Safenet VPN to domain 1


SQLScholar

Programmer
Aug 21, 2002
2,127
GB
Hey all,

I have a Safenet connection to our network fine - even the DNS is resolving. Only problem is that if I go to \\ourDCsrv\ it asks for the username and password.

Now for me, this wouldn't be an issue - for the end users it might. I am a bit confused now as to how we join the domain via VPN.

On logon to the PC - we would have no domain connectivity, so would also presume we couldn't log onto the domain. Then we would need to log on, once the connectivity is up. How does this work?

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
Sorry, I have that wrong.

We can log on to the domain without connectivity to it, but then we can't access any of the servers on the VPN as it says "there are no servers available to authenticate your logon".

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
Hi Dan,

I'm not sure if you remember me or not, we spoke (briefly) a long time ago and I haven't been on since!!

See thread608-1057943 ...

Anyway, in answer to your questions before, I do use Netpilots regularly and have fairly regular (though not as much at the moment) dealings with Mike DaCova from Equiinet. How are you finding your Netpilots (apart from the issues, obviously :p )?

It is a very small world, I imagine we're both sitting in Ipswich right now, scary!!

What domain are you using, is it AD or NT?

Look forward to your reply, and hopefully chatting more in the near future.



Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
Michael,

The Netpilots I have really not been very happy with at all. They seem to regularly lock, and not allow us any access (other than via putty) - and generally find the configuration not detailed enough. Also there are quite a few missing features in my mind.

Also we had an external party install our NP+. We haven't really wanted to deal with them after the installation, and Equiinet refuse to support us direct (only through the reseller). It's really annoying.

In terms of what we use, we are using AD.

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
That is really spooky, we've kind of had the same problems (particularly where I used to work)....

We dealt with Total Solutions of Ipswich, they were ok but not really needed for support etc, and like you said Equiinet just don't want to know do they?! It's ridiculous.

Apparently the best company for Netpilot support (and I'm only told this) is "Kerridge" who are a big national company, supposedly very good.

Our Enterprise at Notcutts (last place of work) used to lock up about once every three days, they thought they'd fixed it on numerous occasions but to no avail, we ended up keeping the loan one they sent...

But then touch wood, we haven't had any problems like that at the college, we use an Enterprise for about 8 VPN links and it seems reliable.

Have you tried the 4.0.1 code out yet? It has a much better firewall that you can tweak apparently.

If you consider swapping out your NPs, a VERY good alternative are Juniper Netscreens....(they have more functionality but do the same things, and they even have the ADSL router built in)...

Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
If they are logging on as though on to the domain (in essence just without the ethernet plugged in) then when you connect you should in theory be able to access things.

There is some really ugly way that you can use the "Log on using dial-up networking" feature and have Safenet connect you before logging in, but it's a registry bodging exercise which I never wanted the pain of supporting when it went wrong....

Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
Ah.

See, I am getting "there are no servers available to authenticate your logon" kind of thing.

That seems odd. I don't know if it's the server not allowing externals to authenticate, or it's looking in the wrong place.

HMMMM....

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
Ahhh...of course hang on a second.

Static routes.

Have you provided a static route on the servers or the gateway so that they reply to the correct gateway? (I.e. Set a static route so that the server replies to the VPN gateway)...


Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
How would I go about that? Sorry, the networking stuff is not really my day job.

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
It depends, are these clients connecting via the Netpilot, road warrior tunnel?

Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
yes

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
Ok....

I am assuming that your Netpilot isn't the default gateway specified on your servers?

If not, you will need to associate the Netpilot as the "thing to contact" for your dial-up users.

Firstly, you need to work out the IP range from which they connect to your network, assuming they all use the same ISP this should be easy....

Once you know the range of addresses they are assigned from the ISP, in a command prompt on your DC(s) type the following:

route add 62.253.5.0 mask 255.255.255.0 10.10.10.100 -p

(62.253.5.0 = ISP range, 255.255.255.0 = subnet mask, 10.10.10.100 = Netpilot's address, and -p makes this permanent, so not lost on a reboot)

Once done, all this does is tell your server that if it needs to reply to 62.253.5.x then send the request to your Netpilot (10.10.10.100)...

Also changing your default gateway to the Netpilot does the same thing, but you can't always do this....

To remove the static route just type route delete 62.253.5.0.

(Obviously I've substituted 62.253... for whatever your ISP's range is, and 10.10.... for your Netpilot's INTERNAL address)



Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
"Once you know the range of addresses they are assigned from the ISP, in a command prompt on your DC(s) type the following:"

Ah, that makes sense. I will have to try and see if Wanadoo will give me their range?
If not, do you know any providers that will?

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
You should be able to work this out yourself fairly easily...

If you dial-up to Wanadoo, then run an IP config, you should see that you always get addresses assigned from a particular range, such as 60.123.0.0...

The third octet will most likely change on Wanadoo, as they're a huge ISP, but you can just add the route as 60.123.0.0 so it covers anything in the 60.123 range...

The alternative to this is to add a second gateway to your domain controller, which would be your Netpilot. I think it would need to be the first gateway though, so it is queried first, and then the next one second. This would prove or disprove quickly whether it will work and is a tidier solution come to think of it...

If you do need to dial-up to an ISP with a static IP range however, dial up to 0845 234 9890...this is a KeConnect number, and you just use any username/pass you like, it isn't authenticated....I'm sure their range is something like 62.253.51.0 then 52.0 etc so you could just add 62.253.0.0...

Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
 
Sorry to be thick - how do I add a second gateway to my domain controller?

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
If you right click on My network places/Network neighbourhood and select properties.

Then go in to the properties of your network connection...

Properties of TCPIP...

Then Advanced....

Under the IP settings tab you have a gateways section, you should have your standard default gateway listed here...

Press the Add button and type in the address of your netpilot, and make sure that the metric is set to "1".

The metric is basically the order in which each gateway is queried, so the Netpilot will be queried first...

Hit OK on all the properties pages, and then your servers will be querying the Netpilot first.

Also, you know your default gateway currently...what is it? Is it a connection out to the web, or a router etc?

Michael Firth
Network Infrastructure Officer

~If it's not broke, break it and LEARN~
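
The two options discussed in this thread (the static route on the DC, and the Netpilot as a second default gateway with metric 1) can be compared with a small route-selection model. This is an added example, not part of the original posts; the DC's existing default gateway 10.10.10.1, the metric values and the two sample client addresses are assumptions.

```python
import ipaddress

# Addresses: 10.10.10.100 (Netpilot) and 62.253.5.0/255.255.255.0 (ISP range)
# are the placeholders used in the thread. ASSUMED for illustration: the DC's
# existing default gateway 10.10.10.1, the metrics, and both sample clients.
DEFAULT_GW = "10.10.10.1"
NETPILOT = "10.10.10.100"


def route(network, gateway, metric=1):
    """One routing-table entry: (destination network, gateway, metric)."""
    return (ipaddress.ip_network(network), gateway, metric)


def next_hop(table, dst):
    """Gateway a reply to dst is handed to, or None if no route matches.

    Most specific (longest) matching prefix wins; among routes with the
    same prefix length the lowest metric wins.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    net, gateway, metric = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return gateway


BASE = [route("0.0.0.0/0", DEFAULT_GW, metric=10)]
# Option 1: route add 62.253.5.0 mask 255.255.255.0 10.10.10.100 -p
WITH_STATIC = BASE + [route("62.253.5.0/255.255.255.0", NETPILOT)]
# Option 2: Netpilot added as a second default gateway with metric 1
WITH_SECOND_GW = BASE + [route("0.0.0.0/0", NETPILOT, metric=1)]


def compare(vpn_client="62.253.5.20", other_host="198.51.100.7"):
    """Next hop for a VPN client and an unrelated host under each table."""
    tables = {"base": BASE, "static": WITH_STATIC, "second_gw": WITH_SECOND_GW}
    return {name: (next_hop(t, vpn_client), next_hop(t, other_host))
            for name, t in tables.items()}


if __name__ == "__main__":
    for name, (vpn, other) in compare().items():
        print(f"{name:10} VPN client -> {vpn:13} other host -> {other}")
```

In this model the static route sends only replies to the VPN client range through the Netpilot, while the second gateway at metric 1 sends every off-subnet reply through it.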
 
Oh - doh. I see what you mean now - I was still thinking of on our DC. I see what you mean.

I will give it a go in a bit.

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 