<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: VPN setup</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/itanswers/vpn-setup/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/itanswers/vpn-setup/</link>
	<description></description>
	<lastBuildDate>Tue, 21 May 2013 18:28:49 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: astronomer</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/vpn-setup/#comment-36358</link>
		<dc:creator>astronomer</dc:creator>
		<pubDate>Mon, 06 Nov 2006 12:07:21 +0000</pubDate>
		<guid isPermaLink="false">#comment-36358</guid>
		<description><![CDATA[Have you opened GRE (protocol 47)? This is required for PPTP to get through the firewall.
For debugging purposes can you set up a client without going through the firewall? I use our DMZ just outside of the VPN server for testing. This is sometimes very helpful to narrow down the possible causes.
rt]]></description>
		<content:encoded><![CDATA[<p>Have you opened GRE (protocol 47)? This is required for PPTP to get through the firewall.<br />
For debugging purposes can you set up a client without going through the firewall? I use our DMZ just outside of the VPN server for testing. This is sometimes very helpful to narrow down the possible causes.<br />
rt</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: mortree</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/vpn-setup/#comment-36359</link>
		<dc:creator>mortree</dc:creator>
		<pubDate>Fri, 03 Nov 2006 22:49:20 +0000</pubDate>
		<guid isPermaLink="false">#comment-36359</guid>
		<description><![CDATA[Currently the Small Business Server wants to do RRAS authentication of the user before completing the VPN tunnel. Have you configured RRAS fully? Are mobile users allowed remote access by account and RRAS policies? What authentication methods are set in RRAS? When you say you opened port 1723 what do you mean -- port forwarding?

My bet is on mobile user IPs. How are you doing that in a way that is compatible with your internal network firewalls and filters?

Alternatively consider.

Since you have a VPN firewall you should use your Small Business Server simply for RRAS services to approve logon (allowed remote access on account). Point the firewall to the SBS machines for RRAS services.  Configure RRAS and user account for allowing Remote Access. 

To complete VPN tunnels you might need to set certificates or shared secrets on the firewall to pair with mobile users -- capabilities vary with firewall. Certificates are superior but distribution mechanics vary. Ultimately mobile users need access to certificates generated for the firewall and the firewall needs access to certificates for mobile users.

This will end the VPN tunnel at the firewall. The firewall will decrypt and route IP wherever it needs to go in your network. Those users will be able to communicate anywhere in your network AD allows them without passing through and taxing your SBS machine.


If you want to go across a firewall, L2TP is supposed to be easier to get to work, especially if any NAT is in play.

]]></description>
		<content:encoded><![CDATA[<p>Currently the Small Business Server wants to do RRAS authentication of the user before completing the VPN tunnel. Have you configured RRAS fully? Are mobile users allowed remote access by account and RRAS policies? What authentication methods are set in RRAS? When you say you opened port 1723 what do you mean &#8212; port forwarding? </p>
<p>My bet is on mobile user IPs. How are you doing that in a way that is compatible with your internal network firewalls and filters?</p>
<p>Alternatively consider.</p>
<p>Since you have a VPN firewall you should use your Small Business Server simply for RRAS services to approve logon (allowed remote access on account). Point the firewall to the SBS machines for RRAS services.  Configure RRAS and user account for allowing Remote Access. </p>
<p>To complete VPN tunnels you might need to set certificates or shared secrets on the firewall to pair with mobile users &#8212; capabilities vary with firewall. Certificates are superior but distribution mechanics vary. Ultimately mobile users need access to certificates generated for the firewall and the firewall needs access to certificates for mobile users.</p>
<p>This will end the VPN tunnel at the firewall. The firewall will decrypt and route IP wherever it needs to go in your network. Those users will be able to communicate anywhere in your network AD allows them without passing through and taxing your SBS machine.</p>
<p>If you want to go across a firewall, L2TP is supposed to be easier to get to work, especially if any NAT is in play.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
