PPTP issue

Mike via WinServerKB.com
12-29-2005, 09:25 PM
I am trying to set up my MS VPN to authenticate against AD. I am going to
have a few (3) employees that are going to authenticate from wherever they
may be to our home office.

I set up the RADIUS server and that seemed to go just fine. I was able to
set up our "Employees" group to be able to authenticate. Then I go over to
the Routing and Remote Access Server snap-in. The server that I have has two
interfaces/NICs. I select the NIC with the address that is going to be on
the DMZ as the interface that connects to the Internet. Then I select that I
will be using RADIUS and put in that server.

Then when everything is done I get the DHCP Relay message and so I set that
up, but when the service restarts I can no longer access the server. This
same server is our DHCP server, so I cannot get to the Internet or anything.

I know this is confusing, but if you guys/girls have any questions to help me
resolve this I can gladly provide those. Thanks all.

--
Thanks so Much

Mike

Message posted via http://www.winserverkb.com
 
Bill Grant
12-29-2005, 10:22 PM
I am confused. What machine is acting as the remote access (VPN) server?
If it is a Windows machine, you do not need RADIUS. If it is a domain member
server it can automatically authenticate against AD. It just needs to be a
member of the RRAS and IAS server group.

If it is not a Windows machine and you want to use RADIUS, you do not
need RRAS. You only need IAS server running on a Windows server.

Mike via WinServerKB.com
12-29-2005, 10:43 PM
Bill,

I am sorry for creating the confusion. The Windows 2003 Server is the VPN
Server. We are a very, very small organization (5 people at this point). So
our IT needs are not too great, but we have people on the road all the time
that need access to our home office data (i.e. Access Database).

So I am running on the Windows 2003 server as the Domain Controller, VPN
Server, DHCP.

I was using this article from Microsoft as a "guide" of how to set up our VPN
here. I do not have all the machines that this guide has in it due to our
limited resources and it said that I needed to be running RADIUS so I did.
Here is the link:

http://www.microsoft.com/technet/pro.../rmotevpn.mspx


I do have RRAS and IAS services running but am having issues with RRAS
service.


--
Thanks so Much

Mike

Bill Grant
12-29-2005, 10:54 PM
Running remote access on a DC is not recommended, but it will work. It
can cause problems on the network because the DC has two IPs as soon as a
remote client actually connects. (The RRAS server gets an extra IP for the
"internal" interface which is the server end of the VPN connections). There
is a description of the problems and workarounds in KB 292822.

If your server's "public" interface is in a DMZ you may have trouble
getting VPN to work because of the firewall on the DMZ. To check that your
server is configured correctly, test it by making a VPN connection from a
LAN machine using the server's private IP. There is no point in trying from
a remote location until you know that the server can handle VPN.

Mike via WinServerKB.com
12-29-2005, 11:32 PM
Bill,

Thanks for the article. I have 192.168.1.3 put into the DMZ on the router
while the 192.168.1.2 address is the internal NIC.

How would I test the DMZ connectivity? I am very green when it comes to PPTP
and all of this. I would even be willing to work over the phone on issues
and compensate whomever to get this working.



--
Thanks so Much

Mike

Bill Grant
12-30-2005, 12:26 AM
You can't have the two NICs of the RRAS server in the same IP subnet.
You are confusing two different setups. You only need two NICs if the private
LAN is not connected to the Internet. (One NIC is in the private LAN, one is
public connected to the Internet). You already have an Internet connection
through the router. Your VPN clients will connect to the router's public
interface.

If you are using the DMZ option on the router you only need one NIC in
the server. This solves the firewall problems (because all traffic arriving
at the router is sent to the server), but it is not a good idea to do this
with a DC. You are exposing the DC to the Internet.

The only way to run it with two NICs is to set up a separate subnet to
link the server and the router. (This link would operate like a DMZ). This
would mean reconfiguring your LAN (because the LAN machines would not be able
to see the router directly). The server would be the default gateway for
your LAN.

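
The addressing rules in Bill Grant's reply above (no two NICs of the RRAS server in the same subnet; in the two-NIC layout the router sits on its own link subnet and the server is the LAN's default gateway) can be checked mechanically. This is an added example, not part of any post in the thread: only 192.168.1.2 and 192.168.1.3 come from the thread, while the /24 masks, the interface names, the router addresses and the 10.0.0.0/24 link subnet are assumptions.

```python
import ipaddress
from itertools import combinations

# From the thread: both NICs on 192.168.1.x. Masks and router IP are assumed.
MIKE_NICS = {"dmz": "192.168.1.3/24", "internal": "192.168.1.2/24"}
MIKE_ROUTER = "192.168.1.1"          # assumed, not stated in the thread
# Constructed layout with a separate server-to-router link subnet.
SEPARATE_NICS = {"link": "10.0.0.2/24", "lan": "192.168.1.2/24"}
SEPARATE_ROUTER = "10.0.0.1"         # constructed


def subnet_conflicts(nics):
    """Return (nic_a, nic_b, shared_network) for each pair of NICs whose
    subnets overlap. `nics` maps an interface name to 'address/prefix'."""
    ifaces = {name: ipaddress.ip_interface(cidr) for name, cidr in nics.items()}
    conflicts = []
    for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2):
        if ia.network.overlaps(ib.network):
            # Report the wider network, so a /16 vs /24 overlap is caught too.
            shared = min(ia.network, ib.network, key=lambda n: n.prefixlen)
            conflicts.append((a, b, str(shared)))
    return conflicts


def check_two_nic_plan(nics, router_ip, lan_nic, lan_gateway):
    """List the problems in a two-NIC RRAS addressing plan."""
    problems = [f"{a} and {b} are both in {net}"
                for a, b, net in subnet_conflicts(nics)]
    router = ipaddress.ip_address(router_ip)
    # The router must be reachable through exactly one NIC, and not the LAN one.
    link_nics = [name for name, cidr in nics.items()
                 if router in ipaddress.ip_interface(cidr).network]
    if len(link_nics) != 1 or link_nics == [lan_nic]:
        problems.append("router must sit on exactly one non-LAN subnet")
    # LAN machines cannot see the router directly, so the server is their gateway.
    if ipaddress.ip_address(lan_gateway) != ipaddress.ip_interface(nics[lan_nic]).ip:
        problems.append("LAN default gateway must be the server's LAN address")
    return problems


if __name__ == "__main__":
    print(check_two_nic_plan(MIKE_NICS, MIKE_ROUTER, "internal", MIKE_ROUTER))
    print(check_two_nic_plan(SEPARATE_NICS, SEPARATE_ROUTER, "lan", "192.168.1.2"))
```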
 
Mike via WinServerKB.com
12-31-2005, 12:31 AM
I took your advice and found another machine that I can run RRAS on instead
of running it on the DC. So now according to you I do not need two NICs in
the RRAS Server.

You are correct, my router is getting the public address from my provider and
I now understand that is where my VPN clients will connect. This brings
another question up though. My ISP uses dynamic IPs. Since this was the
case I signed up for Dynamic DNS from http://www.dyndns.com but in order to
properly set up RRAS do you have to have a static IP or can you use a DNS name?


Thanks for the help


--
Thanks so Much

Mike

Bill Grant
12-31-2005, 12:51 AM
The DNS name should work fine. dyndns should keep your DNS name updated
to point to your router's current IP.

Mike via WinServerKB.com
01-03-2006, 02:05 PM
Thanks for the help thus far. I think I am slowly figuring this VPN issue
out from this board and others. I now have two physical machines running
Windows 2003 Server. One has the DC and the other has nothing at this point
running on it other than the OS.

I have that Linksys router that is obviously getting the public IP address
that you explained would be getting the incoming connections. That is where
my problem is. I already have a Linksys router and do not want to make my
Windows machine a router with RRAS.

So now what would my options be here? When I install RRAS I can only choose
the network interfaces that are connected to the computer and not the public
interface of the router.



--
Thanks so Much

Mike
