Networking Forums

VPN/Remote Desktop/Internet problem

Newell White
08-09-2006, 11:19 AM
We have a single subnet LAN, 192.168.1.0, with 2 W2k3 servers running AD and
DNS/WINS/DHCP. The PDC also hosts our database and RRAS/VPN server.
We have about 40 XP workstations on the LAN, and 10 VPN clients running XP
or 2000.

VPN client access is configured via the public IP address of our Cisco Pix
firewall (only route from ADSL connection to the LAN), and they login to
Remote Desktop on the PDC to access the database and file-shares only.

The only detectable problem with this set-up is - VPN users can't access the
Internet from the PDC remote desktop. They get 'cannot find server or DNS
error' - sounds like a clue!
Can anyone point me to a CLEAR article which explains why this problem
arises and how it can be solved? I don't want the security and support
headache of configuring the VPN clients (world-wide) for split-tunnel to get
Internet from their ISP.

Are there any other potential problems I am ignorant of?

TIA,
--
Newell White
Robert L [MS-MVP]
08-09-2006, 02:35 PM
First of all, it is not recommended to enable RRAS on a DC. Since you have Cisco PIX, I would use Cisco VPN.

Secondly, I would set up a group policy to restrict TS/RDP users from accessing the Internet if they access the DC. So, do you have a group policy to block Internet access?

Can you ping a public IP after RDC to the DC?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Bill Grant
08-09-2006, 11:16 PM
I basically agree with Bob. The PDC emulator is the worst choice for the
VPN server. The PIX is the best choice. If you must use a Windows server,
don't use the PDC emulator for a remote access server. Even if you use the
other W2k3 for RRAS you may have problems if it is a DNS server or is a
master browser for the LAN. See KB 292822 and 830063.
Newell White
08-16-2006, 01:21 PM
Sorry for delay in replying, but here in UK business hours have had great
difficulty connecting to this group after logging in. 'Page not available'

First reply to Bob:
Don't have a policy prohibiting Internet Access.
Pinging routable IP address times out.
Pinging same address by name leaves blank DOS window which disappears after
several minutes.

Now to Bill:
I inherited this set-up (previous admin left before I joined to do a
different job, I have had to self-educate to keep network running - small
firm!).
Yes our roaming users use Cisco VPN client, and tunnel terminates in our
Cisco Pix.
Does that mean inherited W2k3 VPN server role is redundant, and I can close
it down?

Further question:
To ease restricted upload speed on our ADSL connection, I have to configure
users to access Internet by their local ISP - plan was to disable 'Use Remote
Gateway' on their Windows XP VPN connection.
But if the Cisco Pix is the tunnel end, it must be doing some sort of
routing to reach Remote Desktop on the DC. Do I have to configure
split-tunnel on the Pix?

Thanks to all
--
Newell White
Bill Grant
08-17-2006, 02:24 AM
If the remote clients are connecting to the PIX using the Cisco VPN
client, they are not connecting to the Windows machine by VPN, so you do not
need the Windows machine to be a VPN server. The clients connect to the
Windows server by RDP on top of the VPN connection to your LAN
firewall/router.

The remotes may be authenticating their VPN connection against AD though.
The Cisco could be offloading that to the DC using RADIUS.

Trying to make an Internet connection through RDP over VPN certainly
doesn't sound like a good idea to me. It would be very slow even if you
could make it work.
Newell White
08-17-2006, 11:15 AM
Thanks Bill for continuing education.

It looks as though I can configure the VPN clients to use split tunnel by
revising the setup of the Pix, which will configure their routing when they
connect. This should give them local ISP Internet access.

I will also shut down VPN server on my PDC.
--
Newell White
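The split-tunnel change Newell settles on above, as an added example that is not part of the original thread and not the poster's actual PIX configuration: a PIX 6.3-style setup for a Cisco VPN client group in which only the office LAN is sent through the tunnel and everything else leaves via the client's own ISP. The group name `roaming`, the VPN address pool 192.168.2.0/24, the DC/DNS address 192.168.1.10 and the domain `example.local` are assumptions; only the 192.168.1.0/24 LAN comes from the thread.

```cisco
! Added example, not taken from the thread: PIX 6.3 split tunnelling for the Cisco VPN client.
! Assumed values: group 'roaming', pool 192.168.2.1-192.168.2.50, DC/DNS 192.168.1.10,
! AD domain 'example.local'. The 192.168.1.0/24 LAN is the poster's own subnet.

! Split-tunnel list: only traffic to this network is encrypted into the tunnel.
! Internet-bound traffic never reaches the PIX, so the ADSL upload link is not used for it.
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 any

! Do not NAT traffic between the LAN and the VPN address pool.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Addresses handed to connecting clients.
ip local pool vpnpool 192.168.2.1-192.168.2.50

! Let decrypted IPsec traffic bypass the outside interface ACL.
! Omit this line if you want to restrict the pool with the outside ACL instead (see note below).
sysopt connection permit-ipsec

! Group attributes pushed to the Cisco VPN client at connect time, including the
! split-tunnel list and the internal DNS server so AD names still resolve.
vpngroup roaming address-pool vpnpool
vpngroup roaming dns-server 192.168.1.10
vpngroup roaming default-domain example.local
vpngroup roaming split-tunnel split_tunnel_acl
vpngroup roaming idle-time 1800
vpngroup roaming password <group-pre-shared-key>
```

On PIX 7.x (and ASA) the same thing is expressed under `group-policy <name> attributes` with `split-tunnel-policy tunnelspecified` and `split-tunnel-network-list value split_tunnel_acl`. To confirm it took effect, reconnect a client and run `route print` on the XP machine: 192.168.1.0/24 should point at the VPN adapter while the default route still points at the local ISP, and `nslookup` of an internal name should be answered by the pushed DNS server. The trade-off the thread alludes to is real: a split-tunnelled client is on the Internet and holds a path into the LAN at the same time, so keep the Cisco client's stateful firewall enabled and limit what the pool may reach. On 6.3 that means leaving out `sysopt connection permit-ipsec` and permitting only the needed flows from 192.168.2.0/24 (for example TCP 3389 and the file-share ports to the DC) in the outside interface access-list; on 7.x the `vpn-filter` group-policy attribute does the same job.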