Networking Forums
problem with VPN running on static IP address

 
 
Tim_Mac
04-28-2005, 05:13 PM
hi,
i have a server2003 box which is a web server, and i want to configure
it as a VPN server for PPTP connections. all i want to do is let remote
clients access a shared folder securely. the datacenter assigned a
static IP address and dns to the server.

i am having trouble with this, because twice i have run the wizard to
configure VPN, and both times it basically took down the web server and
booted me out of remote administration. the first time i ran it, i
chose VPN + Nat as the configuration, and the basic firewall was
ticked, i guess this was the culprit. the second time, i chose VPN,
without dial-in, and allocate IP Addresses automatically, the option to
set up static filters to protect the VPN was also ticked.

i am quite embarrassed at this stage to keep phoning up the datacenter
to get them to disable RRAS!

how can i safely add the most simple VPN configuration to allow sharing
folders without blocking normal web server traffic, or the remote
desktop connection?
i've read the long MS official docs on VPN setup, but my environment or
requirements don't really match the scenarios. i have set up some users
with dial-in privilege.

thanks for any tips.
tim

 
Robert L [MS-MVP]
04-28-2005, 07:58 PM
You may want to use incoming connection or re-configure the NAT. Quoted from http://howtonetworking.com.

Case Study - No one can access the server after setting up VPN

Situation: One client tried to set up VPN by selecting the Remote access (dial up or VPN) option under the RRAS Setup Wizard. The VPN server worked and outside VPN clients could access it.

Problem: As soon as the VPN was enabled, no one in the LAN could access the server any more.

Troubleshooting: We used PortQry to scan the server and found the server blocking all ports except 1723. When installing the Remote access (dial up or VPN) option, the RRAS Inbound and Outbound Filtering blocks all traffic except VPN by default.

Recommendation:

1. He can set up VPN using Incoming Connection.
2. Modify the Inbound and Outbound filters manually to allow LAN traffic.
3. Set up VPN and NAT for better management.

Case Study - Can't access the server using RDC after enabling VPN

Situation: A company used to use RDC to access the server remotely. They just set up VPN by selecting the VPN and NAT option under the RRAS Setup Wizard. The VPN server worked and outside VPN clients could access it.

Problem: Since then, they could not access the server using RDC from outside.

Troubleshooting: By default, the VPN/NAT blocks all ports except VPN after setting up VPN/NAT.

Recommendation: They should access the server using the private IP instead of the public IP. If they do want to access the server using the public IP, they should open port 3389 under NAT Services and Ports.



Don't send e-mail or reply to me except you need consulting services. Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
I recommend Brinkster for web hosting!


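The filtering behaviour described in the first case study, modelled in an added Python example (not code from the thread, from Microsoft or from howtonetworking.com): a default-deny inbound filter list, first with only the PPTP permits and then with the web and RDP ports added back. The filter lists, the sample packets and every port other than 1723 and 3389 are constructed for the illustration; GRE (IP protocol 47) is included because PPTP carries its tunnelled data over GRE.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP, GRE = 6, 47  # IP protocol numbers


@dataclass(frozen=True)
class Filter:
    """One permit entry of a default-deny inbound filter list (constructed model)."""
    proto: int
    dst_port: Optional[int] = None  # None: any port (GRE has no port field)


@dataclass(frozen=True)
class Packet:
    name: str
    proto: int
    dst_port: Optional[int] = None


# Constructed sample of what a web server that also terminates PPTP must accept.
SERVICES = [
    Packet("HTTP", TCP, 80),
    Packet("HTTPS", TCP, 443),
    Packet("RDP", TCP, 3389),
    Packet("PPTP control", TCP, 1723),
    Packet("PPTP data (GRE)", GRE),
]

# Modelled on the wizard's VPN-only filters: PPTP control and GRE, nothing else.
VPN_ONLY: List[Filter] = [Filter(TCP, 1723), Filter(GRE)]

# Corrected list: keep the VPN permits and add the server's own services.
VPN_PLUS_SERVER: List[Filter] = VPN_ONLY + [
    Filter(TCP, 80), Filter(TCP, 443), Filter(TCP, 3389)]


def permitted(pkt: Packet, filters: List[Filter]) -> bool:
    """Default deny: a packet passes only if some filter matches protocol and port."""
    return any(
        f.proto == pkt.proto and (f.dst_port is None or f.dst_port == pkt.dst_port)
        for f in filters
    )


def blocked_services(filters: List[Filter]) -> List[str]:
    """Services that would go dark if this filter list were applied inbound."""
    return [p.name for p in SERVICES if not permitted(p, filters)]


if __name__ == "__main__":
    for label, flt in (("VPN only", VPN_ONLY), ("VPN + server", VPN_PLUS_SERVER)):
        print(f"{label}: blocked = {blocked_services(flt) or 'nothing'}")
```

Running `blocked_services` against the intended filter list before applying it on a live box is the check the original poster was missing: the VPN-only list reports HTTP, HTTPS and RDP as cut off.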
 
Tim_Mac
04-29-2005, 10:46 AM
hi Bob,
thanks for the reply. i tried setting up Incoming Connections, and as
soon as i clicked Next in the wizard, my remote desktop got cut off,
and it blocked all web traffic. this is a live server and i can't
really afford to have any downtime.

i had to phone the datacenter and get them to log in and delete the
incoming connection. it seems crazy to me that the wizard would do
this by default, without any obvious warnings like "any remote desktops
will be disconnected, all web server traffic will be blocked, " etc.

what can i do? the windows firewall / ICS service is running but
turned off.
thanks.
tim

 
Robert L [MS-MVP]
04-29-2005, 04:37 PM
We need more information about your system: do you have 2 NICs on the server? Is it running as a DC? Posting the routing table (after enabling VPN) here may help.
For more and other information, go to http://howtonetworking.com.



 
Robert L [MS-MVP]
04-29-2005, 04:39 PM
also have you tried to manage the NAT if you enabled it?
For more and other information, go to http://howtonetworking.com.



 
Tim_Mac
04-30-2005, 10:22 AM
hi robert,
it's not a DC, and there is only one NIC. the server roles configured
are: file server, application server, streaming media server. the
server is in a datacenter as a stand-alone web server, connected to
their network via one NIC, with a static IP address. i just read on
another post that you need 2 nics to have a VPN. why on earth? what
good is the second NIC if it doesn't connect to anywhere!?

i want remote clients to be able to access a shared folder, over a
secure web connection. and i gather VPN using incoming connections is
the simplest way of doing this. i understand that if i use incoming
connections the NAT stuff is configured automatically. i absolutely
can't afford to try setting up incoming connections again, without
knowing for sure that it won't block off web traffic, or the remote
desktop connection.

really appreciate any help. i can post my security configuration xml
file (from SCW) if that's any use.
tim

 
Bill Grant
04-30-2005, 11:57 PM
A VPN (Virtual Private Network) allows a client to connect to a private
LAN through the Internet. It is similar to a RAS connection, except it uses
the Internet as the carrier rather than a communication line.

The reason why two NICs are used in the standard config is this. One NIC
is the connection to the private LAN and the second is the connection to the
Internet. The client connects to the public NIC, and the VPN traffic is then
tunnelled through this connection. On arrival the packet is unencapsulated
and decrypted, then forwarded to the private LAN.

If the server has only a private IP, then the initial connection must be
made to a router with a public address, and the VPN connection forwarded to
the server across the LAN. If the server has only a public IP, the VPN
connection is made to that interface. The only private interface is the
"virtual" interface which the server creates to be the VPN endpoint. The VPN
client can access only the VPN server itself.

To configure a machine with one NIC to act as a remote access server,
use the manual config option in the RRAS setup wizard.




 
Tim_Mac
05-02-2005, 06:53 PM
hi Bill,
thanks for the reply. the server only has a public IP, and there is
no 'internal' LAN so to speak. any files needing to be shared are on
the web server itself.
if i go with manual config in RRAS setup, can you assure me that it
will not block web traffic and kick me off the remote desktop
connection?

thanks
tim

 
Bill Grant
05-03-2005, 12:40 AM
Nobody could guarantee that without checking out the whole setup. But
enabling the server for remote access should do no more than set up the WAN
miniports for VPN. It should not affect any of the existing networking.




 
Scott Abel
05-03-2005, 03:57 AM
I'm interested in what you said about being able to access the vpn server
through the "virtual" interface. I've been trying to get this to work for
days and have had no success.

I'm trying to do the same thing Tim is, and have also locked myself out many
times. I've done a lot of work on firewalls so I understand why I've locked
myself out (if you don't understand the difference between TCP and
TCP-established, you stand a good chance of locking yourself out), but it is
still frustrating.

I've gotten the vpn to connect, but looking at the routes it gives me I
don't see how it could possibly work. I give it a range to use for vpn
client addresses: 172.22.0.1 - 172.22.0.250. It takes the first address
172.22.0.1 as the "virtual" interface, and then assigns them starting with
172.22.0.2 to clients that connect via vpn. Then it delivers the following
routes to the client:

172.22.0.0 255.255.0.0 172.22.0.2 172.22.0.2
so far, so good. It looks as though I connect to the "virtual" interface
through my vpn client PPP virtual interface.

But then it also gives me this route:
172.22.0.2 255.255.255.255 127.0.0.1 127.0.0.1
(!!)
how is this supposed to work? I connect to the vpn through my local
loopback interface?

I can't ping the virtual interface 172.22.0.1, or anything on the vpn
server, needless to say.

I'm really disappointed in the lack of good documentation on what should be
a simple task.

I have a remote server that has a single outside interface. I've tried
creating a special loopback internal interface, using the built-in loopback
interface and neither one seems to work as the inside interface. I'm not
sure why it needs that, the virtual interface used as the VPN endpoint ought
to give vpn clients access to the vpn server for file sharing purposes
(subject to packet filtering limitations), but it doesn't.

I've also tried vpn standalone with some manual tweaking, vpn plus NAT and
neither one seems to let me just access the files on the vpn server, which is
all I really want to do!

I also studied the howtonetworking site that Bill recommended, studied it in
great detail, and found it to be of no use in explaining this basic task.

I'm ready to just punt on RRAS and put in a $30 D-link vpn firewall. Too
bad my ISP hasn't agreed to let me do that ...



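The two route lines quoted in the post above, parsed and classified by an added Python example (not code from the thread or from Windows). On Windows a /32 route for an address with gateway 127.0.0.1 is the host route the stack installs for each address the machine itself owns, so the second line describes the client's own PPP address; the first line is what would actually carry a packet to 172.22.0.1, which the longest-prefix lookup below shows. The route strings are copied from the post and the lookup targets are constructed.

```python
import ipaddress

LOOPBACK = ipaddress.IPv4Address("127.0.0.1")

# Sample route lines in the post's format: destination netmask gateway interface
ROUTES = [
    "172.22.0.0 255.255.0.0 172.22.0.2 172.22.0.2",
    "172.22.0.2 255.255.255.255 127.0.0.1 127.0.0.1",
]


def parse_route(line):
    """Split one 'destination netmask gateway interface' line into typed fields."""
    dest, mask, gw, iface = line.split()[:4]
    net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
    return net, ipaddress.IPv4Address(gw), ipaddress.IPv4Address(iface)


def local_addresses(routes):
    """Addresses this host owns: Windows installs a /32 via 127.0.0.1 for each."""
    return {net.network_address for net, gw, _ in map(parse_route, routes)
            if net.prefixlen == 32 and gw == LOOPBACK}


def classify(line, routes):
    """Explain what one route line means in the context of the whole table."""
    net, gw, iface = parse_route(line)
    if net.prefixlen == 32 and gw == LOOPBACK:
        if net.network_address in local_addresses(routes):
            return "host route for this machine's own address (normal)"
        return "loopback host route for a foreign address (unexpected)"
    if gw == iface:
        return "on-link network reached directly through the interface"
    return "network forwarded via a gateway"


def lookup(dst, routes):
    """Longest-prefix match: the (net, gateway, interface) that would carry dst."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in map(parse_route, routes):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


if __name__ == "__main__":
    for line in ROUTES:
        print(f"{line}\n    -> {classify(line, ROUTES)}")
    print("172.22.0.1 goes out via", lookup("172.22.0.1", ROUTES))
```

Because the server's virtual address 172.22.0.1 matches the /16 through the PPP interface, the client's route table is not what stops the ping; the server-side packet filters discussed earlier in the thread are the next thing to check.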
 