Aaron Booker  United States Member since 5/7/2006
Registered Users Posts: 11
6/11/2006 08:40 AM
Hi all,
I have a site to site VPN setup between a remote office (3 XP Pro boxes) and HQ (SBS Server, 8 XP Pro). I happen to be using Zywall 5's, but I believe this problem is unrelated to the VPN Hardware.
HQ's network is: 10.112.12.x (SBS Server is 10.112.12.10)
Remote office network is: 10.112.14.x
The Zywall is handing out DHCP on the remote network - and is handing out DNS of 10.112.12.10. The remote boxes can surf the web using the SBS DNS, but can't connect to companyweb or do /connectcomputer.
For the solution to this issue, I have seen references to adding an IP route on the SBS box, but after an hour+ of googling and searching here and elsewhere - I'm asking for help on how to do that.
I don't want to have each remote user (on the remote LAN) to have to use the software VPN connector as part of their daily workflow - I want them to be using a site to site VPN, so that they're not "remote users" but that they feel like they're on the network. Also - I'd like the computers on the remote network to be accessible via RWW, and I'd like HQ to be able to print to the remote office - which also necessitates the site to site VPN.
Thanks much!
Aaron Booker
Paul Janssen  The Netherlands Member since 5/25/2005
Registered Users Posts: 63

6/11/2006 10:47 AM
Don't know if this will help you with your problems (because we use hardware routers for our site-to-site vpn connection and the gateway to our remote offices isn't the SBS server, but a router), but to add a static route on the SBS server do the following:
On the SBS server go to "Start" and select "Run"
Type "cmd" and hit the "ok" button.
In the cmd window type the following:
route add 10.112.14.0 mask 255.255.255.0 10.112.12.10 -p
The syntax of this function is:
ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]
The -p is for making it permanent, without it the route will be deleted after a restart.
You can also type "route" and hit enter to get an overview of the "route" function.
I don't know if it will work (no network specialist over here), because I don't know if the IP address for the gateway is correct. You could experiment with the gateway address using the internal NIC or external NIC of the SBS server (also with selecting the interface card).
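Added example, not part of any poster's message: a Python check of a Windows `route add` line against the host's own interface addresses, using the subnets from this thread. A gateway equal to the host's own address is treated by Windows as on-link, so nothing is handed to the VPN router; the HQ router address 10.112.12.1 used for comparison is an assumed placeholder that the thread does not state.

```python
import ipaddress

def parse_route_add(cmdline):
    """Parse a Windows 'route add <dest> [mask <netmask>] <gateway>' line."""
    words = cmdline.split()
    persistent = any(w.lower() == "-p" for w in words)
    tokens = [w for w in words if w.lower() not in ("-p", "-f")]
    if [t.lower() for t in tokens[:2]] != ["route", "add"] or len(tokens) < 4:
        raise ValueError("expected: route add <dest> [mask <netmask>] <gateway>")
    dest, rest = tokens[2], tokens[3:]
    mask = "255.255.255.255"          # host route when MASK is omitted
    if rest[0].lower() == "mask":
        if len(rest) < 3:
            raise ValueError("mask given but netmask or gateway missing")
        mask, rest = rest[1], rest[2:]
    # Strict parsing rejects a destination with host bits set for this mask.
    network = ipaddress.ip_network(f"{dest}/{mask}")
    gateway = ipaddress.ip_address(rest[0])
    return network, gateway, persistent

def check_route(cmdline, local_interfaces):
    """Return findings for a route line; an empty list means it looks sane."""
    network, gateway, _ = parse_route_add(cmdline)
    ifaces = [ipaddress.ip_interface(i) for i in local_interfaces]
    findings = []
    if any(network.overlaps(i.network) for i in ifaces):
        findings.append("destination-overlaps-local-subnet")
    if any(gateway == i.ip for i in ifaces):
        # Own address as gateway means "on-link": the host ARPs for the remote
        # hosts on its own segment instead of forwarding to a router.
        findings.append("gateway-is-own-address")
    elif not any(gateway in i.network for i in ifaces):
        findings.append("gateway-not-on-link")
    return findings

# Values from the thread; 10.112.12.1 is an ASSUMED placeholder for the HQ router.
SBS_INTERFACES = ["10.112.12.10/24"]
POSTED = "route add 10.112.14.0 mask 255.255.255.0 10.112.12.10 -p"
VIA_ROUTER = "route add 10.112.14.0 mask 255.255.255.0 10.112.12.1 -p"

if __name__ == "__main__":
    for line in (POSTED, VIA_ROUTER):
        print(line, "->", check_route(line, SBS_INTERFACES) or "ok")
```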
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12282

6/11/2006 12:24 PM
Hi Aaron,
What error do you get when you try to run connectcomputer from the remote office? Please post an ipconfig /all from the server, a workstation and a remote workstation. Open a command prompt by opening Start -> Run from the Start Menu and type cmd. From the command prompt type ipconfig /all >ip.txt. Attach this file to your answer.
Marina Roos, Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Aaron Booker  United States Member since 5/7/2006
Registered Users Posts: 11
6/11/2006 05:59 PM
Paul,
I'm offsite now so I can't test until tomorrow at the remote site but I think this is exactly what I was looking for.
My Zyxels are creating a tunnel between them for the site to site VPN connection - and the remote office zywall is their gateway. I believe I'm creating exactly what you are currently doing.
After I posted last night, I did change the IP addresses on the remote boxes to fixed addresses - using the SBS Server for DNS.
So, Marina - the remote machines look like this:
IP: 10.112.14.100 (101, 102)
Subnet: 255.255.255.0 (server is also class C)
Gateway: 10.112.14.1 (ZyWall 5 in remote office)
DNS: 10.112.12.10
I also turned on NetBios over IP as well as adding an entry for WINS at 10.112.12.10
The error I was getting for companyweb and /connectcomputer had to do with the IP address not being allowed by IIS. I did however install Trend CSM 3.x clients on the remote machines via https://10.112.12.10:4343 - flawless...
Thanks guys. I'll post more, and resolution if I have it.
Aaron
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12282

Aaron Booker  United States Member since 5/7/2006
Registered Users Posts: 11
6/11/2006 07:33 PM
Thanks very much. I'll report back tomorrow!
Aaron
Aaron Booker  United States Member since 5/7/2006
Registered Users Posts: 11
6/13/2006 03:48 AM
Marina,
Thanks so much for your post. That fixed the problem! So simple, and so quick!
I did try "route add..." afterwards, but had to remove it - as it caused the remote site to lose connectivity to the main site (including /remote via the outside IP). I did find that even without adding the route to the SBS server - the server is able to keep track of the remote machines on the 10.112.14.x subnet - which allows RWW to function normally - so my remote workers can RWW to their computers from home, or from the main office!
Just for grins (and for someone coming along later) I added IP configs for my various machines below - one remote workstation, one "local" workstation, and the SBS Server. See attached!
Very cool stuff! Super slick. The Zyxel support was fantastic in getting our Zywall 5 UTM (main) and Zywall 5 (remote) connected for the site to site VPN. I highly recommend their products, and we love the extra layer of security that the Zywall 5 UTM is giving us - protection from Spyware, Virii, IDS, etc. http://www.zyxel.us (here in the states)
We're still using the SBS VPN software connect piece for the remote users - easier to support that way, though the Zywalls could do that too, of course.
Aaron Booker Hardlines Company http://www.hardlines.com Webcasting, Web hosting, and Network Consulting
Attachment: 1613483767771.txt
Attachment: 1613483767754.txt
Attachment: 161350398971.txt
Aaron Booker  United States Member since 4/12/2006
Registered Users Posts: 1
6/13/2006 06:08 AM
Oops. Spoke too quickly...
In allowing the remote subnet access to the SBS server, as Marina suggested, I seem to have blocked access to /remote and /exchange from other locations... I was onsite much of the day doing the /connectcomputer gig and migrating docs to sharepoint and now I'm home and can't remote in! Ouch. I'll have to go onsite tomorrow and fix IIS.
Anybody have any thoughts as how to correct what I did?
Thanks all!
Aaron
My error is:
You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.
Please try the following:
- Contact the Web site administrator if you believe you should be able to view this directory or page.
HTTP Error 403.6 - Forbidden: IP address of the client has been rejected. Internet Information Services (IIS)
Technical Information (for support personnel)
- Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
- Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Limiting Access by IP Address, IP Address Access Restrictions, and About Custom Error Messages.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12282

6/29/2006 05:05 PM
Hi Aaron,
The remote workstation is missing the dns suffix though. Why don't you set them to dynamically grab an IP and DNS?
About IIS: have you added both subnets to the IP restrictions of the default website?
Aaron Booker  United States Member since 5/7/2006
Registered Users Posts: 11
6/29/2006 05:47 PM
Marina,
What I did to solve the problem was add the WINS information in tcp/ip advanced, as well as change the default search domain... Also I did add both subnets to the IP restrictions of the default website. All problems got resolved then.
I think I found the solution to this issue on expertsexchange...
Aaron
brad mello  United States Member since 7/8/2008
Registered Users Posts: 1

7/08/2008 02:32 AM
Site to Site VPN - Remote network XP machines can ping SBS Server at HQ but can't /connectcomputer
I paid the fee to read the article because it describes my company's IT landscape exactly.
1 SBS server w/ 8 local clients on LAN A
and 5 clients on remote LAN B
The 3 answer articles only describe a method for adding a Domain Controller at the remote office via VPN w/ ISA but it does not describe how to accomplish this with an SBS Server with 1 NIC, no ISA and no DC at the remote site...
Could you help me locate instructions for the configuration originally posted above?
VPN connected and all pingable
Thank you,
Brad
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12282

8/31/2008 02:05 AM
Hi Brad,
That series of articles indeed describes the procedure where SBS is using 2 NICs with ISA, so the remote DC needs to use RRAS for the VPN. If you have 1 NIC in the server, you could create a hardware VPN tunnel between the two routers.