Re: netgear VPN/Router

From: Gary Karasik (gkarasik2fea.net)
Date: 03/26/04


Date: Fri, 26 Mar 2004 09:51:50 -0800


> It would if the Router at your SBS end was on the INSIDE of your network
> - it's not, it's on the OUTSIDE...

Believe it or not, this is starting to make sense. I thought that's what we
were doing when we forwarded the port to the external NIC on the server.

GaryK

"David Elders" <david_elders@nospam.hotmail.com> wrote in message
news:ujuqJ30EEHA.1128@TK2MSFTNGP11.phx.gbl...

>
> To your SBS box any PCs that are connecting via your Router > Router VPN
> link are just like PCs plugged into any switch/hub whatever on the external
> side of your SBS box. These wouldn't have access to internal LAN resources
> without VPN'ing onto the external NIC either. That's by design. Anything
> outside your LAN has to authenticate/log-on to your LAN before it'll gain
> access to any internal resources.
>
> Your Router > Router VPN is just that - Router > Router. It's not Router >
> SBS...
>
> Hope that clears things up a little.
>
> Regards,
>
>
>
> David
>
>
> "Gary Karasik" <gkarasik2fea.net> wrote in message
> news:Or6Diu0EEHA.2908@TK2MSFTNGP09.phx.gbl...
> > This I don't understand. Doesn't a permanent router-to-router VPN link
> > allow the workstations at the remote site to be part of the network at the
> > host site without having to manually run the MS VPN software?
> >
> > GaryK
> >
> > "David Elders" <david_elders@nospam.hotmail.com> wrote in message
> > news:uQkhoVxEEHA.696@TK2MSFTNGP12.phx.gbl...
> > > Hi Gary,
> > >
> > > Why? What's the reason not to use it? Especially if it works...
> > >
> > > If you have a Router-Router config giving you in effect a permanent
> > > site-site link, that allows you to VPN from remote clients at the 'remote'
> > > site directly to the external NIC [via port forwarding obviously] rather
> > > than having to go across the Internet to get there.
> > >
> > > Regards,
> > >
> > >
> > >
> > > David
> > >
> > >
> > >
> > > "Gary Karasik" <gkarasik2fea.net> wrote in message
> > > news:%231vwTNvEEHA.3568@tk2msftngp13.phx.gbl...
> > > > Thanks, David. I was hoping to find a way to make it work without the MS VPN
> > > > client. I'll likely end up bypassing the proxy server.
> > > >
> > > > GaryK
> > > >
> > > > "David Elders" <david_elders@nospam.hotmail.com> wrote in message
> > > > news:%23BMtj0tEEHA.2076@TK2MSFTNGP09.phx.gbl...
> > > > > That's where your theory is falling down Gary.
> > > > >
> > > > > With these two Netgear VPN boxes connecting to each other, you will still
> > > > > need to run the MS client in order to connect to the SBS box. If you don't
> > > > > VPN onto the SBS box itself, you don't get access to the LAN resources. All
> > > > > you're doing with the Netgear to Netgear set-up is VPN'ing to the OUTSIDE of
> > > > > your SBS network. The reason that you can't get access from the outside is
> > > > > that your SBS box/Proxy is doing its job properly... only clients
> > > > > authenticated on the SBS box should be able to use LAN resources...
> > > > >
> > > > > Hope that clarifies matters.
> > > > >
> > > > > Cheers,
> > > > >
> > > > >
> > > > >
> > > > > David
> > > > >
> > > > >
> > > > >
> > > > > "Gary Karasik" <gkarasik2fea.net> wrote in message
> > > > > news:O8perNpEEHA.3408@tk2msftngp13.phx.gbl...
> > > > > > Sorry if I'm being dumb here - if the remote clients can already VPN into
> > > > > > the SBS box using the MS VPN client over PPTP why are you trying to use the
> > > > > > Netgear client? Seems like you're creating some work for yourself to do
> > > > > > what's already working another way. Like I say, I could be reading this
> > > > > > wrong! :-)
> > > > > >
> > > > > > I have two Netgear VPN boxes. They will, when properly configured,
> > > > > > auto-establish a hardware-VPN tunnel between them, making the MS client
> > > > > > connection unnecessary. Of course, this is useful only if the workstations
> > > > > > can access system resources.
> > > > > >
> > > > > > GaryK
> > > > > >
> > > > > >
> > > > > > "David Elders" <david_elders@nospam.hotmail.com> wrote in message
> > > > > > news:uRsPIZoEEHA.3748@TK2MSFTNGP11.phx.gbl...
> > > > > > > Hi Gary,
> > > > > > >
> > > > > > > Replies in-line:
> > > > > > >
> > > > > > > David
> > > > > > >
> > > > > > >
> > > > > > > "Gary Karasik" <gkarasik2fea.net> wrote in message
> > > > > > > news:eXdVGKoEEHA.688@tk2msftngp13.phx.gbl...
> > > > > > > > Thanks very much for the detailed response. Please see inline:
> > > > > > > >
> > > > > > > > > If the users are only connecting via the Router-Router VPN they won't see
> > > > > > > > > any of the LAN resources. They have to VPN onto the SBS box to do so.
> > > > > > > > > Are your remote clients attempting to VPN onto the SBS box via PPTP or
> > > > > > > > > IPSEC? Which of these [or both?] is the Netgear VPN using?
> > > > > > > >
> > > > > > > > Even without the Netgear boxes connected, the clients can, using the MS PPTP
> > > > > > > > VPN client, VPN through the Netgear and into the SBS box and that all works
> > > > > > > > fine. The Netgear VPN client will do only IPSec.
> > > > > > >
> > > > > > > Can't recall off the top of my head whether RRAS supports IPSEC or if it
> > > > > > > just supports PPTP. That might not be the case but it's worth checking...
> > > > > > >
> > > > > > > >
> > > > > > > > > Obviously, if the Netgear is 'answering' VPN calls on PPTP/IPSEC/both,
> > > > > > > > > then it's not going to pass through these onto the SBS box.
> > > > > > > > > For PPTP onto your SBS box all you should have to do is to enable port
> > > > > > > > > forwarding for port 1723 onto your SBS box's external NIC. The Netgear
> > > > > > > > > will also have to forward the GRE protocol although you shouldn't have to
> > > > > > > > > configure anything for this - chances are the router either will or won't pass
> > > > > > > > > the protocol.
> > > > > > > >
> > > > > > > > I currently have the Netgear forwarding 1723 to the external NIC (thinking
> > > > > > > > that the SBS box would then take care of the routing to the internal NIC as
> > > > > > > > it does with the MS PPTP client). I'll try forwarding port 1723 through the
> > > > > > > > Netgear to the internal NIC.
> > > > > > > >
> > > > > > >
> > > > > > > Nope - that's correct. The Netgear should be forwarding 1723 to the external
> > > > > > > NIC on the SBS box. The incoming PPTP VPN requests should then be dealt with
> > > > > > > by RRAS on the SBS box. Bear in mind that forwarding 1723 will only pass
> > > > > > > PPTP requests - not IPSEC. More detail below:
> > > > > > >
> > > > > > > http://www.winnetmag.com/Files/40832/Table_01.html
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017&Product=ISAS
> > > > > > >
> > > > > > > > > What you could do is to have the 2 Routers connect for the permanent VPN
> > > > > > > > > between them using IPSEC and have your remote users connecting to the
> > > > > > > > > SBS box via PPTP with 1723 forwarding from the Netgear to the SBS box.
> > > > > > > > > Hope that's some help at least..
> > > > > > > >
> > > > > > > > They can currently VPN into the SBS box without the Netgear boxes being
> > > > > > > > connected. Is there some advantage to having the Netgear boxes connected
> > > > > > > > also?
> > > > > > > >
> > > > > > >
> > > > > > > Sorry if I'm being dumb here - if the remote clients can already VPN into
> > > > > > > the SBS box using the MS VPN client over PPTP why are you trying to use the
> > > > > > > Netgear client? Seems like you're creating some work for yourself to do
> > > > > > > what's already working another way. Like I say, I could be reading this
> > > > > > > wrong! :-)
> > > > > > >
> > > > > > > > GaryK
> > > > > > > >
> > > > > > > > > Cheers,
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > David
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > "Gary Karasik" <gkarasik2fea.net> wrote in message
> > > > > > > > > news:ekM2oVeEEHA.3576@TK2MSFTNGP12.phx.gbl...
> > > > > > > > > Answering your second question first, yes, I did stop/start the web proxy.
> > > > > > > > >
> > > > > > > > > As far as what I get from the Netgear VPN client: It's not what I get from
> > > > > > > > > the Netgear VPN client. That's just a test bed. The advantage lies in the
> > > > > > > > > fact that the NVM318s will, once correctly configured, auto-establish a
> > > > > > > > > persistent, hardware-based VPN tunnel between them. Of course such a tunnel
> > > > > > > > > does no good if the users can't access any resources.
> > > > > > > > >
> > > > > > > > > GaryK
> > > > > > > > > "Cris Hanna (SBS-MVP)" <crisnospamhanna@mindspring.com> wrote in message
> > > > > > > > > news:%23%23uV4xdEEHA.2768@tk2msftngp13.phx.gbl...
> > > > > > > > > Gary
> > > > > > > > > Just out of curiosity, what do you hope to get from the Netgear VPN client,
> > > > > > > > > that you are not getting with MS VPN client?
> > > > > > > > >
> > > > > > > > > after you disabled packet filtering did you by chance stop and restart
> > > > > > > > > webproxy and winsock proxy services on the server???
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Cris Hanna, SBS-MVP
> > > > > > > > > ----------------------------------------------
> > > > > > > > > Please DO NOT respond to me directly but post all responses here in the
> > > > > > > > > newsgroup so that all can share the information
> > > > > > > > > "Gary Karasik" <gkarasik2fea.net> wrote in message
> > > > > > > > > news:Ohh4FTWEEHA.1128@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > SBS 4.5, Merv. Proxy Server, not ISA.
> > > > > > > > >
> > > > > > > > > GaryK
> > > > > > > > >
> > > > > > > > > "Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
> > > > > > > > > news:%23DdC5hVEEHA.3080@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > Does the Netgear VPN client use IPSEC? If so, I believe ISA is not
> > > > > > > > > > compatible with IPSEC.
> > > > > > > > > >
> > > > > > > > > > How to pass IPSec traffic through ISA Server
> > > > > > > > > > http://www.isaserver.org/articles/IPSec_Passthrough.html
> > > > > > > > > >
> > > > > > > > > > Using Internet Protocol Security with Network Address Translation and
> > > > > > > > > > Internet Security Acceleration Server
> > > > > > > > > >
> > > > > > > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;314764
> > > > > > > > > >
> > > > > > > > > > HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
> > > > > > > > > > Concentrator Through ISA Server 2000
> > > > > > > > > >
> > > > > > > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;812076
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Merv Porter [SBS MVP]
> > > > > > > > > > ===================================
> > > > > > > > > > "Gary Karasik" <gkarasik2fea.net> wrote in message
> > > > > > > > > > news:uObob8UEEHA.3080@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > > The Netgear FVM318 is an inexpensive SPI firewall, router, and VPN endpoint.
> > > > > > > > > > > I have placed it between the T1 modem and the 2-NIC, SBS4.5 server. The
> > > > > > > > > > > SBS's external NIC points at the Netgear, which has been configured for VPN
> > > > > > > > > > > passthrough, and (almost) everything is working. I can use the MS VPN client
> > > > > > > > > > > to connect via RRAS to the SBS network and the firewall is stopping all
> > > > > > > > > > > kinds of bad stuff. The SBS is providing DHCP to the internal network, and
> > > > > > > > > > > Proxy Server is successfully doling out internet access to the workstations
> > > > > > > > > > > hanging off the SBS.
> > > > > > > > > > >
> > > > > > > > > > > I can also (using the Netgear VPN client software) connect to the Netgear
> > > > > > > > > > > hardware VPN. BUT, using the Netgear VPN, I can't see or connect to any
> > > > > > > > > > > resources on the SBS network. The tunnel to the SBS external NIC is there,
> > > > > > > > > > > but nothing will go through it. The Netgear guys are stumped. We've tried
> > > > > > > > > > > configuring static routes on the Netgear, but no joy there either. As a test
> > > > > > > > > > > I tried disabling packet filtering, but that didn't help.
> > > > > > > > > > >
> > > > > > > > > > > I know I can solve this by bypassing the SBS external NIC and Proxy Server,
> > > > > > > > > > > but for a variety of reasons I can't just yet, and the upgrade to SBS2K3 is
> > > > > > > > > > > some months off.
> > > > > > > > > > >
> > > > > > > > > > > Please help. Has anyone been able to make a similar scenario work?
> > > > > > > > > > >
> > > > > > > > > > > GaryK