SharePoint via VPN in a hosting environment
Hello everybody,
today I come across with a question regarding infrastructure design. Beforehand you have to know, I am not an architect, until now I was just an Sharepoint admin :)
We have a scenario, that one of my customers want us to host a sharepoint 2013 in our datacenter. They also want to use their already existing active directory infrstructure, so they can use all their AD properties for mysite and profiles.
My question is, what could be a supported or feasible configuration?
My first consideration is to connect the customer site via VPN to our DATACENTER with a 50 meg internet connection, placing a RODC in our datacenter which is replicating the AD structure from the customer site via VPN to our DATACENTER, so that the
sharepoint machines can join their domain, replicate all the profile data and also authenticate the users against the active directory in a performant way!
In my opinion, this is the only option because building up an own Active Directory and create an ADFS trust between the brand new active directory and the already existing active directory from the customer, will end up in trouble to replicate the user profiles,
I guess! Not to mention that there will possibly be some performance issues in authenticating the user aganst the sharepoint.
Until now I have no experince in scenarios like this, where technology is spanning via DATACENTERS. In former configurations we had everything (including Active Directory) in our datacenter!
Are there any caveats to do it like I mentioned?
Every hint or thought will be valuable.
Greetings Andre
Hello,
as I recently figured out, there has to be a read/write DC to be reachable for several reasons.
Creating a new sitecollection, people search with people picker and running the farm configuration wirzard are just a few of them.
Here is a KB article I triped over:
http://support.microsoft.com/kb/970612/de
Is there a configuration with ADFS possible, has anybody experience with this?
Regards
AR-Oldenburg
Similar Messages
-
Can connect via VPN, but can't access AFP server on same Xserve
Hi:
I've set up our XServe with MacOS X Server 10.5.2 to do AFP and VPN (L2TP only; PPTP is disabled). The XServe is a standalone server, not connected to any other direstory server.
I can connect to the XServe's AFP server from my Mac over our wired and wireless network. The AFP server shows up in the sidebar of Finder windows. So far, so good.
I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret.
But I cannot connect to the XServe itself to use Server Admin or AFP (using afp://server.company.com or afp://xxx.xxx.xxx.xxx via the Go > Connect to Server command).
The error I get while connecting to the 10.5.2 AFP server is Some data in apf://server.mycompany.com could not be read or written (Error Code -36 ). I saw this error associated with a SMB problem in 10.4.x, but SMB is not running.
Other iChat users in my office also do not automatically show up in the Bonjour list when I connect to the network. Other computers on our network do not appear in the sidebar of a Finder window. (I'm told these are to be expected, as Bonjour isn't supported (in the "local area Bonjour" over a WAN link - it's purely a multicast feature on the network in the office, and won't be routed across the VPN link. True?)
Now, here's the odd part. There is a second server (v10.4.11) on our network running AFP. I can connect to it (using afp://server.company.com via the Go > Connect to Server command) and mount its various sharepoints via the VPN.
The only thing I see in the VPN log that seems amiss is this (but I have no idea what it means):
Tue Mar 11 23:09:27 2008 : Unsupported protocol 0x8057 received
--Both the 10.5.2 and the 10.4.11 servers have DNS properly configured (though our ISP; we're not running our own DNS).
--Both servers and the client have public IP addresses and have the same subnet mask. Network Utility confirms this while connected to the VPN.
--NAT is not running. The ISP is responding with public IPs for the servers.
--The firewall for the 10.5.2 server is not running (but will be once I get this all working).
--The IP address range for the VPN server doesn't overlap our DHCP pool (which also currently uses public IP addresses).
--Any user can access any service.
--No network routing definitions have been set up.
--In essence, I've followed the steps on Pages 141-142 of the Network Services Admin Guide.
One other note: After I connect, the Network Preferences > VPN > Advanced > TCP/IP window shows the IP address for the client just fine (assigned from the VPN pool), but lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?
I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server.... And I'm not sure why I would have to if I can already successfully connect to the 10.4.11 AFP server .
What simple step am I missing?
TIA,
mm"I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret."
I suspect you mean UDP ports and you might need UDP port 1701 open too.
You only need IP protocol 50 (ESP), protocol 51 (AH) isn't used. And ESP is only used when client and server isn't behind NAT (when NAT is used only the UDP ports are used).
"Unsupported protocol 0x8057 received"
This is usually seen when you can't get GRE through but since you don't use PPTP I can't be sure why this is registered in the logs. Sometimes when connecting using PPTP you have to disconnect and then reconnect for everything to work - you might try this for L2TP too.
But if you already can reach services on any LAN nodes through the VPN I wouldn't bother with it.
As you have a firewall in front of the server you need a second alias IP on the server that you can use to get at the services running on the server through the VPN. The firewall blocks all ports protocols not opened - that's why you can't use the server main IP even if the VPN is up.
The netmask is used by all nodes to determine how big your subnet is: what part of the IP number is the network number and what range the node number is in => really: should traffic be directed to a node on the same LAN or sent directly to the gw/router for forwarding.
What you can't do is connect from a NATed network to another NATed network that both are using the same network number. (That's why people should stay away from using the "default" 192.168.0.0/24 and 192.168.1.0/24 networks for VPN server LANs).
Try your settings at http://www.jodies.de/ipcalc to see what I mean.
"...lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?"
Yes. The VPN server is the VPN gw/router.
"The firewall for the 10.5.2 server is not running (but will be once I get this all working)."
If you already have a firewall in front of your servers that is a bit redundant.
"--No network routing definitions have been set up."
"I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server"
You need routing definitions if you want to setup a split tunnel VPN or all traffic is routed through the VPN when connected. The VPN becomes the default gw.
Without ipforwarding ON in the server you can only reach nodes on the server LAN - not Internet.
DNS is needed for your servers forward and reverse names/IPs for advanced services but doesn't need to run in any of your own servers.
If you decide to do a split tunnel VPN config (adding public and private routing definitions) a reachable DNS IP for VPN clients (in VPN config on server) is needed for VPN clients or they can't use names to find anything. To reach this DNS IP if public/not on your server LAN, you need your server to forward IP DNS lookups and have a routing definition for it.
A split tunnel VPN only send traffic for your server LAN through the VPN and all other traffic directly to the local gw/router (Internet). -
Unable to access secondary subnet via VPN
I am having a problem with clients accessing a secondary subnet via VPN.
Clients on VPN are given the address on the 192.168.15.0 subnet. Once connected they can access 192.168.16.0 (Production subnet) fine, but are unable to access the 192.168.8.0 secondary subnet. If you are on the 192.168.16.0 subnet in the office you can access 192.168.8.0 subnet fine. The traffic is coming in via an ASA 5510 then traverses a Juniper firewall and a MPLS router to the secondary subnet. I'm not sure if it's a nat issue or not. Any help would be helpful.
Below is the config of the ASA. Thank you in advance
ASA Version 8.2(5)
hostname charlotte
domain-name tg.local
enable password v4DuEgO1ZTlkUiaA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.254.0 Peak10 description Peak10
name 192.168.116.0 Charlotte_Phones description Charlotte_Phones
name 192.168.15.0 Charlotte_SSL_VPN_Clients description Charlotte_SSL_VPN_Client s
name 192.168.17.0 Charlotte_Wireless_Data description Charlotte_Wireless_Data
name 192.168.117.0 Charlotte_Wireless_Phones description Charlotte_Wireless_Phon es
name 192.168.5.0 Huntersville description Huntersville
name 192.168.16.1 SRX_Gateway description Juniper_SRX
name 192.168.108.0 Canton_Data description Canton_Data
name 192.168.8.0 Canton_Phones description Canton_Phones
name 192.168.9.0 Canton_Wireless_Data description Canton_Wireless_Data
name 192.168.109.0 Canton_Wireless_Phones description Canton_Wireless_Phones
name 192.168.16.4 TEST_IP description TEST_IP
name 192.168.16.2 CantonGW description Canton GW 192.168.16.2
name 192.168.5.1 HuntersvilleGW
name 10.176.0.0 RS_Cloud description 10.176.0.0/12
name 172.16.8.0 RS_172.16.8.0
name 172.16.48.0 RS_172.16.48.0
name 172.16.52.0 RS_172.16.52.0
name 10.208.0.0 RS_Cloud_New
name 10.178.0.0 RS_10.178.0.0 description Rackspace DEV servers
name 10.178.0.6 RS_10.178.0.6
name 172.16.20.0 RS_172.16.20.0
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.63.165.219 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.16.202 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
banner login ASA Login - Unauthorized access is prohibited
banner login ASA Login - Unauthorized access is prohibited
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.16.122
name-server 8.8.8.8
domain-name tg.local
dns server-group defaultdns
name-server 192.168.16.122
domain-name tg.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_2
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object Huntersville 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.48.0 255.255.240.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_8
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_9
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
object-group network DM_INLINE_NETWORK_11
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_12
network-object RS_Cloud 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_13
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_14
network-object RS_Cloud 255.240.0.0
network-object RS_172.16.48.0 255.255.252.0
network-object RS_172.16.52.0 255.255.252.0
network-object RS_Cloud_New 255.240.0.0
network-object RS_10.178.0.0 255.255.0.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_5
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
network-object 192.168.16.0 255.255.255.0
network-object Charlotte_Wireless_Data 255.255.255.0
network-object Canton_Phones 255.255.255.0
network-object Canton_Data 255.255.255.0
network-object Canton_Wireless_Data 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object RS_Cloud 255.240.0.0
network-object RS_Cloud_New 255.240.0.0
network-object 172.16.0.0 255.255.252.0
network-object RS_172.16.8.0 255.255.252.0
network-object RS_172.16.20.0 255.255.252.0
network-object 172.16.0.0 255.255.0.0
network-object Canton_Phones 255.255.255.0
object-group network tgnc074.tg.local
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object tcp eq https
object-group icmp-type DM_INLINE_ICMP_2
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp echo
service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
network-object Charlotte_SSL_VPN_Clients 255.255.255.0
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_5
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_15
network-object Canton_Data 255.255.255.0
network-object host CantonGW
object-group service DM_INLINE_SERVICE_6
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_2 Ch arlotte_SSL_VPN_Clients 255.255.255.0 any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_5 ho st SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_7 Ch arlotte_SSL_VPN_Clients 255.255.255.0 host SRX_Gateway
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE _ICMP_1
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 ob ject-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list Inside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.25 5.255.0 any
access-list Inside_access_in remark Permit all in Char_ORD_VPN
access-list Inside_access_in remark Permit all out Char_ORD_VPN
access-list Inside_access_in extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 log disable
access-list Tunneled_Network_List standard permit 192.168.16.0 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Data 255.25 5.255.0
access-list Tunneled_Network_List standard permit Charlotte_Wireless_Phones 255. 255.255.0
access-list Tunneled_Network_List standard permit Peak10 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Data 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Phones 255.255.255.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Data 255.255.2 55.0
access-list Tunneled_Network_List standard permit Canton_Wireless_Phones 255.255 .255.0
access-list Tunneled_Network_List standard permit Huntersville 255.255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_172.16.8.0 255.255.252.0
access-list Tunneled_Network_List standard permit RS_Cloud 255.240.0.0
access-list Tunneled_Network_List standard permit RS_Cloud_New 255.240.0.0
access-list Tunneled_Network_List standard permit RS_172.16.20.0 255.255.252.0
access-list Tunneled_Network_List standard permit Charlotte_SSL_VPN_Clients 255. 255.255.0
access-list Tunneled_Network_List standard permit 172.16.0.0 255.255.0.0
access-list Inside_nat0_outbound extended permit ip Charlotte_SSL_VPN_Clients 25 5.255.255.0 object-group DM_INLINE_NETWORK_2
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_11 object-group DM_INLINE_NETWORK_12
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_5 object-group DM_INLINE_NETWORK_6
access-list Inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWO RK_1 object-group DM_INLINE_NETWORK_2
access-list Limited_Access extended permit ip Charlotte_SSL_VPN_Clients 255.255. 255.0 host TEST_IP
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.123
access-list Limited__VPN_Acccess_List standard permit Huntersville 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 192.168.16.124
access-list Limited__VPN_Acccess_List standard permit 192.168.16.0 255.255.255.0
access-list Limited__VPN_Acccess_List standard permit host 172.16.8.52
access-list Limited__VPN_Acccess_List standard permit Canton_Phones 255.255.255. 0
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV1
access-list Limited__VPN_Acccess_List standard permit host RS_10.178.0.6
access-list Limited__VPN_Acccess_List remark ORD-VM-DEV2
access-list Limited__VPN_Acccess_List standard permit host 10.178.192.103
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.10
access-list Limited__VPN_Acccess_List standard permit RS_172.16.8.0 255.255.252. 0
access-list Limited__VPN_Acccess_List standard permit 172.16.0.0 255.255.0.0
access-list Limited__VPN_Acccess_List standard permit host 10.178.133.26
access-list Limited__VPN_Acccess_List standard permit RS_Cloud_New 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit host CantonGW
access-list Limited__VPN_Acccess_List standard permit host SRX_Gateway
access-list Limited__VPN_Acccess_List standard permit host 192.168.8.1
access-list Limited__VPN_Acccess_List standard permit RS_Cloud 255.240.0.0
access-list Limited__VPN_Acccess_List standard permit any
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Limited__VPN_Acccess_List remark TGTFS
access-list Limited__VPN_Acccess_List remark TGDEV
access-list Outside_cryptomap extended permit ip 192.168.16.0 255.255.255.0 Huntersville 255.255.255.0
access-list Outside_cryptomap extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Huntersville 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Huntersville 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Canton_Phones 255.255.255.0 Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Huntersville_nat_outbound extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 Canton_Phones 255.255.255.0
access-list Outside_2_cryptomap extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_3 any Charlotte_SSL_VPN_Clients 255.255.255.0
access-list Outside_access_in extended permit ip Huntersville 255.255.255.0 any log disable
access-list Outside_access_in extended permit ip Charlotte_SSL_VPN_Clients 255.255.255.0 any log disable
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_4 host SRX_Gateway Charlotte_SSL_VPN_Clients 255.255.255.0 inactive
access-list Outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6
access-list Outside_cryptomap_2 extended permit ip 192.168.16.0 255.255.255.0 RS_172.16.20.0 255.255.252.0
access-list Canton_nat_outbound extended permit object-group DM_INLINE_SERVICE_6 Charlotte_SSL_VPN_Clients 255.255.255.0 object-group DM_INLINE_NETWORK_15
access-list splitacl standard permit 192.168.16.0 255.255.255.0
pager lines 24
logging enable
logging console emergencies
logging monitor informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool SSL_VPN_Pool 192.168.15.10-192.168.15.254 mask 255.255.255.0
ip local pool New_VPN_Pool 192.168.16.50-192.168.16.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
nat (Outside) 0 access-list Huntersville_nat_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 70.63.165.217 1
route Inside Canton_Phones 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Data 255.255.255.0 CantonGW 1
route Inside Charlotte_SSL_VPN_Clients 255.255.255.0 SRX_Gateway 1
route Inside Charlotte_Wireless_Data 255.255.255.0 SRX_Gateway 1
route Inside Canton_Data 255.255.255.0 CantonGW 1
route Inside Canton_Wireless_Phones 255.255.255.0 CantonGW 1
route Inside Charlotte_Phones 255.255.255.0 SRX_Gateway 1
route Inside 192.168.116.219 255.255.255.255 CantonGW 1
route Inside Charlotte_Wireless_Phones 255.255.255.0 SRX_Gateway 1
route Inside Peak10 255.255.255.0 SRX_Gateway 1
timeout xlate 3:00:00
timeout conn 8:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record TGAD_AccessPolicy
aaa-server TGAD protocol ldap
aaa-server TGAD (Inside) host 192.168.16.122
ldap-base-dn DC=tg,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=vpn user,CN=Users,DC=tg,DC=local
server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.16.0 255.255.255.0 Inside
http Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 1 match address Outside_cryptomap
crypto map Outside_map0 1 set pfs
crypto map Outside_map0 1 set peer 74.218.175.168
crypto map Outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 2 match address Outside_cryptomap_2
crypto map Outside_map0 2 set peer 192.237.229.119
crypto map Outside_map0 2 set transform-set ESP-3DES-MD5
crypto map Outside_map0 3 match address Outside_cryptomap_1
crypto map Outside_map0 3 set peer 174.143.192.65
crypto map Outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map0 interface Outside
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=charlotte
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=charlotte
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 48676150
3082024c 308201b5 a0030201 02020448 67615030 0d06092a 864886f7 0d010105
05003038 31123010 06035504 03130963 6861726c 6f747465 31223020 06092a86
4886f70d 01090216 13636861 726c6f74 74652e74 68696e6b 67617465 301e170d
31323039 32353038 31373333 5a170d32 32303932 33303831 3733335a 30383112
30100603 55040313 09636861 726c6f74 74653122 30200609 2a864886 f70d0109
02161363 6861726c 6f747465 2e746869 6e6b6761 74653081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 8181008e d3e1ac63 a8a39dab 02170491
2bf104d2 732c7fd7 7065758b 03bb9772 c8ab9faf 0e5e9e93 bfb57eea a849c875
7899d261 8d426c37 9749d3d7 c86ca8e0 1d978069 3d43e7c5 569bb738 37e9bb31
0ebd5065 01eb7a05 87933d2d 786a722e 8eee16e7 3207510b f5e7e704 cbddbda2
a6b9ae45 efaba898 b8c921b6 2b05c0fb 1b0a9b02 03010001 a3633061 300f0603
551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
03551d23 04183016 8014fb93 35da7dd5 15d8e2ad 8e05ccf7 b5c333cc 95ac301d
0603551d 0e041604 14fb9335 da7dd515 d8e2ad8e 05ccf7b5 c333cc95 ac300d06
092a8648 86f70d01 01050500 03818100 6851ae52 5383c6f6 9e3ea714 85b2c5a0
fd720959 a0b91899 806bad7a 08e2208e de22cad0 6692b09a 7152b21e 3bbfce68
cc9f1391 8c460a04 a15e1a9e b18f829d 6d42d9bd ed5346bd 73a402f7 21e0c746
02757fb6 b60405a9 ac3b9070 8c0f2fba d12f157b 85dd0a8b 2e9cf830 90a19412
c7af1667 37b5ed8e c023ea4d 0c434609
quit
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 172.221.228.164 255.255.255.255 Outside
ssh Charlotte_SSL_VPN_Clients 255.255.255.0 Inside
ssh 192.168.16.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint1 Outside
webvpn
enable Outside
enable Inside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
svc enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.16.122 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value tg.local
split-dns value tg.local
group-policy LimitedAccessGroupPolicy internal
group-policy LimitedAccessGroupPolicy attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Limited__VPN_Acccess_List
default-domain value thinkgate.local
split-tunnel-all-dns disable
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 192.168.16.122 8.8.8.8
vpn-tunnel-protocol svc
default-domain value tg.local
group-policy Site-to-Site_Policy internal
group-policy Site-to-Site_Policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy LimitedAccessGroupPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL_VPN_Pool
tunnel-group LimitedAccessTunnelGroup type remote-access
tunnel-group LimitedAccessTunnelGroup general-attributes
address-pool SSL_VPN_Pool
default-group-policy LimitedAccessGroupPolicy
tunnel-group 208.104.76.178 type ipsec-l2l
tunnel-group 208.104.76.178 ipsec-attributes
pre-shared-key *****
tunnel-group 74.218.175.168 type ipsec-l2l
tunnel-group 74.218.175.168 ipsec-attributes
pre-shared-key *****
tunnel-group TGAD_ConnectionProfile type remote-access
tunnel-group TGAD_ConnectionProfile general-attributes
authentication-server-group TGAD
default-group-policy GroupPolicy1
tunnel-group 174.143.192.65 type ipsec-l2l
tunnel-group 174.143.192.65 general-attributes
default-group-policy GroupPolicy2
tunnel-group 174.143.192.65 ipsec-attributes
pre-shared-key *****
tunnel-group 192.237.229.119 type ipsec-l2l
tunnel-group 192.237.229.119 ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ef741b4905b43dc36d0f621e06508840
: end
charlotte#What does the packet-tracer say, what does the IPsec associations say (packets encrypted/decrypted)?
This might be faster that going through your hundreds of lines of config. -
I am not sure if this a right forum for this. I have some non-domain devices that are coming in to my network via VPN (VPN client). can someone tell me on how to deny these non-devices coming in to my network. Is their a configuration in the VPN concentrator to deny non-domain computers? please advise
Did u deploy IPSEC in ur VPN network?.If snot, u just deploy IP SEC on all the peers and the VPN server.
IPSEC is a 2 phase VPN security provider.This IPsec along with IKE provides double level security.
With this ipsec, we configure some security parameters like hostname or remote ip address , pre-shared key etc on both ends(server and peer).When a non-domain client tries to access ur VPN, the vpn server may authenticate the in coming client using either ip address or host name and it wil contact with a aaa server or its own database for validating the user.
If u r using an external server for validating the incoming users, u must go for aaa server externally.
For a complete detail of deploying vpn with ipsec,
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493 -
Accessing a subnet via VPN session
Hi everybody.
I have not to much experience configuring and managing VPN´s and at this moment I am facing a bit issue. I've got a remote site which is connected to the headquarters via VPN site to site IP Sec tunnel. When I am in my office I have no problem to reach the remote network, but, when I try to connect to the remote network via VPN client, I can't reach it.
in the remote office I've hot a Router 3800 (Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(13c), RELEASE SOFTWARE (fc2)) in the headquarters I've got an ASA 5520 Version 8.0(3) I've chequed access-list, and network objects and it seems everythink ok.
local network: 10.30.0.0 0.0.0.0
remote network 10.31.0.0 0.0.0.0
ASA
object-group network remote-network
network-object 172.16.27.0 255.255.255.0
network-object 10.31.0.0 255.255.0.0
object-group network network-local
network-object 0.0.0.0 0.0.0.0
access-list VPN_Remote_Access_splitTunnelAcl standard permit 10.31.0.0 255.255.0.0
Router 3800
ip access-list extended vpn
permit ip 10.31.0.0 0.0.255.255 any
Can someone guide me about what is missing in the config? no problem if you need more "sho run" lines.
Regards and Thanks very much!!Hi Ankur, thanks very much for your reply!
this is the "sho run" in my remote router:
I do not undesrtand well your first question, but if it is usefull, I loggin to headquerters "headquerters public ip address"
this is a simple diagram of where I want to connect to:
REMOTE_SITE --------------------------( vpn site to site IP sec tunnel )-------------------------HEADQUERTERS
(10.31.0.0/24 network) (10.30.0.0/16network)
|
|
|
|
REMOTE USER
(10.30.23.130/25)
REMOTESITE#sho run
Building configuration...
Current configuration : 10834 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname PYASU1ROU01
boot-start-marker
boot-end-marker
logging buffered 64000 debugging
no logging console
aaa new-model
aaa authentication login default group tac-auth local
aaa authentication enable default group tac-auth enable
aaa authorization console
aaa authorization exec default group tac-auth local if-authenticated
aaa authorization network default local
aaa accounting exec default start-stop group tac-auth
aaa session-id common
clock timezone PR -3
ip cef
voice-card 0
no dspfarm
crypto pki trustpoint TP-self-signed-4112391703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4112391703
revocation-check none
rsakeypair TP-self-signed-4112391703
crypto pki certificate chain TP-self-signed-4112391703
certificate self-signed 01
30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313132 33393137 3033301E 170D3131 31313234 30323430
34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313233
39313730 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A09B 8740E68A 0C5BB452 D4D26D1B C91E4B5A 71FF0E11 411D70DB ED09EE4C
95C67911 0DFB9557 EB17CE79 9A3AF1C8 3B4DC1C0 75F6B938 F3431C4D 6DEAB793
A560C0AE 88007146 4312FBDF F979476B AB55CACD 9EE00DAC B3227CD6 9861DE87
DD462212 6E8FDA90 7BEA7967 26FCF6B6 6DDDBD5A A6E3D7F8 12AE4F5E 71BDDEE3
D5130203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
551D1104 0F300D82 0B505941 53553152 4F553031 301F0603 551D2304 18301680
14C86D3D 3AF1854B 977D5BD8 A9ABAF33 4E7483BC 3B301D06 03551D0E 04160414
C86D3D3A F1854B97 7D5BD8A9 ABAF334E 7483BC3B 300D0609 2A864886 F70D0101
04050003 8181005A 5A20ACB9 EE50A66C 054B5449 62A98E5F B42E5193 6D3D71A8
B0949BE2 70BE6F3C 2FAD7E2D AA0FCF6C 4D8E8344 035A33D6 6538EF32 33F8C746
31119E9C F08091A2 9F8DCF8F 1B779D90 82F3366C D0F84D6B AB7E3248 E532E224
91E404E9 608ECF11 5525D52B A02C3D9C 7BC1C1EF 496D1246 1125086B 54EEF4A2
94350AFF EA7CB2
quit
username admin privilege 15 secret 5 $1$P3xv$e99l3YcRWgFPEp/m6uXZg1
username cwuser privilege 15 secret 5 $1$Ir9X$CZgLaFy7XKsmT9avFHTTk/
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
crypto keyring apex
pre-shared-key address "headquerters public ip address"
key apex
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp profile companyname
keyring apex
match identity address "headquerters public ip address"
crypto ipsec transform-set esp-aes256-sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac
crypto map outside 10 ipsec-isakmp
set peer "headquerters public ip address"
set transform-set 3DES
set isakmp-profile companyname
match address vpn-companyname
interface Loopback1
description monitoreo
ip address 10.31.21.255 255.255.255.255
interface GigabitEthernet0/0
description Teysa
ip address public ip address
ip nat outside
no ip virtual-reassembly
load-interval 30
duplex auto
speed auto
media-type rj45
crypto map outside
interface GigabitEthernet0/1
description TO CORE-SW
ip address 192.168.255.249 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
interface FastEthernet0/0/0
switchport access vlan 2
duplex full
speed 100
interface FastEthernet0/0/1
switchport access vlan 10
shutdown
duplex full
speed 100
interface FastEthernet0/0/2
switchport mode trunk
shutdown
interface FastEthernet0/0/3
switchport access vlan 10
shutdown
duplex full
speed 100
interface Vlan1
no ip address
no ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nat interface GigabitEthernet0/0 overload
ip access-list extended nat
deny ip host 172.16.27.236 10.0.0.0 0.255.255.255
deny ip 10.31.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 172.16.27.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.31.11.0 0.0.0.255 any
permit ip 10.31.13.0 0.0.0.255 any
permit ip 172.16.27.0 0.0.0.255 host 209.59.188.93
permit ip 172.16.27.0 0.0.0.255 host 190.180.145.46
permit ip 172.16.27.0 0.0.0.255 host 46.51.171.127
permit ip 172.16.27.224 0.0.0.31 any
ip access-list extended vpn-apex
permit ip 10.50.20.0 0.0.1.255 any
permit ip 172.16.27.0 0.0.0.255 any
permit ip 10.31.0.0 0.0.255.255 any
permit ip 10.30.0.0 0.0.255.255 any
route-map nat permit 10
match ip address nat
control-plane
line con 0
password 7 xxxxxxxxxx
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxx
scheduler allocate 20000 1000
ntp server 10.30.5.38
end
REMOTESITE#
Regards! -
Transfer files from mac to company drives via VPN?
I have several files that I design/update on my mac which I want to write to a company network drive.
On my PC I go through the installed VPN (I have host address, passwords etc). I am new to mac's and wondered if a similar method is available?
Any step by step instructions would be very much appreciated.
Al
iMac 2006 Mac OS X (10.4.5)It depends on the VPN system being used by the office.
If it uses PPTP or L2TP, just open /Application/Utilities/Internet Connect and create a new VPN connection profile.
Fill in the blanks and click connect. With luck you'll be connected to the office network via VPN and can do whatever you would normally do while in the office.
If the office VPN uses IPSec as its VPN protocol, or doesn't work with the built-in client then you may need to install a separate VPN client. You should be able to get this from the network administrators, or you can try one of the third-party clients such as VPNTracker or DigiTunnel. -
Unable to connect to the UCCX via VPN
Hello, i have an issue,
when i am trying to login to the supervisor desktop agent via VPN, an error occurred
"unable to create connection with web-server. Chech the server with address *.*.*.*:80"
thankx in advanceWith the script editor, the login prompt requires username/password/IP address of CRS server. So one would think that name resolution would not be required - yet the application references Call Manager by name and my VPN client could not resolve the name until I created a host file entry.
But this doesn't appear to be related to your issue. From your VPN client, are you able to ping your server IP address? -
Hi, does BO support AD SSO against vintela via VPN? Does user can under a SSO environment through VPN from outside of the office.
Thanks.
Regards,
DanielHi Keith,
BI4 users Kerberos authentication. There is no specific tests performed using vendors VPN to support their platform.
Without logs or kerberos events logged, I can only presume what is happening:
- The user logs in the computer with a non-valid DOMAIN\account and then connect to the domain. If he opens the browser in the client computer, is sending the wrong credentials
- When the client computer connects to InfoView, it is not considered "Intranet zone" and therefore is not sending credentials.
- Other problems: Kerberos using UDP, etc. Requires to capture network traffic.
In order to have a realistic test, you should connect a laptop to the network and use a valid domain user, then disconnect from the network and use another network (WIFI for guests or similar) + VPN and test the SSO.
Regards,
Julian -
Hello,
I have a RD farm using 3 Win 2012 servers (1 broker and 2 session host), for internal use only, have not
configured gateway for internet access.
Users are able to connect to RD farm website and remote into terminal server, within office
but can only connect to RD farm website and cannot remote into terminal server , when connected via VPN
Its takes long time at securing connection and fails.
ThanksHi,
Thank you for your posting in Windows Server Forum.
First of all I would suggest you to configure RD gateway role on your server and pass all the connection through it because it’s a best practice to use RD Gateway in RDS Farm.
Apart from this, if you are not using RD Gateway then you must check that you have successfully forwarded port 3389 for RDS to access via VPN. Also check that you have made configuration under IIS Manager to enable Forms Authentication. Please check
this link.
In addition, please refer beneath article for additional details.
1. How to Access Windows Remote Desktop Over the Internet
2. Remote Desktop Services in Windows 2008 R2 – Part 3 – RD Web Access & RemoteApp
(For reference)
Hope it helps!
Thanks,
Dharmesh -
Can I use domain name to access local web (& other) services via VPN?
I've just set up a VPN service for our office but, when connected via VPN, I can't seem to access our Wiki Server via our domain (http://example.private/groups/). Instead it will only let me access it via IP (http://192.168.1.2/groups/)
Is it possible to access it via http://example.private/groups/ and if so what do I need to do?
EDIT: actually, same goes with the local iChat and iCal services too.
Message was edited by: ChristiaanOkay, it's sorted. I phone Apple Support.
The solution is to open Server Admin. Go to VPN Settings, then click on the Client Information tab, then add your local DNS server to the DNS Servers list (in our case 192.168.1.2).
I would have expected the Standard configuration of Leopard Server setup to have added this by default, so I'll submit a bug report when I get a chance. -
Financial Reports Client - 11.1.2.1 - Won't connect via VPN only?
When I try and connect via VPN only. I get: You are not authorized to use this functionality. Contact your administrator.
Here's the log from client. We have ensured the client version matches the server version exactly. Funny as when I'm directly on their network I can connect just fine. Hoping this log will point to solution.
Log:
[2012-06-01T10:31:45.196-04:00] [EPMFR] [ERROR] [] [oracle.EPMFR.core] [tid: main] [ecid: 0000JUcTOpZD4io5KVt1ie1FmD9H000000,0] [SRC_CLASS: com.hyperion.reporting.registry.FRSystem] [SRC_METHOD: lookupHsServer] [[
com.hyperion.reporting.util.HyperionReportException: Could not connect to the server.
Please make sure that the server is running as specified in the logon dialog (including port number if not default).
at com.hyperion.reporting.registry.FRSystem.lookupHsServer(Unknown Source)
at com.hyperion.reporting.javacom.HsServer.getServer(Unknown Source)
at com.hyperion.reporting.javacom.HsHelper.getServer(Unknown Source)
[2012-06-01T10:31:45.273-04:00] [EPMFR] [ERROR] [] [oracle.EPMFR.core] [tid: main] [ecid: 0000JUcTOpZD4io5KVt1ie1FmD9H000000,0] [SRC_CLASS: com.hyperion.reporting.javacom.HsServer] [SRC_METHOD: getServer] [[
java.lang.NullPointerException
at com.hyperion.reporting.javacom.HsServer.getServer(Unknown Source)
at com.hyperion.reporting.javacom.HsHelper.getServer(Unknown Source)
]]I think you have already posted this problem on another post, I said it is possible it could be a ports issue.
Have a look at the following http://www.oracle.com/technetwork/middleware/bi-foundation/epm-component-communications-11121-354680.xls
Select FR studio as the client and it should give indication to the ports that need to be opened.
Cheers
John
http://john-goodwin.blogspot.com/ -
Do I need to run DNS on a colo server being accessed remotely via VPN?
My Mac Mini Server is located in a colo site. We generally use it for Web, email and a couple of application-specific services. It has a dedicated IP address. We have a separate DNS service we use to point to the domains on the server located remotely from the server. Forward and reverse lookups work fine from the server, even though the local DNS service is turned off.
However, we now have a couple of things we want to access remotely on the server via VPN (for example, some files via AFP). The firewall blocks remote AFP requests (using the built-in firewall, not a separate box). We can connect via VPN without problems. However, AFP does not work. If I allow AFP in the firewall and try to connect, no problems at all.
Since the Mini is located by itself and will never likely have anything connected to a "local network" (never running DHCP, etc.), there generally doesn't seem to be a need to run DNS on the server.
I suspect the problem is that when you VPN into the server you are on its "local network", whatever that means, so the DNS does not resolve since the local DNS service is not running. However, I am not positive of this.
Must we run local DNS? Does it have to mirror the remote DNS that we currently reference? Can we somehow "reference" the local DNS from VPN clients trying to access local services?
I hope this question makes some sense.Bear with me please....
The Mac Mini is in a data center on a shelf, getting a direct connection to the Internet via ethernet with a fixed IP address (under the covers, I suspect that the data center is using some sort of router or switch, but I am not paying for a hardware firewall or other gateway). There is no local network for the Mini. It is not running DHCP, not handing out NAT addresses, etc. DNS is currently off. Rather than using the local DNS, the Mini is resolving its DNS needs with a DNS server located at another site, over the Internet. This seems to work fine (i.e., changeip confirms it is working and services seem to work).
I am currently using the software firewall built into SLS.
I want to turn on VPN so that remotely located computers can access services on the Mini without having to make the services visible through the firewall.
I am able to connect devices via VPN with little difficulty (iPhones, Macs, etc.). However, when I try to access services (let's use AFP as an example), I cannot access them UNLESS they are allowed through the firewall. This tells me that I am not seeing the services through the VPN, but rather through the Internet directly.
What I meant by "local network" is that the VPN allocates local IP addresses when devices log into the VPN service (10.0.x.x). There is no DHCP allocating these addresses, just VPN.
My question is: why can I not see the services on the Mini blocked by the firewall when successfully logged into VPN on the server? Isn't the whole point of the VPN to gain access to services behind the firewall?
I am guessing (with no particular information to support my thesis) that somehow without DNS running on the Mini, VPN clients are unable to access services on the Mini. I do not know for sure, however, if this is the problem. If it IS a problem, then the question is whether I should completely copy the DNS entries from the remote DNS server to the Mini and start the service. Will that solve the issue? Create conflicts with the DNS (since it is now located on both a remote service and on the Mini)? It certainly will create a maintenance headache since now I will have to maintain the DNS in both places.
I am hesitant to migrate all of my DNS services to the Mini (because I will also have to go to the domain registrars to change where they point, etc.) to eliminate the remote one. And I am not sure it will solve this problem anyway.
Sorry for all of the typing! -
Poor performance in remote site connect via VPN
Hello
we have site connected via VPN over the internet.
AVR ping time is less then 100ms.
EP perform well within local area network, but users at this site report 20-30 sec per new screen. we also use this line for R/3 connection with good responce time.
do you have any tips for EP tunning for WAN?
TNX
ErezErez,
Is the requests/packets encrypted for external user requests? You can analyze by using HTTPWatch to analyze where the bottleneck/delay is with the response times. Run internal request, and external request and compare reports.
http://www.httpwatch.com/
James -
Can only connect one user at a time via VPN?
Hi, long-term Mac user but new to OS X Server. Dug thru the forums quite a bit but couldn't find an answer to this one - hopefully I wasn't searching with the wrong keywords.
Installed OS X Server 10.6 on a MacBook (white, 1 generation back) at the office. Sits behind an Airport Extreme, which is connected to Comcast. Other machines at the office are NOT routed through the Server, but rather connect directly to the Airport Extreme for internet access. I've set up server.mydomainname.com to point to our Comcast address, and I am able to connect via VPN to the server without any problems, and access the server using the server.mydomainname.com address which I pointed to my Comcast IP address, as long as I check "Send all traffic over VPN connection" on my client.
However, when I'm logged in via VPN on one computer, and then log in via VPN on another computer (with the same UID or a different one), the first one loses all connectivity through the VPN - it's as if it had been logged off.
In Server Admin, under the Settings|Network tabs, I have Computer Name set up as "theserver", and Local Hostname as "theserver" (so I can access via theserver.private). VPN is set up to enable L2TP over IPsec, sharing ranges 10.0.1.200 thru 10.0.1.220; no load balancing, no PPTP. Client DNS servers is set to 10.0.1.29.
Any ideas as to why I can only connect with one client at a time?Thanks. I didn't see anything interesting, but then again I'm not up on VPN details. Here's the scenario:
First, I logged in as "user1", and I can use the VPN.
Then, I logged in as "user2", and I can use the VPN with user2, but user1 is no longer able to do anything over the VPN.
Then I hung up with user2, but user1 still can't see anything over the VPN.
Then I hung up and reconnected with user1, and user1 can use the VPN again.
Here's part of the log for this activity. I've replaced potentially identifying info with "XYZ" for safety. Appreciate any thoughts on this!
Tue Oct 19 07:33:08 2010 : L2TP received ICCN
Tue Oct 19 07:33:08 2010 : L2TP connection established.
Tue Oct 19 07:33:08 2010 : using link 1
Tue Oct 19 07:33:08 2010 : Using interface ppp1
Tue Oct 19 07:33:08 2010 : Connect: ppp1 <--> socket[34:18]
Tue Oct 19 07:33:08 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : lcp_reqci: returning CONFACK.
Tue Oct 19 07:33:08 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:08 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : sent [CHAP Challenge id=0x18 <XYZ>, name = "myserver.private"]
Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:08 2010 : rcvd [CHAP Response id=0x18 <XYZ>, name = "user2"]
Tue Oct 19 07:33:08 2010 : sent [CHAP Success id=0x18 "S=XYZ M=Access granted"]
Tue Oct 19 07:33:08 2010 : CHAP peer authentication succeeded for user2
Tue Oct 19 07:33:08 2010 : DSAccessControl plugin: User 'user2' authorized for access
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfReq id=0x1]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-NAK
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
Tue Oct 19 07:33:08 2010 : Unsupported protocol 0x8057 received
Tue Oct 19 07:33:08 2010 : sent [LCP ProtRej id=0x2 80 47 01 01 00 0f 01 0a 02 1b 63 ff fe a0 dd da]
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x1 <ms-dns1 0.0.0.1> <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfRej id=0x1 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfAck id=0x1]
Tue Oct 19 07:33:08 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : ipcp: returning Configure-ACK
Tue Oct 19 07:33:08 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.213> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:33:08 2010 : ipcp: up
Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:08 2010 : found interface en0 for proxy arp
Tue Oct 19 07:33:08 2010 : local IP address 10.0.1.29
Tue Oct 19 07:33:08 2010 : remote IP address 10.0.1.213
Tue Oct 19 07:33:08 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:08 2010 : rcvd [ACSCP ConfReq id=0x2 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSCP ConfAck id=0x2 <ms-dns1 0.0.0.1>]
Tue Oct 19 07:33:08 2010 : sent [ACSP data <payload len 26, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
<domain: name XYZ>]
Tue Oct 19 07:33:08 2010 : rcvd [IP data <src addr 10.0.1.213> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue Oct 19 07:33:08 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.213> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">]
Tue Oct 19 07:33:08 2010 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
Tue Oct 19 07:33:34 2010 : rcvd [LCP TermReq id=0x2 "User request"]
Tue Oct 19 07:33:34 2010 : LCP terminated by peer (User request)
Tue Oct 19 07:33:34 2010 : ipcp: down
Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:34 2010 : sent [LCP TermAck id=0x2]
Tue Oct 19 07:33:34 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp1, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.213).
Tue Oct 19 07:33:34 2010 : L2TP received CDN
Tue Oct 19 07:33:34 2010 : Connection terminated.
Tue Oct 19 07:33:34 2010 : Connect time 0.5 minutes.
Tue Oct 19 07:33:34 2010 : Sent 777000 bytes, received 105388 bytes.
Tue Oct 19 07:33:34 2010 : L2TP disconnecting...
Tue Oct 19 07:33:34 2010 : L2TP disconnected
2010-10-19 07:33:34 PDT --> Client with address = 10.0.1.213 has hungup
Tue Oct 19 07:33:50 2010 : rcvd [LCP TermReq id=0x3 "User request"]
Tue Oct 19 07:33:50 2010 : LCP terminated by peer (User request)
Tue Oct 19 07:33:50 2010 : ipcp: down
Tue Oct 19 07:33:50 2010 : sent [LCP TermAck id=0x3]
Tue Oct 19 07:33:50 2010 : l2tpwaitinput: Address deleted. previous interface setting (name: en0, address: 10.0.1.29), deleted interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.214).
Tue Oct 19 07:33:50 2010 : L2TP received CDN
Tue Oct 19 07:33:50 2010 : Connection terminated.
Tue Oct 19 07:33:50 2010 : Connect time 3.5 minutes.
Tue Oct 19 07:33:50 2010 : Sent 625383 bytes, received 225586 bytes.
Tue Oct 19 07:33:50 2010 : L2TP disconnecting...
Tue Oct 19 07:33:50 2010 : L2TP disconnected
2010-10-19 07:33:50 PDT --> Client with address = 10.0.1.214 has hungup
2010-10-19 07:33:59 PDT Incoming call... Address given to client = 10.0.1.216
Tue Oct 19 07:33:59 2010 : Directory Services Authentication plugin initialized
Tue Oct 19 07:33:59 2010 : Directory Services Authorization plugin initialized
Tue Oct 19 07:33:59 2010 : L2TP incoming call in progress from 'XYZ'...
Tue Oct 19 07:33:59 2010 : L2TP received SCCRQ
Tue Oct 19 07:33:59 2010 : L2TP sent SCCRP
Tue Oct 19 07:33:59 2010 : L2TP received SCCCN
Tue Oct 19 07:33:59 2010 : L2TP received ICRQ
Tue Oct 19 07:33:59 2010 : L2TP sent ICRP
Tue Oct 19 07:33:59 2010 : L2TP received ICCN
Tue Oct 19 07:33:59 2010 : L2TP connection established.
Tue Oct 19 07:33:59 2010 : using link 0
Tue Oct 19 07:33:59 2010 : Using interface ppp0
Tue Oct 19 07:33:59 2010 : Connect: ppp0 <--> socket[34:18]
Tue Oct 19 07:33:59 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : lcp_reqci: returning CONFACK.
Tue Oct 19 07:33:59 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic XYZ> <pcomp> <accomp>]
Tue Oct 19 07:33:59 2010 : sent [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : sent [CHAP Challenge id=0xf1 <XYZ>, name = "myserver.private"]
Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoReq id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : sent [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : rcvd [LCP EchoRep id=0x0 magic=XYZ]
Tue Oct 19 07:33:59 2010 : rcvd [CHAP Response id=0xf1 <XYZ>, name = "user1"]
Tue Oct 19 07:34:00 2010 : sent [CHAP Success id=0xf1 "S=XYZ M=Access granted"]
Tue Oct 19 07:34:00 2010 : CHAP peer authentication succeeded for user1
Tue Oct 19 07:34:00 2010 : DSAccessControl plugin: User 'user1' authorized for access
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfReq id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : sent [ACSCP ConfReq id=0x1]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-NAK
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfNak id=0x1 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : rcvd [IPV6CP ConfReq id=0x1 <addr XYZ>]
Tue Oct 19 07:34:00 2010 : Unsupported protocol 0x8057 received
Tue Oct 19 07:34:00 2010 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 02 1b 63 ff fe 99 35 cb]
Tue Oct 19 07:34:00 2010 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 04]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfAck id=0x1 <addr 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : ipcp: returning Configure-ACK
Tue Oct 19 07:34:00 2010 : sent [IPCP ConfAck id=0x2 <addr 10.0.1.216> <ms-dns1 10.0.1.29> <ms-dns3 10.0.1.29>]
Tue Oct 19 07:34:00 2010 : ipcp: up
Tue Oct 19 07:34:00 2010 : found interface en0 for proxy arp
Tue Oct 19 07:34:00 2010 : local IP address 10.0.1.29
Tue Oct 19 07:34:00 2010 : remote IP address 10.0.1.216
Tue Oct 19 07:34:00 2010 : l2tpwaitinput: Address added. previous interface setting (name: en0, address: 10.0.1.29), current interface setting (name: ppp0, family: PPP, address: 10.0.1.29, subnet: 255.0.0.0, destination: 10.0.1.216).
Tue Oct 19 07:34:00 2010 : rcvd [IP data <src addr 10.0.1.216> <dst addr 255.255.255.255> <BOOTP Request> <type INFORM> <client id 0x08000000010000> <parameters = 0x6 0x2c 0x2b 0x1 0xf9 0xf>]
Tue Oct 19 07:34:00 2010 : sent [IP data <src addr 10.0.1.29> <dst addr 10.0.1.216> <BOOTP Reply> <type ACK> <server id 0x0a00011d> <domain name "XYZ">] -
Access AFP, email, Remote Desktop via VPN and local network but NOT web
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
How can I do this? Right now I can set up all these services where I can access them via VPN only, but not on the local network or via the web. If I want to access them via the local network I have to open up the ports in the firewall, however this opens up access via the web (not requiring VPN) which I do NOT want. How do I remedy this?
Maybe you are looking for
-
Can I get a straight forward answer on sending email on 800W
Yes I did the search, and I am not suprised that most of the post that comes up when I enter 800W keyword is regarding sending email out. I myself talked to tech department 5 times, the best they did is get it to work for about 2 weeks. So my last
-
Why windows 8 does not recognize ipod touch model A1367 4th Generation?
Why window 8 does not recognize ipod touch model A1367 4th generation? and of course iTunes either.
-
I can't find my box for the serial number. How can I start elements 11 on my new computer?
How can I activate my elements 11 on my new computer. I lost my box that has my serial numbers on it
-
Triggern mittels Diadem8.1 und Goldammer MultiChoice PCILight
Hallo, wir sind dabei eine Messung mit Diadem über die Goldammer Karte PCI Multichoice Light_DA zu erstellen und haben folgendes Problem: Da wir mit einer hohen Abtastrate von 200kHz arbeiten verwenden wir unter Diadem den Messmodus Diskmessung. In d
-
Screen Share Issues, Black Screen
I'm trying to have someone share something in the Adobe Connect room as either a Host or a Presenter. There's a particular program that they're trying to share that is only available on full screen mode on their computer. Whenever it is being shared