VPN connects but cannot browse network

  • Thread starter Thread starter Little Elvis
  • Start date Start date
L

Little Elvis

I have setup a Server 2008 with RRAS and the Routing services. This machine
has only a single NIC and is behind a NAT router and firewall. I have
forwarded port 1723 and GRE to the IP of the server.

My clients can sucessfully connect but they cannot access my network. I want
them to use the Sharepoint services which is on the same machine as the VPN
server.

I have my own DHCP and DNS cache located on another machine. I have setup
VPN to assign remote IP addresses from the DHCP. This does happen properly.
But users cannot browse my network nor access any of the webservers. The
network access just times out in IE according to my users.

What have I missed? NPS seems properly setup...connections are allowed. No
IP restrictions at all. Enable Router Manager is ticked on the Interface.
I've looked around everywhere I can for a couple of days now and can't see
what I've done wrong.

Wondering if I should use static routes instead. and create a separate pool
of IP address in another subnet? I'm not a networking expert either...this is
challenge for me.

VP server is:
IP 192.168.1.231
gateway 192.168.1.254 (router)
mask 255.255.0.0

I was thinking the pool will be 192.168.2.x
and setup static route as:
192.168.1.0 255.255.255.0 gateway 192.168.1.231

I'm not a networking expert and my user's don't know a thing about
computers...so I'm not getting much help either.

Any ideas what I've done wrong?

Sal.
 
There is no Static Routes. The user is already *in* the subnet they are
using,..there is no where to route to.

"Browsing" requires functional Name Resolution. VPN provides a
connection,..that's it,..just a connection,...nothing else. Your Name
Resolution has to be done by allowing your clients to get the proper DNS and
WINS specs via the DHCP. This usually reqires the DHCP Relay Agent to be
added within RRAS when RRAS is being used as your VPN "engine".

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
 
The DNS and WINS are set properly I can see that when I test it from another
machine. I'm missing some routing somewhere. Probably just a tick box.

I'm being polite about your response...
 
Little Elvis said:
The DNS and WINS are set properly I can see that when I test it from
another
machine. I'm missing some routing somewhere. Probably just a tick box.
Click to expand...

No. There is no "routing" here to deal with

If your DNS and WINS are correct you should be able to ping the names (both
the netbios name and the FQDN) and it should return the correct LAN IP#
(even if the ping itself fails).
I'm being polite about your response...
Click to expand...

I have no idea why you mentioned that.
I always try to go directly to the real problem,...which may not have
anything to do with the actual question asked because sometimes (a lot of
the time, actually) people are asking for the wrong thing.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.[/QUOTE]
 
WINS and DNS working correctly when I connect from withing the intranet to
the VPN server. But I admit this is not a perfect test. I have no means to
connect from home...I live in a area where there is no broadband.

My user cannot open Sharepoint from IE eventhough the Sharepoint server is
on the same machine as VPN. I have ticked
"IPv4 Router" and LAN and demand-dail routing and IPv4 Remote access Server

I have ticked
"enable router manager" on both my NIC and "Internal" connections. DHCP
relay agent is enabled on "internal" and I can see that it works.

In NPS I have enabled "connection to MS Routing...." and turned on "Grant
Access". I have also created my own rule with full access for those specific
users.

My NAT router is forwarding properly and GRE set....

Not to repeat myself...but have I missed something there?
What debugging facilities do I have to trace this?

Any other suggestions? where I could look.
 
Little Elvis said:
WINS and DNS working correctly when I connect from withing the intranet to
the VPN server. But I admit this is not a perfect test. I have no means to
connect from home...I live in a area where there is no broadband.
Click to expand...

The user user will have to test that with Ping and tell you what it does.
You cannot accuartely test that from inside the LAN (as you said).


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Well the user seems to have access...he gets the Sharepoint login box...but
then Sharepoint doesn't come up..so wonder if this is a Sharepoint issue??

Not sure what happened to get the vpn working.

Sal
 
Little Elvis said:
Well the user seems to have access...he gets the Sharepoint login
box...but
then Sharepoint doesn't come up..so wonder if this is a Sharepoint issue??
Click to expand...

Sharepoint does have issues when trying to make it available to the Public
side. I believe it often stems from Link Translation issues where the Links
within the pages are not valid when viewed from the Public side.

Go to www.isaserver.org and do some searches for Publisihing Sharepoint with
ISA. You can also do the search from Google's Advanced search by limiting
the search Domain to isaserver.org. I don't not have any personal
experience with Sharpoint at all whatsoever,...I have never even been able
to get it installed successfully in a Lab,..let alone publishing it with
ISA.
Not sure what happened to get the vpn working.
Click to expand...

It was probably always working,..but the user may have mislead you with an
exagerated description of the problem,...it happens to me all the time.
When a user calls me, regardless of what they say,...it "really"
means,.."Phil, just hangup the phone and walk over there and look at the
problem for yourself."

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Technet Library
ISA2004
http://technet.microsoft.com/en-us/library/cc302436(TechNet.10).aspx
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
 
Sorry, I guess you aren't using ISA. I spend a lot of time in the ISA
groups and tend to forget that I am not in them,..when I am not in them.
But the general idea can still be true no matter what you are using.

But if the user gets the Login box then he at least *got there*. So I think
you have a Sharepoint problem from that point.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Thanks, yes this client is very techophobe...even though he is a software
designer!

Anyway. I started off with RRAS behind a NAT firewall..and now I've just
gone to RAS (incoming connection) and see how that goes.

When I send him the script to run (ipconfig /all, route print, tracert, ping
etc..) He never does it. Its almost impossible to debug serverside.

Unfortunately I can't walk over...he's in Canada and I'm in the UK. Remote
Assistance maybe?

Sal.
 
Create a logmein account (www.logmein.com).
Use the "free" version.
He will have to go to the Logmein.com with the credentials of the account
you create and have him install the "logmein free" to his machine.

Then you can go to www.logmein.com with those credentials an remote into his
machine.

If he doesn't want to do that with his workstation then he needs to find
some piece of junk machine on their LAN and do it with it. The point is
that you need a machine sitting on his LAN that you can remote into and test
from.

Keep in mind that sometimes when the VPN goes "up" or goes "down" it can cut
the logmein session, but when you reconnect it would be right where you left
off.
However if the test machine cannot get to the internet when the VPN is up
then you won't be able to remote back into it again.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
 
Back
Top