File shares not accessible on VPN server?

Discussion in 'Windows Networking' started by Vernalex, Apr 27, 2004.

  1. Vernalex

    Vernalex Guest

    I currently have a Windows Server 2003 computer that is running routing and
    remote access to provide access from outside our network. The benefit of
    this is that NetBIOS/SMB ports are blocked at our WAN router, but we can use
    a VPN to gain secure access to SMB shares that are inside the network.

    The computer hosting the VPN is a simple machine. It is not on an active
    directory and it does little else than share resources. So, to set up the
    VPN I used the Routing and Remote Access Server setup wizard. Since I only
    have a single NIC I used the custom configuration and selected the VPN
    access. This then allowed me to access the network from offsite using the
    default policies set by the wizard.

    But, I have come across a problem. The VPN connects just fine. And when
    connected I receive an IP from the server's LAN. I can then access other
    computers on that network. However, when I try to connect to a Windows share
    on the VPN server it fails to get a response from the server. I first
    thought this may be a security issue, but now I am not sure. A friend of
    mine with Small Business Server 2003 doesn't have this problem. I have read
    books on this subject, searched the web and the usenet, and asked people
    that I thought would know... but, I haven't been able to come up with an
    answer.

    If anyone has an answer then please let me know. Thanks :)
     
    Vernalex, Apr 27, 2004
    #1

  2. Vernalex

    eddiec Guest

    Maybe this is a routing issue. Try pinging or a traceroute to the VPN server
    when connected remotely.
     
    eddiec, Apr 27, 2004
    #2

  3. Vernalex

    Bill Grant Guest

    The first thing to check is that you can access the server. When the
    client connects, click the icon in the system tray and click on Details.
    This will display the IP address of the server. Check that you can ping this
    IP. Next try to ping by server name. If that works, routing and name
    resolution are working.

    Browse the server with "net view \\servername" and try to map a share
    using "net use z: \\servername\filename". If it complains about your
    username, use the username\password options in net use.
     
    Bill Grant, Apr 27, 2004
    #3
  4. Vernalex

    Vernalex Guest

    Bill,

    I have located the issue, but not the root of the problem. In the
    past I have tried resolving the server, and it worked fine. The IP
    pinged fine and the DNS and NetBIOS names resolved properly to the IP.
    But, when I tried to map the drive it wouldn't work.

    But, I ran through your directions anyhow in hopes I would figure
    something out because from the way you and eddiec speak, it sounds
    like my problem isn't the default behavior as I was assuming. When I
    checked the details of the connection I realized the problem though.
    The IP of the VPN server was different from the real IP of the server.
    A few "oohhhhhh"s later and I checked the server's connections through
    ipconfig. There is a connection called "PPP adapter RAS Server (Dial
    In) Interface" that is described as "WAN (PPP/SLIP) Interface" that
    contains the dial-in interface IP that differs from the NIC's IP.
    Running through the Routing and Remote Access MSC I can see it is
    called "Internal" for its LAN and Demand Dial name.

    So, once I connect through the VPN the WINS server gives me the real
    IP of the server for the NetBIOS name and the DNS servers give me the
    real IP for its DNS name ... but, it only accepts connections on the
    IP assigned to it for the dial-in interface. This means that if I try
    to connect through the \\ip of it, then I can browse the shares. At
    least now I have a workaround. :)

    I am wondering if anyone knows if I can get rid of this behavior. I
    would much prefer having the same IP for the dial-in interface as the
    server's IP. The server is not supposed (as per network policy here)
    to have two IPs.

    Originally to set this up I used the Routing and Remote Access MSC.
    I right clicked the server's name in the list and used "Configure and
    Enable Routing and Remote Access". Next. Custom configuration (because
    the VPN option from that menu requires two NICs). Tick VPN access box.
    Finish. I am guessing this creates default policies that create the
    behavior of having two IPs, or perhaps this is a required behavior.

    I should also point out that I do not maintain the WINS server here
    and the dial-in IP as well as the normal server IP are pingable from
    the Internet. Only SMB traffic is blocked from the Internet. So when I
    VPN in, the IP it receives from the WINS server is the IP I used to
    dial-in to the VPN.

    Any ideas? Thanks :)

    Joseph Dowden
     
    Vernalex, Apr 27, 2004
    #4
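
The checks from posts #3 and #4 combined into one script, as an added example that is not part of the original thread: it resolves the server name, probes the SMB ports on each resolved address and on the server address shown in the VPN connection's Details tab, and reports which case applies. The function names, the host name `fileserver` and the 192.0.2.x addresses are constructed for illustration.

```python
import socket

SMB_PORTS = (445, 139)  # direct-hosted SMB and NetBIOS session service

def tcp_open(ip, port, timeout=2.0):
    """Return True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve(name):
    """IPv4 addresses the client's resolver returns for name (empty on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []

def diagnose(name, tunnel_server_ip, resolver=resolve, probe=tcp_open):
    """Compare SMB reachability of the name-resolved address(es) with the
    server address listed in the VPN connection details."""
    def open_ports(ip):
        return [p for p in SMB_PORTS if probe(ip, p)]
    by_name = {ip: open_ports(ip) for ip in resolver(name)}
    by_tunnel = open_ports(tunnel_server_ip)
    if not by_name:
        verdict = "name-resolution-failed"
    elif any(by_name.values()):
        verdict = "smb-reachable-by-name"
    elif by_tunnel:
        verdict = "smb-only-on-tunnel-ip"  # the situation found in post #4
    else:
        verdict = "smb-unreachable"
    return {"resolved": by_name,
            "tunnel": {tunnel_server_ip: by_tunnel},
            "verdict": verdict}

def constructed_demo():
    """Offline run with constructed data: the name resolves to the LAN
    address, but only the dial-in interface address answers on 445."""
    lan_ip, dialin_ip = "192.0.2.10", "192.0.2.50"  # constructed addresses
    fake_resolver = lambda name: [lan_ip]
    fake_probe = lambda ip, port: ip == dialin_ip and port == 445
    return diagnose("fileserver", dialin_ip, fake_resolver, fake_probe)

if __name__ == "__main__":
    print(constructed_demo())
```

On a connected VPN client, call `diagnose()` with the real server name and the server IP from the connection details, leaving the default resolver and probe in place.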
  5. It is not possible for two interfaces to have the same IP#. Every interface
    on the server must have a unique IP# including all the Dialin Interfaces.
    This is normal behavior... has nothing to do with Windows or any MS product,
    and you can't do anything about it... it is the way TCP/IP networks are.

    The only other thing I can think of is that you may be mistakenly assuming
    that the login you used when connecting with VPN also logs you into the
    Network... it does not. The credentials you used to make the connection do
    only that... they make the connection, but nothing else. At this point you
    are connected at the Layer 3 & 4 levels but that has nothing to do with logging
    into the Domain to be able to access resources; also your machine itself, as
    far as the machine account on the domain is concerned, is not logged in
    either.

    If you notice at the very beginning when at the Ctrl+Alt+Del prompt at your
    work station there is a checkbox where you put in the credentials that says
    "Login using Dialup Networking" (or something like that). You must check
    that box, then when you log into the machine you will be prompted for which
    dial-up connection to use. Following this process logs both you and your
    machine into the domain via the VPN connection at the same time that you log
    into the machine. Your workstation must be a member of the Domain for this
    to work.
     
    Phillip Windell, Apr 27, 2004
    #5