 Mb RAM.  A single
NIC, to which I believe I have to add a second to make this work.  It
runs Windows 2000 Server and Exchange Server 2000.  Other software
includes Veritas Backup that I installed (that still does not work
properly for some reason).

So this new Dell box is the Primary domain controller.  There is
another server that shares its 3 printers and therefore is called the
print server...but sharing printers does not a print server make. 
This box is in the same domain forest as the Dell.  It's a clone
P3-866Mhz with a Gb of RAM and a 40 Mb HD.  It too is running win2000
Server.  Nothing else installed.

Active directory remains a mystery to me as before, when I set
up/deleted users with NT4, it was quite simple.  Now, I have to use
the Active Directory user management function.  For example, the
printers that are shared on the other server do not appear in the
'directory' area of the network neighborhood.  They still appear as
shared printers off of the server.  The directory is empty, actually
and I think this is perhaps not the way Active directory is supposed
to work.

The network setup is as follows:  From the internet, there's a 3-com
ADSL modem hooked up to a 1500 kbps connection.  The ISP provides
reasonable speed as tested at dslreports.com with results consistently
between 1100 and 1350 kbps.  The next box is a Netopia N9100 8 port
router that hooks up to the modem.  It provides our WAN router
firewall and is set as the DHCP server.  The Dell and the Clone server
are plugged directly into this Netopia box.  There are two 16 port
Paradyne hubs that connect to two of the other ports on the Netopia. 
(I am working on getting the funds freed up to convert these to Cisco
or someone's full duplex switches as I believe it will speed things
up dramatically on the LAN).

With regard to my prior attempts to complete this project, the only
thing I've done is to use the wizard to enable the Routing and Remote
Access service.  I followed the steps up to the point that it wanted
to know which connection would be used for the service.  There was
only the one NIC installed and I selected it but the wizard said that
it could not use the 'last' connection available.  I took that to be
Microsoft-speak for gotta add another NIC for this service.

I can't think of much else to tell regarding your requested info but
am literally monitoring my laptop for your response.  And as far as
what time Monday?  How about now. I look forward to your response.
Answer  
There is no answer at this time.

The following answer was rejected by the asker (they received a refund for the question).
Subject: Re: Detailed 'How To' PPTN tunnel a VPN connection via the Internet
Answered By: alienintelligence-ga on 02 Sep 2002 08:16 PDT
 
Hi net...


Circumstances can exist that make a network
setup go as smooth as cobblestones. I've seen it all.
I will post an answer that I hope is well-rounded
enough to allow you to get things set up. I know you
need it today (Monday) but I hope you allowed
at least an entire day for troubleshooting, etc.
I also hope you allowed some time for reading.
You did ask for a detailed "how to". I couldn't
paste more of the info from the links here; we 
cannot duplicate documents in their entirety.

There are several links that are chock full of
possible new terms and concepts. I have tried to
provide additional links to clarify them. 

This answer will presume you have a working network
connection to the internet at both the office 
and your boss' home. It sounds like the rest of
the hardware, such as computers are up to the task.


!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!-!


The best documents I found regarding VPN and
Windows 2000, come from Microsoft themselves.
[ http://www.microsoft.com/windows2000/technologies/communications/vpn/default.asp
]


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


Here is a VPN FAQ from Microsoft:
[ http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/vpnfaq.asp
]

With interesting parts such as:

Q.  Where can I find information on deploying Windows 
    2000 remote access VPNs? 
A.  See the Windows 2000 white paper, "Virtual Private 
    Networking with Windows 2000: Deploying Remote Access 
    VPNs" and the Windows 2000 Resource Kit Deployment Lab 
    Scenarios: "Connecting Remote Users Across the Internet 
    Using PPTP", "Connecting Remote Users Across the Internet 
    Using L2TP". 
 
 -and-
 
Q.  How do I configure my firewalls to allow Microsoft 
    VPN traffic? 
A.  PPTP traffic uses TCP port 1723 to create and maintain 
    the connection and IP protocol 47 to send data. L2TP/IPSec 
    traffic uses UDP port 500 to create and maintain the connection 
    and IP protocol 50 to send data. Configure your firewall to allow
    these types of traffic to and from your VPN server.
 
 -and-
 
Q.  Why do my VPN connections work from some locations 
    and not others?    
A.  The Internet service provider (ISP) that you are 
    using at the time of the connection may be blocking 
    specific types of TCP/IP traffic that are preventing 
    VPN connectivity. For example, PPTP traffic uses TCP 
    port 1723 to create the connection and IP protocol 47 
    to send data. L2TP/IPSec traffic uses UDP port 500 
    to create the connection and IP protocol 50 to send 
    data.
    Your VPN traffic may also be blocked by a NAT. For 
    PPTP connections, ensure that the NAT has a PPTP 
    editor that can properly map PPTP data traffic. 
    For L2TP/IPSec connections, ensure that the NAT 
    supports a single IPSec connection.
 


Connecting Remote Users Across the Internet Using PPTP
[ http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/ras03_connectremoteusersacrossinternetusingpptp.asp
]

Caution
The procedures that we used to configure the 
computers and devices in our scenario are 
presented here as an example; the actual steps 
required to configure similar computers and 
devices in your own network will be different. 
Also, this scenario shows only the procedures 
necessary for the scenario to work. It does not 
cover other procedures that are required in a 
production network.


This scenario shows how you can connect remote access users to a
corporate intranet across the Internet, by using the Point-to-Point
Tunneling Protocol (PPTP).
In this scenario, the objectives are as follows:
-To provide a way for employees to connect to the
corporate intranet from roving or fixed locations over
the Internet.
-To provide automated address and name resolution
configuration during the connection process.
-To provide efficient installation of client software
with single-click remote client access to the network.
-To ensure a high level of security while maintaining
compatibility with non-Windows 2000 client computers.
-To create centralized authentication, authorization, and
accounting.
-To provide custom phone books with multiple points of
presence (POPs) and automatic updates.

Setup Instructions
To create a PPTP-based remote access VPN connection from
the portable computer over the Internet to the Reskit.com
intranet, we completed the following tasks:

-Configuration of the domain controller
-Configuration of the Internet Authentication Service
server
-Configuration of the remote access server as a VPN
server
-Configuration of the Connection Point Services server
-Creation of the phone book
-Posting of the phone book
-Creation of the Connection Manager service profile
-Installation of the Connection Manager service profile
on the portable computer
-Initiation of the VPN connection


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


Internet Authentication Service
[ http://www.microsoft.com/windows2000/technologies/communications/ias/default.asp
]
The Microsoft Windows 2000 Server family includes the 
Internet Authentication Service (IAS), the Microsoft 
implementation of a Remote Authentication Dial-In User 
Service (RADIUS) server.


IAS Whitepaper - lots of reading
[ http://www.microsoft.com/windows2000/docs/IAS.doc ]


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


You will have to configure the Routing and
Remote Access for the VPN connection if not
already done.

Description of Remote Access Wizards
[ http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q256644& ]


Setting up a PPTP VPN Server in Windows 2000
[ http://www.i386.com/Default.asp?page=docs/comms-vpnw2k.htm&category=comms&id=970
]
Open the MMC and add the snap-in Routing and Remote 
Server. Next add server to install and configure RRAS 
(as shown).
First thing is configure the ports, decide whether 
to use PPTP or L2TP. In this example L2TP is disabled 
(as shown)
It is recommended to use only the MS-CHAP v2 method of 
authentication; other methods are far too weak to use 
as an Internet VPN solution.


HOW TO: Set Up Remote Access for an Intranet in Windows 2000
[ http://support.microsoft.com/default.aspx?scid=KB;EN-US;q301193& ]

[ http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc110900/wcblurb110900.asp
]


Configuring the Routing and Remote Access Service in Windows 2000 
[ http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0601.asp
]
Configuring remote access, virtual private network, or
routing settings can be a difficult task. Fortunately, you
can use the Routing and Remote Access Server Setup Wizard
in Windows 2000 Server to simplify configuration of the
Routing and Remote Access service based on a
pre-determined role. The Routing and Remote Access Server
Setup Wizard provides the following configuration options:

-Internet connection server
-Remote access server
-Virtual private network (VPN) server
-Network router
-Manually configured router


Routing and Remote Access Server Stops Authenticating Dial-Up
Networking Clients
[ http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q227747& ]


I'm not sure how your boss will be connecting from
his home computer... if it's ADSL, here is a link:
[ http://www.i386.com/Default.asp?page=docs/comms-adslw2k.htm&category=COMMS&keyword=&id=868
]
Installing an ADSL connection under Windows 2000 
is the easiest, as it already has built-in 
support for it.  
Post ADSL installation.
Before installation, ensure that you have a working 
NIC installed with an RJ-45 connector. You don't 
need to give it an IP address unless your ISP has 
advised you so. 


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


This link details the necessary steps to get a
VPN connection set up on both the server and
client sides.
[ http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q257333& ]
This article describes how to configure Windows 2000
Professional to Windows 2000 Professional virtual private
network (VPN) connections. Prior to Windows 2000
Professional, Microsoft did not offer the ability to
connect two client computers over a VPN connection.
Previous versions of Windows required you to add the
Point-to-Point Tunneling Protocol (PPTP) on Windows NT 4.0
Server to establish VPN connections. With the release of
Windows 2000 Professional, Microsoft offers the ability to
connect two clients that run Windows 2000 Professional by
using VPN technology. Windows 2000 Professional enables
only one VPN connection at a time and requires Internet
Protocol (IP).

Before you start the configuration, ensure that the
following preparations have been made on the Windows 2000
Professional-based computer:

-If you use dial-up equipment to connect to the Internet,
install your dial-up equipment (for example, your modem or
Integrated Services Digital Network [ISDN] adapter) and
add the appropriate support. For modems, add the modem; in
Control Panel, double-click Modems. For ISDN adapters,
follow the manufacturer's instructions to install the
adapter and the device driver in Windows 2000.

-If you use permanent-link equipment to connect to the
Internet, install the equipment (Digital Data System
[DDS], T-Carrier, Frame Relay, asymmetric digital
subscriber line [ADSL], or cable modem) and add the
appropriate support.

-Ensure that the IP and support for your internal network
adapter is installed during the configuration of
networking options.


Increasing Security on Windows 2000 VPN Server
[ http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q255784& ]


Here is a support doc for VPN deployment:
[ http://www.microsoft.com/windows2000/docs/vpndeploy.doc ]
It has a LOT of information in it. It will take
you a while to read it through.


Also a newsgroup regarding VPN and RAS
[ http://communities.microsoft.com/newsgroups/messageList.asp?ICP=windows2000&sLCID=us&NewsGroup=microsoft.public.win2000.ras_routing
]


Planning and Installing a Windows 2000 Remote Access VPN Server 
[ http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0101.asp
]
Topics on this Page  
 -Types of VPN Technologies
 -Network Planning Considerations
 -VPN Server Planning Considerations
 -Configuring the VPN Server
 -For More Information 


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


Some miscellaneous links:

Remote Access 
[ http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/default.asp
]
These documents explain Windows® 2000 support for 
remote access using Virtual Private Networking (VPN). 
VPN uses such services as Point-to-Point Tunneling 
Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), 
and IP Security (IPSec) to allow a user to securely 
connect to services and content available on one 
network from a different network.


HOW TO: Allow Remote Users to Access Your Network in Windows 2000
[ http://support.microsoft.com/default.aspx?scid=KB;EN-US;q300434& ]
IN THIS TASK
-How to Configure Routing and Remote Access Service in Windows 2000
-Enabling the Routing and Remote Access Service
-Enabling Windows 2000 Routing and Remote Access Service to Allow
Dial-up Connections or VPN Connections
-Allowing Access and Policies
-Troubleshooting
-Number of Connections
-REFERENCES


Virtual Private Networking
[ http://www.labmice.net/networking/vpn.htm ]


What is a virtual private network (VPN)? 
[ http://kb.indiana.edu/data/ajrq.htm ]


In Windows 2000 or Windows XP Professional, why is 
the option to connect to a virtual private network 
unavailable?
[ http://kb.indiana.edu/data/akuu.html ]


In Windows 2000, how can I configure my computer 
to use a VPN?
[ http://kb.indiana.edu/data/ajpv.html ]


While attempting to connect to the VPN Server, 
why do I get a message about the server not 
responding or unable to complete a connection?
[ http://kb.indiana.edu/data/akkn.html ]


Virtual Private Network (VPN), An Overview 
[ http://www.gsu.edu/~wwwccs/docs/vpn/vpn.htm ]


VPN - Windows 2000 
[ http://www.gsu.edu/~wwwccs/docs/vpn/vpnw2000.htm ]


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


*Some pages have connection info like IP addresses
 and server names that obviously does not apply in
 your case and is listed merely for example purposes.


I hope I covered all possible situations for you in
your scenario today. I wish you a lot of luck. You
will have a nice warm fuzzy feeling inside when it's
all working. ;0)


If you need clarification of information I posted
here, I will be looking back frequently during the
afternoon and I will try to reply quickly.


@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@=@


-search techniques-
site:support.microsoft.com Routing remote access
[ ://www.google.com/search?q=site:support.microsoft.com+Routing+remote+access&num=20&hl=en&lr=&ie=UTF-8&safe=off&start=20&sa=N
]

site:support.microsoft.com VPN
[ ://www.google.com/search?sourceid=navclient&q=site:support%2Emicrosoft%2Ecom+VPN
]

VPN "Windows 2000" setup
[ ://www.google.com/search?q=site:support.microsoft.com+Routing+remote+access&num=20&hl=en&lr=&ie=UTF-8&safe=off&start=20&sa=N
]


thanks for using answers.google
-AI
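
The firewall FAQ quoted above is the part that most often goes wrong in practice: PPTP needs both TCP port 1723 and IP protocol 47 (GRE), and L2TP/IPSec needs both UDP port 500 and IP protocol 50 (ESP), so opening the port alone leaves the data leg blocked. As an added example (not part of the original answer or of Microsoft's documentation), here is a small Python checker that evaluates a constructed first-match rule set against those requirements and reports which leg is blocked, including the FAQ's NAT caveat:

```python
"""Firewall/NAT check for the two Microsoft VPN types described in the FAQ above.

Added example, not code from the original answer or from Microsoft; the rule
sets and flows below are constructed here for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IANA IP protocol numbers

# Per the FAQ quoted in the answer:
#   PPTP       -> TCP port 1723 for the control connection, IP protocol 47 (GRE) for data
#   L2TP/IPSec -> UDP port 500 (IKE) for negotiation, IP protocol 50 (ESP) for data
# The data leg has no port number, which is what most "1723 is open but the
# server never responds" cases come down to.
VPN_REQUIREMENTS = {
    "PPTP": [("control", TCP, 1723), ("data", GRE, None)],
    "L2TP/IPSec": [("control", UDP, 500), ("data", ESP, None)],
}


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: Optional[int]   # IP protocol number; None matches any protocol
    dport: Optional[int]   # destination port; None matches any (GRE/ESP have none)

    def matches(self, proto: int, dport: Optional[int]) -> bool:
        return (self.proto is None or self.proto == proto) and (
            self.dport is None or self.dport == dport)


def permitted(rules: List[Rule], proto: int, dport: Optional[int]) -> bool:
    """First-match evaluation with an implicit deny, like a typical border firewall."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action == "allow"
    return False


def check_vpn(rules: List[Rule], vpn: str = "PPTP",
              nat_has_pptp_editor: bool = True) -> List[str]:
    """Return findings explaining why the VPN would fail; an empty list means
    both the control and data legs get through."""
    findings = []
    for leg, proto, port in VPN_REQUIREMENTS[vpn]:
        if not permitted(rules, proto, port):
            where = f"port {port}" if port is not None else f"IP protocol {proto}"
            findings.append(f"{vpn} {leg} traffic blocked: {where} not allowed")
    if vpn == "PPTP" and not nat_has_pptp_editor and permitted(rules, GRE, None):
        # GRE carries no ports, so a port-translating NAT cannot map it back to
        # the client without a PPTP-aware editor that tracks the GRE call ID.
        findings.append("NAT lacks a PPTP editor: GRE data will not be mapped")
    return findings


# Constructed rule sets: the common half-done configuration and the complete one.
RULES_PORT_ONLY = [Rule("allow", TCP, 1723)]
RULES_FULL = [Rule("allow", TCP, 1723), Rule("allow", GRE, None)]

if __name__ == "__main__":
    for name, rules in (("1723 only", RULES_PORT_ONLY), ("1723 + GRE", RULES_FULL)):
        print(f"{name}: {check_vpn(rules) or ['OK']}")
```

Run against the real device by transcribing its rule list into `Rule` entries; the same check applies to any router that filters by protocol number and port.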

Request for Answer Clarification by networkwannabe-ga on 02 Sep 2002 18:28 PDT
Hi again.  While I want to express my sincere appreciation for your
efforts thus far, I'm really not any further ahead than I was when I
posted my question.

I've already been to the support.microsoft.com pages and read lots
about VPN configurations; pptn protocols; and all the concepts around
planning and deploying VPN.  Perhaps the error is in the way I posed
my questions.  I have already configured, successfully, as it turns
out, Routing and Remote Access service.  I've installed the new NIC
and have it set as the VPN adapter.  I've identified and set 11 ip's
198.168.30.200 through 198.168.30.210 to run the connections through.

What I can't seem to do is get through the firewall to have the server
respond.  So, my 'how to' question remains unanswered.  How do I
configure my firewall to allow access to port 1723 and allow data with
IP protocol 47?

If you feel you can offer some further assistance, I'd love to hear
from you.  I've been on-site here since mid-day mountain time and,
frankly, am considering just installing PC Anywhere and screwing the
VPN stuff.

Your thoughts are welcomed.

Regards,

Net

Request for Answer Clarification by networkwannabe-ga on 02 Sep 2002 20:03 PDT
Well, AI, being the stubborn mule that I am, I did successfully Telnet
into my Router and enable PPTN connections and can now get to my VPN
server.  New issue, though, is a 691 error message that states: 691:
Either your user account is not registered with the domain listed,
your password is expired, or you mistyped the information. If you do
not specify a domain, the remote access server attempts to verify your
user name and password on the domain of which it is a member.
Carefully retype your user name, password, and domain. If you are
unsure of this information, ask your system administrator.

Odd thing is that the user names and passwords are exactly correct. 
Have you encountered this before?  I'm wondering now if it's down to a
user authentication thing.  From the RAS server properties, I've got
EAP not checked and MS-CHAP v2 checked and MS-CHAP checked.  All
others CHAP, SPAP and PAP are unchecked.  Any thoughts?

Netwannabe

Request for Answer Clarification by networkwannabe-ga on 02 Sep 2002 21:10 PDT
From your lack of response, I'll take it that you are either 1) not
available anymore or 2) have left me to my own ends.  Either way
thanks for your attempt at assisting me.  Perhaps the request was for
too much simplicity on a complicated issue.

Regards,

Netwannabe

Clarification of Answer by alienintelligence-ga on 02 Sep 2002 21:13 PDT
Sorry, I had to work today unlike a lot of 
other people. I am trying to write up a more
comprehensive reply... but I can't give you
something that won't help, so it will take a
new round of research.

I am formatting what I have so far and trying
to arrange it in a productive order.

Please forgive me for the wait.

-AI

Clarification of Answer by alienintelligence-ga on 02 Sep 2002 21:18 PDT
Does this mean the firewall is no longer an
issue and routing is successful and we are
down to tracing an authentication issue?

thanks
-AI

Clarification of Answer by alienintelligence-ga on 03 Sep 2002 01:38 PDT
Ok, well I'm not too sure how to answer now.

I have a long document regarding the firewall,
but it seems like you are through that now.

If your current problem is authentication, that
error 691 doesn't appear to be a specific code
for VPN. Still looking though.

I'd like to help get you connected but I need
to know where we are at now.

pcAnywhere and DameWare are good alternatives.
Not a bad idea to have one of those installed.
Terminal Server should be included with your
OS installation and provides a nice remote for
management.

-AI

Request for Answer Clarification by networkwannabe-ga on 03 Sep 2002 11:21 PDT
Hi AI.  The firewall is not a problem at this point.  Authentication
seems to be.  Will try a few other things but am rather hit and miss
with it as I followed and rechecked the steps prescribed by MS for
setting this up.

Thanks anyway.

Net

Clarification of Answer by alienintelligence-ga on 03 Sep 2002 14:51 PDT
Hi net...

While I was researching the question previously
I came across a page that mentioned something
regarding trying with a known administrator acct.

This would let you know if the problem was truly
authentication or if it was simply permissions.

Have you tried with the Administrator account yet?

-AI

Request for Answer Clarification by networkwannabe-ga on 03 Sep 2002 15:52 PDT
Yes I have.  I have created a new group called VPN_Users and placed
the three managers in it and the administrators.  I have created a
rule that requires a vpn user to 1) be using PPTN and 2) be a member
of the VPN_Users group.  The administrator id and password were the
first that I tried actually.  Still no luck.  As I mentioned before,
from the RAS server properties, I've got
EAP not checked and MS-CHAP v2 checked and MS-CHAP checked.  All
others CHAP, SPAP and PAP are unchecked.  Dunno what else to do at
this point...other than start again...which I've done twice, now.

Net

Clarification of Answer by alienintelligence-ga on 06 Sep 2002 06:05 PDT
Hi again net...

Are you still stuck at your last point?

I consulted with a few associates and we
were unable to simulate your current install
position. Any authentication denial we have
gotten was based on permissions or incorrect
authentication methods.

Is it possible to bring the two computers
together to reduce any possibility of there
being a blockage of connections?

-AI

Request for Answer Clarification by networkwannabe-ga on 07 Sep 2002 07:05 PDT
What I have done, at this point, is to reduce the Routing and Remote
Access filtering to one simple filter: Users must belong to the
VPN_Users group and all 3 managers and the administrator do.  Still no
joy.

I've installed PC Anywhere as a temp-to-medium length fix but will
continue to try to resolve this.

Thanks for your attempt at assistance.

Regards,

Kevin

Clarification of Answer by alienintelligence-ga on 08 Sep 2002 02:31 PDT
Ok, I'm still curious though...

Have you brought your boss' computer
into work, on the same side of all the 
firewalls and routers?

Have you done a port scan or other
detection methods from the client
computer to the server computer?

Just in case it's a problem with the
current installation, have you tried
alternate installations or alternate
computers at either place?

-AI
Reason this answer was rejected by networkwannabe-ga:
I had asked for a specific how-to to a specific problem.  The
researcher responded with subject background links for me to
read...many of which I had already read in my own attempt to resolve
my problem.  I'm past the read-up-on-the-subject phase and need a
solution.  The researcher, while considerate and certainly trying to
help, did not answer my question nor has the researcher been able to
during repeated Question Clarification sessions. He/she did not
provide a how-to nor have they been able to answer my question.

Comments  
There are no comments at this time.
