Re: VPN/Remote Desktop/Internet problem




Thanks, Bill, for the continuing education.

It looks as though I can configure the VPN clients to use split tunnel by
revising the setup of the Pix, which will configure their routing when they
connect. This should give them local ISP Internet access.

I will also shut down VPN server on my PDC.
--
Newell White
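The split-tunnel change Newell describes above, written out as an added example (not configuration posted by anyone in this thread). It assumes PIX 6.x syntax with the Cisco VPN Client terminating on the firewall; the group name `roaming`, the pool `vpnpool` and its range, the DNS server address, the domain name and the group key are placeholders, and 192.168.1.0/24 is the LAN from the original post.

```cisco
! Added example, not from the thread: split tunnel for Cisco VPN Client
! users on a PIX 6.x. Group name, pool, DNS address, domain and key are
! placeholders; 192.168.1.0/24 is the LAN described in the original post.

! Traffic matching this ACL is sent through the tunnel; anything else,
! including ordinary web browsing, leaves the client via its local ISP.
access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 any

! Address pool handed to connecting VPN clients (placeholder range).
ip local pool vpnpool 192.168.2.1-192.168.2.50

! Per-group settings pushed to the Cisco VPN Client when it connects.
! dns-server points the client at the internal DNS so the DC and
! file-server names still resolve across the tunnel.
vpngroup roaming address-pool vpnpool
vpngroup roaming dns-server 192.168.1.10
vpngroup roaming default-domain example.local
vpngroup roaming split-tunnel split_tunnel_acl
vpngroup roaming idle-time 1800
vpngroup roaming password GROUP-KEY-PLACEHOLDER

! Without the "split-tunnel" line the group is tunnel-all: every packet,
! Internet traffic included, is carried to the PIX, which is what pushes
! the remote users' browsing through the office ADSL upload.
```

On a PIX 7.x the same intent is expressed under `group-policy <name> attributes` with `split-tunnel-policy tunnelspecified` and `split-tunnel-network-list value split_tunnel_acl`, the ACL being a standard ACL there. A quick check from an XP client after connecting is `route print`: with split tunnel in effect only 192.168.1.0/24 is routed via the VPN adapter and the default route stays with the local ISP. The trade-off Newell raised earlier in the thread still applies: a split-tunnelled client is on the Internet and on the LAN at the same time, so the client-side firewall, not the PIX, is what now stands between the two.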


"Bill Grant" wrote:

If the remote clients are connecting to the PIX using the Cisco VPN
client, they are not connecting to the Windows machine by VPN, so you do not
need the Windows machine to be a VPN server. The clients connect to the
Windows server by RDP on top of the VPN connection to your LAN
firewall/router.

The remotes may be authenticating their VPN connection against AD though.
The Cisco could be offloading that to the DC using RADIUS.

Trying to make an Internet connection through RDP over VPN certainly
doesn't sound like a good idea to me. It would be very slow even if you
could make it work.

Newell White wrote:
Sorry for the delay in replying, but here in UK business hours I have had
great difficulty connecting to this group after logging in: 'Page not
available'.

First reply to Bob:
Don't have a policy prohibiting Internet Access.
Pinging routable IP address times out.
Pinging same address by name leaves blank DOS window which disappears
after several minutes.

Now to Bill:
I inherited this set-up (previous admin left before I joined to do a
different job, I have had to self-educate to keep network running -
small firm!).
Yes our roaming users use Cisco VPN client, and tunnel terminates in
our Cisco Pix.
Does that mean inherited W2k3 VPN server role is redundant, and I can
close it down?

Further question:
To ease restricted upload speed on our ADSL connection, I have to
configure users to access Internet by their local ISP - plan was to
disable 'Use Remote Gateway' on their Windows XP VPN connection.
But if the Cisco Pix is the tunnel end, it must be doing some sort of
routing to reach Remote Desktop on the DC. Do I have to configure
split-tunnel on the Pix?

Thanks to all

I basically agree with Bob. The PDC emulator is the worst choice
for the VPN server. The PIX is the best choice. If you must use a
Windows server, don't use the PDC emulator for a remote access
server. Even if you use the other W2k3 for RRAS you may have problems
if it is a DNS server or is a master browser for the LAN. See KB
292822 and 830063.

Robert L [MS-MVP] wrote:
First of all, it is not recommended to enable RRAS on a DC. Since
you have Cisco PIX, I would use Cisco VPN.

Secondly, I would set up a group policy to restrict TS/RDP users from
accessing the Internet if they access the DC. So, do you have a group
policy to block internet access?

Can you ping a public IP after RDC to the DC?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
"Newell White" <NewellWhite@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:A7D3D7B8-1589-434C-926E-17894BCDDEE3@xxxxxxxxxxxxxxxx
We have a single subnet LAN, 192.168.1.0, with 2 W2k3 servers running AD
and DNS/WINS/DHCP. The PDC also hosts our database and RRAS/VPN server. We
have about 40 XP workstations on the LAN, and 10 VPN clients running XP
or 2000.

VPN client access is configured via the public IP address of our Cisco Pix
firewall (only route from ADSL connection to the LAN), and they login to
Remote Desktop on the PDC to access the database and file-shares only.

The only detectable problem with this set-up is - VPN users can't access
the Internet from the PDC remote desktop. They get 'cannot find server or
DNS error' - sounds like a clue!

Can anyone point me to a CLEAR article which explains why this problem
arises and how it can be solved? I don't want the security and support
headache of configuring the VPN clients (world-wide) for split-tunnel to
get Internet from their ISP.

Are there any other potential problems I am ignorant of?

TIA,
--
Newell White





