VPN connection to SBS 2003 network

[Zucarita9000]

I want to enable VPN access for our mobile users, so they can access local shares and resources while on the road.
For that, I’ve followed the steps in the Small Business Server admin guide, but I still have some problems. The configuration is as follows:

Server is Windows Small Business Server 2003. This is the Domain Controller, DHCP server, DNS server and Certificate Authority.
Server names is Serverhp, domain is EKAYMM

Problems:
1. The connection doesn’t take place. I get a timeout.
2. Don’t know how to configure VPN in OSX (10.6). I’ve already installed the User certificate, but don’t know how to request a computer certificate.

I have completed these steps:

Installed and configured IAS. Disabled MS-CHAP and enabled Strongest Encryption (128 bit)
Installed and configured Certificate Services. Enterprise root CA (EK roboter Certificate Authority)
Created a Local Computer and Current User Certificate Console (using the Certificates Snap-Ins)
Requested a Certificate for the Windows Small Business Server computer. Certificate Type: Domain Controller
Configured the Remote Access Policy to use EAP authentication.
Open ports TCP 1723 (PPTP), UDP 500 (IPSec) and UDP 1701 (L2TP), forwarding them to the server’s IP.

On the client side, I used the Certificate Console to request User and Computer certificates, which both install correctly.
The VPN connection is configured as follows:

http://emberapp.com/guille779/images/client/sizes/l.png

Here are some other screenshots from the server configuration, which might be useful:
http://emberapp.com/guille779/images/server-ek-dominio-6/sizes/l.png
http://emberapp.com/guille779/images/server-ek-dominio-5/sizes/l.png
http://emberapp.com/guille779/images/server-ek-dominio-4/sizes/l.png
http://emberapp.com/guille779/images/server-ek-dominio-3/sizes/l.png
http://emberapp.com/guille779/images/server-ek-dominio-2/sizes/l.png
http://emberapp.com/guille779/images/server-ek-dominio-1/sizes/lpng
http://emberapp.com/guille779/images/server-ek-dominio/sizes/l.png

OS X VPN configuration:
http://emberapp.com/guille779/images/user/sizes/l.png
http://emberapp.com/guille779/images/choose-an-identity/sizes/l.png
http://emberapp.com/guille779/images/computer/sizes/l.png


UPDATE: I can connect using PPTP from both Windows and OS X. L2TP still gives me problems.

UPDATE 2: L2TP works from inside the LAN, so I think it's a firewall issue. Are there any ports besides those I already forwarded that need to be enabled?

 

[RebateMonger]

Believe it or not, setting up a Windows Server 2003 VPN is really simple. Following the instructions should work fine. That's not to say that making a working VPN is always easy. Thre are definitely things that can turn it into a frustrating experience.

One thing you need to decide is what type of VPN you are creating. PPTP? L2TP? There are differences in the TCP Ports and protocols that must be forwarded through any front-end router/firewall.

If you follow MS' instructions and it won't work, the problem may be a router or firewall problem. To see if that's the problem, hook up a client PC directly in front of the SBS server, inside your network. See if the VPN works. If it works internally, but not from the Internet, then the problem is the router. If it still doesn't work, take a look at any other firewalls that are running.

 

[Zucarita9000]

Believe it or not, setting up a Windows Server 2003 VPN is really simple. Following the instructions should work fine. That's not to say that making a working VPN is always easy. Thre are definitely things that can turn it into a frustrating experience.

One thing you need to decide is what type of VPN you are creating. PPTP? L2TP? There are differences in the TCP Ports and protocols that must be forwarded through any front-end router/firewall.

If you follow MS' instructions and it won't work, the problem may be a router or firewall problem. To see if that's the problem, hook up a client PC directly in front of the SBS server, inside your network. See if the VPN works. If it works internally, but not from the Internet, then the problem is the router. If it still doesn't work, take a look at any other firewalls that are running.

I was able to connect via PPTP from home without problems. I'll give L2TP a second try today and see what happens. I used PPTP with EAP, User Certificates and 128-encryption. Mac and Windows PCs both connected to the network ok.

However, in the Windows PC Network Places is empty. Shouldn't it be populated by the servers and PCs in the LAN as if I'd be locally in the network? I don't see any computers in Network Places, but if I do a \\computername\share I can open it without problems.

I get an IP from the server, DNS is running... but I only see myself. Any ideas?

 

[Emulex]

are you using netbios or dns?

 

[Zucarita9000]

are you using netbios or dns?

dns

BTW, L2TP works from inside the LAN. I believe it's a port forwarding issue.

 

[Zucarita9000]

Anyone?

 

[Emulex]

protocol forwarding? my router has two options for allowing vpn passthrough. i'm just going to run a vm to do vpn/firewall

 

[RebateMonger]

What's the client OS? Is the client joined to a Domain?

Do you have a WINS server available? I've seen WINS give name resolution across a VPN with a Vista client when DNS name resolution would fail because Vista won't remember appended DNS suffixes (XP works fine).

 

[Zucarita9000]

What's the client OS? Is the client joined to a Domain?

Do you have a WINS server available? I've seen WINS give name resolution across a VPN with a Vista client when DNS name resolution would fail because Vista won't remember appended DNS suffixes (XP works fine).

Windows XP. Haven't tried with Vista yet.
WINS is not configured.

It is installed, however when I try to enable it it gives an error with the code 536870911. The services won't start :S

 

[Zucarita9000]

UPDATE: I fixed WINS (reinstalled) and it's now working.
I haven't tried the VPN since I'm inside the LAN now, will try it later today.

I noticed that some Windows Vista machines still don't show up in Network Places. Is there something that I need to configure in Vista?

 

[Zucarita9000]

Well, apparently there's something that eludes me. I got DHCP, DNS, WINS an RRAS configured, yet still VPN client can't see the computer list in Network Places. I don't know what else to do, I've tried pretty much everything I could find. Any ideas? If you some screenshots of my configurations and options I'll be glad to post them.

 

[rasczak]

http://support.microsoft.com/kb/180094

try this. i think the same rules still apply.

also, if i remember correctly, don't you also need port 53 open for DNS?