Our Blog

[This post comes to us courtesy of Sabir Chandwale, Harshal Charde, Ajay Sarkaria and Rituraj Choudhary from Global Business Support]

In our previous post, we covered steps involved in configuring VPN on Windows Server Essentials. In this post, we will cover common problems that could result in failure of VPN functionality in your Windows Server Essentials environment.

In Windows Server 2012 R2 Essentials, VPN is deployed in a way that requires little manual configuration on the server or the client. Provided the correct TCP ports are open on the firewall and forwarded to the server, and VPN was enabled while running the Anywhere Access wizard, VPN should work right out of the box. Also, on the VPN client, make sure the VPN dialer has the proper protocols selected.

To be able to access the Remote Access management tools, you should first install Remote Access GUI and Command-Line Tools using the following command:

Add-WindowsFeature -Name RSAT-RemoteAccess-MGMT

Let us now discuss some common issues with VPN connection.

Error 850: The Extensible Authentication Protocol type required for authentication of the remote access connection is not installed on your computer.

If you have set up the VPN connection manually, you may encounter this error. This error indicates that none of the protocols are chosen in the VPN Connection Properties. The fix is to select Allow these protocols on the Security tab of the VPN connectoid. Microsoft CHAP Version 2 (MS-CHAP v2) would get selected automatically when you click this option. Hit OK to apply the changes.

You may also face internet or network resource access issues. It could be that you are using the default gateway of the remote network. On the Networking tab of the VPN connectoid, open the properties of Internet Protocol Version 4 (TCP/IPv4) and click Advanced.

Now, on the Advanced TCP/IP Settings window, clear the check for Use default gateway on remote network.

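With this option cleared, only traffic for the remote network goes through the VPN and internet traffic keeps using the client's local gateway. That should ensure that the network and internet connection are up and running.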

Let’s look at another error.

Error 800: The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

This connection failure could occur either because port 443 is not allowed on the firewall or because the certificate used by RRAS does not match the one used by IIS (Default Web Site). To fix it, ensure that port 443 is allowed and forwarded to the Windows Server 2012 R2 Essentials server, that the correct SSL certificate is bound to the Default Web Site for port 443, and that the same certificate is associated with the SSTP port.

You can easily figure out if SSL port 443 is blocked. If you are able to browse RWA from outside, it is open, otherwise it is not.

To verify certificates, open Internet Information Services (IIS) Manager on the Server Essentials, and click to open Bindings for the Default Web Site.

On the Site Bindings page, choose the binding for the port 443 with blank host name, and click Edit.

On the Edit Site Binding page, click View.

On the Certificate window, choose Details and make a note of the Thumbprint of the certificate.

Alternatively, you could use the following PowerShell command to display the thumbprint of the certificate active on the Default Web Site:

Get-WebBinding | Where-Object {$_.bindinginformation -eq "*:443:"} | fl certificateHash

Now, open Routing and Remote Access Management console. Right-click the server name, open its properties and click on the Security tab. Click View next to the Certificate. You should have the same certificate thumbprint here as well.

If this is a different certificate, change the certificate to match the one on the IIS. Alternatively, you may use this command to modify the thumbprint of this certificate for the Secure Socket Tunneling Protocol (SSTP) Service:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters /v SHA1CertificateHash /t REG_BINARY /d <thumbprint recorded from previous step> /f

Once the certificate on the Default Web Site and the certificate used by SSTP are the same, this issue should be resolved.
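
The same comparison can be scripted. The following is an added example, not part of the original post: it reads the thumbprint from the *:443: binding and from the SstpSvc registry value named above and reports whether they match. The function name Compare-SstpIisCertificate is hypothetical, and the certificate is assumed to be in the LocalMachine\My store.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Server Essentials machine.
Import-Module WebAdministration

function Compare-SstpIisCertificate {
    # Thumbprint on the *:443: binding (same filter as the command shown earlier)
    $binding = Get-WebBinding |
        Where-Object { $_.bindingInformation -eq '*:443:' } |
        Select-Object -First 1
    if (-not $binding) { throw 'No binding found for *:443: with a blank host name.' }
    $iisThumb = $binding.certificateHash

    # SSTP keeps its hash as REG_BINARY; turn the byte array into a hex string
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $bytes = (Get-ItemProperty -Path $key -Name SHA1CertificateHash -ErrorAction Stop).SHA1CertificateHash
    $sstpThumb = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

    # Assumption: the certificate lives in LocalMachine\My. Used only to show
    # subject and expiry next to the comparison result.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$iisThumb" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        IisThumbprint  = $iisThumb
        SstpThumbprint = $sstpThumb
        Match          = ($iisThumb -eq $sstpThumb)   # -eq ignores case for strings
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        Expired        = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

Compare-SstpIisCertificate | Format-List
```

A Match value of False corresponds to the certificate mismatch described for Error 800.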

Let’s look at the next error.

Error 720: A connection to the remote computer could not be established. You might need to change the network settings for this connection.

If VPN client is unable to obtain an IP address from the VPN server, you may see this error.

In Server Essentials, DHCP is usually hosted on a different device. To work around this error, open the Routing and Remote Access console and open the server Properties.

On the server properties, assign a valid static IPv4 address pool for the VPN clients, and exclude it from DHCP server scope.
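
Before entering the pool, it helps to confirm that it does not collide with addresses the DHCP device hands out. The following is an added example, not part of the original post: the function names are hypothetical, all addresses are constructed sample values, and the DHCP scope and exclusion ranges are typed in by hand because DHCP runs on another device.

```powershell
# Added example (not from the original post). IPv4 only.
function ConvertTo-UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-VpnPoolAgainstDhcp {
    param(
        [Parameter(Mandatory=$true)][string]$PoolStart,
        [Parameter(Mandatory=$true)][string]$PoolEnd,
        [Parameter(Mandatory=$true)][string]$ScopeStart,
        [Parameter(Mandatory=$true)][string]$ScopeEnd,
        [hashtable[]]$Exclusions = @()    # each entry: @{ Start = '...'; End = '...' }
    )
    $ps = ConvertTo-UInt32 $PoolStart;  $pe = ConvertTo-UInt32 $PoolEnd
    $ss = ConvertTo-UInt32 $ScopeStart; $se = ConvertTo-UInt32 $ScopeEnd
    if ($ps -gt $pe) { throw 'Pool start is above pool end.' }

    # Two ranges overlap when each one starts before the other ends
    $overlapsScope = ($ps -le $se) -and ($pe -ge $ss)

    # The pool is safe inside the scope only if one exclusion range covers all of it
    $excluded = $false
    foreach ($x in $Exclusions) {
        if ((ConvertTo-UInt32 $x.Start) -le $ps -and (ConvertTo-UInt32 $x.End) -ge $pe) {
            $excluded = $true
        }
    }

    [pscustomobject]@{
        PoolSize      = $pe - $ps + 1
        OverlapsScope = $overlapsScope
        Excluded      = $excluded
        Conflict      = ($overlapsScope -and -not $excluded)
    }
}

# Constructed sample: the pool sits inside the DHCP scope with no exclusion yet
Test-VpnPoolAgainstDhcp -PoolStart 192.168.1.200 -PoolEnd 192.168.1.220 `
    -ScopeStart 192.168.1.100 -ScopeEnd 192.168.1.250

# Same pool after an exclusion covering it has been added on the DHCP device
Test-VpnPoolAgainstDhcp -PoolStart 192.168.1.200 -PoolEnd 192.168.1.220 `
    -ScopeStart 192.168.1.100 -ScopeEnd 192.168.1.250 `
    -Exclusions @{ Start = '192.168.1.200'; End = '192.168.1.220' }
```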

On certain occasions we have seen that the on-premises client shows as connected to the hosted Windows Server 2012 R2 Essentials, but there is no connectivity between the VPN client and the Server Essentials. In such scenarios, enable and analyze the additional Routing and Remote Access information logs in the %windir%\tracing directory.

Additionally, you may want to check the events for RemoteAccess-MgmtClient and RemoteAccess-RemoteAccessServer on the Event Viewer.
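
The tracing and event checks above can be collected in one pass. The following is an added example, not part of the original post: the function name Get-VpnDiagnostics is hypothetical, and the event logs are matched with a wildcard rather than by an assumed channel name.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Server Essentials machine.
function Get-VpnDiagnostics {
    param([int]$Minutes = 30)
    $since = (Get-Date).AddMinutes(-$Minutes)

    # Trace files written under %windir%\tracing since the cutoff
    $traces = Get-ChildItem -Path (Join-Path $env:windir 'tracing') -Filter *.log |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object LastWriteTime -Descending

    # Critical, error and warning events from every log whose name
    # contains "RemoteAccess"
    $events = foreach ($log in Get-WinEvent -ListLog '*RemoteAccess*' -ErrorAction SilentlyContinue) {
        Get-WinEvent -FilterHashtable @{
            LogName   = $log.LogName
            StartTime = $since
            Level     = 1, 2, 3
        } -ErrorAction SilentlyContinue    # a log with no matching events is not an error here
    }

    [pscustomobject]@{
        TraceFiles = $traces
        Events     = $events | Sort-Object TimeCreated
    }
}

# 1. Turn on tracing for all Routing and Remote Access components
netsh ras set tracing * enabled

# 2. Reproduce the failing VPN connection from the client
Read-Host 'Reproduce the VPN problem, then press Enter'

# 3. Collect what was written in the meantime
$diag = Get-VpnDiagnostics -Minutes 30
$diag.TraceFiles | Format-Table Name, Length, LastWriteTime -AutoSize
$diag.Events | Format-Table TimeCreated, LogName, Id, LevelDisplayName, Message -Wrap

# 4. Turn tracing off again so the trace files stop growing
netsh ras set tracing * disabled
```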

These were some common VPN issues we see with Windows Server 2012 R2 Essentials, and they usually show up when the VPN server settings or the VPN client connectoid have been configured manually. If you enable VPN through the Anywhere Access wizard, you may not see these errors.

[This post comes to us courtesy of Harshal Charde, Kriti Thakral and Sandeep Biswas from Global Business Support]

In this post we will discuss configuring Health Report email notification using O365 in Windows Server 2012 R2 Essentials.

The Health Report for Windows Server 2012 R2 Essentials provides you with consolidated information about the Windows Server Essentials network and enables you to distribute this information to intended recipients via email. This information can be viewed on the Health Reports tab of the Dashboard on Windows Server 2012 R2 Essentials. We can generate a report on demand or on a schedule, customize the content of the report and send it through email.

Reading the Health Reports on the Windows Server Essentials Dashboard may be time consuming. With the email feature, after a report is generated, an email will be sent to a list of specified email addresses with the content of the report. The administrator can easily view this report from any device or any client application, and ensure that the server is running at its best state.

In the following example we have used an Office 365 account to configure Health Report email notifications. You may log in and view the SMTP server details of O365 account as follows:

1. Click the Outlook tab, click the Settings icon and then click Options.

2. On the next page click account and then click Settings for POP or IMAP access.

3. Make a note of the SMTP setting and then click close.

To configure the health report on the Windows Server 2012 R2 Essentials, open the Windows Server Essentials Dashboard, click the Health Report page on the HOME tab and click Customize Health Report settings.

Click the Schedule and Email tab, click to select the Generate a health report at its scheduled time check box (customize the recurrence as per your preference) and then click Enable.

Type the email address of your O365 mail account, the SMTP server name and the SMTP port. Click to select This server requires a secure connection (SSL) and This server requires authentication check boxes and type the username & password of your O365 account and click OK.

On the next page, type the email address of the person that you would like to receive alert notification by email and click OK. If you wish to add multiple email addresses ensure that you separate each email address with a semicolon (;).

Alternatively, if you prefer commands over the GUI, there are PowerShell commands built-in to the WssCmdlets module to configure the Health Report:

Set-WssReportEmailSetting -Enable -From "healthreport@mysbs.onmicrosoft.com" -SMTPServer "smtp.office365.com" -Port 587 -UseSsl -To MyEssentials@outlook.com -UseAuthentication -Credential (Get-Credential)
Set-WssReportSchedule -Enable -Daily -At 16:00

The above commands would take care of the email account configuration and the schedule of the health report.

There are additional commands to generate a new report (New-WssReport), and send an email with the health report (Send-WssReport) that you can utilize too. You can find a list of all the commands of the WssCmdlets module here.

Once the configuration is completed, you can click Generate a health report which will automatically send an email notification to the external user mailbox. You can also send an existing report by selecting it and clicking Email the health report.

Here is a sample of the email received:

You are now ready to receive the Health Report notifications by email. Log on to the subscribed user’s mailbox to verify the receipt of the email.

Updated August 2016 - Matt Dubois