Topic: connecting shares thru VPN

[jysse]

Hi,

My client is using a dedicated firewall box with possibility to use VPN. Sme Server is in local network with ip 192.168.1.3 and server only mode.
VPN connection goes ok and client gets it's ip between 10.10.10.20-10.10.10.200, subnet mask 255.255.255.255 and gateway is same as client's ip.
How can enable connection to server's shares ?
If I understood it ok you can add a local network from Sme's server-manager but I'm not sure about settings there. What shall add to network address (10.10.10.0 ?), subnet mask and router ?
I did not quite get it when trying to understand this...Maybe somebody can help me with this ?

Thanks, Jysse

[mmccarn]

When adding a 'local network':

Network address is the address of the network you are adding (10.10.10.0 in your case)

Subnet mask is the subnet mask of the network you are adding (usually 255.255.255.0)

Router is the address of the device that knows how to get traffic to the specified network - probably the network firewall/vpn device in your case. 

That is, if a packet arrives at your SME server addressed to 10.10.10.x, where is the SME supposed to send it? 

In a 'server only' configuration, this is likely to be the same as the default gateway.

Many firewall devices also want you to configure a separate set of access rules to control traffic between the VPN and the LAN - you may want to do some testing by trying to use the VPN to access a share on a windows box on the LAN just to make sure the firewall is behaving as you expect before putting lots of time into your SME configuration.

[jysse]

Thanks for the info !

However I got some more details about this. At this moment when client connects thru VPN ( and get an ip 10.10.10.x) server answers to ping command.
It is also possible to connect with ssh to the server. And this works without adding "local networks" in server manager. Only problem is that shares can't be mapped at all.
Is this a firewall problem ? If so, could you tell me how to change settings concerning this ?
I will try to read more from wiki but I'm afraid this kind of changes might be difficult for me.
Silliest thing in this matter is that I can't test it myself... There are changes in company's ownership which causes this.

jysse

[mercyh]

If you can go to http://your.servers.ip.address/server-manager in a browser and login through the vpn connection, your network has been added correctly.

Sme will only allow server-manager to be accessed from a network that has been added as local.

Once you get the above working you can start working with the network shares. If you are accustom to browsing for the the computer name in network neighborhood and then clicking on it to find the shares, you will probably find that this will not work over VPN as in most cases it is difficult to get wins data to propagate correctly across the tunnel. This should not stop you from mapping shares. In Windows XP you should be able to go to Start-Run and type in \\your.server.ip.address\ hit enter and get the login box for your server user name. After supplying correct credentials you should see the shares on the server.

[jysse]

Hello,

If I understood it correctly from mercyh's answer there are no specific firewall rules that will prevent mapping shares ? And it has nothing to do with server-manager's "local networks" ? In other words if I correctly add local networks it will open server-manager pages for me but mapping shares should work in any case.

Further testing was done and result from \\server-ip\ command was "Network path not found". Same thing if tried with a full share name like \\server-ip\share
At the same time it is ok to ping server or connect with ssh.

Any ideas what to try next ?

Thanks ,

jysse

[jysse]

...and about this VPN. It's done with Clavister firewall.

jysse

[mercyh]

I am sorry I did not make myself clear.

You will NOT be able to map shares until you have your network added in local networks in server manager. Until you are able to login to server manager from the VPNed subnet there is no reason to even try mapping shares. Logging into server-manager is the test that will tell you if you have the local network added correctly. Once this is done you can start working with shares.

[Stefano]

jysse: is SME the dns server for the remote lan?
what kind of vpn are we talking about? if pptp AND SME is the dns server, modify connection parameter adding SME's private ip as dns..

[mercyh]

Stefano,

did you notice this?

...and about this VPN. It's done with Clavister firewall.

jysse

[Stefano]

mercyh, yes, I read it, but I don't know what kind of vpn clavister permit..

in any case, even if a custom client sw is required, I'm pretty sure that an internal dns server can be used.

[mercyh]

I guess your right, I had interpreted this to mean that the VPN terminated on the "clavister firewall", however it could just as well be a passthrough VPN to the SME server.

There is a good possibility that if the SME is managing the dns on it's subnet and he sets it as his dns server when he is connected to the VPN, he will be able to browse that subnet. I have found that it does not always work though and that does not necessarily mean that the connection cannot be made to the server share.

[CharlieBrady]

...and about this VPN. It's done with Clavister firewall.

Then you should ask your questions of the admin of the Clavister firewall. From the SME server's point of view, your client should be just another system on the local network.

[CharlieBrady]

VPN connection goes ok and client gets it's ip between 10.10.10.20-10.10.10.200, subnet mask 255.255.255.255 and gateway is same as client's ip.

The netmask appears wrong.

If I understood it ok you can add a local network from Sme's server-manager but I'm not sure about settings there. What shall add to network address (10.10.10.0 ?), subnet mask and router ?

mmccarn's answers seem right to me.

You will also  probably need to modify the client system configuration after VPN is connected so that 192.168.1.x network is routed via the VPN. That would happen, e.g. if default route is passed via the VPN.

[jysse]

Thanks guys for directing for the right direction !

I am not familiar with Clavister but at this moment I think that it's passthrue VPN.

Also we can reach shares now   

mercyh's suggestion was right.

- add network to server-manager's local networks
- test http://server/server-manager
- try to map a share

jysse