VPN issues with Windows 7 (professional help needed)


#1

So I'm a low-level systems administrator (AS in Computer Network Systems), and I manage a VPN server for my office among other duties. Anyway, I am encountering intermittent problems between a Windows 7 machine and our VPN server. It gets error 800 fairly often (multiple times per day) on that machine only.

So the setup is this:

The VPN is set up as PPTP behind a Netgear firewall; no problems occur when VPN'ing from outside the office. Inside the office I have a wireless router attached to the network via our switch, and two employees work on their laptops through this wireless network. Now, I don't know if this is good practice, but they connect to the wireless network, and then to access network resources they need to connect to our VPN server. The two OSes connecting are Windows 7 and Mac OS 10, but the problem only occurs for the Windows 7 machine.

So I was told port forwarding could help, but I'm not entirely sure how I need to set it up in this instance. I know the VPN's port is 1732 (or something like that), but what I read said I'm supposed to forward that port to the VPN server's internal address, which I can't find for the life of me. Any assistance with this, even stuff that seems extremely obvious, would be appreciated (I usually miss the most obvious answers to questions).


#2

Internal address? As in, the server’s IP address? That’s all I’m drawing here. That would be as easy as adding the server’s IP addy into the Port Forward list. That’s how I would interpret it, anyway.

Also, do you have access to the users' profiles in Active Directory? Make sure their Dial-In tab is set to Allowed. Otherwise VPN will not function. I hope that helps a little!


#3

Hmmm, I didn't even think about it being that simple... I assumed it had to be something more than that, but now that you're saying it, that actually sounds incredibly reasonable.

And yeah, I set up their Active Directory, so I know the user is set to allow dial-in. Man, I'm gonna be annoyed with myself if it turns out to be that simple, lol.


#4

It’s all good man, the worst IT mistakes are the simplest kind, lol. Let me know if it works, I’m curious to see how it all turns out.


#5

The router won't let me enter a custom IP address to forward the PPTP service to; it's locking me in at 192.168.1.? and only allowing me to change the final digit, which is annoying because our internal addressing is all 10.10.10 addresses...

Never mind, it was doing that because I put the wireless router on the 192.168 scheme and forgot about it. Got port forwarding going now; just have to wait and see if the problem still occurs today. If this doesn't work I'm going to try putting an exception in the Windows 7 firewall, because I'm fresh out of other ideas, lol.
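The "exception in the Windows 7 firewall" idea is easy to get wrong, because a PPTP client needs two things to reach the server, not one: the TCP 1723 control channel and GRE (IP protocol 47), which carries the tunnelled traffic and has no port number at all. Error 800 is the client's generic "could not establish the tunnel" failure, so either path being blocked produces it. The script below is an added example, not something from this thread or from Netgear; it runs on the Windows 7 laptop in an elevated PowerShell 2.0 prompt, and the server address 10.10.10.5 and the rule names are placeholders.

```powershell
# Added example (not from the thread). Run on the Windows 7 laptop from an
# elevated PowerShell prompt. $VpnServer is a placeholder; use the PPTP
# server's real 10.10.10.x address.
$VpnServer = '10.10.10.5'

# Probe the PPTP control channel (TCP 1723) with a plain socket connect.
# Windows 7 has no Test-NetConnection, so .NET TcpClient is used directly.
function Test-PptpControlChannel {
    param([string]$Server, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, 1723, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no SYN/ACK within the timeout
        }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false              # refused, unreachable, or DNS failure
    } finally {
        $client.Close()
    }
}

if (Test-PptpControlChannel -Server $VpnServer) {
    Write-Host "TCP 1723 to $VpnServer is reachable"
} else {
    Write-Host "TCP 1723 to $VpnServer is blocked or the server is down"
}

# GRE cannot be probed with a socket test because it has no ports. What you
# can do locally is make sure Windows Firewall allows both the control
# channel and GRE outbound to the server. Outbound traffic is allowed by
# default on Windows 7, so these rules only matter if that default was
# tightened, but they are what "adding an exception" for PPTP means.
netsh advfirewall firewall add rule name=PPTP-1723-out dir=out action=allow protocol=TCP remoteport=1723 remoteip=$VpnServer
netsh advfirewall firewall add rule name=PPTP-GRE-out dir=out action=allow protocol=47 remoteip=$VpnServer

# Confirm the rules exist as intended.
netsh advfirewall firewall show rule name=PPTP-1723-out
netsh advfirewall firewall show rule name=PPTP-GRE-out

# Show the path the laptop takes to the server. With the wireless router
# NATing 192.168.1.0/24 onto 10.10.10.0/24, the first hop is that router,
# and it is the device that has to carry GRE through its NAT.
tracert -d $VpnServer
```

If TCP 1723 connects but the connection still fails with error 800, the GRE leg is the usual suspect: a consumer router doing NAT between the wireless subnet and the office LAN has to track GRE specially (the setting is commonly labelled "PPTP passthrough" or "VPN passthrough"), and port forwarding on that router does nothing for an outbound client connection.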


#6

Only thing I’m wondering is why are they VPNing while at the office? That seems flawed logic. Surely you’d just connect the AP to the rest of the network? That at least seems to make the most sense to me on resolving the issue.


#7

If I recall, there were complications getting the AP fully into the network... although you're probably right, and I simply need to step it up and figure out why the AP wasn't wanting to connect normally (it was like /the/ first thing I did in the office, fresh out of school). I'm really not the greatest at this kind of thing, and it's made more difficult because it's a small business, so instead of working on Cisco equipment where I can just input things command-line style, I have to use Netgear's stupid GUI to do everything. Anyway, I appreciate the advice ^^


#8

Wasn't really advice so much as wondering, but yeah, that makes sense. I really do understand when things don't work out how you want them, especially in terms of computers. I would take a guess it's not the firewall, like you said, though definitely give it a try. If it's working externally then it should work fine at the office. I do have one question about the setup: where are they getting an internet connection from to use VPN if they aren't actually connected to the network? Cheers buddy.


#9

The issue you're hitting is that you're using a Netgear router for your wireless access onto your network: it is only aware of its own subnet, which is 192.168.1.0/24.

Long story short, you won't be able to enter the address because the router thinks that the 10.10.0.0/16 network is, effectively, the internet, as that's where it's getting its uplink from. The router may have the ability to act as a switch (i.e. disabling DHCP); however, you probably won't be able to use it as a wireless access point if you do that.

Looks like you were able to move past that, but the explanation may be useful anyway. If you can make the connection at all, port forwarding shouldn't make any difference.

You should really invest in something like a PIX if you're looking for a solid VPN solution, especially if the rest of your network is already on a Cisco solution.


#10

They are getting the internet connection from the office network. Basically we have a Netgear router that serves as our office's gateway to the internet; it's routed into a Netgear? (not entirely sure of this part's manufacturer) switch and then sent out to our server and all of our computers, as well as connected to our wireless Netgear router. The computer in question is a Windows 7 laptop being used by an employee who connects to the wireless network. However, when connecting this way, the only way I could bring up network resources like the printers and file systems was to VPN in from the wireless to the main network.

Unfortunately I don't think any of our hardware is Cisco, as we are a small law firm (still in its infancy, < 5 years old), and given the lack of revenue at the moment during the recession I don't see myself having the option of upgrading hardware anytime soon. That makes so much more sense now about the wireless router and why I had to VPN in the first place, though.

Also, using VPN allowed me to monitor which employees were using resources and allowed me to have a second layer of authentication.

Update: just found a spare Ethernet jack near the workstation in question, so... I might just be saying F this problem and simply having him hook in directly. Now, this will be the first time I'll be setting up a laptop to hook in by Ethernet; are there any steps I need to take to get that laptop connected to network resources? Like, will I need to add his laptop to Active Directory? Will I have to make a new user account on the laptop that's on AD? Thanks again for all the help and advice you're giving; it is making a frustrating issue much less so.


#11

Ah thought I had read you had Cisco hardware in the background.

He’ll just need to join his laptop to the domain and provide domain credentials to do so. Once the laptop is joined to the domain he should be able to log in as any domain user without needing to manually create the users on the machine.

Assuming you’ve got permissions set up for groups he’s a member of already you shouldn’t need to change anything for him to access resources.


#12

I would assume the laptop is part of the domain already, due to various things highulu has said about the situation already. I don't quite understand how, if this AP is connected to the network, he can't just connect to the stuff normally, but this is the problem I guess. I say take it out, reset it, reconfigure it afresh, do the same with his laptop (just network-settings-wise), and see if you can actually get this working properly instead of trying to resolve the workaround you have in place :) Now would be the best time.

As for your question: if you want to use the laptop wired, just make sure he has a manual IP set or give him a reservation in DHCP. If the machine is part of the domain, it should be in AD somewhere... Check it is in the correct place. I guess this guy has his own user account? He should just be able to log in using that. Man, I'm still kinda confused at the situation, lol.

So... Is this machine on the domain? In the correct place in AD? Does he have a username to log in with? (An actual network username, not a local one on the laptop.) Still trying to fully understand your situation to help you out more, buddy.


#13

The machine is not yet on the domain, so he's not in AD yet and he only has a local username for it so far. So yeah, I'll try to reserve a spot in our DHCP and add the machine to the domain. I'm assuming I don't have to take any extra steps for Windows 7...

Oh, and if I make his machine part of the domain, will that affect his ability to use his machine at home for personal use? I don't see why it should, but I want to cover all my bases right now.
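The three steps the thread has settled on (a DHCP reservation for the wired jack, checking the user's Dial-In setting in AD, and joining the Windows 7 laptop to the domain) each have a scriptable form. The block below is an added example, not from this thread or from any vendor; the first two sections run on the Windows server (the netsh DHCP syntax is the Server 2003/2008 form; Get-ADUser needs the ActiveDirectory module from Server 2008 R2 or the RSAT tools), and the last runs on the laptop in an elevated PowerShell 2.0 prompt. The domain name corp.example.local, scope 10.10.10.0, MAC address, reserved IP, user jsmith, and the join account are all placeholders.

```powershell
# Added example (not from the thread). Section 1 and 2 run on the Windows
# server; section 3 runs on the Windows 7 laptop. All names are placeholders.

### 1. DHCP reservation, run on the DHCP server ###
# Pin the laptop's wired NIC to a fixed lease so it always gets the same
# address. Get the MAC on the laptop first with "ipconfig /all"; netsh wants
# it with no separators.
$Scope   = '10.10.10.0'
$LeaseIp = '10.10.10.150'
$Mac     = '001122334455'
netsh dhcp server scope $Scope add reservedip $LeaseIp $Mac jsmith-laptop "Wired reservation" BOTH
netsh dhcp server scope $Scope show reservedip

### 2. Dial-in permission, run on a domain controller ###
# The "Dial-in" tab's radio buttons map to the msNPAllowDialin attribute:
# True = Allow access, False = Deny access, empty = controlled by NPS/RAS
# policy. Only the VPN path needs this; a wired domain logon does not.
Import-Module ActiveDirectory
Get-ADUser -Identity jsmith -Properties msNPAllowDialin |
    Select-Object SamAccountName, Enabled, msNPAllowDialin

### 3. Domain join, run on the Windows 7 laptop (elevated, PowerShell 2.0) ###
$Domain = 'corp.example.local'

# Sanity check from the wired jack: can the laptop locate a DC at all?
# If this fails, the join will fail too, and DNS is the first thing to look at.
nltest /dsgetdc:$Domain

# Join with an account allowed to add computers to the domain. The local
# accounts on the laptop are untouched, so the employee can still log on
# locally at home when no DC is reachable.
$JoinCred = Get-Credential "$Domain\domainjoin"   # placeholder account
Add-Computer -DomainName $Domain -Credential $JoinCred
Restart-Computer

# After the reboot, log on with the domain account (CORP\jsmith) and verify
# the join and that the DHCP reservation was honoured.
$cs = Get-WmiObject Win32_ComputerSystem
$cs.PartOfDomain      # expected: True
$cs.Domain            # expected: corp.example.local
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" |
    Select-Object Description, IPAddress, DHCPEnabled, DHCPServer
```

Once the machine is joined, no local user has to be created for him: the domain account logs on directly and picks up whatever group permissions already grant him on the file shares and printers. For the "use it at home" question, the cached domain logon on Windows 7 lets him sign in with the domain account offline too, and the local account remains available as a fallback.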


#14

He’ll still be able to access the internet, I believe. Unless he has some kind of home network setup in which he needs to log in in order to access anything, then he should be fine. The worst thing that could happen is, he’ll get an error message stating the domain is unavailable. If that happens, he just needs to log on to the local profile like he has been doing, and he ought to be fine.


#15

Hi, I was searching for how to establish a connection through my Windows VPN, and, you know, I searched many threads for the settings but I found them here. I am glad that now I can connect to a USA server for watching special TV programs...