vpn access

Discussion in 'Server Networking' started by Param R., Nov 4, 2004.

  1. Param R.

    Param R. Guest

    Hi all, we are planning on setting up 4 2003 servers at a Data Center. The
    data center will be providing the hardware firewall. One of these 4 servers
    will be a Domain Controller running 2003 Standard. Do I have the ability to
set up some sort of VPN server built into Windows? Reason I am asking is the
    Data Center is charging serious $$ to set up VPN access. I would rather, if
    possible, set it up ourselves if it isn't too much of an administrative
    hassle. We will only have about 5 users using VPN to access this remote
    network. If it is possible, what services do I need to install and configure
    on the Domain Controller? Also, what ports do they need to open up on the
    firewall?

    Any help here is much appreciated.

    thanks,
    Param
     
    Param R., Nov 4, 2004
    #1

  2. it is not recommended to install VPN on DC. I would setup a hardware VPN
    instead.

    --
    For more and other information, go to http://www.ChicagoTech.net

    Don't send e-mail or reply to me except you need consulting services.
    Posting on MS newsgroup will benefit all readers and you may get more help.

    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
    http://www.ChicagoTech.net
    Networking Solutions, http://www.chicagotech.net/networksolutions.htm
    VPN Solutions, http://www.chicagotech.net/vpnsolutions.htm
    VPN Process and Error Analysis, http://www.chicagotech.net/VPN process.htm
    VPN Troubleshooting, http://www.chicagotech.net/vpn.htm
    This posting is provided "AS IS" with no warranties.
     
    Robert L [MS-MVP], Nov 4, 2004
    #2

  3. Param R.

    Param R. Guest

Why is it not recommended? To my knowledge SBS does exactly that. We are not
    talking about a lot of users here. Just 5 to start off with. I am just
    trying to cost-justify the ISP charging me $500/month for 5 user VPNs. That
    is ridiculous.

    thanks!
     
    Param R., Nov 4, 2004
    #3
  4. The following quotation from http://www.ChicagoTech.net may help. If you
    want to, you can install VPN on the DC, but you may experience some
    connection issues and you may need to spend more time on troubleshooting.

    Connection issues on DC, ISA, DNS and WINS server as VPN server

Symptom: You have a Windows 2000/2003 server configured as a VPN server
    that is also running DNS or WINS, and you may experience some connection
    issues:
    1) the internal computers can't ping the server by name;
    2) if the server is a DC and Master Browser, you may have a computer
       browsing issue;
    3) you may receive Event ID 4319 - A duplicate name has been detected on
       the TCP network;
    4) you may receive error messages like "No Logon Servers Available to
       Service your Logon Request" when you try to open file shares or map
       network drives to the Routing and Remote Access server;
    5) if the server is also a DC, you may not be able to log on to the
       domain;
    6) if the server is also running ISA, you cannot browse the Web from
       client computers on the local network, regardless of whether the
       computers are configured to use Web Proxy or the Microsoft Firewall
       Client. For example, "The page cannot be displayed" may appear in the
       Web browser with a "cannot find server or DNS" error message.

Cause: When a VPN client connects to the VPN server, the server creates a
    PPP adapter to communicate with the remote computer. The server may then
    register the IP address of this PPP adapter in the DNS or the WINS database.
    When the internal computers try to connect to the IP address of the PPP
    adapter, they cannot reach it, and the connections fail.

     
    Robert L [MS-MVP], Nov 4, 2004
    #4
  5. Param R.

    Param R. Guest

    Does MS have a KB Article for these issues with a workaround?

    TIA!
     
    Param R., Nov 4, 2004
    #5
  6. Doug Sherman [MVP], Nov 4, 2004
    #6
  7. Guest

    Guest Guest

wah wah wah.....
    Now how about reality? I have RRAS set up to allow incoming PPTP VPN
    connections on many DCs and it works flawlessly. Yes, you'll get the
    occasional warning or browser error in the logs but it does not hurt
    functionality in any way.
    Set up RRAS (it's built in). Your firewall will have to allow port 1723 for
    PPTP VPN traffic, and the GRE protocol. GRE usually only needs port 47 but
    different products will use different terminology. For instance, on a Linksys
    router the term "allow PPTP passthrough" automatically allows GRE.
    Hope this helps
     
    Guest, Nov 4, 2004
    #7
  8. Param R.

    Param R. Guest

    Both these relate to Windows 2000. Do the same apply to Windows Server 2003
    Standard as well?

    thanks!
     
    Param R., Nov 4, 2004
    #8
  9. Doug Sherman [MVP], Nov 4, 2004
    #9
  10. Bill Grant

    Bill Grant Guest

    GRE (Generic Routing Encapsulation) is not a port. It is a protocol, just
    like TCP. (In fact it is IP protocol 47). You do not forward it. You allow
    or block it, just as you do for other protocols.

    The reason you must allow GRE in both directions is that the encrypted
    data travels as the payload of an IP packet with a GRE header. If you block
    GRE, no VPN data is transmitted and the connection fails.
     
    Bill Grant, Nov 4, 2004
    #10
  11. Bill Grant

    Bill Grant Guest

    To return to the original problem. Any Windows 2000/2003 server can be
    configured to act as a VPN server. If you have a choice, do not use a DC
    because multihoming a DC can cause odd problems. And a remote access server
    becomes multihomed as soon as a client connects to it.

    These problems can be sorted out, and you can certainly use a DC as a
remote access server. To configure 2003 server for remote access, see KB
    323381.

    Firewall settings depend on the type of access. For PPTP, you need to
    forward tcp port 1723 from the firewall to the server to extend the VPN
    connection to the server. You also need to allow GRE in both directions (as
    discussed above). Firewall requirements are different for L2TP if you want
    to go that way. Note that L2TP requires certificates and IPSec.
     
    Bill Grant, Nov 6, 2004
    #11
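The firewall requirements spelled out in posts #7, #10 and #11 (forward TCP 1723 to the RRAS server, and allow GRE, which is IP protocol 47 rather than a port, in both directions) can be checked with a toy classifier. The following is an added example, not code from the thread or from Microsoft: it builds constructed IPv4 packets for the PPTP control connection and for the GRE-carried PPP data, then runs them through two allow lists, one that mistakenly treats 47 as a port number and one that permits the GRE protocol itself. The public address of the VPN server and the client address are assumptions.

```python
"""
Added example, not code from the thread: a toy packet classifier that
models the firewall in front of a Windows RRAS PPTP server. PPTP is two
flows: a TCP control connection to port 1723, and the tunnelled PPP data
carried in GRE, which is IP protocol 47. GRE has no port numbers, so a
rule written as "TCP/UDP port 47" never matches it; the protocol itself
must be allowed in both directions. Addresses are assumptions.
"""
import socket
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47            # an IP protocol number, not a port
PPTP_CONTROL_PORT = 1723

VPN_SERVER = "203.0.113.10"   # assumed: public address forwarded to the RRAS box
VPN_CLIENT = "198.51.100.7"   # assumed: remote VPN client


def build_ipv4(src, dst, proto, payload):
    """Raw IPv4 header without options (checksum left at 0) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp_syn(sport, dport):
    """Minimal TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_gre_ppp(call_id, ppp_payload=b"\x00" * 16):
    """Enhanced GRE header as PPTP uses it (RFC 2637): K bit set, version 1,
    protocol type 0x880B (PPP), payload length, call ID, then the PPP frame."""
    flags_and_version = 0x2001
    return struct.pack("!HHHH", flags_and_version, 0x880B,
                       len(ppp_payload), call_id) + ppp_payload


def parse_ipv4(packet):
    """Return (src, dst, proto, sport, dport); ports are None unless TCP/UDP."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto = fields[6]
    sport = dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):        # only these carry port numbers
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9]), proto, sport, dport


def permitted(packet, rules):
    """First-match allow list; anything unmatched is dropped (default deny)."""
    src, dst, proto, sport, dport = parse_ipv4(packet)
    observed = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    for rule in rules:
        if all(observed[key] == value for key, value in rule.items()):
            return True
    return False


# Policy that treats GRE as if it were a port: the control channel works,
# but no tunnel data ever passes, so the client "connects" and then hangs.
PORT_47_POLICY = [
    {"proto": IPPROTO_TCP, "dst": VPN_SERVER, "dport": PPTP_CONTROL_PORT},
    {"proto": IPPROTO_TCP, "dst": VPN_SERVER, "dport": 47},
    {"proto": IPPROTO_UDP, "dst": VPN_SERVER, "dport": 47},
]

# Policy from the thread: forward TCP 1723 to the server and allow GRE
# (protocol 47) in both directions. Replies on the TCP control connection
# are assumed to be matched by the firewall's state table.
PPTP_POLICY = [
    {"proto": IPPROTO_TCP, "dst": VPN_SERVER, "dport": PPTP_CONTROL_PORT},
    {"proto": IPPROTO_GRE, "dst": VPN_SERVER},
    {"proto": IPPROTO_GRE, "src": VPN_SERVER},
]


def check_policy(rules):
    """Replay the three packet kinds a PPTP session needs and report which pass."""
    control = build_ipv4(VPN_CLIENT, VPN_SERVER, IPPROTO_TCP,
                         build_tcp_syn(49152, PPTP_CONTROL_PORT))
    gre_in = build_ipv4(VPN_CLIENT, VPN_SERVER, IPPROTO_GRE, build_gre_ppp(1))
    gre_out = build_ipv4(VPN_SERVER, VPN_CLIENT, IPPROTO_GRE, build_gre_ppp(1))
    return {
        "control_in": permitted(control, rules),
        "gre_in": permitted(gre_in, rules),
        "gre_out": permitted(gre_out, rules),
    }


if __name__ == "__main__":
    for name, policy in (("port-47 policy", PORT_47_POLICY), ("PPTP policy", PPTP_POLICY)):
        print(name, check_policy(policy))
```

With the port-47 policy only the control connection gets through; the GRE packets in both directions are dropped, which is exactly the "connects, authenticates, then passes no traffic" symptom of a PPTP tunnel behind a firewall that forwards 1723 but does not pass protocol 47. A real firewall also has to keep state for the TCP control session, which this toy deliberately ignores.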
  12. spepi

    spepi Guest

I have 2 - 2003 Servers for my VPN clients. I do get the Event ID 4319 all
    the time. Is it really worth going into the registry and making changes there
    when the VPN is working?
     
    spepi, Mar 10, 2005
    #12
  13. Bill Grant

    Bill Grant Guest

    That's up to you. If it isn't causing any other problems and you can live
    with it, I guess it isn't worth the effort.

    On the other hand, if you make the registry change and clean up WINS, it
    should be gone forever.

    The registry change and WINS cleanup advice is in KB 292822 item 1 f-h
    and item 2.

    What IP range are you using for the remote clients? This problem should
    only show up if you are using "on subnet" addresses (ie in the same IP
    subnet as the server's LAN NIC). The most recent advice is to not disable
    Netbios over TCP/IP on the "virtual" interface, but to put the remotes in
their own subnet. (KB 830063.) Of course you have to enable IP routing on
    the RRAS server and check that routing works to the remotes through the RRAS
    server (if the RRAS server is not the default router for the LAN).
     
    Bill Grant, Mar 11, 2005
    #13
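The addressing advice in the post above (keep the remote clients out of the LAN subnet, enable IP routing on the RRAS server, and make sure the LAN can route back to the client pool) is easy to get wrong on paper. The following is an added example, not code from the thread or from Microsoft: a planning check that classifies a candidate static address pool as "on subnet" or not, rejects pools that overlap the RRAS server's own LAN address or straddle the LAN boundary, and reports the static route the LAN's default router needs when that router is not the RRAS box. All subnets and addresses are assumptions.

```python
"""
Added example, not code from the thread: a planning check for the RRAS
client address pool. The thread's advice is to give remote clients their
own subnet rather than "on subnet" addresses from the LAN, then to enable
IP routing on the RRAS server and make sure the LAN's default router knows
the way back to that pool. All addresses are assumptions.
"""
import ipaddress


def plan_client_pool(lan, pool, rras_lan_ip, lan_default_router):
    """Classify a static address pool and list what else must be configured.

    Returns a dict with:
      on_subnet        - True if the pool is carved out of the LAN subnet
      needs_ip_routing - True when RRAS must route between the pool and the LAN
      static_route     - (destination, next hop) the LAN default router needs,
                         or None when no extra route is required
    Raises ValueError for pools that can only cause trouble.
    """
    lan = ipaddress.ip_network(lan)
    pool = ipaddress.ip_network(pool)
    rras_lan_ip = ipaddress.ip_address(rras_lan_ip)
    lan_default_router = ipaddress.ip_address(lan_default_router)

    if rras_lan_ip in pool:
        raise ValueError("pool contains the RRAS server's own LAN address")
    if pool.overlaps(lan) and not pool.subnet_of(lan):
        raise ValueError("pool straddles the LAN boundary; pick a pool inside or outside it")

    if pool.subnet_of(lan):
        # "On subnet" pool: LAN hosts reach the remote clients because the RRAS
        # server answers ARP for them, so no routing is needed. This is the
        # layout in which the duplicate-name (4319) noise described in the
        # thread shows up.
        return {"on_subnet": True, "needs_ip_routing": False, "static_route": None}

    # Off-subnet pool: RRAS must forward between the pool and the LAN, and,
    # unless RRAS is itself the LAN's default router, that router needs a
    # route to the pool with the RRAS server's LAN address as next hop.
    rras_is_default_router = rras_lan_ip == lan_default_router
    return {
        "on_subnet": False,
        "needs_ip_routing": True,
        "static_route": None if rras_is_default_router else (str(pool), str(rras_lan_ip)),
    }


if __name__ == "__main__":
    # Constructed sample layout: LAN 192.168.1.0/24, RRAS LAN NIC .5, default gateway .1
    for candidate in ("192.168.1.200/29", "192.168.200.0/24"):
        print(candidate, plan_client_pool("192.168.1.0/24", candidate,
                                          "192.168.1.5", "192.168.1.1"))
```

For the off-subnet case the returned `static_route` is what has to be added on the LAN's default router (or on each LAN host, if the router cannot be changed); without it, LAN hosts send replies for the remote clients to the default gateway, which has no idea where 192.168.200.0/24 lives, and the tunnel looks one-directional.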
  14. spepi

    spepi Guest

I wasn't here in the original setup. I will have to look at the IP range. We
    do not have WINS at all, as far as I know. I'm new to the company and I am
    going through things little by little.

    thanks
     
    spepi, Mar 11, 2005
    #14
