Re: Trouble Joining PCs to Domain from Branch Office through VPN
- From: Kev <kev@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 09 May 2006 18:32:48 +0100
Hi Stephen,
I have been working with the Vigors most of the day and have just read
your post.
I finally figured out that I would need a static route at the HO and
added that static route; when I finally discovered the "more" button on
the LAN to LAN config page I added the 192.168.11.x range at the BO.
When I checked the routing tables on both Vigors it seemed that we
were finally good to go.
I could ping 192.168.1.1 but not 192.168.1.2 from the BO; then I added
an access rule to ISA to allow inbound traffic from 192.168.11.x and
192.168.1.x (the latter maybe not needed) and at long last I could ping
192.168.11.2, the internal NIC on the SBS box.
OK, so I seem to have a BO to HO setup and I can telnet to port 25 on
either 192.168.1.2 or 192.168.11.2 and get the Exchange server
response. My next step was to change the DNS of the test client
machine at the BO to 192.168.11.2; this machine was not part of the
domain and I was logged on as the local Admin.
No joy with trying to access www.google.com from the client using the
SBS DNS server. I then tried to connect this client using
http://192.168.11.2/connectcomputer; again no joy.
OK, went to IIS at the HO and added 192.168.25.x and granted it access
on the default website, thought that was the issue; again no joy.
I am sure it is now something to do with ISA 2004; how does
authentication take place with the LAN to LAN setup?
Am I missing a piece here? What further access rules or new networks
or network rules have to be set up to allow access to the internal
resources of the SBS box, like DNS, LDAP, SMTP etc., from the BO
clients?
Ultimately I want to put a DC in the BO and I want the users there to
use Outlook with the HO Exchange server. I am 50% there but still
missing the other vital 50% !!
Thanks for your thoughts as this has been a hair pulling exercise !!
Kev
On Tue, 09 May 2006 10:27:50 +0100, stephen <stephen@xxxxxxxxxxxxxxx>
wrote:
I use 2800Gs for branch office VPN connectivity, but I use a single-NIC
SBS setup behind an OpenBSD/pf transparent bridging firewall, which
makes the network configuration simpler than going through ISA on 2 NICs.
However, I was thinking about moving to a 2 nic setup and how the
draytek-draytek VPN would work with that. I think the key thing is that
the encryption domain in the (remote) vigor vpn setup needs to include
the internal network, 192.168.11/24. The main office vigor would then
need a static route to 192.168.11/24 pointing at the external nic
192.168.1.2. ISA would need to be configured to permit all (or a
judiciously chosen subset) inbound traffic from the remote lan
192.168.25/24. You should then be able to get from the branch office to
the main office internal lan directly and the traffic between the
192.168.25/24 192.168.11/24 subnets is encrypted by the vigors.
I am not sure if you would want your perimeter subnet (192.168.1/24)
included in the encryption domain, but you can specify multiple subnets
in the vigor configs.
-- stephen
Kev wrote:
Hi,
By way of explanation, I purchased 2 Draytek Vigor 2800G routers as I
had heard Vigor Lan to Lan works well; after a few teething problems
with these boxes they seem stable and are performing well.
The objective is to have a Domain Controller in the branch office and
get DNS, mail and other services from the head office SBS box on
192.168.11.2, just like you seem to be doing. With the Vigor in the
branch office giving out IPs for 192.168.25.x.
Previously I used D-Link at the head office and the setup with a
single public IP was:
192.168.11.x 255.255.255.0 - Internal Network on internal NIC
Small Business Server 2003 with ISA 2004
212.28.25.21 255.255.255.252 - Public Network on external NIC
D-Link DSL504T
212.28.25.22 255.255.255.252 - Management IP
The ISP routed to 212.28.25.22 and I port forwarded from the D-Link to
212.28.25.21 to obtain services from the Small Business Server
remotely, such as RWW.
My first issue with the 2800G was that I could not mirror my D-Link
setup, I had to use a private IP of 192.168.1.1 and change the
external NIC of the server to 192.168.1.2. The only way I could then
get access to my public IP address of 212.28.25.21 was to use a WAN IP
Alias as the ISP was assigning a dynamic IP to the WAN interface.
I have setup a Lan to Lan VPN and I can get a connection for a virtual
Lan of 192.168.1.x/24 and am able to ping 192.168.1.1 and can telnet
to port 25 on 192.168.1.2 at the head office and get a response from
Exchange.
Do I have to in some way, maybe via a static route, get to the
internal SBS NIC on 192.168.11.2, as I need to set that address as the
IP for AD replication and mail at the branch office? With AD
integrated DNS I should be able to point the clients to the branch DC
and get Domain DNS resolution, with forwarders getting internet name
resolution?
If I had my public IP still on the SBS external interface would that
make life any easier? This all sounds a little confusing I know, but
information on head office and branch connectivity seems pretty
sparse.
Any thoughts or suggestions on the general concepts, or the specifics,
very gratefully received.
Thanks.
On Mon, 8 May 2006 23:02:45 -0400, "Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
In news:94D36F6A-913D-4579-9643-60D795ED3285@xxxxxxxxxxxxx,
Don Dickerson <Don Dickerson@xxxxxxxxxxxxxxxxxxxxxxxxx> typed:
I have an SBS 2000 server at the home office, a 2000 member server at
the branch office, the branch office has about 4 PCs, and when I try
to join the PCs to the domain, I get the following message: "The
specified server cannot perform the requested action".
What is mystifying is that one of the PCs a laptop has already been
joined, and works ok with no problems.
Anybody got any ideas?
Thanks
Don
Check your DNS config in the remote office. If you don't have an
AD-integrated DNS server in each location, you need to point all the remote
servers/PCs at the SBS server's LAN IP for DNS. They shouldn't have any
external IPs specified at all - the external requests will be handled by the
forwarders/root hints used by your internal DNS server.
(I do recommend you make your member server a DC/DNS server...and set it up
in its own AD site/subnet)
Note - this group is mainly for SBS2003 issues; you might get more SBS2k
help in microsoft.public.backoffice.smallbiz2000.
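The following is an added worked example, not code from the thread or any of its posters. It models the branch-to-head-office path the posts describe (BO client on 192.168.25/24, BO Vigor, LAN-to-LAN tunnel, HO Vigor at 192.168.1.1, ISA external NIC at 192.168.1.2, SBS internal NIC at 192.168.11.2) as routing tables plus an ISA-style first-match access policy with default deny. It shows why both changes Kev made were needed (the 192.168.11.x range in the BO tunnel definition and the static route on the HO Vigor) and contrasts stephen's "permit all" with a "judiciously chosen subset" of ports. The device names, the rule tuple layout and the port list are assumptions made for the example; the addresses are the thread's own.

```python
"""Constructed model of the two-Vigor / two-NIC ISA path from the thread.

Routes are (prefix, next_hop) pairs per device; next_hop is another device
name, "deliver" (destination is on a directly connected network) or "wan"
(handed to the ISP, which is a dead end for RFC1918 destinations).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
N = ipaddress.ip_network

BO_LAN = N("192.168.25.0/24")   # branch office LAN, addresses handed out by the BO Vigor
DMZ = N("192.168.1.0/24")       # head-office perimeter: HO Vigor (.1) and ISA external NIC (.2)
HO_LAN = N("192.168.11.0/24")   # head-office internal LAN behind ISA
SBS = N("192.168.11.2/32")      # internal NIC of the SBS box
DEFAULT = N("0.0.0.0/0")

Routes = List[Tuple[Net, str]]
Rule = Tuple[Net, Net, str, int, bool]   # (src, dst, proto|"any", port|0, allow)


def lookup(routes: Routes, dst: str) -> Optional[str]:
    """Longest-prefix match, the rule every router and host on the path applies."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[Net, str]] = None
    for prefix, next_hop in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def isa_allows(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """First matching access rule wins; nothing matching means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, r_proto, r_port, allow in rules:
        if s in src_net and d in dst_net and r_proto in ("any", proto) and r_port in (0, port):
            return allow
    return False


def build_topology(bo_tunnel_has_ho_lan: bool, ho_static_route: bool) -> Dict[str, Routes]:
    """Assumed device names. The two flags are the two fixes described in the thread."""
    bo_vigor: Routes = [(BO_LAN, "deliver"), (DMZ, "ho-vigor"), (DEFAULT, "wan")]
    if bo_tunnel_has_ho_lan:          # 192.168.11.x added under "more" on the LAN-to-LAN page
        bo_vigor.append((HO_LAN, "ho-vigor"))
    ho_vigor: Routes = [(DMZ, "deliver"), (BO_LAN, "bo-vigor"), (DEFAULT, "wan")]
    if ho_static_route:               # static route 192.168.11/24 -> 192.168.1.2 (ISA external NIC)
        ho_vigor.append((HO_LAN, "isa"))
    isa: Routes = [(DMZ, "deliver"), (HO_LAN, "deliver"), (DEFAULT, "ho-vigor")]
    return {"bo-vigor": bo_vigor, "ho-vigor": ho_vigor, "isa": isa}


# Illustrative least-privilege subset for a remote site that needs DNS, domain join,
# Kerberos, LDAP, SMB (SYSVOL) and SMTP from the SBS box. Real AD replication and
# Outlook MAPI also need RPC over dynamic ports unless those are pinned in the registry.
MINIMAL_POLICY: List[Rule] = [
    (BO_LAN, SBS, "udp", 53, True), (BO_LAN, SBS, "tcp", 53, True),    # DNS
    (BO_LAN, SBS, "udp", 88, True), (BO_LAN, SBS, "tcp", 88, True),    # Kerberos
    (BO_LAN, SBS, "tcp", 135, True),                                   # RPC endpoint mapper
    (BO_LAN, SBS, "tcp", 389, True),                                   # LDAP
    (BO_LAN, SBS, "tcp", 445, True),                                   # SMB
    (BO_LAN, SBS, "tcp", 25, True),                                    # SMTP
]
PERMIT_ALL: List[Rule] = [(BO_LAN, HO_LAN, "any", 0, True)]


def trace(topology: Dict[str, Routes], policy: List[Rule], src: str, dst: str,
          proto: str, port: int) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk a packet from the BO client's gateway to dst; returns (delivered, hops)."""
    device, hops = "bo-vigor", []
    for _ in range(8):   # guard against a routing loop in the model
        if device == "isa" and not isa_allows(policy, src, dst, proto, port):
            hops.append(("isa", "denied"))
            return False, hops
        next_hop = lookup(topology[device], dst)
        hops.append((device, next_hop or "no route"))
        if next_hop in (None, "wan"):
            return False, hops
        if next_hop == "deliver":
            return True, hops
        device = next_hop
    return False, hops


def main() -> None:
    client, sbs = "192.168.25.50", "192.168.11.2"
    for label, topo, pol, proto, port in [
        ("no HO static route, DNS", build_topology(True, False), PERMIT_ALL, "udp", 53),
        ("tunnel lacks 192.168.11.x, DNS", build_topology(False, True), PERMIT_ALL, "udp", 53),
        ("both fixes, minimal policy, DNS", build_topology(True, True), MINIMAL_POLICY, "udp", 53),
        ("both fixes, minimal policy, RDP", build_topology(True, True), MINIMAL_POLICY, "tcp", 3389),
        ("both fixes, permit all, RDP", build_topology(True, True), PERMIT_ALL, "tcp", 3389),
    ]:
        ok, hops = trace(topo, pol, client, sbs, proto, port)
        print(f"{label:36} {'delivered' if ok else 'FAILED':9} {hops}")


if __name__ == "__main__":
    main()
```

Running it shows the first two cases dying at the HO Vigor's or BO Vigor's default route (exactly the "can ping 192.168.1.1 but not 192.168.1.2" symptom), DNS succeeding once both routes exist, and the minimal policy stopping a non-listed port at ISA while "permit all" lets it through.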