Tag Archives: Network

RDP -> Gateway -> VPN -> Corporate

One of the frustrating things about VPN is that it kills active RDP sessions on the client once the VPN connection is established.  Sure, this isn’t the typical approach in the use of VPN and RDP, but in my case I wanted to RDP to a single machine at home that itself has a VPN connection to a secured network.  I found the answer on Google Groups, and decided to repost here for my own reference:

The scenario is as follows:

 Home Computer –> RDP Office Computer
 Office Computer –> VPN –> Corporate Headquarters

 XP pro is running on both home and office computer.

 Office Computer is a stand-alone computer.  (No Domain Controller; Static IP
 on Broadband Connection)

 Connecting through RDP to Office works fine.

 From office computer VPN connection to Corporate works fine from the office.

 What is trying to be achieved is having VPN connect once an RDP session is
 established.
 Home Computer –> RDP Office Computer –> VPN –> Corporate Headquarters

Solution is straightforward for those wanting to know.

On the office Machine to be connected via VPN to the corporate Network:

Create a VPN connection to the corporate network.  Under the properties for
this connection, select the General tab.  Select TCP/IP properties; Select
advanced options.  Under the General tab remove the check mark in front of
“Use Default Gateway on Remote Network.”

This will allow for the VPN connection to be established without crashing
the session.  One can now run scripts mapping network drives.  

For applications needing to connect to a server one final step needs to be
completed and that is modification of the Host file.  In this case there were
two servers I needed to connect to; Exchange and a Corporate Database.  In
the host file I entered the server FQDN and IP address.
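
Why that one checkbox decides whether the RDP session survives, as an added example that is not part of the original post or the quoted Google Groups answer: it models route selection (longest prefix, then lowest metric) over two routing tables. All addresses, metrics and the 10.0.0.0/8 corporate range are constructed assumptions.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges and 10/8); not from the post.
HOME_PC = "192.0.2.50"        # RDP client at home
VPN_SERVER = "198.51.100.10"  # corporate VPN endpoint
CORP_SERVER = "10.1.2.3"      # e.g. the Exchange server behind the VPN

# Routes both states share: (destination, interface, metric).
BASE = [
    ("203.0.113.0/24", "broadband", 20),    # office LAN segment
    (VPN_SERVER + "/32", "broadband", 20),  # host route that carries the tunnel itself
]
# Box checked: the VPN adds a better-metric default route; the old one is demoted.
GATEWAY_CHECKED = BASE + [("0.0.0.0/0", "broadband", 21), ("0.0.0.0/0", "vpn", 1)]
# Box unchecked: only the classful network of the VPN-assigned address goes to the VPN.
GATEWAY_UNCHECKED = BASE + [("0.0.0.0/0", "broadband", 20), ("10.0.0.0/8", "vpn", 1)]


def egress_interface(table, destination):
    """Pick the route as the IP stack does: longest prefix first, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [
        (ipaddress.ip_network(net), iface, metric)
        for net, iface, metric in table
        if dst in ipaddress.ip_network(net)
    ]
    if not matches:
        raise LookupError("no route to " + destination)
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def summarize(table):
    """Return where RDP replies, corporate traffic and the tunnel packets leave."""
    return {
        "rdp_reply": egress_interface(table, HOME_PC),
        "corporate": egress_interface(table, CORP_SERVER),
        "tunnel": egress_interface(table, VPN_SERVER),
    }


if __name__ == "__main__":
    for name, table in (("checked", GATEWAY_CHECKED), ("unchecked", GATEWAY_UNCHECKED)):
        print(name, summarize(table))
```

With the box unchecked the office computer is attached to the internet and to the corporate network at the same time, so its internet traffic does not pass through whatever filtering the corporate gateway applies.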


Curiosity killed the Network

Secure Network Technologies Inc is a company responsible for providing many business related security services.  One of those services includes security auditing of participating organizations.  I had to laugh as I read a report submitted to Dark Reading, by Steve Stasiukonis, in which SNTI infiltrated a credit union by scattering USB drives containing Trojan software in the parking lot for employees to find.

I made my way to the credit union at about 6 a.m. to
make sure no employees saw us. I then proceeded to scatter the drives
in the parking lot, smoking areas, and other areas employees
frequented.

Once I seeded the USB drives, I decided to grab some coffee and
watch the employees show up for work. Surveillance of the facility was
worth the time involved. It was really amusing to watch the reaction of
the employees who found a USB drive. You know they plugged them into
their computers the minute they got to their desks.

The credit union probably utilizes all sorts of expensive security mechanisms, only to be infected by a pure disregard for security by curious employees. 

Now I know why the federal government makes their employees participate in countless security briefings – at least if you infect their computer network you cannot say you didn’t know, and they can nail you to the wall for it.

http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1

Active Directory, Domain Controller and DNS

Anyone who has ever installed Exchange Server 2000 on a Windows 2000 Domain Controller will tell you that it can be a real pain in the rump when something goes wrong.  You see, the SMTP service, Exchange services, DNS service and Active Directory services are all intertwined like grandma’s spaghetti on your dinner plate (sans the tomato sauce). God forbid that any one of them should go out to lunch one day, and the whole server comes crashing down to its knees. 

I happened to find out yesterday that none of my outgoing mails were leaving the Exchange outbound message queues.  After taking a quick peek at the event log I saw a long list of red messages – Event ID 5774 Net Logon DNS failed access errors.  Somehow, my DNS forward lookup zones were messed up, and Active Directory was in a tizzy over it.  This caused Exchange to sulk and thus no mail was leaving the server. Naturally, I checked Google and found an article about reinstalling DNS zones in Active Directory (link). 

I do not confess to being an AD nor an Exchange 2000 guru, so I followed the instructions as best as I could, and eventually fixed my problem (well it at least appears that way for now).  Below is a synopsis of the steps I followed.  Be sure that you know what you’re doing before following these instructions; they worked for me, but not every situation is the same and there is a possibility that you might toast your server.  If possible, back up the server first. Also, I only tried these steps on a Windows 2000 server domain controller with Exchange 2000 on the same box – there is no saying how these steps will behave in a different configuration.

Haven’t scared you off? Good, here we go…

1. Open up Administrative Tools in the Control panel (If I’ve lost you already then I would suggest calling in an expert).
2. Double click the DNS applet to view the currently installed forward lookup zones and reverse lookup zones.
3. Right click each zone, click properties and change Active Directory zone types to “Standard Primary”.
    (Before making any changes, make a note of the zone settings for later.)
4. Double click the services applet, find the DNS Server service and stop it.
5. Stop the Net Logon service too.
6. In %SystemRoot%\System32\DNS remove the “.dns” files corresponding to the zones you just changed in step #3.
7. Double click the Active Directory Users and Computers applet.
8. Click the view menu and make sure that Advanced Features is checked.
9. In the treeview on the left navigate to System\MicrosoftDNS.
10. Remove the zones (note: ignore the scary dialog about removing entries from Exchange if you have Exchange installed, it didn’t seem to break anything).
11. Remove the zones from the DNS server applet.
12. From a command prompt execute ipconfig /flushdns.

The article I read mentioned removing and reinstalling the DNS server service at one point, which cannot hurt (unless you have custom configured your DNS entries).  I’ll not document these steps because if you’ve got this far then you should know how to do this already.  The DNS service can be uninstalled from “Add/Remove Windows Components” in the control panel.

12. With a fresh install of the DNS server continue with the following steps.
13. Make sure the DHCP client is running.
14. Remove all DNS IP addresses from the active network TCP/IP settings, and set the main DNS server address to the IP address of this domain controller.

NOTE : The Dynamic Host Configuration Protocol (DHCP) client service needs to be running on each of these computers to register the records in Dynamic DNS. It is not relevant if the computer is a DHCP client or not. You must have this service set to “start” and the “Start up” type set to “automatic.” The DHCP client service is what registers records in Dynamic DNS. (Refer to the description in the Computer Management snap-in.) – Yes this one perplexed me at first, but it seems to make sense.

15. If not already started, start the DNS Server service and Net Logon service.
16. Open the DNS server applet again and add the forward zones and reverse zones back from step #3, their type should be AD integrated.
17. From the command line execute ipconfig /flushdns followed by ipconfig /registerdns.
18. Make sure that you can still access the Active Directory Users and Computers applet.
19. Reboot the server for kicks, and all may be good again.

After I had completed the above I no longer received Net Logon errors, and pending mail in the Exchange SMTP queues started to leave the server.  I’ll check back in a few hours to see if I see any more problems listed in the event log, but for now the outlook appears sunny.