Networking Forums


VPN Authentication & Mapping Issue

 
 
JD Benton

 
      11-23-2005, 01:27 PM
Hello All
I have already posted this in another group but don't seem to be getting a
hit and I am getting somewhat desperate for a solution.

I have a very strange problem that I am hoping someone here is able to
help me solve.
Our setup is like this:
1. Windows 2003 domain
2. Many remote users with IBM laptops or Fujitsu Stylistic Tablets
3. Checkpoint SecureClient VPN client software
4. RSA Ace server for VPN authentication
5. Scriptlogic 6.5.2 for mapping drives etc

The problem:
We have several users that authenticate to our network through a VPN
connection. These users have Checkpoint SecureClient installed on their
machines and are authenticated to an RSA Ace server that is a Member Server
in our domain. Once the user is logged on they run a batch file that maps
their network drives via a short-cut to the Slogic.bat file in the Netlogon
directory of our PDC Emulator. Now for most people this is not a problem but
for some laptop users and all Fujitsu Tablet users the process of trying to
run the login
script takes anywhere from 30-60 minutes to complete. What happens to the
people having a problem is this:
1. User runs the short-cut to Slogic.bat
2. After about 7-15 minutes they are prompted for a username and password
3. If they type in their domain user name and password they get prompted
again after about 4-10 more minutes with a message saying "that
authentication has been previously tried and failed".
4. The user can then type in a username and password from a temporary
account I created to help resolve this problem. This account is just a
simple domain user.
5. After several more minutes the logon screen will appear but can take up
to 35-40 to complete
6. When complete, the user checks for their drives but none have mapped.

As you can imagine, they are not very happy after taking all of this time only
to find out things did not work.

If the same user logs onto the network with the same machine while they are
in the office, everything works very quickly and as it should.

I have looked in the trace file that Scriptlogic creates and this is an example
of the error message that I see:
08:44:58 Mapping drive G \\Server1\Graphics [SLP00001 1/30]
08:46:02 Error: Unable to map drive: 1265 The system detected a possible
attempt to compromise security. Please ensure that you can contact the server
that authenticated you.
OR
20:52:27 Error: Unable to map drive: 1326 Logon failure: unknown user name
or bad password.

I have been in contact with Scriptlogic and they tell me it is a Windows
authentication issue. I read one post where a person appeared to have a
somewhat similar issue to mine and they apparently resolved it by hard coding
the DNS address on the user machine to point to the DNS server in the
domain. I gave this a shot but did not have any success. This seems to be
an obvious case of authentication but for the life of me I am stumped.

Hopefully someone out there has run into the same problem that has been
dogging me for several months and is able to lend a hand.

Thank you to all that take the time to read this and especially those that
fire me off some suggestions.

JD Benton



 
 
 
 
 
chrispsg

 
      11-23-2005, 08:14 PM
Could be a DNS issue. When the users connect to the VPN are they using
the same DNS server as they would use if they were in the office?

psg

 
 
JD Benton

 
      11-24-2005, 01:06 PM
Chrispsg
Thank you for your reply.

When the users connect to the VPN they are using the DNS from their ISP. I
have tried hard coding the DNS address of our internal DNS server as the
primary DNS on the user's machines but this has not helped.

JD Benton
 
chrispsg

 
      11-25-2005, 03:33 PM
When the user connects, the VPN connection (PPTP or L2TP) needs to use
the DNS server on your LAN. Make sure this connection is using the correct
address and not the LAN connection of the laptop.

psg

 
 
JD Benton

 
      11-28-2005, 03:55 PM
Chris
Thanks for your reply. I am not sure I understand what you mean though.
Our users use their ethernet connection via high-speed (DSL or Cable) to
connect to the internet. Once this connection is established they use the
Checkpoint SecureClient to connect to our LAN and create the secure VPN
tunnel.

Each user has a Linksys router that is configured to provide the internal
(192.168.x.x) IP configuration for the ethernet connection on the user's
machine. Part of this configuration is a DNS address that points to the
Linksys router as the DNS server. The Linksys router gets its external IP
configuration including the DNS address from the user's ISP provider. I have
tried hard coding the IP address of the DNS server on our LAN into the
ethernet configuration on the user's machine but this has not resolved the
problem.
 
FOAD

 
      11-28-2005, 04:01 PM
Didn't get your original note, what exactly is your issue?
As I have (35) users using checkpoint securemote... maybe I can help..

AL
 
chrispsg

 
      11-28-2005, 07:57 PM
You need to tell Checkpoint SecureClient to use your LAN's DNS server
(not their ethernet connection). The internal IP config doesn't matter.
The VPN client adapter needs to be configured to use your main DNS
servers on the main branch LAN. To see what the VPN clients are using
currently, connect to the VPN and run ipconfig /all. It will show the
DNS servers for the SecureClient adapter. Make sure the DNS servers are
the DNS servers you use at the main office. Disregard the Local Area
Connection; you're looking for the PPTP or L2TP adapter configuration.
psg
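
The check described in the post above (read the DNS servers listed for the VPN adapter in ipconfig /all and ignore the Local Area Connection) can be scripted for a fleet of laptops. This is an added example, not part of the thread; the sample output, the adapter name "Office VPN" and the internal DNS addresses are constructed assumptions.

```python
import re

# Constructed `ipconfig /all` excerpt; adapter names and addresses are made up.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.100
        DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Office VPN:

        IP Address. . . . . . . . . . . . : 10.0.50.7
        DNS Servers . . . . . . . . . . . : 10.0.0.10
                                            192.168.1.1
        NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^\S.*? adapter (?P<name>.+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<value>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_dns_servers(text):
    """Map each adapter name to the IPv4 DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        field = FIELD_RE.match(line)
        if header:
            current, in_dns = header.group("name"), False
            adapters[current] = []
        elif field:
            in_dns = current is not None and field.group("key") == "DNS Servers"
            if in_dns and IPV4_RE.match(field.group("value").strip()):
                adapters[current].append(field.group("value").strip())
        elif in_dns and IPV4_RE.match(line.strip()):
            adapters[current].append(line.strip())  # extra servers wrap onto their own lines
    return adapters

def check_vpn_dns(text, vpn_adapter, internal_dns):
    """Return findings for the VPN adapter; an empty list means it is clean."""
    servers = parse_dns_servers(text).get(vpn_adapter)
    if servers is None:
        return [f"adapter {vpn_adapter!r} not found (tunnel down?)"]
    if not servers:
        return [f"adapter {vpn_adapter!r} has no DNS servers assigned"]
    return [f"{s} is not an internal DNS server" for s in servers if s not in internal_dns]

if __name__ == "__main__":
    print(check_vpn_dns(SAMPLE, "Office VPN", {"10.0.0.10", "10.0.0.11"}))
```

On the sample, the home router address 192.168.1.1 is flagged on the VPN adapter, while the same address on the Local Area Connection is ignored.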

 
 
JD Benton

 
      12-01-2005, 03:28 PM
Hello Al
This is my original post.
"Hello All
I have already posted this in another group but don't seem to be getting a
hit and I am getting somewhat desperate for a solution.

I have a very strange problem that I am hoping someone here is able to
help me solve.
Our setup is like this:
1. Windows 2003 domain
2. Many remote users with IBM laptops or Fujitsu Stylistic Tablets
3. Checkpoint SecureClient VPN client software
4. RSA Ace server for VPN authentication
5. Scriptlogic 6.5.2 for mapping drives etc

The problem:
We have several users that authenticate to our network through a VPN
connection. These users have Checkpoint SecureClient installed on their
machines and are authenticated to an RSA Ace server that is a Member Server
in our domain. Once the user is logged on they run a batch file that maps
their network drives via a short-cut to the Slogic.bat file in the Netlogon
directory of our PDC Emulator. Now for most people this is not a problem but
for some laptop users and all Fujitsu Tablet users the process of trying to
run the login
script takes anywhere from 30-60 minutes to complete. What happens to the
people having a problem is this:
1. User runs the short-cut to Slogic.bat
2. After about 7-15 minutes they are prompted for a username and password
3. If they type in their domain user name and password they get prompted
again after about 4-10 more minutes with a message saying "that
authentication has been previously tried and failed".
4. The user can then type in a username and password from a temporary
account I created to help resolve this problem. This account is just a
simple domain user.
5. After several more minutes the logon screen will appear but can take up
to 35-40 to complete
6. When complete, the user checks for their drives but none have mapped.

As you can imagine, they are not very happy after taking all of this time only
to find out things did not work.

If the same user logs onto the network with the same machine while they are
in the office, everything works very quickly and as it should.

I have looked in the trace file that Scriptlogic creates and this is an example
of the error message that I see:
08:44:58 Mapping drive G \\Server1\Graphics [SLP00001 1/30]
08:46:02 Error: Unable to map drive: 1265 The system detected a possible
attempt to compromise security. Please ensure that you can contact the server
that authenticated you.
OR
20:52:27 Error: Unable to map drive: 1326 Logon failure: unknown user name
or bad password.

I have been in contact with Scriptlogic and they tell me it is a Windows
authentication issue. I read one post where a person appeared to have a
somewhat similar issue to mine and they apparently resolved it by hard coding
the DNS address on the user machine to point to the DNS server in the
domain. I gave this a shot but did not have any success. This seems to be
an obvious case of authentication but for the life of me I am stumped.

Hopefully someone out there has run into the same problem that has been
dogging me for several months and is able to lend a hand.

Thank you to all that take the time to read this and especially those that
fire me off some suggestions."

JD Benton