Guest John N
Posted September 8, 2007

I have been struggling to get my remote access server to work. The symptoms are somewhat inconsistent, and I’m guessing that I missed something major here.

I have two servers behind my firewall, a netopia 3386-ENT. One is providing web and mail services, and the other is a domain controller. Both are W2K3 fully patched.

Our ISP issued us a /248 network giving us 6 usable IP addresses.

The netopia is part of an enterprise network comprised of three site to site VPNs, both connecting to this network. The VPNs connect using a PPTP connection.

I’m trying to get users to authenticate to the domain controller using RAS, and I’ve assigned one of the public IP addresses to pass PPTP back to the domain controller’s private IP address. Most of the time, it doesn’t even establish a connection. Sometimes it does, but only one person can use it. Of course, if I tell the router to pass all PPTP connections back to the domain controller’s internal address, none of the VPNs work. I’m stumped. I’m pretty sure that this is a firewall issue, as the VPN connections work fine from inside the network.

Thanks for your help in advance.
Guest James McIllece [MS]
Posted September 11, 2007

Re: Cannot make connection with RAS server behind firewall.

John N <JohnN@discussions.microsoft.com> wrote in news:80E4317D-D899-4733-83CD-58FE1E7B65AB@microsoft.com:

> I have been struggling to get my remote access server to work. The
> symptoms are somewhat inconsistent, and I’m guessing that I missed
> something major here.
> I have two servers behind my firewall, a netopia 3386-ENT. One is
> providing web and mail services, and the other is a domain controller.
> Both are W2K3 fully patched.
> Our ISP issued us a /248 network giving us 6 usable IP addresses.
> The netopia is part of an enterprise network comprised of three site
> to site VPNs, both connecting to this network. The VPNs connect using
> a PPTP connection.
>
> I’m trying to get users to authenticate to the domain controller
> using RAS, and I’ve assigned one of the public IP addresses to pass
> PPTP back to the domain controller’s private IP address. Most of
> the time, it doesn’t even establish a connection. Sometimes it
> does, but only one person can use it. Of course, if I tell the
> router to pass all PPTP connections back to the domain controller’s
> internal address, none of the VPNs work. I’m stumped. I’m pretty
> sure that this is a firewall issue, as the VPN connections work fine
> from inside the network.
>
> Thanks for your help in advance.
>

Hi there --

The scenario as you describe it is very confusing.

Are you saying you have two branch offices and one main office and the two branch offices are connected via PPTP based site to site VPN to the main office?

If so, are both branch offices connecting to the same VPN server at the main office? Are these persistent connections or dial on demand connections?
You state that you want users to be authenticated using a RAS connection, but it is unclear where the users are located -- are you talking about people RASing in from home, or are you talking about people who are at the branch office locations?

If you are talking about the branch office locations and you have a site to site VPN between the branch office and the main office, users do not need to use RAS (and should not) -- the site to site VPN creates a tunnel through which all traffic flows between the sites. All you have to do is get that working and when users log onto their domain member machines they will be authenticated by the closest DC, you don't need any extra connectoids or anything. (This assumes that you have your IP addressing set up correctly with DHCP, that DNS is working, etc.)

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Guest John N
Posted September 11, 2007

Re: Cannot make connection with RAS server behind firewall.

James:

Thanks so much for responding. I've answered your questions below.

"James McIllece [MS]" wrote:

> John N <JohnN@discussions.microsoft.com> wrote in
> news:80E4317D-D899-4733-83CD-58FE1E7B65AB@microsoft.com:
>
> > I have been struggling to get my remote access server to work. The
> > symptoms are somewhat inconsistent, and I’m guessing that I missed
> > something major here.
> > I have two servers behind my firewall, a netopia 3386-ENT. One is
> > providing web and mail services, and the other is a domain controller.
> > Both are W2K3 fully patched.
> > Our ISP issued us a /248 network giving us 6 usable IP addresses.
> > The netopia is part of an enterprise network comprised of three site
> > to site VPNs, both connecting to this network. The VPNs connect using
> > a PPTP connection.
> >
> > I’m trying to get users to authenticate to the domain controller
> > using RAS, and I’ve assigned one of the public IP addresses to pass
> > PPTP back to the domain controller’s private IP address. Most of
> > the time, it doesn’t even establish a connection. Sometimes it
> > does, but only one person can use it. Of course, if I tell the
> > router to pass all PPTP connections back to the domain controller’s
> > internal address, none of the VPNs work. I’m stumped. I’m pretty
> > sure that this is a firewall issue, as the VPN connections work fine
> > from inside the network.
> >
> > Thanks for your help in advance.
> >
>
> Hi there --
>
> The scenario as you describe it is very confusing.
>
> Are you saying you have two branch offices and one main office and the two
> branch offices are connected via PPTP based site to site VPN to the main
> office?
>

Almost. The branch office has two VPNs connected to the main office. One is for the telephone system, and is on a different subnet. The other is for data.

> If so, are both branch offices connecting to the same VPN server at the
> main office?

Yes.

They are persistent connections - always up.

> Are these persistent connections or dial on demand
> connections?
>
> You state that you want users to be authenticated using a RAS connection,
> but it is unclear where the users are located -- are you talking about
> people RASing in from home, or are you talking about people who are at the
> branch office locations?

People from home, or sitting in a hotel, etc. Obviously, nobody from the remote offices needs to authenticate using RAS, as the VPN takes care of that.

>
> If you are talking about the branch office locations and you have a site to
> site VPN between the branch office and the main office, users do not need
> to use RAS (and should not) -- the site to site VPN creates a tunnel
> through which all traffic flows between the sites. All you have to do is
> get that working and when users log onto their domain member machines they
> will be authenticated by the closest DC, you don't need any extra
> connectoids or anything. (This assumes that you have your IP addressing set
> up correctly with DHCP, that DNS is working, etc.)
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
Guest James McIllece [MS]
Posted October 3, 2007

Re: Cannot make connection with RAS server behind firewall.

John N <JohnN@discussions.microsoft.com> wrote in news:4E013811-B4CC-4882-A824-7E602D62BC07@microsoft.com:

> James:
>
> Thanks so much for responding. I've answered your questions below.
>
> "James McIllece [MS]" wrote:
>
>> John N <JohnN@discussions.microsoft.com> wrote in
>> news:80E4317D-D899-4733-83CD-58FE1E7B65AB@microsoft.com:
>>
>> > I have been struggling to get my remote access server to work. The
>> > symptoms are somewhat inconsistent, and I’m guessing that I
>> > missed something major here.
>> > I have two servers behind my firewall, a netopia 3386-ENT. One is
>> > providing web and mail services, and the other is a domain
>> > controller.
>> > Both are W2K3 fully patched.
>> > Our ISP issued us a /248 network giving us 6 usable IP addresses.
>> > The netopia is part of an enterprise network comprised of three
>> > site to site VPNs, both connecting to this network. The VPNs
>> > connect using a PPTP connection.
>> >
>> > I’m trying to get users to authenticate to the domain
>> > controller using RAS, and I’ve assigned one of the public IP
>> > addresses to pass PPTP back to the domain controller’s
>> > private IP address. Most of the time, it doesn’t even
>> > establish a connection. Sometimes it does, but only one person can
>> > use it. Of course, if I tell the router to pass all PPTP
>> > connections back to the domain controller’s internal
>> > address, none of the VPNs work. I’m stumped. I’m
>> > pretty sure that this is a firewall issue, as the VPN connections
>> > work fine from inside the network.
>> >
>> > Thanks for your help in advance.
>> >
>>
>> Hi there --
>>
>> The scenario as you describe it is very confusing.
>>
>> Are you saying you have two branch offices and one main office and
>> the two branch offices are connected via PPTP based site to site VPN
>> to the main office?
>>
>
> Almost. The branch office has two VPNs connected to the main office.
> One is for the telephone system, and is on a different subnet. The
> other is for data.
>> If so, are both branch offices connecting to the same VPN server at
>> the main office?
>
> Yes.
>
> They are persistent connections - always up.
>
>> Are these persistent connections or dial on demand
>> connections?
>>
>> You state that you want users to be authenticated using a RAS
>> connection, but it is unclear where the users are located -- are you
>> talking about people RASing in from home, or are you talking about
>> people who are at the branch office locations?
>
> People from home, or sitting in a hotel, etc. Obviously, nobody from
> the remote offices needs to authenticate using RAS, as the VPN takes
> care of that.
>
>>
>> If you are talking about the branch office locations and you have a
>> site to site VPN between the branch office and the main office, users
>> do not need to use RAS (and should not) -- the site to site VPN
>> creates a tunnel through which all traffic flows between the sites.
>> All you have to do is get that working and when users log onto their
>> domain member machines they will be authenticated by the closest DC,
>> you don't need any extra connectoids or anything. (This assumes that
>> you have your IP addressing set up correctly with DHCP, that DNS is
>> working, etc.)
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>

Hi there --

It is possible that it's a firewall issue. If I remember correctly the RRAS Help contains the list of exceptions you need in your firewall on the DC to get RRAS working. If you can't find that info there you can see the content at the Routing and Remote Access Tech Center, at http://technet.microsoft.com/en-us/network/bb545655.aspx.
This site also contains a lot of step-by-step guides and deployment content that will help you.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.