Channel: Network Infrastructure Servers forum
Viewing all 5877 articles

Always ON VPN not connecting first times when launched - ok after 2nd / 3d connection attempt

Hi,

We've configured an Always On VPN environment with NPS proxies, NPS RADIUS servers, and AOVPN servers.

We're connecting the AOVPN manually from our Win10 client machines (mix of 1709/1909) >> will be upgraded to 1909 soon.

The strange thing is that the first time(s) we start the VPN connection after a reboot of the Win10 machine, we're unable to connect:

Win10 :
The connection was prevented because of policy configured on your RAS/VPN server.
Specifically... the authentication method used by the server...

event 20227 :
CoId={C00A8050-6FBA-4AF5-8594-A13860D9842F}: The user domain\user1 dialed a connection named AlwaysOnVPN which has failed. The error code returned on failure is 812.

On the NPS Proxy we get :
event 6274
Network Policy Server discarded the request for a user.
Account Session Identifier:333031
Reason Code: 117
Reason: The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond.


On the RADIUS :
Account Session Identifier:333031
Reason Code: 96
Reason: Authentication failed due to an EAP session timeout; the EAP session with the access client was incomplete.



The strange thing is that this happens 1, 2 or max 3 times when manually connecting, and then connections are created correctly. Even disconnect/reconnect is working right away afterwards.

To be sure, I already configured Framed-MTU: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771164(v=ws.10)?redirectedfrom=MSDN

I also raised the timeouts on the NPS (doubled the default values).


But no luck.
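A check a practitioner would run before touching NPS again, as an added example that is not part of the original post: pull the RasClient failures from the client's Application log and show how many minutes after the last boot each one happened, so the "only the first attempts after a reboot" pattern can be confirmed or refuted from event data rather than memory. The connection name is the one from the post; the event IDs are the standard RasClient ones (20227 dial failed, 20226 disconnected).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# Win10 client. Lists RasClient failures/disconnects for one connection and how long
# after the most recent boot each occurred.

function Get-RasFailuresSinceBoot {
    param(
        [string]$ConnectionName = 'AlwaysOnVPN',   # name used in the post
        [int]$MaxEvents = 200
    )

    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # RasClient writes 20227 (dial failed) and 20226 (disconnected) to the Application log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'RasClient'
        Id           = 20227, 20226
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        if ($e.Message -notmatch [regex]::Escape($ConnectionName)) { continue }

        # 20227: "The error code returned on failure is 812."
        # 20226: "The reason code returned on disconnect is <n>."
        $code = $null
        if ($e.Message -match '(?:error|reason) code returned on (?:failure|disconnect) is (\d+)') {
            $code = [int]$Matches[1]
        }

        [pscustomobject]@{
            Time             = $e.TimeCreated
            MinutesAfterBoot = [math]::Round(($e.TimeCreated - $boot).TotalMinutes, 1)
            ThisBoot         = $e.TimeCreated -gt $boot
            EventId          = $e.Id
            Code             = $code
        }
    }
}

Get-RasFailuresSinceBoot | Sort-Object Time | Format-Table -AutoSize
```

If every error 812 sits within the first few minutes after boot and later 20226/20227 entries for the same connection carry other codes, the client-side timeline supports what the NPS proxy (reason 117) and RADIUS (reason 96) events already suggest: the EAP exchange is not completing on the early attempts. Correlate the timestamps with the Account Session Identifier in the NPS 6274 events on the proxy.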

Group Policy Network Drive Mapping Fails When Connected to VPN


Hi All,

I've configured a VPN network using the Always On VPN tutorial. I am able to connect to the VPN just fine, and connected manually. From there I built the VPN profile PowerShell script from Microsoft's guide (I can't post the link because my account still hasn't been verified). I uninstalled the manual VPN, reran the script, and the VPN now automatically connects (cool!).

However, I ran into a weird hiccup when trying to apply a new group policy.  I set up a group policy to map a shared folder (\\server_name\shared_folder) to a network drive. If I'm connected to the corporate network, I can run gpupdate /force from the command line and it completes successfully. The network drive shows up, the correct folders are available, works great! However, if I then connect to an outside network and to my VPN, I lose my connection to the drive. If I delete the drive, and try to add it back, again via gpupdate /force, I get the following error:

"The processing of Group Policy failed. Windows attempted to read the file \\data.company.com\SysVol\data.company.com\Policies\{5C63434B-E0EB-44A7-B386-57843E0DA65C}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results."

If I connect to my corporate network and manually connect to the VPN (click "Connect") I get the same error. But when I connect back to the corporate network without any VPN connection, function is restored, and I can add the drive by executing gpupdate /force.

Going into the event viewer, I can see that the gpupdate has failed with an event ID of 1058 (and curiously, an error code of 0 and an error description of "the operation completed successfully"). I tried seeing if I've got some issue where I can't reach my domain controller, but an nslookup of my domain controller by name returns the correct IP, nltest /dsgetdc:data.company.com shows I'm connected to the correct DC and gives the proper IP.

So I'm stumped... almost across the finish line on setting up my vpn, just need to figure out why I can't get this network drive to work.  Any advice is greatly appreciated!
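The checks that separate the three causes listed in the event 1058 text, as an added example that is not part of the original post: which DC the locator picks while on the VPN, whether the ports Group Policy depends on are reachable on it, and whether gpt.ini can be read both through the \\domain\SysVol DFS path named in the error and directly from that DC. The domain name and GPO GUID are the ones quoted in the post; the port list (88 Kerberos, 389 LDAP, 445 SMB) is the standard set the client needs.

```powershell
# Added example, not from the original post. Run on the VPN-connected client
# while the drive mapping fails.

function Test-SysvolAccess {
    param(
        [string]$Domain  = 'data.company.com',
        [string]$GpoGuid = '{5C63434B-E0EB-44A7-B386-57843E0DA65C}'
    )

    $results = [ordered]@{}

    # 1. Which DC does the locator choose right now? The VPN may land the client
    #    in a different site than the office network does.
    $m  = nltest "/dsgetdc:$Domain" 2>$null | Select-String -Pattern '^\s*DC:\s*\\\\(\S+)'
    $dc = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    $results['DC'] = $dc
    if (-not $dc) {
        $results['Error'] = 'nltest could not locate a DC'
        return [pscustomobject]$results
    }

    # 2. TCP reachability of the ports Group Policy processing relies on.
    foreach ($port in 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $results["TCP $port to $dc"] = $t.TcpTestSucceeded
    }

    # 3. The DFS path from the error, and the same file straight from the DC.
    #    DFS-only failure points at the referral (cause c); both failing points at
    #    SMB/name resolution (cause a).
    $dfsPath    = "\\$Domain\SysVol\$Domain\Policies\$GpoGuid\gpt.ini"
    $directPath = "\\$dc\SysVol\$Domain\Policies\$GpoGuid\gpt.ini"
    $results['gpt.ini via DFS root']    = Test-Path -LiteralPath $dfsPath
    $results['gpt.ini via DC directly'] = Test-Path -LiteralPath $directPath

    # 4. Is the DFS client driver (needed for \\domain\SysVol) running?
    $dfsc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='Dfsc'"
    $results['Dfsc driver running'] = ($dfsc.State -eq 'Running')

    [pscustomobject]$results
}

Test-SysvolAccess | Format-List
```

A result where the direct path works but the DFS path does not is the usual shape for VPN clients: the DFS referral for \\data.company.com\SysVol may hand back a DC that is not reachable over the tunnel, which is also why nslookup and nltest look healthy.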

How to setup a wifi network with Active Directory authentication in Win2012?


Hi,

I'm a junior admin, still in training, and I decided to set up something I never worked before, in order to learn.

I want to create a Wi-Fi network with Active Directory authentication. In short, I want it so that when you bring your own laptop (which is NOT in the AD) and select the Wi-Fi SSID you want to connect to, a popup asks you for your AD credentials and grants you access only if you enter an account with the right permissions.

It shouldn't be that hard, but I'm actually having trouble understanding how to set it up, following the tutorials on the Internet.

I know I need, other than a DC with AD, an NPS server and a RADIUS client (as RADIUS clients I have both a Cisco and a Netgear access point). Some tutorials say I also need AD CS (Active Directory Certificate Services), others say I don't. That's the first confusing point.

Do you know if I need to use AD CS? I can't give certificates to computers that are not in the domain, so I thought I didn't need it.

And where could I find a good tutorial that helps me create this network?

Thank you in advance


Using Migrate DHCP Server roles (2003 R2 to 2008 R2) overwrites 2008 R2 server options?


Hello,

Migrating a DHCP server from 2003 R2 to a 2008 R2 DHCP server:
I used the 'migrate roles' feature to successfully migrate a DHCP server.
Unfortunately, it seems that it also 'migrates' the Windows 2003 DHCP server options as well and overwrites the Windows 2008 R2 default server options.

On the 2003 R2 DHCP server option 249 is used, and it is migrated to the 2008 R2 DHCP server options.
But option 249 has no nice GUI management (hex codes). Windows 2008 R2 has option 121, but it was gone after the migration.

I 'reset' the 2008 R2 DHCP database by deleting it and restarting the DHCP server. Option 121 is now available.

Anyhow, can anyone confirm that a DHCP server migration also migrates and overwrites the 2008 R2 default options?
Subsequently, I'd like to migrate DHCP servers but leave the current options on the server and only add extra options.


This server's clock is not synchronized with the primary domain controller's clock

Hi,

I am a beginner to Windows administration. I am running Windows Server 2008 as a domain controller. I added 7 XP machines to the domain. After adding the clients to the domain, the system time of the clients does not sync with the domain controller. I gave all the clients admin privileges and I enabled public file sharing. Now no user can access the shared files from each other. When they try to access a machine from Run by typing \\systemname, the following error is shown:

\\systemname is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. This server's clock is not synchronized with the primary domain controller's clock.

Please guide me to solve the issue.
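The error quoted above is the Kerberos clock-skew check: by default a ticket request is refused when the two clocks differ by more than 5 minutes, and SMB to a domain member authenticates with Kerberos. As an added example that is not part of the original post, this script measures each client's clock against the server it runs on and flags the ones outside that tolerance. It uses WMI rather than w32tm so it works against XP clients that do not answer NTP queries; the computer names are placeholders.

```powershell
# Added example, not from the original post. Run on the 2008 domain controller as
# a domain administrator. Requires WMI/RPC access to the clients (Windows Firewall
# "Remote Administration" exception on XP).

function Get-ClientClockOffset {
    param([string[]]$Computers)

    foreach ($c in $Computers) {
        $offset = $null
        $err    = $null
        try {
            # Win32_OperatingSystem.LocalDateTime is the client's own clock in DMTF format.
            $os     = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $remote = $os.ConvertToDateTime($os.LocalDateTime)
            # Positive offset: client is ahead of this server; negative: behind.
            $offset = [math]::Round(($remote - (Get-Date)).TotalSeconds, 1)
        } catch {
            $err = $_.Exception.Message
        }

        New-Object PSObject -Property @{
            Computer           = $c
            OffsetSeconds      = $offset
            WithinKerberosSkew = ($offset -ne $null -and [math]::Abs($offset) -lt 300)   # 5 minutes
            Error              = $err
        }
    }
}

Get-ClientClockOffset -Computers 'xp-client-01', 'xp-client-02' |
    Format-Table Computer, OffsetSeconds, WithinKerberosSkew, Error -AutoSize
```

A client that shows WithinKerberosSkew = False needs `w32tm /resync` run on it (the Windows Time service on a domain member takes time from the DC automatically, so a large offset usually means the service is stopped or the client was never a domain member when it last synced). The WMI round trip adds a fraction of a second to the measurement, which does not matter at the 300-second threshold.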

How to configure wifi authentication process diagram with active directory


Hi Team,

Thanks.

I want to configure Wi-Fi devices (all smartphones) and a RADIUS server authentication process with Active Directory. Please share an authentication network diagram.

Parvez


Windows dns server primary zone question


hello,

I have read and know that you can host a Windows primary DNS zone on only one DNS server and all the other copies of the same zone (on any other DNS servers) have to be secondary. But I see something different with what I do here in my test domains.

Can anyone help me with where I am wrong, or are there some changes that happened recently? OR is it that I can host a primary zone on a single DNS server in a domain and can host it on another DNS server provided it is in another domain?

Thanks


http://www.4shared.com/file/185932068/d0644c66/Doc1.html

NPS communication to the DC/AD


Hi,

How does it work?

If the RADIUS NPS services are running on a different server than the DC/AD, how many packets will be sent during an authentication?
Will the number of policies affect the number of packets?
This question originates from the question of whether the number of policies will impact the response time to the NAS (RADIUS client). The only answer I got so far is that the NPS will send one packet per policy (until a hit), but when I capture the network traffic with Wireshark, it indicates a different approach.



Always On VPN - VPN Server in DMZ without joining to domain


Guys.

Posting my query here regarding Always On VPN implementation. Is it possible to have the VPN server hosted in the DMZ without joining it to the domain and still implement Always On VPN?

Please suggest!

Thanks,

Aditya


Best Regards, Aditya Kumar.

Windows Routing and Remote access server


Hello Everyone,

Let me start by explaining the environment we have in Azure:

In Azure:

  • We have 4-5 servers (DC, FS, App, and Windows VPN server).
  • I have one server at home (application licensing).
  • All the users are connecting remotely from home.
  • All the users connect to the VPN using the Windows default VPN client to the VPN server located in Azure.
  • The server at home connects to the VPN using the Windows default VPN client to the VPN server located in Azure. Also, an Always On VPN configuration is set up.

Here is what the issue is:

  • When users connect to the VPN, they are able to ping the servers located in Azure. However, they aren't able to ping the server located at home or other users connected to the VPN.
  • The server located at home, on VPN, is able to ping the servers located in Azure. However, the home server is not able to ping or connect to the users' PCs on VPN.

All the workstations are on the domain, and I want all the devices (in Azure, at home, and the users' PCs) to be able to ping, connect, RDP, access files, etc. to each other once they are connected to the VPN.

How do we achieve this?

AOVPN Client IP Pool from multiple Subnet


Hi,

While configuring the IP pool for VPN clients, I am just worried about covering enough IP addresses in one single pool.

Is it possible to configure multiple subnets / multiple pools to allocate as VPN client IPs?

I am sure a single subnet may not be sufficient for most practical purposes.

We are using Windows 2016 as VPN and NPS servers for the Always On VPN solution.

Regards

Mahesh



NPS - Impossible configure EAP


 

Hello all,

I'm trying to set up an NPS RADIUS server. I currently find myself in a dead end where I can't change the authentication method, whether it's EAP-PEAP, Smart Card or other certificate.

The message I get is: "Unable to configure EAP. Unable to find a certificate that can be used with EAP (Extensible Authentication Protocol)".

In the event logs, I find two EapHost errors, 3026 and 1041.
I have imported my certificates generated via AD CS from a copy of the RAS IAS template.

Thank you in advance for your answers
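The EAP configuration dialog only offers certificates from the computer's personal store that meet the NPS server-certificate requirements: the Server Authentication EKU, a usable private key, validity dates that cover today, and a chain to a root the server trusts. As an added example that is not part of the original post, this script walks LocalMachine\My and states, per certificate, which of those requirements fails, which is faster than guessing from the EapHost events. Nothing here is specific to the poster's CA; the template name column simply shows the AD CS template extension when one is present.

```powershell
# Added example, not from the original post. Run on the NPS server as administrator.

function Get-NpsEapCertificateCandidates {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $problems = @()

        # Enhanced Key Usage: must include Server Authentication if the extension is present.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        if ($ekus.Count -gt 0 -and ($ekus -notcontains $serverAuthOid)) { $problems += 'no Server Authentication EKU' }

        if (-not $cert.HasPrivateKey)   { $problems += 'no private key' }
        if ($cert.NotAfter  -lt $now)   { $problems += 'expired' }
        if ($cert.NotBefore -gt $now)   { $problems += 'not yet valid' }

        # Chain building the way Windows does it; revocation skipped so this works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            $problems += "chain does not build: $status"
        }

        # AD CS records the issuing template in an extension named "Certificate Template ...".
        $template = ($cert.Extensions |
            Where-Object { $_.Oid.FriendlyName -like 'Certificate Template*' } |
            ForEach-Object { $_.Format($false) }) -join ''

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            Template     = $template
            UsableForEap = ($problems.Count -eq 0)
            Problems     = ($problems -join ', ')
        }
    }
}

Get-NpsEapCertificateCandidates | Sort-Object UsableForEap -Descending | Format-Table -AutoSize
```

An imported certificate that shows "no private key" is the common outcome of importing a .cer instead of the .pfx, or of requesting the certificate from a different machine: the public certificate lands in the store, but NPS cannot sign with it, and the dialog reports that no usable certificate exists.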

PPTP VPN not allowing traffic past VPN server


Hi All!

I am not a VPN person at all and need my hands held here. I've followed every guide I can find online to create a PPTP VPN server and have executed them, only to have half of a solution. Clients can connect to my server but 1 - can't access anything past the server and 2 - cannot access Remote Desktop sessions internally because they can't access anything beyond the VPN server.

Here's my setup;

- External gateway has an external address of 1.2.3.4 and an internal address of 192.168.0.1 subnet 255.255.255.0 and is port forwarding 1723 to VPN server

- VPN server has routing and remote access installed and is at 192.168.0.75 subnet 255.255.255.0 running windows server 2016. Has 4 internally connected ethernet cards if needed but am only pushing VPN traffic through the gateway to 1 card. VPN server is set to give VPN clients DHCP addresses

- internal servers - dhcp and dns server - 192.168.0.117

- I am testing with an offsite laptop with an external address of 5.6.7.8 and an internal address of 192.168.1.10 subnet 255.255.255.0 with no firewall turned on

Questions - 1 - do I need static routing setup on the VPN server and if so, how does that look? 

2 - Should I have NAT setup on the VPN server and if so, how does that look?

3 - Do I need DHCP relay agent?

4 - Do I need the IGMP?

Thank you very much for any help you can lend and stay safe out there!

RRAS server not allowing traffic requests to endpoints


Hi TechNet community,

Does anyone know of a setting on Microsoft RRAS that would stop my corporate network seeing my endpoints? (ping & SMB)

The RRAS server is sitting in my DMZ; client machines are connecting over IKEv2 with machine certificates. All working.

The RRAS server can see the endpoints, and the endpoints can see the corporate network, which is routing through the RRAS internal VPN gateway IP.

And... I don't think it is routing, because:

I can also see the RRAS server's internal VPN gateway IP from corporate (the same gateway that the clients use to get through to the corporate network).

When I run a traceroute from corporate, they both hit the RRAS server IP in the DMZ. The RRAS internal gateway replies and the packets to the client IPs just drop.


The only other thing I've discovered not talking is the client back to the RRAS DMZ IP to the client.

Any new leads on what to troubleshoot next would be appreciated.

Hank



"Set-VPNAuthProtocol -rootcertificatenametoaccept $Cert1" sets a different certificate than the one specified


As per the "Important" note at the end of this documentation Configure VPN Device tunnels in Windows 10, I am using the Set-VPNAuthProtocol command to specify a single root CA that VPN client certificates should chain back to.  However, even though I select a specific certificate to use for this purpose, the resulting configuration is set to use a DIFFERENT (older, but still valid) certificate for the same root CA.  

PS C:\Users\myadminuser> $cert1 = (get-childitem -path cert:LocalMachine\root | ? Thumbprint -eq "09876543219AE3718A18EAD87E46D11234567890" | select -first 1)

PS C:\Users\myadminuser> $cert1 | fl


Subject      : CN=EnterpriseCA, DC=domain, DC=com
Issuer       : CN=EnterpriseCA, DC=domain, DC=com
Thumbprint   : 09876543219AE3718A18EAD87E46D11234567890
FriendlyName :
NotBefore    : 3/1/2018 1:00:00 AM
NotAfter     : 3/1/2028 1:00:00 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}


PS C:\Users\myadminuser> set-vpnauthprotocol -RootCertificateNameToAccept $cert1 -passthru

PS C:\Users\myadminuser> get-vpnauthprotocol


UserAuthProtocolAccepted      : {EAP, Certificate}
TunnelAuthProtocolsAdvertised : Certificates
RootCertificateNameToAccept   : [Subject]
                                  CN=EnterpriseCA, DC=domain, DC=com
                                [Issuer]
                                  CN=EnterpriseCA, DC=domain, DC=com
                                [Serial Number]
                                  ABCDEFFABCDEF0987654321ABCDEFABCD
                                [Not Before]
                                  6/6/2014 6:00:00 AM

                                [Not After]
                                  6/6/2019 6:00:00AM

                                [Thumbprint]
                                  ABCDEF0123456789ABCDEF9876543210ABCDEF99

CertificateAdvertised         :
CertificateEKUsToAccept       :

It seems as though this command may just look at the subject name of the supplied certificate, and use the first certificate it finds in the localmachine\root store which matches the subject name.  That would almost make sense, since the parameter is named "RootCertificateNameToAccept", except that the parameter doesn't accept just a string for the certificate name.  Since the parameter requires an X509Certificate2 object, I would expect it to use the actual certificate specified, not just randomly select one with the same subject name.

I also tried supplying multiple certificates for this parameter, in hopes that it would then accept client certs signed with any of the supplied root certs, but that just returns an error.   Looks like I'm not the first to try and fail at that, although the one reply in that thread seems like they possibly didn't understand the issue, and the links in the thread are dead.  

Is it the expected behavior for Set-VPNAuthProtocol to choose the first certificate it finds in localmachine\root which matches the Subject of the certificate supplied for the rootcertificatenametoaccept parameter, rather than actually using the supplied certificate?

How can I configure this option to accept client certificates signed by a specific (the current/most recently issued) certificate for our CA?
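Whatever Set-VpnAuthProtocol does internally, the situation the post describes only arises when LocalMachine\Root holds more than one certificate with the same subject. As an added example that is not part of the original post, the script below lists every root-store certificate sharing the subject of the one you intend to pin (newest first, with the expired copies marked), applies the setting, and then compares the thumbprint that Get-VpnAuthProtocol reports with the one requested, so the mismatch is detected by a script rather than by reading the output by eye. The thumbprint is the one from the post; reading `.Thumbprint` off the RootCertificateNameToAccept objects assumes they expose the X509Certificate2 properties shown in the output above.

```powershell
# Added example, not from the original post. Run on the RRAS/VPN server as administrator.

function Get-RootSubjectDuplicates {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $wanted = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $wanted) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\Root" }

    # Every certificate with the same subject, newest first, with the stale copies flagged.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $wanted.Subject } |
        Sort-Object NotAfter -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ n = 'IsWanted'; e = { $_.Thumbprint -eq $Thumbprint } },
            @{ n = 'Expired';  e = { $_.NotAfter -lt (Get-Date) } }
}

function Test-VpnRootPinned {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $configured = (Get-VpnAuthProtocol).RootCertificateNameToAccept
    # Normalise to a list of thumbprints whether one or several certificates come back.
    $thumbs = @($configured | ForEach-Object { $_.Thumbprint })

    [pscustomobject]@{
        Wanted     = $Thumbprint
        Configured = ($thumbs -join ', ')
        Matches    = ($thumbs -contains $Thumbprint)
    }
}

$thumb = '09876543219AE3718A18EAD87E46D11234567890'   # thumbprint from the post

# 1. See how many candidates share the subject before changing anything.
Get-RootSubjectDuplicates -Thumbprint $thumb | Format-Table -AutoSize

# 2. Apply the setting with the exact certificate object, then verify what was recorded.
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
Set-VpnAuthProtocol -RootCertificateNameToAccept $cert
Test-VpnRootPinned -Thumbprint $thumb
```

If Matches comes back False and the duplicates list shows an expired copy of the root, removing that expired copy from LocalMachine\Root (after confirming nothing else still chains to it) leaves only one certificate for the subject, which removes the ambiguity regardless of how the cmdlet resolves the name.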


Can't get a DHCP relay to work


Hi,

For a few hours now I've been trying to get a DHCP Relay to work and I can't do it.

My setup is as follows:

- 2x Windows Server 2k16 servers with NLB, RRAS and DHCP server roles installed

- each server has 2 NICs - External and Internal

- each server has only one scope on the DHCP configured, which should be used by the remote Clients

What I am trying to accomplish:

- if the client connects to Server A, it should get relayed to Server B's DHCP service

- likewise, if the client connects to Server B, it should get relayed to Server A's DHCP service

External and Internal NICs are in different subnets. How should I configure the DHCP Relay agent?

- as the interface, do I set the External or Internal NICs?

- as the DHCP Server, should I specify the second server's Internal or External IP?

Does this even have a chance to work? Ideally I would have a dedicated DHCP server, but I'm just trying to test something.

Kind regards,

Wojciech

VPN clients can't do RDP to different subnets


I have an office branch with a Cisco ASA 5508-X and 3 internal networks:

  • 192.168.150.0/24 (the RRAS server is 192.168.150.252/24)
  • 192.168.151.0/24
  • 192.168.152.0/24

I have deployed an L2TP VPN (which hands out 192.168.150.0/24 addresses) with Windows Server 2012 R2 and RRAS so home users can access office branch resources. So far it's working as expected: users can access shared folders, internal Exchange email and printers, but they can only ping and RDP to computers on the 192.168.150.0/24 network.

I added 2 NICs to the RRAS server (1 for the 192.168.151.0/24 network and 1 for the 192.168.152.0/24 network) and now users CAN ping resources on those networks, but RDP to PCs on those networks still fails.

I have deployed the following GPOs on all networks (image) with no effect:

  • Windows Defender Firewall: Allow inbound file and printer sharing exception "*"
  • Windows Defender Firewall: Allow inbound Remote Desktop exceptions "*"
  • Windows Defender Firewall: Define inbound port exceptions "3389:TCP:*:enabled:RDP"

So, now I'm not sure how to proceed:

  • Do I need to forward TCP 3389 port to the VPN Server?
  • Do I need to add anything to my Cisco Firewall configuration?
  • Do I need to configure anything on RRAS?
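Both this thread and the "RRAS server not allowing traffic requests to endpoints" post above describe the same shape of problem: ICMP or the RRAS gateway itself answers, but traffic to a VPN client's address or to a specific TCP port does not. As an added example that is not part of either post, the first function runs on the RRAS server and reports the IPv4 forwarding state of every interface (RRAS must forward between the tunnel interface and each LAN NIC); the second runs on a LAN host and records the path and the RDP port result toward one VPN client, so the hop where packets stop is recorded rather than inferred. The client address is a placeholder; the RRAS address is the one from this post.

```powershell
# Added example, not from the original posts.

# Part 1: run on the RRAS server. Forwarding should read 'Enabled' on the internal
# NICs and on the RAS (Dial In) Interface that carries the VPN clients.
function Get-RrasForwardingState {
    Get-NetIPInterface -AddressFamily IPv4 |
        Sort-Object InterfaceIndex |
        Select-Object InterfaceAlias, InterfaceIndex, Forwarding, ConnectionState
}

# Part 2: run on a host in 192.168.151.0/24 or 192.168.152.0/24 against a connected
# VPN client. A trace that ends at the RRAS address with the RDP test failing means
# the packet reached RRAS and was not delivered to the client; a trace that never
# reaches RRAS means the LAN side has no route (or a firewall) for the client address.
function Test-PathToVpnClient {
    param(
        [string]$ClientIp  = '192.168.150.200',   # placeholder: an address from the VPN pool
        [string]$RrasLanIp = '192.168.150.252',   # RRAS internal address from the post
        [int]$Port         = 3389
    )

    $trace = Test-NetConnection -ComputerName $ClientIp -TraceRoute -WarningAction SilentlyContinue
    $rdp   = Test-NetConnection -ComputerName $ClientIp -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Target        = $ClientIp
        PingSucceeded = $trace.PingSucceeded
        Hops          = ($trace.TraceRoute -join ' > ')
        PassesRras    = ($trace.TraceRoute -contains $RrasLanIp)
        RdpPortOpen   = $rdp.TcpTestSucceeded
    }
}

Get-RrasForwardingState | Format-Table -AutoSize
Test-PathToVpnClient | Format-List
```

Run part 2 from each of the three subnets: if ping succeeds and only RdpPortOpen is False from the 151/152 networks while both succeed from 150, the block is on the client end (a host firewall rule scoped to the local subnet, or a client that drops traffic from non-local sources), not on RRAS or the ASA.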

Always On VPN + Windows Hello for Business


Hello,

Just a general question to see if anyone has successfully done this and got it working together. Microsoft Docs indicate they can work together, but in my lab I cannot get AOVPN to authenticate with the WHB certificate. The user tunnel works fine when excluding Windows Hello.

Any stories, care to share? 

Always On VPN trusted network detection not working on wired connection


Hello,

At one of our customers we are using Always On VPN with a force tunnel configuration and have set up trusted network detection.
When we connect to the corporate Wi-Fi, trusted network detection works fine.
When we connect wired to the corporate network, trusted network detection doesn't work and the VPN connection gets connected automatically, which is not what we want.

I read on technet the following:

VPNv2/ProfileName/TrustedNetworkDetection
Optional. Comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.

Does this mean it doesn't work on wired connections? And if so why?
If it should work on wired connection, I hope someone can help me out to figure out what goes wrong.

Devices are Azure AD joined and Always On VPN configuration has been pushed with Intune.
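Trusted network detection compares the connection-specific DNS suffix of the client's active network interfaces with the suffix list in the profile's TrustedNetworkDetection setting; the interface type (wired or wireless) is not what it keys on. As an added example that is not part of the original post, this script lists, per active adapter, the suffix the adapter currently carries and whether it matches, so a wired port whose DHCP scope does not hand out the domain suffix (DHCP option 15) shows up immediately. The suffix value is a placeholder to be replaced with the one from the Intune profile.

```powershell
# Added example, not from the original post. Run on an affected client while it is
# plugged into the wired corporate network.

function Test-TrustedNetworkSuffix {
    param([string[]]$TrustedSuffixes = @('corp.example.com'))   # placeholder

    $up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
    foreach ($adapter in $up) {
        $dns    = Get-DnsClient -InterfaceIndex $adapter.ifIndex
        $suffix = $dns.ConnectionSpecificSuffix

        [pscustomobject]@{
            Interface = $adapter.Name
            MediaType = $adapter.MediaType          # '802.3' wired, 'Native 802.11' Wi-Fi
            Suffix    = $suffix
            Trusted   = [bool]($suffix -and ($TrustedSuffixes -contains $suffix))
        }
    }
}

Test-TrustedNetworkSuffix | Format-Table -AutoSize
```

The usual result on a wired port that misbehaves is an empty Suffix column while the Wi-Fi adapter shows the domain suffix: the wireless scope hands out option 15 and the wired scope does not, or the wired adapter has a static suffix configured that does not match the profile string exactly.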

add route on windows ??


Hi there, I am new to this forum and not so frequent an admin, but called upon to help when things aren't going right. So as you might guess I normally ask for help from those up to date with tech.

My situation is that a colleague has only one network point to the LAN and is using a Wi-Fi device, sort of like a switch/router, for the PC and the mobile (utilizing the Wi-Fi), but would like to print from the PC to a network printer on the LAN. Can adding a route on the PC give access to the printer, and how? It was my first attempt and I did not get it right; I could not even ping the printer. The Wi-Fi device has the address space 192.168.8.0, the LAN 192.168.151.0, so I tried the following:

route add 192.168.151.0 mask 255.255.255.0 192.168.8.1 if 1

Help, it's my way of learning.

Ngonyi
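In the `route add` command above, `if 1` selects interface index 1, which on a Windows machine is the software loopback interface, so the route can never send packets to 192.168.8.1. As an added example that is not part of the original post, the script below finds the interface that actually holds a 192.168.8.x address, adds the LAN route through it, and then asks the routing table which route would be used for a printer address. The addresses are the ones from the post; the printer address is a placeholder.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the PC
# that sits behind the Wi-Fi device.

function Add-LanRouteViaWifi {
    param(
        [string]$LanPrefix   = '192.168.151.0/24',   # the LAN with the printer
        [string]$WifiGateway = '192.168.8.1'         # the Wi-Fi device's LAN-side address
    )

    # The interface whose IPv4 address is in the same /24 as the gateway, instead of
    # guessing an interface index.
    $gwNet = ($WifiGateway -split '\.')[0..2] -join '.'
    $ip = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like "$gwNet.*" } | Select-Object -First 1
    if (-not $ip) { throw "No interface has an address in $gwNet.0/24" }

    # Reuse an existing route for the prefix rather than adding a duplicate.
    $existing = Get-NetRoute -DestinationPrefix $LanPrefix -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    New-NetRoute -DestinationPrefix $LanPrefix -InterfaceIndex $ip.InterfaceIndex -NextHop $WifiGateway
}

Add-LanRouteViaWifi | Format-Table DestinationPrefix, NextHop, InterfaceAlias -AutoSize

# Which route would a packet to the printer actually take?
Find-NetRoute -RemoteIPAddress '192.168.151.50'   # placeholder printer address
```

The route only tells the PC to hand 192.168.151.0/24 traffic to the Wi-Fi device; the Wi-Fi device itself must still forward (or NAT) between 192.168.8.0/24 and the LAN, and the printer's side must have a way back to 192.168.8.0/24 or see the traffic as coming from the device's LAN address. If Find-NetRoute shows the new route but ping still fails, the missing piece is on the Wi-Fi device, not on the PC.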
