How to set up a Server 2008 VPN / DHCP server under specific circumstances?

    Question

  • I'm setting up a Windows Server 2008 SP1 Enterprise Server just for kicks. I'm a real computer junkie, but networking beyond troubleshooting was never my thing (of course, I know what DHCP is, VPN, standard DNS etc). I'm trying to set up a VPN server with the hopes I can access my file shares from outside my network, but really I just want the learning experience. Here's my problem: I have set up the VPN server on the Server in a way that I can connect while connected to my local network (of course, pointless) and I've tested the connection and it works. What doesn't work is internet access through the VPN tunnel. My server won't hand out IPs through DHCP in any way, shape or form. And so when I connect my laptop to the VPN server, and I do ipconfig /all, I get the information that the server is NOT enabling DHCP, that my laptop has not been assigned an IP and that I cannot connect to the internet.

    Here is my network setup:

    I have a DLink DIR-655 running the show. It has a DHCP reservation for my Windows Server 2008 (called OPTIPLEX-SERVER) for the local IP 192.168.0.100. The DIR-655 has the built-in DHCP server enabled for handing out IPs to all of its clients. Most of the computers, iPads and phones connected to the router are wireless, but I have a home office where I use an 8-port Gigabit switch connected to four different computers minus my Mac, which is plugged directly into the router.

    The Windows Server computer is running on a VMware VM under Windows 7 Ultimate on a Dell OptiPlex GX270 with 2 GB RAM and an Intel Pentium Single-Core x86 CPU with a 2.66 GHz clock speed. The VM has a bridged network to the physical network (if you're familiar with VMware, the checkbox under network that says 'replicate physical network state' is NOT checked, didn't know what that meant and didn't know if it was important) and the router recognizes the VM, obviously.

    The Optiplex has only ONE NIC card in it--the built-in one. I configured the Routing and Remote Access part of the 2008-named Network whatever role to use custom configuration, because Server 2008 AND Server 2003 won't let you configure VPN through the normal setup if you don't have more than one NIC. I checkmarked VPN in my custom configuration setup wizard (when you configure Routing and Remote Access) and I checkmarked NAT (Network Address Translation, and that's about all I know about NAT. I don't know if I need it, what it does or how it works with my VPN, so I check marked it just in case, if someone could explain NAT to me as well that'd be great). I had no choice to use my DHCP server scope that I had set up, and I'll get into my DHCP problems later on.

    Here's my DHCP server setup that I configured:

    I didn't know what I was doing, but I got a little confused on this part. My router has a DHCP server and it sends out IPs to the clients. Well, why would my server need a DHCP server enabled if I only had one client connecting through the VPN tunnel to the server 2008? What will the DHCP server enabled on 2008 do with my DHCP server enabled on my router? Will they conflict? Can they see each other, or is one local to the server and its connections and the other is just out there doing its normal job? Can someone explain this to me?

    I set up a scope, not knowing what I was doing. I simply put in the knowledge I knew and transferred it to the scope wizard. I made the IP address scope 192.168.13.1 to 192.168.13.254 (or something like that, does it matter the IP? Does it have something to do with my router? My router DHCP address scope is 192.168.0.100 to 192.168.0.254) and I made the subnet mask 255.255.255.0 (that was the only subnet mask I've ever known in the days of my old networking jobs, I don't know what subnet mask does.). It just made it, it didn't do anything but sit there.

    So when the time came to set up the VPN server, I was able to use the Dial-in tab underneath my username in AD Users to enable VPN access, and then I logged in. After a failed password attempt (stupid caps lock) I was able to connect to my VPN, but again, as I mentioned, under CMD and the ipconfig /all command I had no IP address on my VPN client through the VPN tunnel, it said that DHCP was not enabled, but it saw the subnet mask as 255.255.255.0. Remember, since I have only one NIC card (ethernet, Intel PRO/1000 ethernet chip) I couldn't do normal setup for VPN in the RARA wizard. I assume that the computer got the subnet mask as an inheritance from the VPN server, or just had it, I don't know what the subnet mask does or how it works.

    As a sidenote, I have a DNS server enabled, and when I set up the pointless DHCP server on my 2008 Enterprise server it asked for a DNS server, and it automatically had 192.168.0.100 (the dhcp-reserved on the router IP for my server) in there, so I went with it. But what does DNS do for servers that are inside the network? I was under the assumption that DNS translates a hostname to the public IP that leads to the server, so what could it do for me here? Is it relevant?

    So basically, what I need to do is to figure out how I can get internet access through my VPN tunnel. And if I could know what all of these things actually do for my current situation (DHCP in my server AND my router? NAT? DNS?). I'm sorry I ask a lot of questions, but I have a lot of stuff wrong. If you need any more information let me know.

    thanks in advance,

    Hunter


    • Edited by Hunter Eisler, May 5, 2012 1:38 PM. Spelling error.
    May 5, 2012 1:38 PM

Answer

  • Hi Hunter,

    Thanks for posting here.

    After reading your post, I understand that clients outside the network are currently unable to get an internal IP address through the VPN tunnel after the tunnel has been established. So this is the first issue we are facing, and then we want VPN clients to be able to get internet access even after the tunnel is created. If I misunderstand, please let me know.

    First of all, RRAS has two ways to get internal addresses to issue to incoming VPN connections: a static address pool or an internal DHCP server. You can read about that at the link below:

    IP Address Assignment

    http://technet.microsoft.com/en-us/library/dd469712(WS.10).aspx

    Meanwhile, we can also have a single-homed RRAS server accept incoming VPN connections and route to the internal network; we can also read about it in the blog post below:

    VPN server deployment: IP Addressing, Routing/NAT, Single vs two NIC

    http://blogs.technet.com/b/rrasblog/archive/2006/09/20/vpn-server-deployment-ip-addressing-routing-nat-single-vs-two-nic.aspx

    > I set up a scope, not knowing what I was doing. I simply put in the knowledge I knew and transferred it to the scope wizard. I made the IP address scope 192.168.13.1 to 192.168.13.254 (or something like that, does it matter the IP? Does it have something to do with my router? My router DHCP address scope is 192.168.0.100 to 192.168.0.254) and I made the subnet mask 255.255.255.0 (that was the only subnet mask I've ever known in the days of my old networking jobs, I don't know what subnet mask does.). It just made it, it didn't do anything but sit there.

    So we have set a DHCP scope on RRAS whose issued address range is not in the same IP segment where the RRAS server is located. It is expected that VPN clients would not get an address, because we need a DHCP relay to issue addresses across different subnets. Usually we suggest using a Windows DHCP server to issue addresses for the internal network, because some services (like dynamic DNS update for clients) require Windows-based DHCP to work properly.

    If we are new to RRAS and VPN settings, I'd suggest starting from a series of blog posts that introduce the whole design and configuration process in detail; that will give a better view of this service:

    Remote Access Design Guidelines – Part 1: Overview

    http://blogs.technet.com/b/rrasblog/archive/2009/03/17/remote-access-design-guidelines-part-1.aspx

    Thanks.

    Tiger Li


    TechNet Community Support

    • Proposed as answer by Tiger Li, May 10, 2012 9:38 AM
    • Marked as answer by Tiger Li, May 14, 2012 8:25 AM
    May 9, 2012 11:11 AM
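
The subnet mismatch described in the answer above, written as a check that can be run before choosing a DHCP scope or a static address pool for VPN clients. This is an added example, not part of the original thread: the server address, mask, router range and 192.168.13.x scope come from the question, the two other pools are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Values taken from the question.
RRAS_IP = "192.168.0.100"
NETMASK = "255.255.255.0"
ROUTER_DHCP = ("192.168.0.100", "192.168.0.254")
SERVER_SCOPE = ("192.168.13.1", "192.168.13.254")


def same_segment(server_ip, netmask, start, end):
    """True if the whole range lies on the server interface's subnet."""
    net = ipaddress.ip_interface(f"{server_ip}/{netmask}").network
    return (ipaddress.ip_address(start) in net
            and ipaddress.ip_address(end) in net)


def ranges_overlap(a_start, a_end, b_start, b_end):
    """True if two inclusive address ranges share at least one address."""
    a0, a1 = ipaddress.ip_address(a_start), ipaddress.ip_address(a_end)
    b0, b1 = ipaddress.ip_address(b_start), ipaddress.ip_address(b_end)
    return a0 <= b1 and b0 <= a1


def review_pool(server_ip, netmask, pool, other_dhcp_range):
    """Return a list of problems with a proposed VPN client address range."""
    findings = []
    if not same_segment(server_ip, netmask, *pool):
        # The case from the thread: clients on this range are not on-link
        # with the RRAS interface.
        findings.append("off-subnet")
    if ranges_overlap(*pool, *other_dhcp_range):
        # Two address sources handing out the same addresses.
        findings.append("overlaps-other-dhcp")
    start, end = (ipaddress.ip_address(a) for a in pool)
    if start <= ipaddress.ip_address(server_ip) <= end:
        findings.append("contains-server-ip")
    return findings


if __name__ == "__main__":
    samples = {
        "scope from the question": SERVER_SCOPE,
        "constructed pool A": ("192.168.0.50", "192.168.0.60"),
        "constructed pool B": ("192.168.0.90", "192.168.0.120"),
    }
    for name, pool in samples.items():
        result = review_pool(RRAS_IP, NETMASK, pool, ROUTER_DHCP)
        print(f"{name}: {pool[0]}-{pool[1]} -> {result or 'ok'}")
```
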

All replies

    • Merged by Tiger Li, May 8, 2012 8:13 AM
    May 5, 2012 3:29 AM
    • Edited by MYousufAli, May 5, 2012 5:28 AM
    May 5, 2012 5:24 AM
  • Remote Access Deployment – Part 2: Configuring RRAS as a VPN server.

    How to Use DHCP to Provide Routing and Remote Access Clients with Additional DHCP Options.

    I would have asked here.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/threads


    Thanks

    OK, that helps a little, (and I posted a new thread in where you said, thanks) but I need it in a way like "explain it like I'm five" kind of way. The first link doesn't apply to me because I have only one NIC and I can't do normal setup configuration on the RRAS wizard. The second link--confusing.
    May 5, 2012 1:41 PM