We have a user that connects to the network over a VPN tunnel. They cannot access the NSS2000. The gateway is correct. Disable WAN access is not checked. Default network policy is allow traffic with no filters.
Anyone have any ideas?
I assume that the user has been created on the NSS2000, correct? Also, what access method are they trying: FTP, CIFS? Just trying to pin down some possible configuration issues.
Has anyone found a solution to this?
I have a NSS6000 connected to a MS SBS2003 AD.
The AD users show up in the NSS6000.
The AD users can access the NSS6000 when they are on the internal network.
When they try to connect via VPN, they are asked for another login and password. No login and/or password works, access is denied.
Is the VPN connection to a router or to your SBS box? When asked to login are they specifying domain; such as "mydomain\username"?
The MS SBS2003 is behind a combo router/firewall.
The VPN connects to the router/firewall first, then gets forwarded to the SBS2003.
The VPN user has full access on the SBS2003 server, everything works.
They just can't connect to the NSS6000.
In the NSS6000, I checked the users and the domain users show up properly. So do the Domain Groups.
We've tried login using: user
We are able to ping the NSS6000 (from the VPN user); it responds with no issue.
It just won't let us get access to it.
------Update on problem------
The share is set up as a CIFS share and the users are AD users.
So for further testing, I created a local user and group and assigned them to the share. (Still no go)
I then modified the share and made it CIFS, NFS and FTP. I enabled both NFS and FTP. (Still no go)
However, I've been able to FTP into the NSS6000. (This is forward movement)
Both as the domain\user and the local\user.
Since I can ping and FTP into the NSS6000, I know it is not hidden from the VPN users.
So the question becomes this: Why does the NSS 6000 refuse to give access to the CIFS share to my domain users that have valid access?
What is wrong with this Equipment?
Message was edited by: email@example.com Oct-10-2009; 9:30am Atlantic time
Have the users dial the VPN connection before they log into their computers so the computer is authenticated on the domain prior to connecting to the NSS. The problem is that the NSS is not seeing the computer as an authenticated device (not sure why). Once they do, the NSS should allow connections as expected. Please let us know if this works or not.
We've tried that also. We tried both methods: connecting to the internet first and the VPN after, which didn't work. So we tried the "Dial a connection" option first using the VPN and we got the same result.
As for the "NSS not seeing the computer as an authenticated device", I believe you are partially correct.
I believe it also doesn't see the user as an authenticated user, and no matter how we try to log in, it will NOT let us log in.
I believe there is a security issue with the NSS. Our users don't log into the NSS; we log into the MS SBS 2003 and we get authenticated there.
From that point the NSS should not be trying to figure out if we are authenticated.
For testing, I also turned on FTP and NFS. As for NFS, it did not allow us any further/better connections/communication.
With FTP, we were able to connect to the NSS (once our VPN connection was established) and access the FTP folders. We were able to log in to the FTP using the domain\user access. It authenticated us, no issue. However, the user only had access to the local user account folder and files, not the domain\user account folder and files.
I do have a call and case id in with LinkSys (as of Friday morning - Oct-9th) as we need to resolve this asap.
However we have not heard back from LinkSys yet on anything.
So, unless someone figures out if we have a bad setting on the NSS (which I would be happy to correct), we may need to return this device for a full refund, as it is not able to provide the proper services required and expected.
Working with Michel currently and Cisco Small Business Support Center.
I have been able to set up a lab environment simulating his network and as of today I have not been able to duplicate the problem. At the moment I feel that this may be related to DNS or a configuration setting within RRAS. Once we discuss this further we will post results of outcome or workaround.
Working with Michel we were able to resolve the problem with VPN access to the NSS6000.
We changed the way the VPN connection was being created from using IC to RRAS, then we created a host A record within the DNS server (Domain Controller).
Once we completed these steps we were able to access the NSS with full domain rights as expected.
Just wanted to say thank you, best tech support I've had in a long time.
You guys know your equipment and your stuff!!