Networking Forums

Lost outside Connectivity to my Windows 2000 server

 
 
RDK
Guest
Posts: n/a

 
      02-03-2010, 02:29 AM
Hi folks.....Today I may have shot myself in the foot! I have a Windows
2000 Server which has been operating just fine for years.

Today decided to also try to use it as a VPN server for access to the
network from outside. This network is a Domain with an Active Directory
server, etc.

With several references from the Web for guides, I ran the "Routing and
Remote Access" app to setup this VPN. All seemed to go just fine. I tested
it internally and it worked as expected.

However, when I got outside of our network, not only did the VPN not
connect, but I had also lost access to the webserver.

I'm desperate for ideas.

So far I have rebooted the server, several times. I have removed the VPN
server object.

I hope you have some good ideas....RDK



 
RDK
Guest
Posts: n/a

 
      02-03-2010, 03:06 AM
Hi Folks.....Some additional information. As I said the webserver has been
functional for many years without issues. We have two ISPs (main and backup)
and this server has NICs for both ISP external IP addresses. We have two
routers, one for each ISP.

For the VPN we chose the "Backup" ISP as the internet gateway and modified
the router to pass the VPN port (1723, as I recall) and the IPSEC ports 500,
50-51. The other router was not touched.

Since I can no longer reach the webserver IIS via either NIC I have ruled
out an error in our configuration of the "backup ISP" router.

It is as though I have configured a "Firewall" on this Win2k server to block
all traffic which is not from the internal networks.

I'm stumped....RDK


RDK
Guest
Posts: n/a

 
      02-03-2010, 12:48 PM
Hi Folks....More info. It would appear that the problem was initiated as I
was working with the "Routing and Remote Access" early in the day but never
finishing it by clicking "finish". By looking at the web logs we see that
all external traffic quit about 11:20 and that is about the same time as I
see this entry in the System Event Log:
================
source is "Remote Access" and the event ID is 20192
A certificate could not be found. Connections that use the L2TP protocol
over IPSec require the installation of a machine certificate, also known as
a computer certificate. No L2TP calls will be accepted.

================

In addition we have now determined that this server cannot reach the
internet, i.e. www.google.com in IE times out. It does, however, see other
webservers on our network through the same NICs.

Again, it appears that we/I have somehow set up a firewall/filters which
are preventing all "non-local" traffic from reaching this server.

Any ideas and help would be much appreciated......RDK
RDK
Guest
Posts: n/a

 
      02-03-2010, 03:22 PM
Falcon....Thanks for the response.

Yesterday I removed the VPN server from the RRAS manager by "right click" /
delete.

I'm not sure what you mean by "re-run the CEICW", can you be more explicit?

Right now I would just like to have it back the way it was yesterday AM. We
are GHOSTing it right now so an IPCONFIG is not available.

Thanks.....RDK

"Falcon ITS" <(E-Mail Removed)> wrote in message
news:4569d7f2-db05-4414-9205-(E-Mail Removed)...
> RDK,
>
> P.S. If you are going to have LESS than 5 VPN users, there is an
> easier way to configure VPN without the need for RRAS.
>
> 1. Turn off RRAS and re-run the ceicw to get your server back to how it
> was before.
> 2. Make sure Windows Firewall is OFF.
> 3. Open port 1723 on your HW firewall and forward to Server
> 4. Make sure your router supports GRE pass through
> 5. Go to Network Connections > New Connections Wizard
> 6. Select Set Up Advanced Connections > Accept Incoming Connections
> 7. Select Allow VPN then check off which users will be allowed to VPN
> in.
> 8. Next, select TCP/IP Properties. If your Server is the DHCP server,
> select assign auto using DHCP. Otherwise, provide a range of addresses
> within the Server subnet that is OUTSIDE your DHCP Scope. This way the
> assigned address will not conflict with addresses your router may have
> already handed out.
> 9. Click Next, Finish and...
> 10. Voila!
>
>
> Miguel Fra
> Falcon ITS
> http://www.falconits.com
>
>
>



 
RDK
Guest
Posts: n/a

 
      02-03-2010, 05:20 PM
Hi Falcon (and the rest of you Folks).....I think we are back!!! And I think
the issue was RRAS installation of the VPN server. Yesterday when I was
last in the RRAS Console I thought I had deleted the VPN server object (right
click / delete) but apparently that does/did not remove the object. I just
now returned there to see the object was still in the console so this time I
right click / disable, got the warning message about having to totally
reconfigure the VPN object if I did this and replied OK.

Instantly web access returned to the server.

I have rebooted and things seem ok.

I will now Ghost the drive again and AGAIN try to install the VPN but will
use Falcon's method as outlined below.

Thanks for your help.......RDK

"Falcon ITS" <(E-Mail Removed)> wrote in message
news:4569d7f2-db05-4414-9205-(E-Mail Removed)...
> RDK,
>
> P.S. If you are going to have LESS than 5 VPN users, there is an
> easier way to configure VPN without the need for RRAS.
>
> 1. Turn off RRAS and re-run the ceicw to get your server back to how it
> was before.
> 2. Make sure Windows Firewall is OFF.
> 3. Open port 1723 on your HW firewall and forward to Server
> 4. Make sure your router supports GRE pass through
> 5. Go to Network Connections > New Connections Wizard
> 6. Select Set Up Advanced Connections > Accept Incoming Connections
> 7. Select Allow VPN then check off which users will be allowed to VPN
> in.
> 8. Next, select TCP/IP Properties. If your Server is the DHCP server,
> select assign auto using DHCP. Otherwise, provide a range of addresses
> within the Server subnet that is OUTSIDE your DHCP Scope. This way the
> assigned address will not conflict with addresses your router may have
> already handed out.
> 9. Click Next, Finish and...
> 10. Voila!
>
>
> Miguel Fra
> Falcon ITS
> http://www.falconits.com
>
>
>



 
RDK
Guest
Posts: n/a

 
      02-03-2010, 07:47 PM
Hi folks....Thanks again for your help. I'm back up and running with IIS
but not with the VPN.

I tried to follow Falcon's instructions below without success. I'm working
on a Windows 2000 server which is part of an Active Directory domain. When
I get the Network Connections Wizard going this is what happens:

1. first screen labeled "Network Connection Type" offers 5 options, one of
which is "accept Incoming Connections"

2. when I select that option I'm greeted with a popup dialog which basically
says that since this server is in a domain that I have to use the RRAS
console to configure for this option

Am I doing something wrong???

Now that I have my webserver back and understand how I lost connectivity
(and have a GHOST image of the system drive) I will try again to configure
RRAS for a VPN. The first question I have is, is there a problem having an
Internet IIS server and an RRAS VPN server on the same box?

Thanks....RDK

"Falcon ITS" <(E-Mail Removed)> wrote in message
news:4569d7f2-db05-4414-9205-(E-Mail Removed)...
> RDK,
>
> P.S. If you are going to have LESS than 5 VPN users, there is an
> easier way to configure VPN without the need for RRAS.
>
> 1. Turn off RRAS and re-run the ceicw to get your server back to how it
> was before.
> 2. Make sure Windows Firewall is OFF.
> 3. Open port 1723 on your HW firewall and forward to Server
> 4. Make sure your router supports GRE pass through
> 5. Go to Network Connections > New Connections Wizard
> 6. Select Set Up Advanced Connections > Accept Incoming Connections
> 7. Select Allow VPN then check off which users will be allowed to VPN
> in.
> 8. Next, select TCP/IP Properties. If your Server is the DHCP server,
> select assign auto using DHCP. Otherwise, provide a range of addresses
> within the Server subnet that is OUTSIDE your DHCP Scope. This way the
> assigned address will not conflict with addresses your router may have
> already handed out.
> 9. Click Next, Finish and...
> 10. Voila!
>
>
> Miguel Fra
> Falcon ITS
> http://www.falconits.com
>
>
>



 
Ace Fekay [MVP-DS, MCT]
Guest
Posts: n/a

 
      02-04-2010, 12:14 AM
"RDK" <(E-Mail Removed)> wrote in message
news:u$(E-Mail Removed)...
> Hi folks....Thanks again for your help. I'm back up and running with IIS
> but not with the VPN.
>
> I tried to follow Falcon's instructions below without success. I'm
> working on a Windows 2000 server which is part of an Active Directory
> domain. When I get the Network Connections Wizard going this is what
> happens:
>
> 1. first screen labeled "Network Connection Type" offers 5 options, one of
> which is "accept Incoming Connections"
>
> 2. when I select that option I'm greeted with a popup dialog which
> basically says that since this server is in a domain that I have to use
> the RRAS console to configure for this option
>
> Am I doing something wrong???
>
> Now that I have my webserver back and understand how I lost connectivity
> (and have a GHOST image of the system drive) I will try again to configure
> RRAS for a VPN. The first question I have is, is there a problem having
> an Internet IIS server and an RRAS VPN server on the same box?
>
> Thanks....RDK


I wouldn't suggest it. Besides security, the multihoming aspect of what RRAS
does (more than one IP) *may* cause issues if you don't configure IIS
specifically to use the NIC's IP, otherwise the other IPs will be accepted.

Hopefully this server is not a DC. Multihoming a DC is worse.



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
RDK
Guest
Posts: n/a

 
      02-05-2010, 02:14 AM
Hi Ace.... I owe you a reply for your help with our Exchange problem, but
later for that.

OK, for my VPN project: I have a Windows 2000 server whose sole purpose in
life up to now was as a "sandbox" webserver for some personal websites and
test versions of production websites. It is NOW (note emphasis) multihomed
(2) and a single gateway. The two NICs are: one (B 172.16.0.0) for an
intranet network to our production servers for administration and
maintenance and the other (A 192.168.29.0) for access to the Internet (with
the gateway). The Internet IP address for B comes into a CISCO router for
port filtering and forwarding to the 192.168.29.x address. IP&Host-Headers
are used for the websites.

The objective is to setup a VPN to the intranet network so we can work from
offsite.

I did this at home with my Windows 2000 server, but 1) it is not in a
domain, 2) has only one NIC and 3) gets its traffic from the Internet via
port forwarding from my SonicWall router. Right now it is working just fine
for both Web and VPN access to that server and thus my home network.

We would like to have something like this working here at work. However,
every time I have tried, I'm forced to use the RRAS console and when I'm
done the server ONLY sees intranet traffic and can only get to intranet
resources. The Internet is "gone" and does not come back until I disable
the RRAS VPN server.

What am I doing wrong and what are my options?.....RDK

Bill Grant
Guest
Posts: n/a

 
      02-05-2010, 05:27 AM


"RDK" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Ace.... I owe you a reply for your help with our Exchange problem, but
> later for that.
>
> OK, for my VPN project: I have a Windows 2000 server whose sole purpose
> in life up to now was as a "sandbox" webserver for some personal websites
> and test versions of production websites. It is NOW (note emphasis)
> multihomed (2) and a single gateway. The two NICs are: one (B 172.16.0.0)
> for an intranet network to our production servers for administration and
> maintenance and the other (A 192.168.29.0) for access to the Internet
> (with the gateway). The Internet IP address for B comes into a CISCO
> router for port filtering and forwarding to the 192.168.29.x address.
> IP&Host-Headers
> are used for the websites.
>
> The objective is to setup a VPN to the intranet network so we can work
> from offsite.
>
> I did this at home with my Windows 2000 server, but 1) it is not in a
> domain, 2) has only one NIC and 3) gets its traffic from the Internet via
> port forwarding from my SonicWall router. Right now it is working just
> fine for both Web and VPN access to that server and thus my home network.
>
> We would like to have something like this working here at work. However,
> every time I have tried, I'm forced to use the RRAS console and when I'm
> done the server ONLY sees intranet traffic and can only get to intranet
> resources. The Internet is "gone" and does not come back until I disable
> the RRAS VPN server.
>
> What am I doing wrong and what are my options?.....RDK
>
> "Ace Fekay [MVP-DS, MCT]" <(E-Mail Removed)> wrote in
> message
> news:O$(E-Mail Removed)...
>> "RDK" <(E-Mail Removed)> wrote in message
>> news:u$(E-Mail Removed)...
>>> Hi folks....Thanks again for your help. I'm back up and running with
>>> IIS
>>> but not with the VPN.
>>>
>>> I tried to follow Falcon's instructions below without success. I'm
>>> working on a Windows 2000 server which is part of an Active Directory
>>> domain. When I get the Network Connections Wizard going this is what
>>> happens:
>>>
>>> 1. first screen labeled "Network Connection Type" offers 5 options, one
>>> of which is "accept Incoming Connections"
>>>
>>> 2. when I select that option I'm greeted with a popup dialog which
>>> basically says that since this server is in a domain that I have to use
>>> the RRAS console to configure for this option
>>>
>>> Am I doing something wrong???
>>>


It sounds to me as if you used the wrong option in the setup wizard for
RRAS.

From memory (it's been a while) what seems like the obvious choice in
Server 2000 configures the server for VPN _only_. That means it installs
packet filters on the public interface to block all traffic except VPN
related traffic.

Don't use the option to configure a VPN server. Use the remote access
server option and then select the VPN option (or something along those
lines).
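
Bill Grant's explanation above, modelled as an added example (not code from the thread or from RRAS): a default-deny input filter list on the public interface that admits only VPN traffic. The permit entries are an assumption built from the ports the thread names (TCP 1723, GRE, UDP 500); interface names, ports and packets are constructed.

```python
"""Model of a VPN-only input filter list on a server's public interface.

Assumption: the permit entries are built from the ports named in the thread
(TCP 1723 for PPTP control, GRE, UDP 500 for IKE); they are not read from a
real RRAS configuration. Interface names and sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrives on
    proto: int
    src_port: Optional[int] = None  # None for protocols without ports (GRE)
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Permit:
    proto: int
    src_port: Optional[int] = None  # None means "any"
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))


# A listed interface drops anything no entry permits; an unlisted one is unfiltered.
VPN_ONLY_FILTERS = {
    "public": [
        Permit(TCP, dst_port=1723),  # PPTP control to this server
        Permit(TCP, src_port=1723),  # PPTP control replies
        Permit(GRE),                 # PPTP tunnel data
        Permit(UDP, dst_port=500),   # IKE
    ],
}

# Constructed packets mirroring the symptoms reported in the thread.
SAMPLES = {
    "inbound HTTP to IIS": Packet("public", TCP, 51000, 80),
    "reply from an outside web server": Packet("public", TCP, 80, 51001),
    "PPTP control from a VPN client": Packet("public", TCP, 51002, 1723),
    "PPTP GRE tunnel data": Packet("public", GRE),
    "intranet HTTP": Packet("intranet", TCP, 51003, 80),
}


def verdict(p: Packet, filters=VPN_ONLY_FILTERS) -> str:
    rules = filters.get(p.iface)
    if rules is None:  # interface carries no input filters
        return "accept"
    return "accept" if any(r.matches(p) for r in rules) else "drop"


def evaluate(samples=SAMPLES, filters=VPN_ONLY_FILTERS) -> dict:
    return {name: verdict(p, filters) for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{result:6}  {name}")
```

With the filter list removed (`evaluate(filters={})`) every sample is accepted, which matches web access returning as soon as the RRAS VPN server was disabled.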

 
Ace Fekay [MVP-DS, MCT]
Guest
Posts: n/a

 
      02-05-2010, 06:27 AM
"Bill Grant" <not.available@online> wrote in message
news:(E-Mail Removed)...
>
>
> "RDK" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi Ace.... I owe you a reply for your help with our Exchange problem, but
>> later for that.
>>
>> OK, for my VPN project: I have a Windows 2000 server whose sole purpose
>> in life up to now was as a "sandbox" webserver for some personal websites
>> and test versions of production websites. It is NOW (note emphasis)
>> multihomed (2) and a single gateway. The two NICs are: one (B
>> 172.16.0.0) for an intranet network to our production servers for
>> administration and maintenance and the other (A 192.168.29.0) for access
>> to the Internet (with the gateway). The Internet IP address for B comes
>> into a CISCO router for port filtering and forwarding to the 192.168.29.x
>> address. IP&Host-Headers
>> are used for the websites.
>>
>> The objective is to setup a VPN to the intranet network so we can work
>> from offsite.
>>
>> I did this at home with my Windows 2000 server, but 1) it is not in a
>> domain, 2) has only one NIC and 3) gets its traffic from the Internet via
>> port forwarding from my SonicWall router. Right now it is working just
>> fine for both Web and VPN access to that server and thus my home network.
>>
>> We would like to have something like this working here at work. However,
>> every time I have tried, I'm forced to use the RRAS console and when I'm
>> done the server ONLY sees intranet traffic and can only get to intranet
>> resources. The Internet is "gone" and does not come back until I disable
>> the RRAS VPN server.
>>
>> What am I doing wrong and what are my options?.....RDK
>>
>> "Ace Fekay [MVP-DS, MCT]" <(E-Mail Removed)> wrote in
>> message
>> news:O$(E-Mail Removed)...
>>> "RDK" <(E-Mail Removed)> wrote in message
>>> news:u$(E-Mail Removed)...
>>>> Hi folks....Thanks again for your help. I'm back up and running with
>>>> IIS
>>>> but not with the VPN.
>>>>
>>>> I tried to follow Falcon's instructions below without success. I'm
>>>> working on a Windows 2000 server which is part of an Active Directory
>>>> domain. When I get the Network Connections Wizard going this is what
>>>> happens:
>>>>
>>>> 1. first screen labeled "Network Connection Type" offers 5 options, one
>>>> of which is "accept Incoming Connections"
>>>>
>>>> 2. when I select that option I'm greeted with a popup dialog which
>>>> basically says that since this server is in a domain that I have to use
>>>> the RRAS console to configure for this option
>>>>
>>>> Am I doing something wrong???
>>>>

>
> It sounds to me as if you used the wrong option in the setup wizard for
> RRAS.
>
> From memory (it's been a while) what seems like the obvious choice in
> Server 2000 configures the server for VPN _only_. That means it installs
> packet filters on the public interface to block all traffic except VPN
> related traffic.
>
> Don't use the option to configure a VPN server. Use the remote access
> server option and then select the VPN option (or something along those
> lines).



I agree. I think it's somewhere in the options, possibly getting the two
interfaces reversed? I've seen that before. Otherwise your memory
recollection is about as good as mine without seeing it in front of me.

Ace


 