Certain applications do not work through VPN

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

We have just implemented a new RRAS server that allows our remote users to
dial into a modem pool or just vpn into our network if they already have a
internet connection. The server is a Windows 2003 running RRAS. This server
sits in our DMZ and has only one interface. The firewall handles the request
to this server. The problem that I am having is that once a user vpn's into
our network there is a particular application that does not work. If they
dial-up into our network then the application works. I thought that by
default all packets are allowed and nothing is filtered on the rras server.
Does anyone know what may be causing this? Any help is greatly appreciated.

Thanks
 
ky said:
Hi,

We have just implemented a new RRAS server that allows our remote users to
dial into a modem pool or just vpn into our network if they already have a
internet connection. The server is a Windows 2003 running RRAS. This server
sits in our DMZ and has only one interface. The firewall handles the request
to this server. The problem that I am having is that once a user vpn's into
our network there is a particular application that does not work. If they
dial-up into our network then the application works. I thought that by
default all packets are allowed and nothing is filtered on the rras server.
Does anyone know what may be causing this? Any help is greatly
Click to expand...
appreciated.

It's two vague, "does not work".

One guess would be the routing but you
seem to imply that everything else works
(which itself is unspecific.)
 
hi herb,

sorry about being so vague. let me start over. our rras server sits in our
dmz which is on a 192.168.6.x network and our trusted network sits on
192.168.5.x network. when a user vpns into our office the rras server is
configured with a relay agent on our trusted network that assigns addresses
with a scope of 192.168.6.x to these vpn users. once connected the remote
user can access resources on our trusted network via files shares, remote
desktop and can even browse to the internet with no problem. there is a
particular application (ovision) that accesses two unix servers on the
trusted network that will not work - meaning it can not communicate for some
reason. the weird thing is i can ping those two unix servers from the client
machine with an ip address in the dmz with no problem. another thing is this
rras server also handles a modem bank that users dial into. once the user
dials into this server they are also assigned an ip address of 192.168.6.x
which is in the dmz. the funny thing is these dial up users can use this
application fine without and problems. i hope this is enough info to start
with. thanks in advance.
 
ky said:
hi herb,

sorry about being so vague. let me start over. our rras server sits in our
dmz which is on a 192.168.6.x network and our trusted network sits on
192.168.5.x network. when a user vpns into our office the rras server is
configured with a relay agent on our trusted network that assigns addresses
with a scope of 192.168.6.x to these vpn users. once connected the remote
user can access resources on our trusted network via files shares, remote
desktop and can even browse to the internet with no problem.
Click to expand...

So routing works correctly (assuming the following
are on one of the same networks -- so that the
routing to the working services proves it works
for them.)
there is a
particular application (ovision) that accesses two unix servers on the
trusted network that will not work - meaning it can not communicate for some
reason. the weird thing is i can ping those two unix servers from the client
machine with an ip address in the dmz with no problem.
Click to expand...

How about name? If IP works (ping) and name
does not, then you have a name resolution problem.

(If so) Are the UNIX servers registered in your
internal DNS?

Are the VPN machines receiving the INTERNAL
DNS server for their DNS? (They should.)

Are other apps working due to NetBIOS (e.g., WINS
servers)?
another thing is this
rras server also handles a modem bank that users dial into. once the user
dials into this server they are also assigned an ip address of 192.168.6.x
which is in the dmz. the funny thing is these dial up users can use this
application fine without and problems. i hope this is enough info to start
with. thanks in advance.
Click to expand...

One must strongly suspect name resolution
based on your report. (Check clients with
"ipconfig /all" while connected -- both those
that work against those that don't and pay
particular attention to the DNS settings.)

If different, you likely have it set differently
on the two interfaces -- modem bank vs. VPN.

If this isn't it, look for differences in filters on
the interfaces (unlikely since you don't mention
them, but possible.)
 
Herb,

I actually cant get the application to work now either way. whether I dial
in or vpn in. i can ping the two unix servers by name and by ip address. both
unix servers have static entries in our wins servers as well. (let note that
we are on an nt 4 domain.) when vpn users authenticate and are assigned an ip
address on the 192.168.6.x address they also get the dns and wins servers on
the 192.168.5.x network which is our trusted network. as i stated earlier i
can use all other applications such as remote desktop, mount file shares and
even use sql enterprise manager. the only application that does not work is
ovision which contacts those two unix servers that are on the 192.168.5.x
network.

we have a windows 2000 ras server here that we are replacing with this new
windows 2003 server. now if you vpn into this ras server everything works
like a charm. i have compared the ipconfig /all settings from both
connections and everything is the same. i can post those if necessary.
 
ky said:
Herb,

I actually cant get the application to work now either way. whether I dial
in or vpn in. i can ping the two unix servers by name and by ip address. both
unix servers have static entries in our wins servers as well. (let note that
we are on an nt 4 domain.)
Click to expand...

Ok, then we can't rule out a routing problem
this way, but you did say that Ping works so
that would eliminate routing.

Can you get the App to work at all? How
about locally? How about on another local
(non dial/non-VPN) subnet?

Maybe it has quite working everywhere?
when vpn users authenticate and are assigned an ip
address on the 192.168.6.x address they also get the dns and wins servers on
the 192.168.5.x network which is our trusted network. as i stated earlier i
can use all other applications such as remote desktop, mount file shares and
even use sql enterprise manager.
Click to expand...

Is the affective app using DNS or WINS/NetBIOS
name resolution?

If it is using one or the other, try proving that that
name resolution works.

Ping the DNS name for DNS, try "net view \\Servername"*
for NetBIOS and maybe follow with "nbtstat -r" to prove
you actually resolved a NetBIOS name.

Go against the UNIX box even though you know
that it will likely fail the actual FILE access -- we
want to prove the name resolve whichever way
the app does it.
the only application that does not work is
ovision which contacts those two unix servers that are on the 192.168.5.x
network.
Click to expand...

Divide and conquer.

Find what works and play that against what
doesn't until you prove what is not working.

Most such problems are easy to fix once you
find them.
we have a windows 2000 ras server here that we are replacing with this new
windows 2003 server. now if you vpn into this ras server everything works
like a charm. i have compared the ipconfig /all settings from both
connections and everything is the same. i can post those if necessary.
Click to expand...

I can look but first we need to know WHAT to
look for.
 
okay i have compared all the settings on each connection and everything is
identical. on the client machine i have static entries in the host file that
point to the ip address of the two unix servers. so it resolves based on the
host file. i have tried it with just using wins but the ovision application
never connects for some odd reason. this is possibly because of the node type
which resolves netbios names in a different order. when i do a ping to the
unix server and then do a nbtstat -r i get resolved by name server and
regiested by name server. but when i do a net view \\unix server i a network
path not found.

i have tested it locally and the application is able to connect to the
servers and funciton. i am able to us the applicatin when connected through
vpn to the windows 2000 ras server but i am uanble to use the application
while connected via vpn through the windows 2003 ras server. the only
different i can tell is that the one ras server is a windows 2003 ras server
and the other one is a windows 2000 ras server. at this point i am kind of at
a lost.
 
Back
Top