Koozali.org: home of the SME Server

Logging into Domain via PPTP

Mark Farey

Logging into Domain via PPTP
« on: January 09, 2003, 06:27:34 PM »
I have set up my e-smith server as a PPTP gateway and can connect from outside using Windows. However, I am unable to join a domain. The Domain Server is not the e-smith box (192.168.1.1 internal IP) but another system on the internal network (192.168.1.2). Any pointers please?

Mark
Ottawa, Canada.

Gabriel Requito

Re: Logging into Domain via PPTP
« Reply #1 on: January 09, 2003, 06:44:20 PM »
Hi Mark,

   From my understanding you won't be able to join the domain in the other machine, unless you access the other machine directly.
   You aren't very clear about your system, but I'm assuming that your SME box is doing Server/Gateway to the internet and that the other machine is a W2K Server. What you can do is use port-forwarding in your SME box to redirect the traffic on your public NIC to your W2K Server local IP. The port you must forward is 1723.
   Hope this helped. Contact again if my supposing is not right.

   Cheers

   Gabriel

Mark Farey

Re: Logging into Domain via PPTP
« Reply #2 on: January 09, 2003, 07:06:42 PM »
Hi Gabriel

   From my understanding you won't be able to join the domain in the other
machine, unless you access the other machine directly.
   You aren't very clear about your system, but I'm assuming that your SME
box is doing Server/Gateway to the internet and that the other machine is a
W2K Server.

> Yes, that is exactly right

What you can do is use port-forwarding in your SME box to
redirect the traffic on your public NIC to your W2K Server local IP. The port
you must forward is 1723.

> I type:
> /sbin/e-smith/db configuration setprop masq TCPForwards 1723,192.168.1.2
> /sbin/e-smith/signal-event remoteaccess-update
> Is that correct?
> Should I then be able to join the domain through the System Properties control panel?
> Any security risks?

   Hope this helped. Contact again if my supposing is not right.

> Many thanks!
> Mark.

Gabriel Requito

Re: Logging into Domain via PPTP
« Reply #3 on: January 09, 2003, 07:27:03 PM »
Hi Mark,

   I'm not using port-forwarding on my SME box, because I have a software router doing that, but if you search the forum for port-forwarding there are many posts about it. I know that there is a contributed program that will install an extra line in your server-manager that you can use to easily configure port-forwarding in it.
   About the security, it depends on the security level of your W2K Server. But I also think that it is preferable to have the W2K Server in your local LAN with only one port forwarded to it, than having it directly connected to the internet.
   You'll have to configure your W2K Server to accept remote access in START MENU - ADMINISTRATIVE TOOLS - ROUTING AND REMOTE ACCESS and follow the wizard.

   Cheers,

   Gabriel

Bill Talcott

Re: Logging into Domain via PPTP
« Reply #4 on: January 09, 2003, 07:41:14 PM »
I have an SME acting as a gateway/mail/web server for our LAN. We also have an NT4 PDC on the LAN. I assure you that you can log onto a domain via PPTP through the SME.

Are you using the PDC for most functions, and the SME for internet stuff, as I am?

Mark Farey

Re: Logging into Domain via PPTP
« Reply #5 on: January 09, 2003, 08:21:14 PM »
Yes, that's exactly my situation except the PDC is running on a Win 2K server. When I attempt to join a domain I get an error message saying that no Domain Server is available.

It was suggested that I open port 1723. Did you not find that necessary?

Regards,
Mark

Gabriel Requito

Re: Logging into Domain via PPTP
« Reply #6 on: January 09, 2003, 08:45:54 PM »
Hi Mark,

   If your W2K Server is only for your domain controller and all the other services are running at the SME box, why don't you promote your SME box and quit the W2K Server?

   Cheers

   Gabriel

Mark Farey

Re: Logging into Domain via PPTP
« Reply #7 on: January 09, 2003, 09:11:07 PM »
The Win 2K box is a lot more than just a Domain Server and I need to access a variety of Windows-based services there and elsewhere within the domain (e.g. Terminal Services). The e-smith box is just my Internet gateway.

Bill Talcott

Re: Logging into Domain via PPTP
« Reply #8 on: January 09, 2003, 10:42:02 PM »
It sounds like we have very similar situations. We had an NT domain on our LAN performing a variety of functions, and added the SME for internet stuff once broadband became available.

I made absolutely no changes on the NT4 server, other than reserving a block out of the DHCP range for PPTP connections (so that the PDC didn't assign an IP that was in use for PPTP).

The SME takes the specified number of PPTP clients (in Server Manager) and statically assigns that many IPs from the top of the DHCP range for PPTP connections. If you're using the PDC for DHCP, you'll need to set the SME to use the same DHCP range. The easiest way I found is to run the config and enable it, change the settings, then run config again and disable it. I set the SME to use the exact same range of IPs as the PDC, but you could do a subset of that as well. If you specify 192.168.1.100 through 192.168.1.199 with 10 PPTP connections, it will use 192.168.1.190-192.168.1.199 for PPTP (in which case you might as well just use 192.168.1.190-192.168.1.199 as the entire DHCP range). You'll want to reserve this out of the PDC's DHCP range, so it doesn't try to give those IPs to anything else.

You'll also want to specify the PDC to the SME if you're using it as a WINS server.
# /sbin/e-smith/db configuration setprop smb WINSServer 192.168.20.1
# /sbin/e-smith/expand-template /etc/smb.conf
# service smb restart

The PPTP client should now get an IP just like plugging another PC into the LAN. If you have the client specified to "logon to network" in the PPTP connection, it should give you a domain logon just like any other LAN PC would. Basically, the PDC shouldn't be able to tell the difference between LAN and PPTP clients...

This works on an NT4 domain. I assume it'd work exactly the same on a Win2k PDC. I think I recall reading that Active Directory requires other stuff, and won't work over the PPTP connection.
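The address arithmetic in the post above, as an added example (editor's code, not from any post in this thread and not SME Server's own code): given the DHCP range configured on the SME box and the number of PPTP clients, it works out which addresses SME takes from the top of the range for PPTP, and then checks that the PDC's DHCP exclusion actually covers that block, which is the conflict the post warns about. It assumes the whole range sits in one /24 and that the exclusion is given as a start and end address.

```shell
#!/bin/sh
# Added example, not from the thread: compute the PPTP block that SME Server
# carves off the top of its DHCP range (as described in the post) and check
# that the PDC's DHCP exclusion covers it. Assumes one /24 for the range.

last_octet() { echo "${1##*.}"; }
prefix()     { echo "${1%.*}"; }

# pptp_pool START END COUNT -> prints "first-last" of the PPTP block
pptp_pool() {
    start=$1; end=$2; count=$3
    s=$(last_octet "$start"); e=$(last_octet "$end")
    p=$(prefix "$start")
    [ "$(prefix "$end")" = "$p" ] || { echo "range must be in one /24" >&2; return 2; }
    size=$((e - s + 1))
    [ "$count" -le "$size" ] || { echo "count $count exceeds range of $size" >&2; return 2; }
    # SME assigns the highest COUNT addresses of the range to PPTP clients
    first=$((e - count + 1))
    echo "$p.$first-$p.$e"
}

# excluded_on_pdc POOL EXCL_START EXCL_END -> 0 if the whole PPTP block lies
# inside the PDC's DHCP exclusion range, 1 if any of it could still be leased
excluded_on_pdc() {
    pool=$1; xs=$(last_octet "$2"); xe=$(last_octet "$3")
    pf=$(last_octet "${pool%-*}"); pl=$(last_octet "${pool#*-}")
    [ "$(prefix "${pool%-*}")" = "$(prefix "$2")" ] || return 1
    [ "$pf" -ge "$xs" ] && [ "$pl" -le "$xe" ]
}

# Usage with the numbers from the post:
#   pptp_pool 192.168.1.100 192.168.1.199 10
#   excluded_on_pdc "$(pptp_pool 192.168.1.100 192.168.1.199 10)" 192.168.1.190 192.168.1.199 && echo ok
```

If the second check fails, the PDC can still hand one of the PPTP addresses to a LAN machine and the VPN client will collide with it; widen the exclusion on the PDC (or shrink the SME range) until the check passes.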

Mark Farey

Re: Logging into Domain via PPTP
« Reply #9 on: January 10, 2003, 12:16:31 AM »
Bill,

Many thanks for a clear and comprehensive reply. I liked everything I read until the final comment about Active Directory not working over PPTP. Too bad. I poked around on the MS website and it seems it might be made to work but you have to open a variety of ports and change other settings on the server.

Thanks again,
Mark.

Bill Talcott

Re: Logging into Domain via PPTP
« Reply #10 on: January 10, 2003, 01:27:59 AM »
I'm honestly not sure if AD works or not. I thought I read a post here that it didn't work over PPTP, and maybe the MS stuff you read confirmed that. I don't know much about the technical side of PPTP to know what will and won't pass over it. Essentially though, to anything that can be passed over the PPTP connection, the remote client looks exactly like a LAN client.

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20170816.html came up in a Google search. Looks like with AD you're validating against the PPTP server only, as opposed to NT4 and validating against the domain directly. Looks like you might have to forward the VPN requests to the AD controller. I posted a question here a while back asking how to forward GRE so that I could use the NT4 PDC for PPTP, when I couldn't get it to work through the SME. That should get you set up to have the AD controller do the PPTP, and thus the validating...
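Both the "forward port 1723" suggestion earlier in the thread and the GRE forwarding mentioned in the last post come down to the same thing, so here is one added example (editor's code, not from any post and not SME Server's template-managed firewall): PPTP needs TCP/1723 for the control connection and IP protocol 47 (GRE) for the tunnel itself, so forwarding 1723 alone leaves the client stuck after authentication. The function emits the netfilter rules a Linux gateway would need to pass both to an internal PPTP server; interface names and the server address are assumptions. On SME the firewall is generated from templates, so rules added by hand like this are only an illustration of what the forward must include, and note that forwarding 1723 to an internal box means the SME's own PPTP service on that port is no longer reachable from outside.

```shell
#!/bin/sh
# Added example, not from the thread or the SME Server project: rules a Linux
# gateway needs so an external PPTP client reaches an internal PPTP server.
# PPTP = TCP/1723 (control) + GRE, IP protocol 47 (tunnel). Both must pass.
# WAN_IF, LAN_IF and the server address are assumptions.

# pptp_forward_rules WAN_IF LAN_IF PPTP_SERVER -> prints iptables commands
pptp_forward_rules() {
    wan=$1; lan=$2; srv=$3
    case "$srv" in
        *.*.*.*) ;;
        *) echo "bad server address: $srv" >&2; return 2 ;;
    esac
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan -p tcp --dport 1723 -j DNAT --to-destination $srv
iptables -t nat -A PREROUTING -i $wan -p 47 -j DNAT --to-destination $srv
iptables -A FORWARD -i $wan -o $lan -p tcp -d $srv --dport 1723 -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -p 47 -d $srv -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p tcp -s $srv --sport 1723 -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -p 47 -s $srv -j ACCEPT
EOF
}

# rules_cover_pptp RULES -> 0 only if the rule text forwards BOTH TCP/1723
# and GRE; a rule set with only 1723 is the classic half-working forward
rules_cover_pptp() {
    printf '%s\n' "$1" | grep -q -- '--dport 1723' || return 1
    printf '%s\n' "$1" | grep -q -- '-p 47' || return 1
    return 0
}

# Preview, then apply as root:  pptp_forward_rules eth1 eth0 192.168.1.2 | sh
```

The two PREROUTING lines do the redirect; the FORWARD lines let the traffic through in both directions even on a gateway without GRE connection tracking. The checker is there for the failure mode this thread circles around: a forward that only covers TCP/1723 lets the client authenticate and then hang.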