Lost outside Connectivity to my Windows 2000 server

Discussion in 'Windows Networking' started by RDK, Feb 3, 2010.

  1. RDK

    RDK Guest

    Hi folks.....Today I may have shot myself in the foot! I have a Windows
    2000 Server which has been operating just fine for years.

    Today I decided to also try to use it as a VPN server for access to the
    network from outside. This network is a Domain with an Active Directory
    server, etc.

    With several references from the Web for guides, I ran the "Routing and
    Remote Access" app to set up this VPN. All seemed to go just fine. I tested
    it internally and it worked as expected.

    However, when I got outside of our network, not only did the VPN not
    connect, but I had also lost access to the webserver.

    I'm desperate for ideas.

    So far I have rebooted the server, several times. I have removed the VPN
    server object.

    I hope you have some good ideas....RDK
     
    RDK, Feb 3, 2010
    #1

  2. RDK

    RDK Guest

    Hi Folks.....Some additional information. As I said the webserver has been
    functional for many years without issues. We have two ISP (main and backup)
    and this server has NICs for both ISP external IP addresses. We have two
    routers, one for each ISP.

    For the VPN we chose the "Backup" ISP as the internet gateway and modified
    the router to pass the VPN port (1723, as I recall) and the IPSEC ports 500,
    50-51. The other router was not touched.

    Since I can no longer reach the webserver IIS via either NIC I have ruled
    out an error in our configuration of the "backup ISP" router.

    It is as though I have configured a "Firewall" on this Win2k server to block
    all traffic which is not from the internal networks.

    I'm stumped....RDK
     
    RDK, Feb 3, 2010
    #2

  3. RDK

    RDK Guest

    Hi Folks....More info. It would appear that the problem was initiated as I
    was working with the "Routing and Remote Access" early in the day but never
    finishing it by clicking "finish". By looking at the web logs we see that
    all external traffic quit about 11:20 and that is about the same time as I
    see this entry in the System Event Log:
    ================
    source is "Remote Access" and the event ID is 20192
    A certificate could not be found. Connections that use the L2TP protocol
    over IPSec require the installation of a machine certificate, also known as
    a computer certificate. No L2TP calls will be accepted.

    ================

    In addition, we have now determined that this server cannot reach the
    internet, i.e. www.google.com in IE times out. It does, however, see other
    webservers on our network through the same NICs.

    Again, it appears that we/I have somehow set up a firewall/filters which
    are preventing all "non-local" traffic from reaching this server.

    Any ideas and help would be much appreciated......RDK
     
    RDK, Feb 3, 2010
    #3
  4. RDK

    RDK Guest

    Falcon....Thanks for the response.

    Yesterday I removed the VPN server from the RRAS manager by "right click" /
    delete.

    I'm not sure what you mean by "re-run the CEICW", can you be more explicit?

    Right now I would just like to have it back the way it was yesterday AM. We
    are GHOSTing it right now so an IPCONFIG is not available.

    Thanks.....RDK
     
    RDK, Feb 3, 2010
    #4
  5. RDK

    RDK Guest

    Hi Falcon (and the rest of you Folks).....I think we are back!!! And I think
    the issue was RRAS installation of the VPN server. Yesterday when I was
    last in the RRAS Console I thought I had deleted the VPN server object (right
    click / delete) but apparently that does/did not remove the object. I just
    now returned there to see the object was still in the console so this time I
    right click / disable, got the warning message about having to totally
    reconfigure the VPN object if I did this and replied OK.

    Instantly web access returned to the server.

    I have rebooted and things seem ok.

    I will now Ghost the drive again and AGAIN try to install the VPN but will
    use Falcon's method as outlined below.

    Thanks for your help.......RDK
     
    RDK, Feb 3, 2010
    #5
  6. RDK

    RDK Guest

    Hi folks....Thanks again for your help. I'm back up and running with IIS
    but not with the VPN.

    I tried to follow Falcon's instructions below without success. I'm working
    on a Windows 2000 server which is part of an Active Directory domain. When
    I get the Network Connections Wizard going this is what happens:

    1. first screen labeled "Network Connection Type" offers 5 options, one of
    which is "accept Incoming Connections"

    2. when I select that option I'm greeted with a popup dialog which basically
    says that since this server is in a domain that I have to use the RRAS
    console to configure for this option

    Am I doing something wrong???

    Now that I have my webserver back and understand how I lost connectivity
    (and have a GHOST image of the system drive) I will try again to configure
    RRAS for a VPN. The first question I have is, is there a problem having an
    Internet IIS server and an RRAS VPN server on the same box?

    Thanks....RDK
     
    RDK, Feb 3, 2010
    #6
  7. I wouldn't suggest it. Besides security, the multihoming aspect of what RRAS
    does (more than one IP) *may* cause issues if you don't configure IIS
    specifically to use the NIC's IP, otherwise the other IPs will be accepted.

    Hopefully this server is not a DC. Multihoming a DC is worse.



    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Feb 4, 2010
    #7
  8. RDK

    RDK Guest

    Hi Ace.... I owe you a reply for your help with our Exchange problem, but
    later for that.

    OK, for my VPN project: I have a Windows 2000 server whose sole purpose in
    life up to now was as a "sandbox" webserver for some personal websites and
    test versions of production websites. It is NOW (note emphasis) multihomed
    (2) and a single gateway. The two NICs are: one (B 172.16.0.0) for an
    intranet network to our production servers for administration and
    maintenance and the other (A 192.168.29.0) for access to the Internet (with
    the gateway). The Internet IP address for B comes into a CISCO router for
    port filtering and forwarding to the 192.168.29.x address. IP&Host-Headers
    are used for the websites.

    The objective is to set up a VPN to the intranet network so we can work from
    offsite.

    I did this at home with my Windows 2000 server, but 1) it is not in a
    domain, 2) has only one NIC and 3) gets its traffic from the Internet via
    port forwarding from my SonicWall router. Right now it is working just fine
    for both Web and VPN access to that server and thus my home network.

    We would like to have something like this working here at work. However,
    every time I have tried, I'm forced to use the RRAS console and when I'm
    done the server ONLY sees intranet traffic and can only get to intranet
    resources. The Internet is "gone" and does not come back until I disable
    the RRAS VPN server.

    What am I doing wrong and what are my options?.....RDK
     
    RDK, Feb 5, 2010
    #8
  9. RDK

    Bill Grant Guest

    It sounds to me as if you used the wrong option in the setup wizard for
    RRAS.

    From memory (it's been a while) what seems like the obvious choice in
    Server 2000 configures the server for VPN _only_. That means it installs
    packet filters on the public interface to block all traffic except VPN
    related traffic.

    Don't use the option to configure a VPN server. Use the remote access
    server option and then select the VPN option (or something along those
    lines).
     
    Bill Grant, Feb 5, 2010
    #9
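
The VPN-only filtering described in post #9, as an added example that is not part of any post in this thread: a small model of "drop everything except these filters" on the public interface, showing why both inbound web traffic and the server's own browsing stop while intranet access keeps working. The filter list is an assumption (the usual PPTP/L2TP set: TCP 1723, GRE, UDP 500, UDP 1701), not a dump from RDK's server, and all names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

TCP, UDP, GRE = 6, 17, 47  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Filter:
    proto: int
    src_port: Optional[int] = None  # None means "any"
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.src_port in (None, p.src_port)
                and self.dst_port in (None, p.dst_port))

# ASSUMPTION: typical input filters for a VPN-only public interface.
VPN_ONLY_INPUT = [
    Filter(TCP, dst_port=1723),  # PPTP control channel
    Filter(TCP, src_port=1723),  # replies to PPTP calls the server places
    Filter(GRE),                 # PPTP tunnelled data
    Filter(UDP, dst_port=500),   # IKE for L2TP/IPSec
    Filter(UDP, dst_port=1701),  # L2TP
]
# None = no filters installed, so the interface accepts everything.
INTERFACES = {"public": VPN_ONLY_INPUT, "intranet": None}

def accepted(interface: str, p: Packet) -> bool:
    filters = INTERFACES[interface]
    return filters is None or any(f.matches(p) for f in filters)

# Constructed sample traffic arriving at the server (not captured data).
SAMPLES = {
    "outside client -> IIS": ("public", Packet(TCP, 51000, 80)),
    "reply to server's own web request": ("public", Packet(TCP, 80, 1049)),
    "PPTP control": ("public", Packet(TCP, 51001, 1723)),
    "PPTP data (GRE)": ("public", Packet(GRE)),
    "IKE": ("public", Packet(UDP, 500, 500)),
    "intranet client -> IIS": ("intranet", Packet(TCP, 51002, 80)),
}

def report() -> dict:
    return {name: accepted(iface, p) for name, (iface, p) in SAMPLES.items()}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{'ACCEPT' if ok else 'DROP  '}  {name}")
```

The dropped "reply" case is the one that matches the symptom in post #3: the server's outbound request leaves, but the answer coming back on the filtered interface matches no VPN filter.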

  10. I agree. I think it's somewhere in the options, possibly getting the two
    interfaces reversed? I've seen that before. Otherwise your memory
    recollection is about as good as mine without seeing it in front of me.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 5, 2010
    #10
  11. Oh, and no problems for helping with that. I actually don't remember where
    that thread was! :)

    Ace
     
    Ace Fekay [MVP-DS, MCT], Feb 5, 2010
    #11
  12. RDK

    j_cocker

    I agree with Ace Fekay above - sounds familiar
     
    j_cocker, Mar 22, 2015
    #12