Re: PPTP misery



Thanks - very grateful for your help. So, in order to clarify to date &
answer your additional question:

1. Domain PCs away from domain will not VPN (see earlier notes). They all
definitely did via the "Connect To Small Business Server" and a separate VPN
connection via the standard wizard (the latter being done to replicate the
"look" of what they had before - don't ask, just a silly cosmetic thing).
Both worked on all notebooks - no question.
2. VPN definitely works on any non-domain PC you care to set up and use.
3. I am going to do what you ask re Firewall & Policy because I value your
judgement BUT do remember that I've already taken a PC off the domain, logged
on as local administrator, turned off Firewall completely and problem still
occurs with new VPN connection that otherwise works on any other PC. I think
you're still right about Policy (but probably only with regard to registry)
and I was also convinced about Firewall but now not so sure of latter because
of aforementioned test.

I'll come back to you after Policy/Firewall changes. I'm going to try to do
so remotely now with a machine they've left running on the LAN for me.

"MSR Consulting SBS Support" wrote:


So, to clarify regardless of all the other content and suspicions...

VPN (PPTP) to the SBS server *will* work from machines that are *not*
members of the SBS domain. It will *not* work if the machine is a
member of the SBS domain. Correct?

If that's true then we know there are no configuration issues on the
server or network as far as its 'ability' to facilitate these
connections.

The only real difference between the domain workstations and the
non-domain workstations in regards to VPN would be A) NTLM
authentication pass-thru processing B) effect of any SBS policies that
could be taking place (both on the server side and workstation side)
and C) Configuration of VPN client if only using the pre-configured
"Connect To Small Business Server" client on domain workstations.

For the moment we're assuming no changes have taken place on external
DNS host names, and since you don't know much about group policies
we're assuming you haven't made many changes there that aren't applied
by wizards. So I'd start with the firewall settings via policy.

Since the firewall is greyed out, but is the most likely culprit, then
we know group policy is affecting it, but we need to know if it's
actually blocking it. To start with let's turn it off entirely.

Go into the Server Management Console > Advanced Management > Group
Policy Management > Forest: YourDomain.local > Domains >
YourDomain.local > Group Policy Objects. (note, don't just try and be
intelligent here and type gpedit.msc)

There should be two GPOs there that are related to the XP Firewall,
one for PreSP2 and one that is PostSP2. Right click on GPO Status
and select All Settings Disabled.

You then need to force the new Group Policy to refresh... open up a
command prompt and enter

C:\>gpupdate /force

You'll get a prompt to log off, do so. You can force the group policy
update from the workstation as well if you wish, but you still want to
log off and back on no matter what. (make sure the workstation is on
the LAN at this point of course).

That should take care of your firewall issue on the workstation if I've
remembered everything right. So give that a shot and see if it makes a
difference with connecting via VPN and let us know.


Question: Do the domain workstations have the automatically installed
"Connect To Small Business Server" shortcut on the desktop? If so are
you using that to try and connect? If it's not there then you didn't
connect the workstations properly to the SBS domain and/or the wrong
template was chosen when setting up the user/workstation from the
wizard which would also explain why it's blocked. (I tend to lean
towards the fact that it's just the enhanced security after the service
pack installations though since it used to work supposedly).

Matt Ridings - MSR Consulting

