VPN question for network gurus

[warhorse]

I set up a VPN server for a small network but whenever one of the computer connects to the server it can't see the internet. I have found a way around this by disabling the "use default gateway on remote network" checkbox on the VPN connections properties box. However I beleive that there should be a way to route the internet traffic through the router on the remote network while logged in to the VPN server. So basically I'm pretty sure I screwed something up on the NAT or IP addressing when I set up the VPN server, someone please help!

 

[Kaiser]

I set up a VPN server for a small network but whenever one of the computer connects to the server it can't see the internet. I have found a way around this by disabling the "use default gateway on remote network" checkbox on the VPN connections properties box. However I beleive that there should be a way to route the internet traffic through the router on the remote network while logged in to the VPN server. So basically I'm pretty sure I screwed something up on the NAT or IP addressing when I set up the VPN server, someone please help!

From your PM, you will need to turn the option on that stops all other networks on the IP stack. My guess is you are trying to not create a bridge, which would be a serious security breech am I correct? This should be a setting on your VPN router itself. You can usually test it by doing a "route print" in a cmd prompt before and after the connection to the VPN server to confirm it. It will force all IP packets on the stack to one route. There are other ways to do it, but that is the one I am familiar with on Nortel and Cisco. I am a systems engineer, but what you want is a network engineer. The horizon is to broad to know everything about everything in IT so the better companies have specialists. If this doesn't help, please ellaborate a little more.

 

[warhorse]

I don't think thats the answer I'm looking for it may be if so your way out of my league!! Heres what I have: windows 2003 server with VPN service and a application that holds client data on the server so everyone must log in to server to process loans and such (mortgage company), 8 computers on the LAN all including server with non internet IP's (10.1.1etc) the gateway which performs the NAT forthis network is a cisco router with a static IP on the internet. The router forwards certain ports to the server (so remote users can log in and work) in default config if you are connected to internet and you establish a VPN connection to server you get a error message like local area connection not connected, or something to that effect and you cannot access the internet but you can access server. Disconnect from VPN and bam internet is back. The server assigns IP's to the VPN clients from within the pool that the cisco router should recognize as non internet IP's and translate them but thats not happening, make sense?? I'm not terribly familer with cisco or NAT so I may not be describing this in a efficient manner.....

 

[Kaiser]

I don't think thats the answer I'm looking for it may be if so your way out of my league!! Heres what I have: windows 2003 server with VPN service and a application that holds client data on the server so everyone must log in to server to process loans and such (mortgage company), 8 computers on the LAN all including server with non internet IP's (10.1.1etc) the gateway which performs the NAT forthis network is a cisco router with a static IP on the internet. The router forwards certain ports to the server (so remote users can log in and work) in default config if you are connected to internet and you establish a VPN connection to server you get a error message like local area connection not connected, or something to that effect and you cannot access the internet but you can access server. Disconnect from VPN and bam internet is back. The server assigns IP's to the VPN clients from within the pool that the cisco router should recognize as non internet IP's and translate them but thats not happening, make sense?? I'm not terribly familer with cisco or NAT so I may not be describing this in a efficient manner.....

Well, actually it is doing exactly what I mentioned from this recent post. The VPN client is cutting off all traffic besides the VPN tunnel as to not create a bridge, which of course would be a hole. This is configured correctly. You now need to make the VPN server give the correct IP scheme to the external workstations upon connect. You will need to push the interal default internet gateway/router address to the clients once the connection is made. What it seems like is happenning is you are only getting partion IP information when connecting the VPN takes over the stack. Do me a favor. On a client machine that is external, give me an ipconfig /all before the VPN connection, then give me one after. Pipe it to a text file by issuing both times:

ipconfig /all >> %SYSTEMDRIVE%\ip.txt
route print >> %SYSTEMDRIVE%\route.txt

Send me the ip.txt and the route.txt file

Anyway, you may be stuck setting up an autoconfiguration script within IE to allow for this. It is hard to tell every setting and every entity on a network via text communication like this.

As a side note, if you are using mortgage origination software most pipe it through Citrix Presentation Server which makes it much easier and no VPN is needed due to the SSL 443 tunnel. This works well with Calix Point, Genesis 2000, Contour, and of course Encompass. Genesis 2000 is at the end of it's life as one of my clients were notified last month so they are either going with Contour or Encompass. My vote would be Encompass. I am just starting to look into their newer products now, and from what I heard they have a built in web interface that allows for native webserver connections over SSL 443.

Let me know if any of these ideas ring a bell or we'll ust continue trying to nip away at it. Like I saiid without me on site, it is sometimes hard to decypher what is going on and what is needed. But we'll keep trying. The main thing we are trying to accomplish is that the VPN server, once authenticated creates a vitrual adapter and gives the gate way that the people use interally to get to the internet. But like I said, if they are using a internally, or a firewall you may have to configure an automatic configuration script for the external users to utilize. We'll get it.

 

[warhorse]

They are using encompass! Wow your pretty good, however when I configured port forwarding on the router to the server using the ports I got from encompass it still wouldn't connect, is there something else I would have to do? If I could eliminate the whole vpn thing that would be great!
edit
where do you want me to send those files, for obvious reasons I'm not going to post them

 

[Kaiser]

So looks like what we are down to is Encompass will not work over the wire right? OR is it just that ePass will not come up within Encompass? These would be 2 different issues. Encompass being the application, and ePass being Ellie Mae's website within Encompass to run DU (Desktop Undewriter) or pull credit.

 

[warhorse]

Users were unable to connect to encompass by using the static IP of the router I may have the wrong ports configured? From reading about the ssl 443 is that something I would have to set up a website for, cause I have zero exp with that and IIS. Is there a way I can find out/map whatever Port encompass is trying to use when connecting to server, for example if I log on to the server and connect to encompass there must be a way to tell what ports its using correct?

 

[sup]

you could google to see what ports encompass is trying to use..or call their tech's.

have you checked to see if your firewall rules are allowing the traffic?

 

[Kaiser]

Users were unable to connect to encompass by using the static IP of the router I may have the wrong ports configured? From reading about the ssl 443 is that something I would have to set up a website for, cause I have zero exp with that and IIS. Is there a way I can find out/map whatever Port encompass is trying to use when connecting to server, for example if I log on to the server and connect to encompass there must be a way to tell what ports its using correct?

Easiest way to tell what port you are using is just a simple utility like "Active Ports". It's free just google it.

Don't forget your cert for 443. You'll need a valid one from a CA.

 

[Kaiser]

Also, which way is Encompass set up? Is it set up as a service or is it set up to run over IIS?
If it is service based, the default port is 11091. If it is IIS, it is the default port you have on the virtual directory from within IIS manager which is 443 if you have a valid cert.

 

[warhorse]

I finally got it all sorted out it is set up as a service so the port you gave me is correct thanks kais I even got that stupid mac to connect LOL.. thanks for the help man I would still like to know how to write a script for the VPN thing not that I need it anymore but I always like learning new stuff!

 

[Kaiser]

I finally got it all sorted out it is set up as a service so the port you gave me is correct thanks kais I even got that stupid mac to connect LOL.. thanks for the help man I would still like to know how to write a script for the VPN thing not that I need it anymore but I always like learning new stuff!

I was wondering why you did not set it up under IIS, use a cert and forget about the VPN. What made you decide on that? That would allow net branches to connect in easily with the client, or they could do a "work offline" and it would sync up when connected. Anyway, glad to hear it worked out for you. I am interested in your comments about the service verses IIS solution.

Incidentally I did a bulk import the other day from Genesis of 3600 loans. The fugger took an hour and a half to pull in and that was on a box running SQL 2005 Enterprise. If you ever want to convert from MSDE to SQL Server let me know, I'll walk you through it because you'll end up with an emdbuser orphan.

 

[warhorse]

well we actually set up all the users with the no stand alone option. The reason for this was all the files and such would stay on the server, reducing "customer transfer" should a broker leave the company. I've never used IIS and although I'm sure I could figure it out I'm acually not employed by this company and work in a unrelated field. (I was once an MCSE in NT 4.0 LOL) So it was easier for me to show the owner how to keep the service running and such, if IIS is a better solution I"m all ears! But I thought as long as port forwarding was set up correctly I wouldn't need the VPN anyway?

 

[Kaiser]

well we actually set up all the users with the no stand alone option. The reason for this was all the files and such would stay on the server, reducing "customer transfer" should a broker leave the company. I've never used IIS and although I'm sure I could figure it out I'm acually not employed by this company and work in a unrelated field. (I was once an MCSE in NT 4.0 LOL) So it was easier for me to show the owner how to keep the service running and such, if IIS is a better solution I"m all ears! But I thought as long as port forwarding was set up correctly I wouldn't need the VPN anyway?

Well, what it allows you to do is exactly what you are looking for. Instead of VPN, you just use a cert and it pipes all information through 443. This also keeps all files on the server as you mentioned. It is not a web page mind you, you actually install the client as normal "stand alone". They will then automatically connect to the server and sync up when in "online" mode. No VPN, no special ports. All they would need to do is by a cert from a trusted root like Verisign. You can actually run it without a cert and just make it run over 80, but that is obviously not recommended. To try it out, just do a default install of IIS on Server 2003. Then run the Server Reconfigure Wizard in Encompass to chage it from Service mode to IIS mode. It will not show the option unless IIS is installed prior to running the wizard.

 

[warhorse]

oh boy

Ok so today I had to move encompass from one partition to another (the owner originally installed it on wrong one) so I copyed everything to the other partition edited the registry to point to e instead of c and everything was fine. (I renamed the old dir's on c: ) I could log on remote users could log on everything was working the owner installed a previously downloaded update and now you can't even log on to encompass or restart the service if you try to restart through encompass you get an error, if you try through services.msc you get a file not found error for encompass any suggestions?

 

[Kaiser]

You shouldn't just move the database from one volume to another without dismounting it's SQL handles, and reconnecting them once it is moved. Your problem probably resides in SQL. Once you move it you might find that you have to run a couple lines of code to remove any orphaned users, but not always, you will know. I know how to do it with full SQL Server 2000 and 2005, but have not done it with SQL Express or MSDE which are both the free desktop version. It should be still the same however. You might find the connection in ODBC, but again I usually only deal with the full SQL Server instead of the desktop version because of the size of my clients' infrastructure. Let me know if you dismounted and remounted the database correctly. You also might find the connection path in the Encompass Admin tools.

 

[warhorse]

that is something I didn't do, however I found the value in the registry for the service path and changed it the service is now running but I still can't get encompass to login I get an ahg error, I think I may have to reinstall is there anyway to do so without losing all the settings and files (I copied the dir.)

 

[Kaiser]

that is something I didn't do, however I found the value in the registry for the service path and changed it the service is now running but I still can't get encompass to login I get an ahg error, I think I may have to reinstall is there anyway to do so without losing all the settings and files (I copied the dir.)

You should not need to reinstall. As I mentioned I am not used to the desktop version of SQL, but there should be a console to run commands. Here is some information:

http://www.fileformat.info/tip/microsoft/sql_orphan_user.htm
**broken link removed**
**broken link removed**
**broken link removed**


You can also just call EllieMae and they'll assist you. You really should take the time to learn how to fix this problem if you are going to continue to service their organization. This will be a good lesson for you on database management and not saying that in a bad or negative way. Some of the above commands are what is needed to migrate the database off of MSDE and into a full fledged SQL Server environment.

You can also change the reg entries that you made, move the database back to SystemDrive and correctly dismount and remount the database which would probably be your best bet. (I am pretty sure you can do that with MSDE) Just make sure it is functional again once you move it back to SystemDrive before you try a dismount and remount. If you would have done that from the beginning, you would have been fine. You can also do a backup and resotre it to the other drive and MSDE should automatically notice it.

 

[warhorse]

I actually was on the phone with ellie mae yesterday for about an hour, they have escalated it to the next level, they beleive it is a issue with the update (from 2.9 to 3.0) not installing correctly (it defaults to the c drive and thats where encompass was when the update was downloaded, he installed it after I moved everything) where can I find the proper procedure to dismount/mount a database I searched the microsoft site and only found instructions for removable media thank you for your help kais....

 

[Kaiser]

I actually was on the phone with ellie mae yesterday for about an hour, they have escalated it to the next level, they beleive it is a issue with the update (from 2.9 to 3.0) not installing correctly (it defaults to the c drive and thats where encompass was when the update was downloaded, he installed it after I moved everything) where can I find the proper procedure to dismount/mount a database I searched the microsoft site and only found instructions for removable media thank you for your help kais....

Then I would reset the reg entries and move it back for now. When it asks to overwrite newer files because of the update from 2.9 to 3.0, select no. Then once you have it running again simply do a backup and restore to the other drive of just the ldf and mdf. You can also use a 3rd party trial ware like this:

http://www.softpedia.com/get/Internet/Servers/Database-Utils/MSDE-Manager.shtml

Remember, you should actually leave the application where it was originally installed as it is tied not only to the database but to the OS which is why the update failed.

Second solution would be to backup the mdf & ldf. Then uninstall Encompass all together. Reinstall Encompass to the directory of your choice on whatever volume you want. Then do a restore of the mdf & ldf to overwrite the current ones. At that point you should be up and running.

More than one way to skin this cat just be safe and make sure you have the mdf and ldf (database and transaction log files) as that is your actual database.