Microsoft KB Archive/247247

= Troubleshooting Steps for DOD Over RRAS with Proxy Server =

PSS ID Number: 247247

Article Last Modified on 12/17/2003

-

The information in this article applies to:


 * Microsoft Windows NT Server, Enterprise Edition 4.0
 * Microsoft Windows NT Server, Enterprise Edition 4.0 SP4
 * Microsoft Windows NT Server, Enterprise Edition 4.0 SP5
 * Microsoft Windows NT Server, Enterprise Edition 4.0 SP6
 * Microsoft Windows NT Server, Enterprise Edition 4.0 SP6a
 * Microsoft Proxy Server 2.0

-



This article was previously published under Q247247



SUMMARY
This article describes some basic troubleshooting steps for users who do not have previous experience with Microsoft Routing and Remote Access Service (RRAS) and Microsoft Proxy Server.



MORE INFORMATION
These troubleshooting steps can help you if you are having problems getting Dial on Demand (DOD) to work over RRAS with Proxy Server on the same computer, and can assist you in finding most major problems (or at least help in ruling out the most common causes).

To verify basic connectivity, you can check the following items for RRAS issues.

Internet Protocol (IP) Forwarding
To verify that IP forwarding is enabled on both RRAS servers:
 * 1) Click Start, point to Settings, click Control Panel, and then double-click Network.
 * 2) Click Protocols, click Properties, and then click Routing.
 * 3) Make sure that the Enable IP Forwarding check box is selected.
 * 4) Click OK, and then click Close.
 * 5) Restart the computer.

Routing
You only need to have one default gateway on the computer that is connected to the Internet. On each of your wide area network (WAN) interfaces, only two routes are required. To check this configuration:

 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and RAS Admin.
 * 2) Double-click IP Routing, right-click Static Routes, and then click View IP routing table.
 * 3) Verify that your default gateway is set for the interface connecting to the Internet. If this route is not listed in the IP routing table dialog box, add the route using the following steps:
 ** a) Right-click Static Routes, and then click Add Static Route.
 ** b) Type the appropriate values for your default gateway in the Destination, Network Mask, and Gateway boxes.
 ** c) Select the interface for your network card that is connected to the Internet, and then click OK.
 * 4) Verify that a route exists in the IP routing table dialog box with a path to the other network segment that you want to communicate with the Internet. If this route does not exist, add the route using the following steps:
 ** a) Right-click Static Routes, and then click Add Static Route.
 ** b) Type the appropriate values for the network segment in the Destination, Network Mask, and Gateway boxes.
 ** c) Select the interface for your network card that is connected to the network segment (this may include multiple DOD virtual private networking connections), and then click OK.

NOTE: You need to delete any other routes that exist.

Credentials
To set up an easy-to-understand configuration for your virtual private networking (VPN) DOD interface on both RRAS servers, create duplicate users with the same name in User Manager for Domains for the interface on both WAN segments. When each side connects, make sure it is authenticating with the correct credentials (using the correct domain if the interface has the same name). If this does not work, you can create a new VPN dial-up connection. For example, on segment A, name your user and DOD interface "DOD," and on segment B, name the user and DOD interface "DOD."

Access Control
Disable access control on the Web Proxy and Winsock Proxy services if possible. If you are having a problem with access control, verify that all Web Proxy users have local logon permissions and make sure all Winsock proxy users are logged on to a trusted domain.

More Access Control
Verify the authentication methods (if any) that are enabled in the WWW service. To do this:
 * 1) Click Start, point to Programs, point to Administrative Tools, point to Microsoft Proxy Server, and then click Microsoft Management Console.
 * 2) Double-click Internet Information Server, double-click the server name you want to check, right-click Default Web Site, and then click Properties.
 * 3) Click Directory Security, and then click Edit to view the current authentication settings.

Packet Filtering
If packet filtering is enabled, be sure to disable this function when performing your troubleshooting tasks. If packet filtering must remain enabled, make sure dynamic packet filtering is enabled. To disable packet filtering:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and RAS Admin.
 * 2) Double-click IP Routing, click Summary, right-click the interface on which you want to disable packet filtering, click Configure IP parameters, and then click to clear the Enable packet filtering check box.

If Packet Filtering is not enabled on the Proxy server which has RRAS running, then it should be enabled and the following two predefined filters need to be added:

PPTP Call

PPTP Receive

In addition to these two filters, make sure that dynamic packet filtering is enabled so that none of the clients behind the Proxy server have any issues accessing the Internet through the Proxy server.

Local Address Table (LAT)
The LAT should contain all internal TCP/IP addresses; it should not contain any external Internet addresses. If you make changes to the LAT, refresh the proxy clients' configuration. To check the LAT:
 * 1) Click Start, point to Programs, point to Administrative Tools, point to Microsoft Proxy Server, and then click Microsoft Management Console.
 * 2) Right-click Web Proxy, click Properties, and then click Local Address Table.
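
The LAT rule above (every internal address present, no external address present) can also be checked offline against a list of the subnets you know to be internal. The following is an added example, not part of the original article or of Proxy Server itself; the one-range-per-line "start end" input layout, the function names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_lat(text):
    """Parse 'start end' IPv4 pairs, one range per line (assumed layout)."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        start, end = (ipaddress.IPv4Address(p) for p in line.split())
        if start > end:
            raise ValueError("range start is above range end: " + line)
        ranges.append((start, end))
    return ranges

def _uncovered(net, others):
    """Return the parts of net that no network in others covers."""
    remaining = [net]
    for other in others:
        kept = []
        for r in remaining:
            if r.subnet_of(other):        # fully covered, drop it
                continue
            if other.subnet_of(r):        # partly covered, keep the rest
                kept.extend(r.address_exclude(other))
            else:                         # CIDR blocks nest or are disjoint
                kept.append(r)
        remaining = kept
    return remaining

def audit_lat(lat_ranges, internal_cidrs):
    """Return (external_in_lat, internal_missing) as sorted CIDR strings."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    lat = [n for s, e in lat_ranges
           for n in ipaddress.summarize_address_range(s, e)]
    external = [p for n in lat for p in _uncovered(n, internal)]
    missing = [p for n in internal for p in _uncovered(n, lat)]
    tidy = lambda nets: [str(n) for n in
                         sorted(ipaddress.collapse_addresses(nets))]
    return tidy(external), tidy(missing)

# Constructed sample: two internal segments and a LAT that covers only half
# of the second segment and also lists a range that is not internal.
SAMPLE_LAT = """\
120.120.100.0 120.120.100.255
120.120.120.0 120.120.120.127
198.51.100.0  198.51.100.255   # not an internal segment
"""
INTERNAL = ["120.120.100.0/24", "120.120.120.0/24"]

if __name__ == "__main__":
    external, missing = audit_lat(parse_lat(SAMPLE_LAT), INTERNAL)
    print("In LAT but not internal:", external)
    print("Internal but not in LAT:", missing)
```

Any range in the first list should be removed from the LAT and any range in the second list added to it, after which the proxy clients' configuration must be refreshed as described above.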

Trusts
Verify that any trust using a DOD, VPN, or other dial-up connection is still valid. If a connection is lost for more than 15 minutes, the trust may be broken. Make sure that someone with Administrator rights at each site knows how to re-create a broken trust. RRAS is not a recommended environment for maintaining a trust relationship.

Browsing Over RRAS
You can check the following items when you are attempting to troubleshoot RRAS browsing issues:
 * Check the load order of the services running on the computer. For information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:

183537 Coexistence of RRAS, Internet Explorer, Option Pack, and Proxy

 * Verify the entries in the Lmhosts file for all network segments and add #DOM entries for both sides of the WAN. For additional information about this subject, click the article numbers below to view the articles in the Microsoft Knowledge Base:

180094 How to Write an LMHOSTS File for Domain Validation

150800 Domain Browsing with TCP/IP and LMHOSTS Files

If the problem persists after you verify the above information, use the nbtstat -r and nbtstat -c commands to display the NetBIOS Remote Cache Name Table. The output you receive looks similar to the following example:
<pre class="fixed_text">
Node IpAddress: [120.120.100.1] Scope Id: []

            NetBIOS Remote Cache Name Table

Name              Type        Host Address      Life [sec]
------------------------------------------------------------
Program     <00>  UNIQUE      120.120.100.10      420
Domain.com  <1E>  GROUP       0.0.0.0             480
Domain.com  <1B>  UNIQUE      120.120.100.242     480
Domain.com  <1C>  UNIQUE      120.120.120.1       -1
Domain.com  <1B>  UNIQUE      120.120.120.1       -1
Domain      <03>  UNIQUE      120.120.120.1       -1
Domain      <00>  UNIQUE      120.120.120.1       -1
Domain      <20>  UNIQUE      120.120.120.1       -1
</pre>

Note the two
 * 1) Click Start, point to Settings, click Control Panel, double-click Network, and then click Bindings.
 * 2) In the Show Bindings for box, click all protocols.
 * 3) Double-click WINS Client(TCP/IP), click the first Remote Access WAN Wrapper entry, and then click Disable. Repeat this process for all Remote Access WAN wrapper entries.

Dial-Up Permissions
In User Manager for Domains, verify that each RRAS DOD account has the correct permissions on both network segments. To do this:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
 * 2) Double-click the account you want to verify, click Dialin, click Grant dialin permission to user (if necessary), and then click OK.

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

177335 How to Create a Demand Dial PPTP Interface

178993 How to Use Static Routes with Routing and Remote Access Service

Keywords: kbinfo kbinterop kbnetwork KB247247

Technology: kbAudDeveloper kbProxyServ200 kbProxyServSearch kbWinNT400search kbWinNTS400search kbWinNTsearch kbWinNTSEnt400 kbWinNTSEnt400sp4 kbWinNTSEnt400sp5 kbWinNTSEnt400sp6 kbWinNTSEnt400SP6a kbWinNTSEntSearch kbWinNTSsearch


© 2004 Microsoft Corporation. All rights reserved.