File shares not accessible on VPN server?

I currently have a Windows Server 2003 computer that is running routing and
remote access to provide access from outside our network. The benefit of
this is that NetBIOS/SMB ports are blocked at our WAN router, but we can use
a VPN to gain secure access to SMB shares that are inside the network.

The computer hosting the VPN is a simple machine. It is not on an active
directory and it does little else than share resources. So, to set up the
VPN I used the Routing and Remote Access Server setup wizard. Since I only
have a single NIC I used the custom configuration and selected the VPN
access. This then allowed me to access the network from offsite using the
default policies set by the wizard.

But, I have come across a problem. The VPN connects just fine. And when
connected I receive an IP from the server's LAN. I can then access other
computers on that network. However, when I try to connect to a Windows share
on the VPN server it fails to get a response from the server. I first
thought this may be a security issue, but now I am not sure. A friend of
mine with Small Business Server 2003 doesn't have this problem. I have read
books on this subject, searched the web and the usenet, and asked people
that I thought would know... but, I haven't been able to come up with an
answer.

If anyone has an answer then please let me know. Thanks

maybe this is a routing issue. try pinging or a traceroute to the VPN server
when connected remotely

"Vernalex" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I currently have a Windows Server 2003 computer that is running routing
and
> remote access to provide access from outside our network. The benefit of
> this is that NetBIOS/SMB ports are blocked at our WAN router, but we can
use
> a VPN to gain secure access to SMB shares that are inside the network.
>
> The computer hosting the VPN is a simple machine. It is not on an active
> directory and it does little else than share resources. So, to set up the
> VPN I used the Routing and Remote Access Server setup wizard. Since I only
> have a single NIC I used the custom configuration and selected the VPN
> access. This then allowed me to access the network from offsite using the
> default policies set by the wizard.
>
> But, I have come across a problem. The VPN connects just fine. And when
> connected I receive an IP from the server's LAN. I can then access other
> computers on that network. However, when I try to connect to a Windows
share
> on the VPN server it fails to get a response from the server. I first
> thought this may be a security issue, but now I am not sure. A friend of
> mine with Small Business Server 2003 doesn't have this problem. I have
read
> books on this subject, searched the web and the usenet, and asked people
> that I thought would know... but, I haven't been able to come up with an
> answer.
>
> If anyone has an answer then please let me know. Thanks

The first thing to check is that you can access the server. When the
client connects, click the icon in the system tray and click on Details.
This will display the IP address of the server. Check that you can ping this
IP. Next try to ping by server name. If that works, routing and name
resolution are working.

Browse the server wirh "net view \\servername" and try to map a share
using "net use z: \\servername\filename" . If it complains about your
username, use the username\password options in net use.

"Vernalex" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I currently have a Windows Server 2003 computer that is running routing
and
> remote access to provide access from outside our network. The benefit of
> this is that NetBIOS/SMB ports are blocked at our WAN router, but we can
use
> a VPN to gain secure access to SMB shares that are inside the network.
>
> The computer hosting the VPN is a simple machine. It is not on an active
> directory and it does little else than share resources. So, to set up the
> VPN I used the Routing and Remote Access Server setup wizard. Since I only
> have a single NIC I used the custom configuration and selected the VPN
> access. This then allowed me to access the network from offsite using the
> default policies set by the wizard.
>
> But, I have come across a problem. The VPN connects just fine. And when
> connected I receive an IP from the server's LAN. I can then access other
> computers on that network. However, when I try to connect to a Windows
share
> on the VPN server it fails to get a response from the server. I first
> thought this may be a security issue, but now I am not sure. A friend of
> mine with Small Business Server 2003 doesn't have this problem. I have
read
> books on this subject, searched the web and the usenet, and asked people
> that I thought would know... but, I haven't been able to come up with an
> answer.
>
> If anyone has an answer then please let me know. Thanks

Bill,

I have located the issue, but not the root of the problem. In the
past I have tried resolving the server, and it worked fine. The IP
pinged fine and the DNS and NetBIOS names resolved properly to the IP.
But, when I tried to map the drive it wouldn't work.

But, I ran through your directions anyhow in hopes I would figure
something out because from the way you and eddiec speak, it sounds
like my problem isn't the default behavior as I was assuming. When I
checked the details of the connection I realized the problem though.
The IP of the VPN server was different from the real IP of the server.
A few "oohhhhhh"s later and I checked the server's connections through
ipconfig. There is a connection called "PPP adapter RAS Server (Dial
In) Interface" that is descripted as "WAN (PPP/SLIP) Interface" that
contains the dial-in interface IP that differs from the NIC's IP.
Running through the Routing and Remote Access MSC I can see it is
called "Internal" for its LAN and Demand Dial name.

So, once I connect through the VPN the WINS server give me the real
IP of the server for the NetBIOS name and the DNS servers give me the
real IP for its DNS name ... but, it only accepts connections on the
IP assigned to it for the dial-in interface. This means that if I try
to connect through the \\ip of it, then I can browse the shares. At
least now I have a work around.

I am wondering if anyone knows if I can get rid of this behavior. I
would much prefer having the same IP for the dial-in interface as the
server's IP. The server is not supposed (as for network policy here)
to have two IPs.

Originally to set this up I used the Routing and Remote Access MSC.
I right clicked the server's name in the list and used "Configure and
Enable Routing and Remote Access". Next. Custom configuration (because
the VPN option from that menu requires two NICs). Tick VPN access box.
Finish. I am guessing this creates default policies that create the
behavior of having two IPs, or perhaps this is a required behavior.

I should also point out that I do not maintain the WINS server here
and the dial-in IP as well as the normal server IP are pingable from
the Internet. Only SMB traffic is blocked from the Internet. So when I
VPN in, the IP it receives from the WINS server is the IP I used to
dial-in to the VPN.

Any ideas? Thanks

Joseph Dowden

"Bill Grant" <not.available@online> wrote in message news:<(E-Mail Removed)>...
> The first thing to check is that you can access the server. When the
> client connects, click the icon in the system tray and click on Details.
> This will display the IP address of the server. Check that you can ping this
> IP. Next try to ping by server name. If that works, routing and name
> resolution are working.
>
> Browse the server wirh "net view \\servername" and try to map a share
> using "net use z: \\servername\filename" . If it complains about your
> username, use the username\password options in net use.
>
> "Vernalex" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > I currently have a Windows Server 2003 computer that is running routing
> and
> > remote access to provide access from outside our network. The benefit of
> > this is that NetBIOS/SMB ports are blocked at our WAN router, but we can
> use
> > a VPN to gain secure access to SMB shares that are inside the network.
> >
> > The computer hosting the VPN is a simple machine. It is not on an active
> > directory and it does little else than share resources. So, to set up the
> > VPN I used the Routing and Remote Access Server setup wizard. Since I only
> > have a single NIC I used the custom configuration and selected the VPN
> > access. This then allowed me to access the network from offsite using the
> > default policies set by the wizard.
> >
> > But, I have come across a problem. The VPN connects just fine. And when
> > connected I receive an IP from the server's LAN. I can then access other
> > computers on that network. However, when I try to connect to a Windows
> share
> > on the VPN server it fails to get a response from the server. I first
> > thought this may be a security issue, but now I am not sure. A friend of
> > mine with Small Business Server 2003 doesn't have this problem. I have
> read
> > books on this subject, searched the web and the usenet, and asked people
> > that I thought would know... but, I haven't been able to come up with an
> > answer.
> >
> > If anyone has an answer then please let me know. Thanks

"Vernalex" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I am wondering if anyone knows if I can get rid of this behavior. I
> would much prefer having the same IP for the dial-in interface as the
> server's IP. The server is not supposed (as for network policy here)
> to have two IPs.

It is not possible for two interfaces to have the same IP#. Every interface
on the server must have a unique IP# including all the Dialin Interfaces.
This is normal behavor,...has nothing to do with Windows or any MS product,
and you can't do anything about it,...it is the way TCP/IP networks are.

The only other thing I can think of is that you may be mistakenly assuming
that the login you used when connecting with VPN also logs you into the
Network,...it does not. The credentials you used to make the connection do
only that,..they make the connection, but nothing else. At this point you
are connected at the Layer3&4 levels but that has nothing to do with logging
into the Domain to be able to access resources, also your machine itself as
far as the machine account on the domain is concerned, is not logged in
either..

If you notice at the very beginning when at the Crtl+Alt+Del prompt at your
work station there is a checkbox where you put in the credentials that says
"Login using Dialup Networking" (or something like that). You must check
that box, then when you log into the machine you will be prompted for which
dial-up connection to use. Following this process logs both you and your
machine into the domain via the VPN connection at the same time that you log
into the machine. Your workstation must be a member of the Domain for this
to work.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


> Originally to set this up I used the Routing and Remote Access MSC.
> I right clicked the server's name in the list and used "Configure and
> Enable Routing and Remote Access". Next. Custom configuration (because
> the VPN option from that menu requires two NICs). Tick VPN access box.
> Finish. I am guessing this creates default policies that create the
> behavior of having two IPs, or perhaps this is a required behavior.
>
> I should also point out that I do not maintain the WINS server here
> and the dial-in IP as well as the normal server IP are pingable from
> the Internet. Only SMB traffic is blocked from the Internet. So when I
> VPN in, the IP it receives from the WINS server is the IP I used to
> dial-in to the VPN.
>
> Any ideas? Thanks
>
> Joseph Dowden
>
> "Bill Grant" <not.available@online> wrote in message
news:<(E-Mail Removed)>...
> > The first thing to check is that you can access the server. When the
> > client connects, click the icon in the system tray and click on Details.
> > This will display the IP address of the server. Check that you can ping
this
> > IP. Next try to ping by server name. If that works, routing and name
> > resolution are working.
> >
> > Browse the server wirh "net view \\servername" and try to map a
share
> > using "net use z: \\servername\filename" . If it complains about your
> > username, use the username\password options in net use.
> >
> > "Vernalex" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) om...
> > > I currently have a Windows Server 2003 computer that is running
routing
> > and
> > > remote access to provide access from outside our network. The benefit
of
> > > this is that NetBIOS/SMB ports are blocked at our WAN router, but we
can
> > use
> > > a VPN to gain secure access to SMB shares that are inside the network.
> > >
> > > The computer hosting the VPN is a simple machine. It is not on an
active
> > > directory and it does little else than share resources. So, to set up
the
> > > VPN I used the Routing and Remote Access Server setup wizard. Since I
only
> > > have a single NIC I used the custom configuration and selected the VPN
> > > access. This then allowed me to access the network from offsite using
the
> > > default policies set by the wizard.
> > >
> > > But, I have come across a problem. The VPN connects just fine. And
when
> > > connected I receive an IP from the server's LAN. I can then access
other
> > > computers on that network. However, when I try to connect to a Windows
> > share
> > > on the VPN server it fails to get a response from the server. I first
> > > thought this may be a security issue, but now I am not sure. A friend
of
> > > mine with Small Business Server 2003 doesn't have this problem. I have
> > read
> > > books on this subject, searched the web and the usenet, and asked
people
> > > that I thought would know... but, I haven't been able to come up with
an
> > > answer.
> > >
> > > If anyone has an answer then please let me know. Thanks