Strategies to use if VPN clients cannot access resources on a VPN server that has one network adapter (217766)

INTRODUCTION

In certain situations, virtual private networking (VPN) clients may not be able access resources on a Microsoft Windows-based VPN server if the resources that you want to access are stored on a VPN server, and the server only has one network adapter. This article describes two strategies that you can use to configure a VPN server that is running Microsoft Windows Server 2003, Microsoft Windows 2000, or Microsoft Windows NT 4.0 so that VPN clients can gain access to NetBIOS resources across a Point-to-Point Tunneling Protocol (PPTP) VPN tunnel or a Layer 2 Tunneling Protocol (L2TP) VPN tunnel.

MORE INFORMATION

When a Windows-based VPN server has only one network adapter, VPN clients may not be able to access resources on the VPN server in certain situations. Typically, VPN clients may experience this issue if the VPN connection is made to the actual IP address of the VPN server. The following is an example of a scenario that demonstrates this issue:

The network adapter on a VPN server is connected to the Internet and the network adapter is assigned an IP address of 157.57.2.5.
The VPN client connects to the VPN server at 157.57.2.5 by using either PPTP or L2TP.

In this situation, you may not be able to ping the server or view or open shared folders on the server. This issue occurs because of the way that the routing table on a VPN client is processed after a VPN connection is made to the VPN server.

Strategies to gain access to a VPN server that has one network adapter

Strategy 1: Publish the VPN server behind a firewall

When you publish the VPN server behind a firewall, the VPN client can make a VPN connection to the public IP address of the firewall. However, when the VPN client tries to access resources on the internal network that is behind the firewall, the VPN client will try to access the private IP address of the VPN server instead of the IP address that the VPN client used to make the VPN connection.

For example, if the public IP address of the firewall is 157.57.5.5, the VPN client can make a VPN connection to that IP address. However, if the VPN client wants to access resources on the VPN server that is behind the firewall, the VPN client connects to the server at 10.10.0.5 or at 192.168.1.3 instead of at 157.57.5.5.

Strategy 2: Install a second network card and make the VPN server an edge server

Most of the documentation that discusses the configuration and administration of Microsoft Windows-based VPN servers assumes that you have a VPN server that has two network adapters. If you configure the VPN server so that the second network adapter is connected to the private LAN and the other network adapter is connected to the Internet and uses a public IP address, you let VPN clients to communicate to the IP address that is assigned to the network adapter on the private LAN. VPN clients can access resources on the VPN server.

Note Adding a second IP address to the network adapter on a VPN server that has only one network adapter is not the same thing as adding a second network adapter. NETBIOS binds only to the first IP address that is assigned to a network interface. Therefore, adding a second IP address to the network adapter does not resolve the issue.

REFERENCES

For additional information about how to configure a Virtual Private Networking in Windows Server 2003 and Windows 2000, click the following article numbers to view the articles in the Microsoft Knowledge Base:

323441 How to install and configure a virtual private network server in Windows Server 2003

810761 White papers: Microsoft VPN white papers

818754 White Paper: Virtual Private Networking with Windows Server 2003: Overview

818751 White Paper: Virtual Private Networking with Windows Server 2003: Interoperability

810761 White papers: Microsoft VPN white papers