NAP on SBS2011: cannot get resource access through VPN

  • Question

  • I recently migrated my 2003Server to SBS2011, and everything seems to be running OK. I have a problem using network resources when I connect my Win7 Pro laptop via VPN to the server.

    I have set the server up as a RAS server, and I have no problems connecting to the server via VPN. I do have access to the server's resources (at least I can browse the server's folders). I do NOT have access to other resources on the network (my old server, which has been demoted to BDC and hosts some shared folders, a NAS, or my desktop). I have tried now for a week to troubleshoot this, and I am nowhere. When I open the Remote Access Clients in the Server manager, I can see my laptop as a remote client with the status "Not NAP-capable". As a Win7/64 PC, it should be NAP capable. I have followed a number of allegedly "step-by-step" instructions, but they tend to lose themselves in the nitty-gritty, and invariably I end up with a step that doesn't seem to work on my system. The last one was that I was supposed to request a "Computer" certificate from my certificate server, and that was not available. I have had to install hotfixes to fix some broken dialogs, etc.

    Is there a simple "step-by-step" instruction for how I can get this going? Or can I simply turn off the whole NAP thing?

    I should say that I don't want to join my laptop to the domain.

    Help, please.

    Monday, October 22, 2012 12:12 AM


All replies

  • Follow-up:

    I followed a few more documents dealing with the issue and I am somewhat more confused. When I look at the server console at the remotely connected clients, I see that my laptop is connected as "NAP non-compliant". However, when I look at the NAP log, I find that my laptop is connected with "full access". Not sure how that works together.

    I am also not sure how the server has to be configured as a RADIUS server so it can provide the correct health certificates.

    And third, playing around I found that I cannot access another server if I try its name as it shows up in the network environment ("server2003"). I get an error message that the computer cannot be found. However, when I use the IP address (\\x.x.x.106), I DO get access to the resources. I wonder if that has to do with the DHCP settings. The DHCP in my system is provided by the firewall, not the SBS2011. Does the SBS2011 have to be the DHCP server? If not, why would the names not be resolved?

    Monday, October 22, 2012 5:24 AM
  • Hi,

    Thanks for your post.

    Besides NAP for the VPN connection, have you tried setting up only a network policy for VPN? This will not validate the health of the remote client. If this is available, you need to remove all NAP for VPN policies and rerun the wizard to configure NPS for VPN. Click NPS, on the right side, select RADIUS server for Dial-Up or VPN Connections. Then, finish the wizard and verify whether the issue still persists. However, if you prefer to troubleshoot the NAP issue, you may refer to the following article.

    Tools for Troubleshooting NAP

    http://technet.microsoft.com/en-us/library/dd348461(v=ws.10).aspx

    Best Regards,

    Aiden

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Aiden Cao

    TechNet Community Support

    Tuesday, October 23, 2012 6:40 AM
  • I think I have gotten a bit closer, but no real solution yet. I have my network set up on 192.168.0.x with the firewall as the DHCP server. I also have a WAP on the network that has its own DHCP for a 192.168.1.x subnet. I had done this to make the internet access possible for visitors without exposing my computer network. In the past I would simply connect to the WAP, then VPN into my 192.168.0.x network, and I had access to all resources. That didn't work anymore, unless I used the IPs of the resources or name.domain.local for the resource.

    So I installed WINS on the 2003 server, and now I can vpn in to the network via the WAP, and everything works fine. So far so good.

    When I vpn into the network through a different network (I am now trying this from a local wireless hotspot), WINS has not made a difference. I can VPN in, but to access the resources, I still need to either enter the IP address of the resource, or I have to use name.domain.local. And there are some devices on the network (NAS) for which ONLY the IP address works. Now, I could of course use fixed IP addresses and keep a list somewhere, but that pretty much defeats the purpose.

    I then tried to use this method: http://nicholas.piasecki.name/blog/2009/06/getting-wins-like-computer-name-resolution-over-vpn-in-sbs-2008/, but since the DHCP is done by my firewall, I can't use it. (At the point where this suggests to "add a new routing protocol" I get an error message that says that no protocols can be added. That is probably because the firewall is the DHCP server, not my SBS.)

    So, on the plus side I think this whole issue is a name resolution issue which I hope to resolve at some point.

    1) Does anybody have some suggestions what else I can try?

    2) Can I install DHCP on my SBS, but not use it? Perhaps that would enable me to use the method described in the link above. Or does the SBS automatically assume the DHCP role when I install it? I don't mind if it does, but I would have to reprogram the static IPs that I DO have, and I'd like to avoid that.

    Tuesday, October 23, 2012 10:54 PM
  • Hi,

    Thanks for your update.

    Please manually configure the VPN server with the IP addresses of the appropriate DNS and WINS servers. By default, the VPN clients inherit the DNS and WINS server IP addresses configured on the VPN server. However, VPN clients that are capable of sending a DHCPINFORM message get their DNS and WINS server IP addresses from the DHCP server. If we cannot put the DNS/WINS options in the DHCP request, you may consider using a static IP pool on the VPN server. It will inherit the DNS and WINS server setting on all VPN clients.

    Configure the Way RRAS Assigns IP Addresses to VPN Clients

    http://technet.microsoft.com/en-us/library/dd469667.aspx

    Best Regards,

    Aiden

    • Proposed as answer by Aiden_Cao Monday, November 5, 2012 2:01 AM
    • Marked as answer by Aiden_Cao Tuesday, November 6, 2012 6:04 AM
    Thursday, October 25, 2012 8:53 AM
  • Hello Aiden,

    thank you for your reply. It seems to have helped somewhat.

    I set the VPN servers to static address pools (non-overlapping), and I can see resources on both servers now by simply clicking on the names of the servers or entering them into the address field of the explorer. Thank you.

    However, if I try to access a Win7 PC that is a member of the domain, I can't see it. Not by name, not by name with the domain extension, and not by IP.

    I also have a NAS which I can only access by its IP. Now, that one is not running a Windows OS, probably some Linux OS, and I don't know if that has anything to do with it.

    I'd like to try your first suggestion, configure the VPN server with the DNS and WINS server address. Where do I do that in 2003 Server and SBS2011? I could not find a place where I could enter those IP addresses.

    Friday, October 26, 2012 5:50 AM
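The three checks described in the post above (short name, name with the domain suffix, IP address) can be run from the VPN client in one pass. This is an added example, not part of the original thread; the host names, the `domain.local` suffix and the IP addresses are constructed placeholders, and TCP port 445 is assumed to be the file-sharing port on each target.

```powershell
# Added example. Host names, DNS suffix and IP addresses are constructed placeholders.
$Targets = @(
    @{ Name = 'server2003'; Suffix = 'domain.local'; IP = '192.168.0.10' },
    @{ Name = 'nas';        Suffix = 'domain.local'; IP = '192.168.0.20' }
)

function Resolve-Name([string]$HostName) {
    # Uses the Windows resolver; returns IPv4 addresses, or nothing on failure.
    try {
        [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    } catch { }
}

function Test-Smb([string]$Address, [int]$TimeoutMs = 2000) {
    # TCP connect to port 445 (assumed file-sharing port) with a timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Address, 445, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$report = foreach ($t in $Targets) {
    $short = @(Resolve-Name $t.Name)
    $fqdn  = @(Resolve-Name ('{0}.{1}' -f $t.Name, $t.Suffix))
    $byIp  = Test-Smb $t.IP

    if (-not $byIp) {
        $finding = 'Unreachable by IP: not a name-resolution problem'
    } elseif ($short.Count -eq 0 -and $fqdn.Count -gt 0) {
        $finding = 'FQDN only: client has no DNS suffix or WINS server for short names'
    } elseif ($short.Count -eq 0) {
        $finding = 'IP only: no name record the client can resolve'
    } else {
        $finding = 'OK'
    }
    New-Object PSObject -Property @{
        Host = $t.Name; ShortName = ($short -join ','); Fqdn = ($fqdn -join ',')
        SmbByIp = $byIp; Finding = $finding
    }
}
$report | Format-Table Host, ShortName, Fqdn, SmbByIp, Finding -AutoSize
```

Run it once before and once after changing the DNS/WINS or address-pool settings on the VPN server, so the effect of each change is visible per host.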
  • Hi,

    To change the WINS server setting, please follow the steps below:

    Network Adapter Properties -> Internet Protocol (TCP/IP) -> Advanced -> WINS tab -> click the Add button to add the WINS server IP address.

    For more detailed information, you may also refer to the following article. Hope it helps.

    How to change the WINS and the DNS addresses that are assigned by Routing and Remote Access in Windows 2000 and in Windows Server 2003

    http://support.microsoft.com/kb/842575

    Best Regards,

    Aiden

    • Proposed as answer by Aiden_Cao Monday, November 5, 2012 2:01 AM
    • Marked as answer by Aiden_Cao Tuesday, November 6, 2012 6:04 AM
    Monday, October 29, 2012 2:24 AM
  • Hi,

    How are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

    Best Regards,
    Aiden

    Wednesday, October 31, 2012 1:37 AM