VPN network folder issue

  • Question

  • Hello,

    I currently have an external firewall appliance, which also handles the VPN connections, set up in the network together with an SBS 2008 at my company. The issue we have is that we cannot access the network folders while we are at home. The VPN connection works fine and e-mail does also. Except for the network folders: it asks for the credentials, but with normal users it does not work. It only works when I enter the administrator account. This should not be used in any case, so does anyone know which group the users have to be part of in order to make this work? I tried a lot of things already. Also, another question: why can't I access the server through its logical name, while through IP it works? I use the SBS as a DNS on my appliance when making the VPN.

    Kind regards
    Davy

    Thursday, November 25, 2010 7:11 PM

Answers

  • You have to specify your internal domain controller in your VPN network connection settings if you want to use domain level addressing. The NETBIOS name will not always work.
    • Marked as answer by dcrijns Friday, July 5, 2019 9:35 AM
    Thursday, February 24, 2011 3:43 PM

All replies

  • I build a lot of VPN connections for clients - the way we do it is as follows:

    On the firewall:

    Create a group - we might call it VPN_Users_Server_only
    (this group will have the VPN limited to the IP of the server, only, they can't browse the rest of the network - never create a blanket (Open) VPN unless you really need it)

    We then create Firewall VPN users - these are not Windows users, they are only known to the firewall - this provides the first layer of logon security.

    So, Jim Bob, Dave Smith, are added to group VPN_Users_Server_Only

    Now we setup the PPTP or other Firewall Service on the Firewall.

    Now we create a rule (in this case we'll use an ANY port rule) - I don't normally do ANY port, just the ones that are needed:

    VPN_ANY_IN_Server_Only
    Source = group "VPN_Users_Server_only"
    Destination = 192.168.10.10 (IP of server)
    Ports: ANY

    Now, when they VPN into the network from outside, they first authenticate with the firewall and create the secure tunnel, then the firewall rule (you need one in most firewalls) lets them access the internal network as you specify.

    Now, Windows authentication comes into play

    Jim Bob opens his home computer, and types the following into the My Computer address bar:

    \\servername\sharename

    Unless Jim Bob's home computer user ACCOUNT and password match his work user ACCOUNT and password he's going to be prompted for a user/password that has permission to access the share.

    One other thing - if your VPN doesn't provide DNS to the LAN, you/he may have to access the share by typing \\192.168.10.10\sharename

    Hope that helps.


    You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that.  Trust yourself.
    spam999free@rrohio.com (remove 999 for proper email address)

    Thursday, November 25, 2010 11:48 PM
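The rule layout from the reply above, checked for the two things it warns about (a blanket destination and ANY ports). This is an added example, not part of the thread: the rule text is constructed, and the `445/tcp, 53/udp` entry is an assumption about which services a share-only VPN group needs.

```python
import ipaddress
import re

# Constructed rules in the Name / Source / Destination / Ports layout of the post.
SAMPLE_RULES = """\
VPN_ANY_IN_Server_Only
Source = group "VPN_Users_Server_only"
Destination = 192.168.10.10
Ports: ANY

VPN_ANY_IN_LAN
Source = ANY
Destination = 192.168.10.0/24
Ports: ANY

VPN_SMB_IN_Server_Only
Source = group "VPN_Users_Server_only"
Destination = 192.168.10.10
Ports: 445/tcp, 53/udp
"""

def parse_rules(text):
    """Turn each blank-line-separated block into a dict of its fields."""
    rules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name, *fields = [ln.strip() for ln in block.splitlines()]
        pairs = (re.split(r"\s*[=:]\s*", ln, maxsplit=1) for ln in fields)
        rules.append({"name": name, **{k.lower(): v for k, v in pairs}})
    return rules

def audit(rule):
    """Return findings for one rule; an empty list means narrowly scoped."""
    findings = []
    if rule.get("source", "ANY").upper() == "ANY":
        findings.append("source is ANY: bind the rule to a VPN user group")
    try:
        hosts = ipaddress.ip_network(rule.get("destination", ""), strict=False).num_addresses
    except ValueError:
        hosts = None
    if hosts != 1:
        findings.append("destination is not a single host")
    if "ANY" in [p.strip().upper() for p in rule.get("ports", "ANY").split(",")]:
        findings.append("ports are ANY: list only the services needed")
    return findings

if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        print(r["name"], audit(r) or "ok")
```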
  • Hello Leythos,

    Thanks for the reply. I think you misunderstood my situation. I have also set up the VPN connection like you did on my firewall and this works fine. I can ping the server and can connect to it, but only with administrator credentials and not via the normal user credentials. Is there a special group in SBS which they need to be part of?

    The other issue is that I can only use the connection via IP to the server. Via \\SBServer\Public it does not work. I have not tried its FQN yet; maybe that works better.

    kind regards
    Davy

    Friday, November 26, 2010 6:13 AM
  • Hi

    Can you check both of your gateway addresses, please?

    If your home GW/address is:  192.168.0.1

    and your work GW/address is:  192.168.0.1

    you will connect to the VPN but cannot access the server resources.

    Please check your home router address and your work router address, and if both are the same, please change the home one.

    Thanks

     


    Naeem Bhatti MCITP EA, MCITP, MCTS Exchange 2007 MCSE security,MCSE AD, MCSE in Messaging, MCDST SBS2003 and SBS2008 Specialist
    Friday, November 26, 2010 9:59 AM
  • Hello nbhatti,

    Some info:
    VNC DHCP is 192.168.250.240 till 250; DNS is 192.168.6.2, which is the SBS 2008.
    Home network GW usually is 192.168.1.1 or 192.168.0.1 around here.

    Kind regards
    Davy

    Friday, November 26, 2010 6:50 PM
  • Hello dcrijns,

    Can you explain your network a little more, please? Mainly the following details.
    SBS 2008 IP address:
    Gateway on SBS 2008 network:
    DHCP server IP:
    DNS server IP:

    Could you also answer the following?
    Are the machines that are using VPN joined to the SBS 2008 domain?
    What O/S are these machines using?

    Friday, November 26, 2010 7:05 PM
  • Hello lwmicha35,

    I tested yesterday with its FQN and it seems to work now using the credentials of the normal user. \\SBServer.domain.local\Public
    I'll let you know if it works in production.
    To answer your question:
    SBS 2008: 192.168.6.2
    Gateway which is the firewall/vpn appliance: 192.168.6.254
    DHCP server via VPN is same as gateway: 192.168.6.254
    DHCP server on local network is SBS 2008: 192.168.6.2
    DNS server is SBS 2008: 192.168.6.2

    Clients use Windows 7 Pro and are joined to the local domain.

    Saturday, November 27, 2010 9:38 AM
  • I thought they were Win 7

    In Windows 7 and Vista, if you try to access a resource over VPN, it will pass the VPN username and password to that resource to try and access it by default. To get round this, go into the TCP/IPv4 settings on the VPN and then the advanced settings. In there, tick the two boxes in the box regarding the DNS suffix. This will solve that problem most of the time; sometimes, however, it still doesn't work. It depends on the format of the FQDN for some reason.

    • Proposed as answer by nbhatti Friday, December 17, 2010 2:09 PM
    Saturday, November 27, 2010 10:33 AM
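The short-name versus fully qualified name behaviour reported in this thread can be checked from the VPN client with a small diagnostic. This is an added example, not code from any poster: `SBServer` and `domain.local` are taken from the thread, and the suffix list passed in is whatever you expect the VPN connection to supply.

```python
import socket

def system_resolve(name):
    """Ask the OS resolver for an IPv4 address; None if the lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def names_to_test(name, suffixes):
    """The name as typed, plus suffix-qualified forms if it is single-label."""
    names = [name]
    if "." not in name.strip("."):
        names += [f"{name}.{s.strip('.')}" for s in suffixes]
    return names

def diagnose(name, suffixes, resolve=system_resolve):
    """Resolve every candidate name and classify the outcome."""
    results = {n: resolve(n) for n in names_to_test(name, suffixes)}
    qualified = [n for n, ip in results.items() if ip and n != name]
    if results[name]:
        verdict = "short-name-ok"
    elif qualified:
        verdict = "fqdn-only"    # DNS answers, but the client is not appending the suffix
    else:
        verdict = "unresolved"   # check which DNS server the VPN connection hands out
    return verdict, results

if __name__ == "__main__":
    # Run on the VPN client while the tunnel is up.
    print(diagnose("SBServer", ["domain.local"]))
```

A `fqdn-only` verdict matches what the original poster saw: the internal DNS server is reachable through the tunnel, so either the share is opened by its full name or the DNS suffix is added to the VPN connection.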
  • I got it working through the FQN name in production now. Did not have any issues yet.
    Thanks for the info lwmicha35 I'll make sure I'll test it next time. Case can be closed. Thanks.

    Kind regards
    D

    Friday, December 3, 2010 8:06 PM