Server for small local business, which one to get?

I was told earlier in this thread to disable DHCP on the router once it was enabled and setup in Server 2012?

Yes...I always say that....I see that mistake done way too many times...I see the mistake of DHCP running on the router, not the server. Proper way is..DHCP should be run on the server. DHCP from anything else other than the server will lead to Active Directory being broken down the road, causing problems; various things won't work correctly, causing more headaches down the road. You need to resist the pizza tech approach of just caving in and letting DHCP run on the router.

Just a quick heads up...Windows DHCP service has a few steps to be done to get it going. Service should be on auto start...and in DNS management...it should be "authorized"...did you run through the DHCP setup wizard and complete it all properly? Check event logs, look at client leases. Plug in your own laptop and run ipconfig /all and ensure things look correct, look in DHCP management at leases.

Re: VPN on the router...Drayteks are not common over on my side of the pond...so I'm not familiar with them. But I will say that "most" biz level routers will have a VPN service that has either its own separate DHCP service just for the VPN clients...yet can have DHCP for the green zone (primary LAN) disabled. And a few others will allow you to set up "DHCP relay" to the Windows server...so the Windows Server will hand out leases for the VPN clients coming in from the router's VPN service.
 
Still cannot remote VPN to the damn router, tried following multiple guides, disabled router firewall, etc...
I've enabled PPTP traffic and opened several ports Draytek say are required for VPN on my home router that I'm trying to connect from to the Draytek router in the office!
[screenshot of the VPN connection attempt]
You would need to enable and configure PPTP VPN in the router to connect the way you're attempting to connect in the screenshot. Which should work if you do, but PPTP is generally not considered to be very secure.

Can you post screenshots of all of your VPN related settings? I've got this working on a few customers' Draytek routers that I can compare your settings against.
 
By default OS X does not enable the firewall, and even if it was enabled it controls incoming connections to service ports. That should have nothing to do with acquiring an IP via DHCP. It's rare, but on occasion that service can go zombie, so a reboot solves the problem. That being said, OS X does have a feature where you can create network profiles. If that has been set up, it could be causing issues if the DHCP scope (IPs being handed out) has changed.

As mentioned I would get VPN running on the router, not on the server. And I would use L2TP, much more secure than PPTP. This will give you complete access to all LAN devices if the server tanks. If the server goes south you can flip back to the router for DHCP and DNS, put the Sage database and other files on a workstation while dealing with the server.

Some things I do when dealing with a new server setup, etc. I never setup any roles until I have confirmed that ALL of the networked machines (this includes printers, NAS, etc) are connected, can talk to each other, and can surf using the simple DHCP and DNS on the router. If there is a separate router from the ISP then I start with the ISP router before configuring the edge device.

Also @d3v, have you created a block diagram of the network? This includes logical connections, such as IPs and names, as well as physical connections. This can be a huge asset in troubleshooting.

Back to the Macs. You can bind an OS X machine to a domain. Given the site description I'd personally not bother. You should be able to just do normal SMB share mounts, making sure to save the credentials when you mount the shares.
 
And I would use L2TP, much more secure than PPTP.
I think the arguments not to use PPTP any more are clear cut but what's your views on SSL VPN vs L2TP/IPsec?

I tend to use L2TP over IPsec for site-to-site tunnels but SSL for single remote client access. My understanding is that SSL is marginally more secure .... and that (rumour has it) IPsec may have been compromised/weakened by the NSA (*checks to see if tinfoil hat is firmly in place*).
 
Having SSL VPN is simpler, being browser based. The problem is not everyone has it on the server side. Ubiquiti and OS X Server do not have it, and those are the two main ones I use now. So everyone is L2TP over IPsec, whether it's site to site or client server.

As far as security differences: having a cert is better than not. But that requires more effort than using a shared secret, so I do not use it for L2TP. Also, the problem with SSL is you need to have a FQDN to pair with it, and most of my customers do not have one.
 
Update,
@Moltaue kindly logged in to the Draytek and corrected a couple of settings I overlooked, and the result is I can now remote VPN in to the office LAN and remote desktop just like I'm sitting right there - incredible!


Two weeks ago I met a computer science graduate in my local co-op, where he works, and told him about the upcoming server setup job and that I may need his help. Needless to say, after the stress that comes with not being able to figure out what's wrong, and the disruption to the clients, yesterday I called him up and he went down to the office. Whilst I wasn't with him, he emailed me later to tell me he had fixed the wifi issue with regards to the Macbooks and Windows laptop not being able to receive an IP address. His email said...

Right.
I've got their wireless sorted (DHCP wasn't set up to configure clients' default route to the router or their DNS settings to the server).

He really helped get me over this hump and I offered him to take over the job entirely because I know full well this may only be the first hump of many yet to come, but I'm still going to be involved purely to learn from him!
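The checks described earlier in the thread (service on auto start, server authorized in AD, look at leases and event logs) and the fix in the email above (scope options for the default route and DNS) can all be done from PowerShell on the server. The script below is an added example and is not from the thread or from Microsoft's documentation; the scope 192.168.1.0, router 192.168.1.1, server 192.168.1.10 and domain office.local are assumed values, so replace them with the real ones.

```powershell
# Added example (not from the thread): verify a Windows Server 2012 DHCP role end
# to end and set the scope options whose absence stopped the laptops getting online.
# Assumed values below; run in an elevated PowerShell on the DHCP server itself.
Import-Module DhcpServer

$ScopeId  = '192.168.1.0'    # assumed scope network
$RouterIp = '192.168.1.1'    # assumed Draytek LAN address (DHCP option 3)
$ServerIp = '192.168.1.10'   # assumed server LAN address (DHCP option 6)
$AdDomain = 'office.local'   # assumed AD DNS domain (DHCP option 15)

# 1. The service must be running and set to start automatically.
$svc = Get-CimInstance Win32_Service -Filter "Name='DHCPServer'"
if ($svc.StartMode -ne 'Auto')  { Set-Service -Name DHCPServer -StartupType Automatic }
if ($svc.State -ne 'Running')   { Start-Service -Name DHCPServer }

# 2. The server must be authorized in Active Directory; an unauthorized server
#    logs an event and silently refuses to hand out any leases.
$authorized = Get-DhcpServerInDC | Where-Object { $_.IPAddress.ToString() -eq $ServerIp }
if (-not $authorized) {
    Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$AdDomain" -IPAddress $ServerIp
}

# 3. Scope options: without option 3 (router) and option 6 (DNS server) a client
#    gets an address but has no default route and cannot resolve the domain.
$opts = Get-DhcpServerv4OptionValue -ScopeId $ScopeId -ErrorAction SilentlyContinue
$hasRouter = $opts | Where-Object { $_.OptionId -eq 3 -and $_.Value -contains $RouterIp }
$hasDns    = $opts | Where-Object { $_.OptionId -eq 6 -and $_.Value -contains $ServerIp }
if (-not ($hasRouter -and $hasDns)) {
    Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $RouterIp `
        -DnsServer $ServerIp -DnsDomain $AdDomain
}

# 4. Evidence that it works: the scope is active and leases are being handed out.
Get-DhcpServerv4Scope -ScopeId $ScopeId |
    Select-Object ScopeId, State, StartRange, EndRange
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime

# 5. Recent DHCP server events: the first place to look when a client gets no address.
Get-WinEvent -LogName 'Microsoft-Windows-Dhcp-Server/Operational' -MaxEvents 20 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Pair this with ipconfig /all on a freshly connected laptop: the Default Gateway and DNS Servers lines should show the router and the server respectively, and the same client should appear in the lease list printed by step 4.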

You want remote access? Fire up the dashboard on the server itself (NOT the router) and find the link called something like 'Anywhere Access' then let the wizard do its stuff. It will - if you're lucky - make any necessary changes to the router config. See this walk-through for a better explanation: https://bennettbusinessconnections....012-server-essentials-anywhere-access-part-1/ The 'remote web access' option should be good enough for what you want.

@Mick I have installed Server Essentials and have the dashboard pinned to the start menu for easy access, but the question is should I be setting up VPN for the two MacBook Pros and two Windows laptops via the Lenovo TS140 server, or through the Draytek router?
Bearing in mind it's pretty much only one of those four laptops that's going to be regularly connecting to the LAN for Sage accounting work, the other three will seldom connect!
 
Choices are:
*Use VPN...and then set up manual RDC (remote desktop client) profiles on the remote workers.
*Use the Essentials Remote Web Access. It's a BROWSER based portal. No VPN needed. Users can log in remotely, via a web browser, and get access to company share files (basically the big file share) on the server. Users also can click on a button to remote to their workstation...it will automatically launch, and "proxy", RDP. This is nice and easy to use...very easy to use for end users. No dealing with those people who can't wrap their head around how to use a VPN. No dealing with thick client VPN installs which frequently break on remote users and need uninstalling/reinstalling. For basic file access, most browsers work fine. For the remote desktop proxy to the users desktop...you need IE. All you need is port 443 open/forwarded on the browser.
*A third option (one you would use for the Mac users)...is, the Essentials role configures what is called TSGateway. This has been built into the remote portal of Small Business Server since the 2008 version. You don't need to use the web browser interface, you can set up an RDP profile to use the TSGateway settings and get right in. So what I'm getting at, on the Macs...download and install the latest Microsoft Remote Desktop Client from the App Store...and configure it to the TSGateway settings.

The remote web access portal is a cool feature that our clients love on their servers, very handy, gives them a great sense of value.
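The third option above, an RDP profile that goes through the TSGateway (RD Gateway) on the Essentials server, can be written as a plain .rdp file, which Microsoft Remote Desktop on a Mac can import and which opens directly on Windows. The function below is an added example, not from the thread or from Microsoft; the gateway name remote.clientsdomain.com, the workstation DELL-WS1 and the user OFFICE\jsmith are assumed placeholders.

```powershell
# Added example (not from the thread): generate an .rdp profile that connects to an
# internal workstation through the Essentials RD Gateway on TCP 443, so nothing but
# 443 needs to be forwarded. All names below are assumed placeholders.
function New-GatewayRdpFile {
    param(
        [Parameter(Mandatory)][string]$Gateway,      # public name of the Essentials server
        [Parameter(Mandatory)][string]$Workstation,  # internal name the gateway resolves
        [Parameter(Mandatory)][string]$UserName,     # DOMAIN\user for the workstation
        [Parameter(Mandatory)][string]$Path          # where to write the .rdp file
    )
    $lines = @(
        "full address:s:$Workstation"
        "gatewayhostname:s:$Gateway"
        "gatewayusagemethod:i:1"          # 1 = always go through the gateway
        "gatewayprofileusagemethod:i:1"   # 1 = use the explicit settings in this file
        "gatewaycredentialssource:i:4"    # 4 = choose gateway credentials at connect time
        "username:s:$UserName"
        "prompt for credentials:i:1"      # never store the workstation password in the file
        "authentication level:i:2"        # 2 = warn if the server certificate cannot be verified
        "redirectdrives:i:0"              # no local drive mapping from a roaming laptop
        "redirectclipboard:i:1"
    )
    # .rdp files are plain text, one "name:type:value" per line.
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    Get-Item -Path $Path
}

# Usage (assumed names): writes office-ws1.rdp on the desktop.
New-GatewayRdpFile -Gateway 'remote.clientsdomain.com' -Workstation 'DELL-WS1' `
    -UserName 'OFFICE\jsmith' -Path "$env:USERPROFILE\Desktop\office-ws1.rdp"
```

Leaving "prompt for credentials" on and not redirecting drives keeps the file safe to hand to a user: it contains nothing secret, and a lost laptop does not give away a password or expose its local disks to the office PC.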
 
@Mick I have installed Server Essentials and have the dashboard pinned to the start menu for easy access, but the question is should I be setting up VPN for the two MacBook Pros and two Windows laptops via the Lenovo TS140 server, or through the Draytek router?
Bearing in mind it's pretty much only one of those four laptops that's going to be regularly connecting to the LAN for Sage accounting work, the other three will seldom connect!

I'm with Brian on this one. Try the Remote Web Access first. It's easier to set up and easier to use too. If it doesn't suit for some reason, then you can consider alternatives. You already have a VPN open on the router now (many thanks to m'learned friend Moltuae), so don't complicate things by trying to open another on the server - that has got 'trouble' written all over it. Given that these are laptops, we're not really bothered about access to individual workstations here, cos they are the workstations themselves, but if you do need to extend that facility to users of your desktops then it's worth repeating that they will need to use IE. There is some proprietary code needed (an ActiveX component, I think) which means Firefox et al. won't cut it. I'm not even sure Edge will work - it hasn't when I've tried it.
 
If there are no workstations for the remote users to remote into...they'd just remote into the web portal to access the Company Share folder on the server....get access to files to work on them. I'm not sure how the browser on the Mac works with the file access interface of the company portal...probably does work OK.
You won't be running (nor should you try running) MAS90 through the VPN. Unless both sides have at least 10 meg upload connections. Trying to run most accounting software through VPN tunnels can lead to corruption of the database. There are a lot of factors involved with running database apps through VPN tunnels...name resolution is a big thing...but just don't bother trying it.
 
I've only had a couple of Macs running on Remote Web Access, but they seemed to do OK for general file access and so on.
 
Hi everyone, back at the office and will be staying till late as I have my own set of keys!
I've sorted out the Active Directory after realising both of the Dell workstations were using the "Computer" account entry and not the specific user accounts that I created for them in AD!
Trying to change one of the workstations to use the named account was a nightmare. I ended up nuking & paving after finding that I had no admin rights to do anything on the workstation, but I got smarter on the second Dell workstation and solved the problem by disconnecting the LAN cable, leaving the domain for a workgroup, rebooting, connecting the LAN cable, joining the domain and logging in as the desired Active Directory user. Then I was able to delete the previous account, but not before migrating all settings from AppData to the new one. Now both Dell workstations are using proper named AD accounts, and are working great as a LAN domain setup!


Now using today to figure out Anywhere Access. I've created a Microsoft account and also registered a domain name "tkwater@anywhereaccess.com", but during the setup I'm getting these problems reported...
1. I've opened port 443 on the Draytek, then re-ran the Anywhere Access wizard, but still getting the same errors. I thought as long as port 443 is open on the router then it should work fine?

[screenshots of the Anywhere Access wizard errors]
 
Did you "port forward" 443 to the LAN IP of the server?
Often by default the external management port of routers is 443...so I go in and customize that to something like 8443...freeing up 443.

Static IP from the ISP, right?
Make an A record for the server....remote.clientsdomain.com pointing to that static IP.
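The three things asked about above (443 forwarded to the server rather than answered by the router's own management page, a static IP, and an A record pointing at it) can each be checked before re-running the wizard. The script below is an added example and not from the thread; remote.clientsdomain.com, the WAN address 203.0.113.10 and the server LAN address 192.168.1.10 are assumed placeholders. Test-ServerSide runs on the Essentials server; Test-FromOutside runs on a laptop on a different internet connection, because many routers do not hairpin a forwarded port back into their own LAN, so a failure from inside proves nothing.

```powershell
# Added example (not from the thread): pre-flight checks for Remote Web Access on 443.
# All names and addresses below are assumed placeholders.
$PublicName = 'remote.clientsdomain.com'   # the A record the wizard will use
$ExpectedIp = '203.0.113.10'               # the static WAN IP from the ISP
$ServerLan  = '192.168.1.10'               # the server's LAN IP (port forward target)

# Run on the server: is anything actually listening on 443 for the router to forward to?
function Test-ServerSide {
    $listen = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
    $addr   = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -eq $ServerLan }
    [pscustomobject]@{
        ListeningOn443   = [bool]$listen
        ServerHasLanIp   = [bool]$addr      # forward target must match this address
    }
}

# Read the certificate a remote port presents; this tells the router's admin page
# (its own self-signed cert) apart from the Essentials server behind it.
function Get-TlsCertSubject {
    param([string]$Name, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Validation is disabled on purpose: we only want to read who the cert names.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    } finally {
        $tcp.Close()
    }
}

# Run from a laptop outside the office LAN.
function Test-FromOutside {
    # 1. The A record must resolve to the office's static IP, not a stale one.
    $a = Resolve-DnsName -Name $PublicName -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    $dnsOk = [bool]($a.IPAddress -contains $ExpectedIp)

    # 2. TCP 443 must be reachable at all.
    $t = Test-NetConnection -ComputerName $PublicName -Port 443 -WarningAction SilentlyContinue

    # 3. Reachable is not enough: if the router still owns 443, its own certificate
    #    answers instead of the server's, and the wizard fails exactly as described.
    $cert = $null
    if ($t.TcpTestSucceeded) { $cert = Get-TlsCertSubject -Name $PublicName }

    [pscustomobject]@{
        DnsResolvesToStaticIp = $dnsOk
        Port443Reachable      = $t.TcpTestSucceeded
        CertSubject           = $cert.Subject   # expect the server's name, not the router's
        CertExpires           = $cert.NotAfter
    }
}
```

If CertSubject comes back naming the router (or a generic vendor name) rather than the server, 443 is still being answered by the router's management interface, which is the case the advice about moving management to 8443 addresses.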
 
Hi, I followed this guide to open port 443! Yes, forwarded to WAN1 and the server IP address!
How do I create an "A record for the server"?

I read briefly that having VPN enabled on Draytek routers prevents Anywhere Access from working? I'm guessing I should disable VPN dial-in on the router's firmware page, even though, as per that guide I linked to, I did change the VPN port from 443 to 444 if that makes any diff?


edit: this is scandalous, I just knew a few clicks of the mouse wouldn't be enough to set up such a great feature like Anywhere Access, typical Microsoft features that don't work and you have to spend hours searching for solutions.

edit: now I've lost access to my router setup page. Typing the IP in Chrome or IE, or from another PC, makes no difference! I've rebooted the router and still cannot access it!!!
edit2: had to reset the router to get back access and reconfigure PPPoE and wifi, etc, but all ok now!
 
lol guys I ended up letting that chap take over the whole thing. He's been doing pretty well this past month so I've left him to it, I just help out with bits and bobs if need be, mostly remotely! I don't believe he has got remote VPN for the workers setup yet, but might be close to getting there I think!
 
lol guys I ended up letting that chap take over the whole thing. He's been doing pretty well this past month so I've left him to it, I just help out with bits and bobs if need be, mostly remotely! I don't believe he has got remote VPN for the workers setup yet, but might be close to getting there I think!
"This past month"?? Wow - that's a seriously good client you've got there. Most of mine, I'd be out on the pavement if something took a month to do. Look after them!
 