HOW TO: Turn On and Configure Inbound VPN Access in Small Business Server 2000

Summary

This step-by-step article describes how to correctly configure Routing and Remote Access on Small Business Server (SBS) 2000 to accept incoming VPN connections from remote workstations.

This article is specific to an installation of SBS 2000 that has two network adapters. This article does not describe how to configure custom Remote Access Policies or logon scripts.

Before you proceed, you must complete the following tasks:

  • Complete the steps that are outlined in the following Microsoft Knowledge Base article:

    306802 How to configure Small Business Server for full time Internet access with two network adapters

    Specifically in this article, make sure that the SBS 2000 Internet Connection Wizard has been completed and both of the Enable ISA Server packet filtering and Virtual Private Networking (PPTP client access) settings are turned on. You can check these settings by checking the ISA Server packet filters for the appropriate filters. Look for the packet filters that are created by the Internet Connection Wizard for VPN support. To do so:
    1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
    2. Expand the Servers and Arrays branch, click server name, click Access Policy, and then click IP Packet Filters.
    3. On the right pane, look for "BackOffice PptpCallPredefinedType" and "BackOffice PptpReceivePredefinedType".
    4. If these are not present (or are turned off), run the Internet Connection Wizard again, and then click Do Not Change for Configure Hardware, click Do Not Change for Exchange Server, POP3 and "Enable ISA Server packet filtering", and then click to select the Virtual Private Networking (PPTP client access) check box.
  • Make sure that the network binding order in the advanced settings for Network and Dial-up connections on the SBS 2000 computer is correct. Note that the internal network is frequently first in the list, the external network adapter is listed second, and Remote Access Connections is last.
  • Make sure that DNS is configured correctly. This means that the internal and external network adapter's DNS settings are pointing to the internal IP address of the SBS 2000 computer and the ISP's DNS servers are specified in the Forwarders tab in the DNS Management Console.
  • Make sure that WINS is installed and running on the SBS 2000 computer and the internal network adapter on the SBS 2000 computer is configured to point to itself for WINS resolution. By default, note that WINS is installed and configured on SBS 2000.
  • If you have a third-party hardware firewall between the external network adapter on the SBS 2000 computer and the Internet, it must support the incoming VPN connection and be correctly configured to forward the incoming VPN request to the external network adapter of the SBS 2000 computer.
  • Microsoft recommends that you install the latest Windows 2000 Server service pack. For information about how to do so, please visit the following Microsoft Web site:
If external clients cannot establish an inbound VPN connection to the server after you complete these steps and configure Routing and Remote Access, view the "Troubleshooting" section of this article.

Configure SBS 2000 to Accept Inbound VPN Connections

  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click your server, and then click Configure and Enable Routing and Remote Access.

    If Routing and Remote Access is configured already, the Configure and Enable Routing and Remote Access command will be unavailable. In that case, right-click the server, and then click Disable Routing and Remote Access. Then, right-click the server and click Configure and Enable Routing and Remote Access.
  3. On the "Welcome to the Routing and Remote Access Server Setup" page, click Next.
  4. Click Manually Configure Server, click Next, and then click Finish.
  5. Click Yes to start the Routing and Remote Access service. Note that you must not click Virtual Private Network (VPN) Server. This configures Routing and Remote Access with the following parameters:
    • Filters: None.
    • Router: Enabled.
    • Remote Access Server: Enabled.
    • IP address assignment is set to DHCP.
    • VPN ports: There are five PPTP connections, and five L2TP connections.
  6. Microsoft recommends that you set Routing and Remote Access to use a static pool of IP addresses for the remote VPN clients. When you select your static pool addressing scheme, note that:
    • The address pool must be included in the Internet Security and Acceleration (ISA) Server's local address table (LAT). To view the LAT in ISA Server, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management. Expand Servers and Arrays, expand server name, expand Network Configuration, and then click Local Address Table (LAT).
    • The address pool must not be on the same subnet as the internal or external network adapter.
    Note that a default installation of SBS 2000 contains 10.0.0.0 through 10.255.255.255 and 172.16.0.0 through 172.31.255.255. Depending on your internal IP addressing scheme, you can use one of the ranges that are predefined in the LAT. If you have to add an additional LAT entry for the static pool range, right-click Local Address Table (LAT), point to New, and then click LAT Entry.

    To set Routing and Remote Access to use a static pool of IP addresses for incoming VPN clients:
    1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
    2. Right-click the server name (local), and then click Properties.
    3. Click the IP tab.
    4. Click Static address pool, and then click ADD.
    5. Type your static range.
    6. Click OK to close New Address Range Properties.
  7. After the Routing and Remote Access service is started, right-click the server name on the left side of the Routing and Remote Access management snap-in, and then click Properties.
  8. On the IP tab under server name (local) Properties, locate the Adapter box. In the Adapter box, change the selection from Allow RAS to select adapter to the internal network adapter. Click OK to close this dialog box. This setting allocates WINS and DNS server addresses that are defined on the internal network adapter on the SBS 2000 computer to the remote VPN (DHCP) clients.
  9. On the left side of the screen, click Remote Access Policies, right-click Allow access if dial-in permission is enabled, and then click Properties.
  10. Click Grant remote access permission.
  11. Quit the Routing and Remote Access management console.
  12. Start Active Directory Users and Computers, and then click the Users container. Open the properties of a user, and then grant the user "dial-in" permissions on the Dial-In tab.
  13. Obtain and install the hotfix from "Q292822: Name Resolution and Connectivity Issues on Windows 2000 Domain Controller with Routing and Remote Access and DNS Installed".

Common Issues

The most common issues with VPN on SBS 2000 come from:

  • Running one of the predefined template wizards that is included in the Routing and Remote Access Management Console.
  • Following the instructions that are included in the following Microsoft Knowledge Base article:

    308208 HOW TO: Install and configure a virtual private network server in Windows 2000

    These instructions configure SBS 2000 to act exclusively as a VPN server and only accept VPN connections. Symptoms of using this predefined template include:
    1. Users on the Local Area Network (LAN) cannot browse the Internet.
    2. The SBS 2000 computer may not be able to send or receive SMTP e-mail messages.
    3. Users may not be able to log on to the SBS 2000 domain.
    To determine if the Routing and Remote Access VPN wizard was completed on the server:

    1. Start the Routing and Remote Access snap-in.
    2. Expand server name (local).
    3. Expand IP Routing.
    4. Click General.
    5. On the right side of the screen, right-click the external network adapter, and then click Properties.
    6. Click Input Filters, Output Filters, or both.
    7. If this screen is populated, the VPN server was probably selected in the Routing and Remote Access Setup Wizard. If it is apparent that Routing and Remote Access was set up with the VPN wizard, Turn off and then turn on Routing and Remote Access. For information about how to do so, complete step 1 in the "Troubleshooting" section of this article.
  • A hardware firewall or router is between the external network adapter of the SBS 2000 computer and the Internet. For a VPN client to access the SBS 2000 computer by using a VPN connection, all routers between the remote VPN client and the server must allow traffic to pass through TCP port 1723 (PPTP) and must support protocol type 47. Protocol type 47 is the Generic Routing Encapsulation (GRE) protocol.
  • You have not completed the steps that are included in the following Microsoft Knowledge Base article:
    306802 How to configure Small Business Server for full time Internet access with two network adapters

Troubleshooting

If a remote access VPN client cannot successfully connect to the SBS 2000 computer:

  1. Turn off and then turn on Routing and Remote Access. This method is listed first because it is the simplest and quickest way to correct mis-configurations in Routing and Remote Access.
    1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
    2. Right-click server name (local), and then click Disable Routing and Remote Access.
    3. Click Yes when you receive the warning message.
    4. Perform steps 1-12 in the "Configure SBS 2000 to Accept Inbound VPN Connections" section earlier in this article to again turn on and reconfigure Routing and Remote Access. You only have to complete step 13 one time, and you do not have to reapply the hotfix if it has been previously applied.
  2. Try to establish a VPN connection from an internal client to the internal network adapter of the SBS 2000 computer. Turn off the firewall client on the VPN client if it is installed. If this does not resolve the issue, the issue is most likely the server itself, and it is likely that other network problems exist on the server, LAN, or both. Check Event Viewer for errors about TCP/IP. Make sure that all of the appropriate services are started on the SBS 2000 computer. Check Device Manager for problems with the physical network adapters.
  3. Use Pptpsrv.exe and Pptpclnt.exe to verify communication on port 1723 and that GRE47 requests are being passed between the remote VPN client and the SBS 2000 computer. These two tools are included with Windows 2000 Support Tools. You can install these tools on the SBS 2000 computer by running Setup.exe from the Support\Tools folder on the SBS 2000 CD1. After you install the Support Tools, click Start, point to Programs, point to Windows 2000 Support Tools, and then click Tools Help. View the "P" section, and then click PPTP Ping for information about how to use this utility.

    NOTE: You must stop the Routing and Remote Access service on the SBS 2000 computer so that PPTPSRV can bind to port 1723.
  4. If step 3 does not work, re-configure the physical network by using the following steps. The following steps emulate an incoming VPN connection from a remote VPN client to the SBS 2000 computer. This helps you to determine whether the failure is caused by your local router/firewall, a router on the Internet, or on the SBS 2000 computer.
    1. Connect the external network adapter on the SBS 2000 computer to a simple hub by using a patch cable.
    2. Connect a client computer to the same hub by using a patch cable.
    3. Configure the TCP/IP settings on the client computer to be on the same subnet as the external network adapter of the SBS 2000 computer. For example, if the IP address/subnet mask on external network adapter on the SBS 2000 computer is 157.57.10.8/255.255.0.0, configure the client with an IP address of 157.57.10.9/255.255.0.0.
    4. Turn off the Firewall Client/Winsock Proxy Client on the client computer.
    5. Configure the VPN connection on the client as you would on a "true" external VPN client.
    6. Test the VPN connection.
    7. If it is successful, the problem probably is with something external to the SBS 2000 network. Contact your ISP or hardware firewall vendor for more help.
    8. If it fails, a configuration/hardware issue on the client or server exists that is not addressed in this article. Make note of the error the client receives and any relevant errors in the SBS 2000 Event Viewer log and visit http://support.microsoft.com to search for any known issues.

References

241252 VPN tunnels - PPTP protocol packet description and use

314076 HOW TO: Configure a connection to a virtual private network (VPN) in Windows XP

For additional information about the Routing and Remote Access wizards that are included with Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:

256644 Description of Remote Access wizards

Propriedades

ID do Artigo: 320697 - Última Revisão: 30 de out de 2006 - Revisão: 1

Comentários