RRAS (for VPN) and IIS on the same server?

Guest

I have installed RRAS on a W2K3 Server with the default configuration for VPN
client connections on PPTP with the default filters on the
VPN-Network-interface. I have IIS running on the same server, which has to be
accessed from the Intranet-Network interface, both from the intranet and from
the internet through the standard gateway used on all the intranet. The reason for
this unusual config is that I need two DSL connections, one for all common
internet communication, and a dedicated one for the Application provided to
the VPN clients to be able to guarantee no bandwidth limitations.
Now the server has erratic behavior, and often either RAS does not reply
to the incoming VPN-connections, or IIS does not reply to the HTTP requests
on the intranet-Network-interface that originate on the Internet and arrive
at the server by NAT.
I think it may be a routing problem. I have two 0.0.0.0 routes, one through
the external VPN-adapter, one through the internal LAN-adapter.
Question: Is it possible to have RRAS (for VPN) and IIS on the same server?
If yes, how should it be configured to provide a reliable service?
Thanks to anyone that could help me find the solution.
 
1. Yes, you should be able to have both VPN and IIS on the same server.

2. Do you have two NICs?

3. It could be a routing issue or VPN blocking the traffic. Posting the results of ipconfig /all and the routing table here may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Thank you Robert.
2. Yes I do. 'Local Area Connection 2' is connected to the DSL modem that
receives the VPN. 'Local Area Connection' is connected to the LAN. All IP
traffic except VPN should come from and go to the gateway on the LAN.

1. Now what works: 1. Clients connect to RAS by VPN over 'Local Area
Connection 2' NIC. 2. Intranet clients can connect to IIS.
What does not work: an external client cannot connect to IIS (He connects to
the firewall (internal IP 10.0.1.63) of the LAN, which sends the packet to
the 'Local Area Connection'-NIC by NAT (SUA only)). Is it a routing problem
that causes the server to answer on 'Local Area Connection 2'?
What works half way: The server machine can connect to the internet. But it
does it over the VPN-NIC instead of over the LAN-NIC.

I tried with a metric 2 for the VPN-NIC. This caused VPN-clients to be
unable to connect, but allowed Clients to connect to IIS.

Is it possible, that if the server receives an IP packet on the LAN-NIC,
that it sends the reply IP packet on the VPN-NIC and vice versa?

3. Below is the ipconfig and route print listing. Now the metric is all 1. I
have the default packet filters on 'Local Area Connection 2' in RRAS, and I
have manually added one filter that allows the server to connect to the internet.
Unfortunately I did not find a way to paste it here, but I don't think the
problem lies there.
C:\Documents and Settings\administrateur>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : dmz1
Primary Dns Suffix . . . . . . . : local.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : local.com

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.2.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : local.com
Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection
Physical Address. . . . . . . . . : 00-02-A5-01-8D-A0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.1.96
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.0.1.63
DHCP Server . . . . . . . . . . . : 10.0.1.1
DNS Servers . . . . . . . . . . . : 10.0.1.1
212.74.161.1
212.74.152.1
Primary WINS Server . . . . . . . : 10.0.1.1
Lease Obtained. . . . . . . . . . : vendredi, 23. décembre 2005 09:32:43
Lease Expires . . . . . . . . . . : samedi, 24. décembre 2005 09:32:43

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
Physical Address. . . . . . . . . : 00-50-DA-72-8B-E2
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 10.0.1.1
212.74.161.1
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\Documents and Settings\administrateur>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 02 a5 01 8d a0 ...... Intel(R) PRO/100 VM Network Connection
0x10004 ...00 50 da 72 8b e2 ...... 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.1.63 10.0.1.96 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 1
10.0.0.0 255.0.0.0 10.0.1.96 10.0.1.96 1
10.0.1.96 255.255.255.255 127.0.0.1 127.0.0.1 1
10.0.2.1 255.255.255.255 127.0.0.1 127.0.0.1 50
10.0.2.2 255.255.255.255 10.0.2.1 10.0.2.1 1
10.0.2.3 255.255.255.255 10.0.2.1 10.0.2.1 1
10.0.2.4 255.255.255.255 10.0.2.1 10.0.2.1 1
10.0.2.6 255.255.255.255 10.0.2.1 10.0.2.1 1
10.0.2.8 255.255.255.255 10.0.2.1 10.0.2.1 1
10.0.2.9 255.255.255.255 10.0.2.1 10.0.2.1 1
10.0.2.10 255.255.255.255 10.0.2.1 10.0.2.1 1
10.255.255.255 255.255.255.255 10.0.1.96 10.0.1.96 1
62.202.17.109 255.255.255.255 192.168.0.1 192.168.0.2 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.2 192.168.0.2 1
192.168.0.2 255.255.255.255 127.0.0.1 127.0.0.1 1
192.168.0.255 255.255.255.255 192.168.0.2 192.168.0.2 1
212.74.161.179 255.255.255.255 192.168.0.1 192.168.0.2 1
217.20.192.182 255.255.255.255 192.168.0.1 192.168.0.2 1
224.0.0.0 240.0.0.0 10.0.1.96 10.0.1.96 1
224.0.0.0 240.0.0.0 192.168.0.2 192.168.0.2 1
255.255.255.255 255.255.255.255 10.0.1.96 10.0.1.96 1
255.255.255.255 255.255.255.255 192.168.0.2 192.168.0.2 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
 
That is your problem. You should not add two default gateways on a multihomed server.

0.0.0.0 0.0.0.0 10.0.1.63 10.0.1.96 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 1

This link may help
Routing
Don't add default gateway across disjoint networks Is it possible both sites of
the VPN using the same IP range Metric is the same for both the remote ....
www.chicagotech.net/routing.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
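
To check a posted `route print` for the condition this answer points at, the following Python sketch (an added example, not part of the original thread) parses Active Routes rows and returns, for a destination, every route that ties on longest prefix and lowest metric. The rows are a subset copied from the table posted above; 198.51.100.7 and 10.0.1.50 are constructed stand-ins for an external web client and an intranet client.

```python
import ipaddress

# Subset of the "Active Routes" rows from the route print posted in the thread.
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.1.63 10.0.1.96 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 1
10.0.0.0 255.0.0.0 10.0.1.96 10.0.1.96 1
10.0.2.2 255.255.255.255 10.0.2.1 10.0.2.1 1
62.202.17.109 255.255.255.255 192.168.0.1 192.168.0.2 1
192.168.0.0 255.255.255.0 192.168.0.2 192.168.0.2 1
"""

def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows; skip headers and noise."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            ipaddress.ip_address(parts[2])
            ipaddress.ip_address(parts[3])
        except ValueError:
            continue
        routes.append({"net": net, "gateway": parts[2],
                       "iface": parts[3], "metric": int(parts[4])})
    return routes

def egress_candidates(routes, dest):
    """Longest-prefix match, then lowest metric; return every route that ties."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    lowest = min(r["metric"] for r in matches)
    return [r for r in matches if r["metric"] == lowest]

def ambiguous_defaults(routes):
    """Return the tied default routes when more than one 0.0.0.0/0 route wins."""
    tied = egress_candidates([r for r in routes if r["net"].prefixlen == 0], "0.0.0.0")
    return tied if len(tied) > 1 else []

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dest in ("198.51.100.7", "10.0.1.50", "62.202.17.109"):
        hops = [(r["gateway"], r["iface"]) for r in egress_candidates(table, dest)]
        print(dest, "->", hops)
    print("tied default routes:", len(ambiguous_defaults(table)))
```

With the posted table, a reply to an external address has two equally good exits (10.0.1.63 and 192.168.0.1), while intranet addresses and the existing host routes resolve to a single interface.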