RE: VPN & SQL Issue
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Thu, 08 Sep 2005 08:27:43 GMT
Hi Joe,
Thanks for the detailed updates.
After checking your description, I found that you have implemented a
hardware firewall on the SBS domain, and that the SBS 2000 and SBS 2003
servers are located on the same switch.
Now let us describe the issue more clearly: it seems to be a problem with
VPN name resolution.
First, when we establish VPN connections to the SBS domain, we go through
the hardware firewall and then get an IP address, which should be in the same
subnet as the SBS internal NIC. If not, you need to configure the VPN
connection to correct this issue.
Let us perform some tests below:
1. As we are not familiar with the firewall appliance you use, could you
tell us if the firewall appliance is also a router or not? From your
description, it seems your public IP address is set on SBS 2003 not on the
firewall's external side. (if I misunderstood your firewall, please explain
it to us)
2. Can you access the SQL 2000 database on the SBS 2000 domain via an internal
client on the SBS domain?
3. By default, as far as I know, if the external NIC of SBS 2003 is not in the
same subnet as the router's device, we should set the default gateway on the
SBS side, so please describe your device more clearly so we can check whether
the packets from VPN clients will be routed correctly.
4. If possible, could you remove the firewall temporarily and then rerun the
CEICW wizard to configure incoming VPN and the SBS network?
For further research, please kindly run ipconfig /all on both the SBS 2000
server and the SBS 2003 server, and also on the remote VPN clients. If possible,
please paste the firewall's IP configuration to the newsgroup.
Thanks for your effort in this issue. I will be here waiting for your
updates.
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: Leythos <void@xxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: RE: VPN & SQL Issue
| Date: Wed, 07 Sep 2005 20:19:52 GMT
|
| In article <0872A68D-5BDE-41A4-B3D6-BB43B6A8E423@xxxxxxxxxxxxx>,
| Joel@xxxxxxxxxxxxxxxxxxxxxxxxx says...
| > I think you hit the nail on the head. We are going to implement either ISA
| > or another monitoring utility in a few months. In order to audit internet
| > usage. For now our firewall offers more than sufficient security.
| > As for "Drop in" mode, I don't believe our Firewall has that function. But
| > out of curiosity why would you want your public ip on the lan & wan
| > simultaneously?
|
| When you use a Dual NIC solution you have one NIC connected to the PUBLIC
| Network and one connected to the Private Network.
|
| When the firewall appliance is set up in a DROP-IN mode, nothing gets
| in/out until you create rules for it - so, like the mode you use now,
| you still have to create a rule to pass HTTPS from External to Trusted,
| etc... Ask yourself, what's the difference between allowing INBOUND HTTP
| from External to Trusted via NAT and allowing INBOUND HTTP from External
| to Trusted without NAT? Answer - nothing, the rules still apply, the
| HTTP Session Filtering still applies.... The only problem with Drop-In
| mode is that you can't create multiple HTTP rules based on internal IP
| addresses - so, if you have systems with DHCP Reservations in the
| 192.168.10.10~192.168.10.19 range (like servers), you can't create a
| HTTP unfiltered OUTBOUND rule while having the rest of the network use a
| Filtered HTTP rule to block Active-X and bad headers.
|
| The difference is that DROP-IN mode is transparent to the device inside
| the network - in many cases when you use DUAL NICs you are doing one IP
| subnet on the outside and another on the inside (different range)....
|
| I don't use Dual NIC methods when I have a firewall appliance because I
| have more functions accessible when I use the firewall for what it was
| designed for and use it as a VPN End-Point and IPSec end-point for
| branch office to branch office connections. The nice thing about the
| single NIC solution is you don't have all of the configuration problems
| you see with the DUAL NIC solutions and external users.
|
| Which Firewall product do you have?
|
| --
|
| spam999free@xxxxxxxxxx
| remove 999 in order to email me
|
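
As an added illustration (not part of the original posts), this Python script automates the comparison the reply above asks for once the `ipconfig /all` outputs have been collected: it checks that the VPN client's PPP address lies in the subnet of the SBS internal NIC, and that the server has a default gateway that sits inside its own adapter's subnet. The sample outputs, adapter names, addresses and function names are constructed assumptions, and the gateway check is one reading of test 3.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpts (not from the thread; names and addresses are made up).
SERVER = """Windows IP Configuration

Ethernet adapter Server Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Network Connection:
   IP Address. . . . . . . . . . . . : 10.0.0.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
"""
CLIENT = """PPP adapter SBS VPN:
   IP Address. . . . . . . . . . . . : 192.168.17.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 192.168.17.20
"""

def parse_ipconfig(text):
    """Return {adapter name: {"type": ..., field: value}} for single-token fields."""
    adapters, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+) adapter (.+):\s*$", line)
        if head:
            current = adapters.setdefault(head.group(2), {"type": head.group(1)})
            continue
        field = re.match(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(\S*)\s*$", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return adapters

def subnet(adapter):
    """Network the adapter sits in, from its address and mask."""
    return ipaddress.ip_network(f"{adapter['IP Address']}/{adapter['Subnet Mask']}", strict=False)

def check(server_text, internal_nic, client_text):
    """Return findings: PPP address outside the internal subnet, gateway absent or off-subnet."""
    server, findings = parse_ipconfig(server_text), []
    lan = subnet(server[internal_nic])
    for name, a in parse_ipconfig(client_text).items():
        if a["type"] == "PPP" and ipaddress.ip_address(a["IP Address"]) not in lan:
            findings.append(f"VPN client '{name}': {a['IP Address']} is not in {lan}")
    gateways = [(n, a) for n, a in server.items() if a.get("Default Gateway")]
    if not gateways:
        findings.append("server: no default gateway set on any adapter")
    for name, a in gateways:
        if ipaddress.ip_address(a["Default Gateway"]) not in subnet(a):
            findings.append(f"server '{name}': gateway {a['Default Gateway']} is not in {subnet(a)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check(SERVER, "Server Local Area Connection", CLIENT)) or "no findings")
```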