Microsoft
Software
Hardware
Network
Question : Problem: Windows Server 2003 Inconsistent VPN Logon Failure VPN Error 721
HI I have a NAT DSL router Netopia 4562-T series with a Windows Server 2003 RRAS With Router and VPN enabled. I have Computer A with User A configured to connect to the network Via VPN. IF i try to connect from within the Subnet of the VPN server on the internal IP . I can connect 100% of the time. If I try to connect using the Public IP address I can connect 20% of the time. The other 80% of the time I get VPN ERROR 721 after it reached to the user and password portion of the conenction. I seem to have GRE and PPTP Filtered and forwarded. Any ideas as to what may cause this problem?
Answer : Problem: Windows Server 2003 Inconsistent VPN Logon Failure VPN Error 721
>>"what is the best way to configure a windows vpn server client, and a NAT router firewall to allow VPN to work ?"
Assuming you want to use the Windows server as the VPN server have a look at these links:
The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration:
http://www.onecomputerguy.
com/networ
king/w3k_v
pn_server.
htm
Windows XP client configuration:
http://www.onecomputerguy.
com/networ
king/xp_vp
n.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through (GRE protocol 47 -not port 47), and also forwarding port 1723 traffic to the server's IP. For details about that see the following link. Click your router make and model # which will take you to another page where you need to click on PPTP forwarding for details specific to your router:
http://www.portforward.com
/english/r
outers/por
t_forwardi
ng/
routeri
ndex.htm
The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office , the remote should be something like 192.168.2.x (This is important)
Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also depending on your network configuration you may have problems connecting to devices by name. Using the IP address is less problematic such as \\192.168.1.111\SharenName
. See below for name resolution solutions.
>>"Doess DNS need to be configured some way different for VPN to work"
Name resolution often does not work properly over a VPN.
You can resolve this in several ways:
1) Use the IP address (of the computer you are connecting to) when connecting to devices such as; \\123.123.123.123\ShareNam
e or map a drive at a command prompt using
Net Use U: \\123.123.123.123\ShareNam
e
2) An option is to use the LMHosts file which creates a table of IP's and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Et
c\LMHosts.
sam , instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below;
192.168.0.101 CompName #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension ,when saving enclose in quotations like "LMHosts". Now when you try to connect to a computer name it should find it as it will search the LMHosts file for the record before connecting.
More details regarding LMHosts file:
http://www.microsoft.com/r
esources/d
ocumentati
on/Windows
/
2000/serv
er/reskit/
en-us/Defa
ult.asp?ur
l=/resourc
es/
documen
tation/win
dows/2000/
server/res
kit/en-us/
cnet/
cnfd_
lmh_QXQQ.a
sp
The drawback of the LMHosts file is you have to maintain a static list of computernames and IP addresses. Also if the remote end uses DHCP assigned IP's it is not a feasible option. Thus in order to be able to use computer names dynamically try to enable with some of the following options:
3) if you have a WINS server add that to the network cards configuration
4) also under the WINS configuration on the network adapter make sure NetBIOS over TCP/IP is selected
5) try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration
6) verify your router does not have a "block NetBIOS broadcast" option enabled
7) test if you can connect with the full computer and domain name as \\ComputerName.domain.loca
l If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
Random Solutions
Problem: are all sata hard drives compatible?
Problem: Lenovo dual monitor problem
Problem: Full backup or Ghost Image of Call manager 6 ?
Problem: CISCO 1601R x.25 debugging
Problem: Getting Rid of Annoying "Welcome to Your New iPod" message in iTunes
Problem: Gigabit Ethernet - Dropping Packets - How to Minimize?
Problem: Intel & AMD, CPU, All Current, Operating Temperatures
Problem: How do I stop the Add Hardware Wizard?
Problem: Electrical Surge? Overload?
Problem: Blackberry won't activate - Invalid PIN