Although we planned the previous scenario without a Gateway Server, and got it working, it was inevitable that installing a gateway would be our next exercise.
We will be building on top of our existing “infrastructure”, reconfiguring some settings rather than doing it all from scratch, so you may want to review the first guide:
http://mobilitydojo.net/2008/09/22/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-1/
This server is also a virtual machine, running Windows Server 2003 R2 x64 with 2 GB RAM, etc.
Starting off, make sure that you set the FQDN of the server, even though it is not domain-joined. (This is done manually through the “Change” button.)
Just like the other servers, this box has some prerequisites:
- Install IIS
- Install PowerShell
- Install MBCA
- Install SCMDM BPA
As with the other servers, you should run BPA first on the Gateway Server, but this one is a little different. If you run the Pre Deployment Scan on the Gateway Server you may very well get a big red error with no explanation why. What we actually want to know about the Gateway is whether it is reachable from the DM server. So click “Enable Port Listener” in BPA on the Gateway Server, then run BPA from the DM Server, testing the Gateway role and pointing it at the GW Server. (You will either get some green lights, or warnings indicating what to fix.)
Installing Certificates
Before installing the Gateway Server you have to install two certificates: the Root CA certificate and a Gateway certificate.
There are two methods for getting these in place: either creating request files and submitting them directly to the CA, or using the web-based GUI. The TechNet Library documents the non-graphical way, but for this scenario I’m choosing the web. This is possible in our scenario because there are no firewalls and the internal interface of the Gateway is directly connected to the LAN.
Open http://md-dc-ca.mobilitydojo.net/Certsrv in your browser. (Add the site to “Trusted sites” for the scripts to work correctly.) Click “Download a CA certificate, certificate chain, or CRL”.
If you choose the install option the certificate will not be installed in the correct certificate store, so you need to choose “Download CA certificate” instead.
Start a new MMC: File -> Add/Remove Snap-in -> Certificates (Local Computer). Right-click the correct store (for the Root CA certificate that is Trusted Root Certification Authorities) and choose “Import”.
You should be able to just follow the wizard.
Then comes the more “tricky” part: generating and installing the certificate for the Gateway Server itself. If you still have your web browser open, click “Home” and then “Request a certificate”.
Choose “advanced certificate request”.
“Create and submit a request to this CA”
Type the FQDN of the server in the Name field.
Scrolling down the page, fill in the “Friendly name:” field. (You can put anything you like here.)
And this is important: check “Store certificate in the local computer certificate store”, otherwise the certificate will be installed in the user certificate store (which will not work).
Click “Submit”, and “Yes” in the warning popup.
Click “Install this certificate” and acknowledge the same warning.
Installing Gateway Server
You are now finally ready to install the Gateway Server.
The IP address you enter here must be the one assigned to the internal interface of the Gateway Server. When your Device Management Server resolves the Gateway address through DNS it must resolve to this IP.
Browse and choose the certificates you installed in the previous step.
Then “Finish”. (Checking “Open the New Gateway Wizard Help” just brings up a help file, so we don’t need to check that.)
Configuring the gateway
Now it’s on to configuring the Gateway. I was banging my head against the wall troubleshooting a connection problem, so to make sure you don’t run into the same problem later on, verify the following:
The Gateway Management web site (in IIS) must be configured to accept requests for the internal IP (the same one you specified during the install). If not, the Gateway will not accept connections from your DM Server and you’ll get an “Unreachable” error.
You should also check your loopback check settings (I disabled the loopback check on my server):
http://support.microsoft.com/kb/896861
Since we previously did not use a Gateway, we need to update the EnrollmentConfig to reflect the new one. This is done with two cmdlets:
Set-EnrollmentConfig -GatewayURI md-gw.mobilitydojo.net
Set-EnrollmentConfig -ActivateVPNbyDefault:$true
Adding the Gateway Server
Now we’re getting there. The last step I perform before adding the Gateway is logging on to the Domain Controller and creating a DNS A record for md-gw.mobilitydojo.net resolving to 192.168.10.40.
Open your MDM Console, find “Gateway Management” on the left, then “Add MDM Gateway Wizard” on the right.
The name can be anything you like.
The external IP address is the one assigned to your external interface. In my scenario the external interface is connected to another private IP range, but in a real live scenario it would be a “proper” external IP address. NAT will not work! The gateway is meant to be directly connected to the Internet. (A firewall in front is OK, as are other mechanisms that don’t introduce address translation.)
The “Name” field should match the DNS record we created.
Add an IP address pool for the devices. Devices will be assigned addresses from this range dynamically. The range must not be an existing subnet; it is “virtual” in the sense that no servers or other computers should be assigned addresses in it. You can only specify complete subnets; reserving only 192.168.20.10 – 192.168.20.50 would not work. It’s optional whether you route outbound traffic through the Gateway’s default gateway or specify another gateway.
We don’t have a lot of servers here, so I’ll only specify the Domain Controller, which by its nature is also a DNS server.
The console needs a moment or two to connect and exchange some data, and then it should look like this:
If your “Sync State” is not up-to-date this is where you start your troubleshooting…
Enrolling a device
Before you try to enroll a device we need to fix one more thing. I have created a separate subnet for the devices, but I have not configured any routes to it, so my servers will not be able to communicate with the devices (and the devices will not be able to communicate with any servers). So run the following command on both your Gateway Server and your DM Server:
route -p add 192.168.20.0 mask 255.255.255.0 192.168.10.40
A minor detail at this point… I do not have a router in my infrastructure, so the route addition above is something of a workaround. You might remember that my virtual servers have their own private subnet with no gateway defined. Between the servers this is fine because no routing is involved. The Gateway has an external interface that does have a default gateway; in my lab this is not a proper external interface facing the Internet but a different private IP range, and I don’t want to interfere with any routing tables or static routes on that subnet. Waiting for a while will let the Gateway Server work out a new routing table, and my device will be able to connect. This is a larger topic, and we’re not doing it in a proper setting here anyway, so I’ll leave it be for now. (Work it out by reading the docs on TechNet for the moment; maybe I’ll expand on this later.) It does mean, however, that you might have problems actually getting the devices to establish the VPN tunnel.
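The address-pool rule (a complete subnet that no existing host uses), the requirement that the two NICs sit on different logical subnets, and the static route above can all be checked before you run the wizard. This Python script is an added example, not part of the original guide or of SCMDM; the interface notation and the external address 172.16.12.10/24 are assumptions for the lab.

```python
"""Pre-flight checks for the MDM Gateway network layout used in this guide.

Constructed example (not part of SCMDM or the original post). It encodes the
rules stated in the guide: the device address pool must be a complete subnet
that no existing host uses, the gateway's two NICs must be on different
logical subnets, and LAN hosts need a persistent route to the pool via the
gateway's internal address.
"""
import ipaddress
from typing import List

Net = ipaddress.IPv4Network


def parse_pool(spec: str) -> Net:
    """Parse a device pool written as CIDR, 'address mask' or 'first-last'.

    A 'first-last' range is accepted only when it is exactly one subnet: the
    wizard cannot reserve a partial range such as 192.168.20.10-192.168.20.50.
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        blocks = list(ipaddress.summarize_address_range(first, last))
        if len(blocks) != 1:
            raise ValueError(f"{spec} is not a complete subnet ({len(blocks)} CIDR blocks)")
        return blocks[0]
    if " " in spec:                      # '192.168.20.0 255.255.255.0'
        addr, mask = spec.split()
        spec = f"{addr}/{mask}"
    # strict=True rejects a host address such as 192.168.20.10/24
    return ipaddress.IPv4Network(spec, strict=True)


def validate_gateway_config(internal_if: str, external_if: str, pool_spec: str) -> List[str]:
    """Return findings for a layout; an empty list means it satisfies the rules."""
    findings: List[str] = []
    internal = ipaddress.IPv4Interface(internal_if)
    external = ipaddress.IPv4Interface(external_if)

    # Rule 1: the gateway routes between its NICs, so they must be on different
    # logical subnets. One NIC with two IPs in the same range fails this too.
    if internal.network == external.network:
        findings.append(
            f"internal {internal} and external {external} share subnet {internal.network}")

    try:
        pool = parse_pool(pool_spec)
    except ValueError as exc:
        findings.append(f"address pool: {exc}")
        return findings

    # Rule 2: the pool is 'virtual' - it must not overlap any existing subnet.
    for label, net in (("internal", internal.network), ("external", external.network)):
        if pool.overlaps(net):
            findings.append(f"address pool {pool} overlaps the {label} subnet {net}")
    return findings


def route_command(pool_spec: str, gateway_internal_ip: str) -> str:
    """Windows 'route' command a LAN host needs to reach the device pool."""
    pool = parse_pool(pool_spec)
    return f"route -p add {pool.network_address} mask {pool.netmask} {gateway_internal_ip}"


if __name__ == "__main__":
    # Lab values from the guide; 172.16.12.10/24 is an assumed external address.
    internal, external = "192.168.10.40/24", "172.16.12.10/24"
    print(validate_gateway_config(internal, external, "192.168.20.0 255.255.255.0"))  # []
    print(route_command("192.168.20.0 255.255.255.0", "192.168.10.40"))
    for bad in ("192.168.20.10-192.168.20.50", "192.168.10.0/24", "192.168.20.10/24"):
        print(bad, "->", validate_gateway_config(internal, external, bad))
```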
To wrap things up I’ll have to test that it actually works with a device, and that the VPN configuration is activated upon successful enrollment.
This time we are prompted for a reboot after enrollment.
You’ll quickly notice a new icon in the form of a “V” on the task bar when the device boots up again. This is what it looks like when the VPN tunnel is established.
To verify communications (“just” establishing the tunnel is not enough), ping the IP address of the device from the Device Management Server. To find the address to ping, look it up under the “MDM Mobile VPN Connections” category in Event Viewer.
And with that we conclude the installation and configuration of a fully working lab infrastructure for testing SCMDM 2008. I’ll probably delve into “Best Practices” later on, and reconfigure parts of our lab to more closely mirror what you should do in a production environment.


Is this gateway running Standard or Ent ed of Windows Server?
The Gateway Server I have installed is running Enterprise Edition, but Standard Edition should work as well.
Great documentation, it really helped. I’m having an issue with my gateway server, though. The sync state shows “Error”. If I stop and restart it will show “up to date” but when I refresh it’s in error again. I checked the logs on both the DM/Enrollment server and the gateway server. The one that makes sense is ‘Mobile VPN Agent failed to apply VPN Configuration’. I checked Microsoft’s site and it says I have to ‘enable the agent api, vpn tracing’? Just wondering if you had any idea what this is?
It’s great to hear my guides are of help to people!
As for your error, it sounds like there is a connectivity problem from the DM server to the GW server. Do you have any firewalls in between?
You already checked the GW site is listening on the correct IP and host name? First try on the GW if you can open “https://FQDN/Vpn/ApplyConfig.ashx”. If this fails the GW server isn’t correctly configured.
If it succeeds you’ll get prompted to provide a client certificate (which you don’t have, but that’s not an issue).
Try the same thing from your DM server to see if it is either a firewall issue, or a DNS issue. (DNS must resolve to the IP address the GW is listening on.)
Hey Andreas,
Thanks, this helps. I haven’t worked on this before and I was going back and forth between a bunch of different things. I can open the FQDN from the DM server, but I wasn’t sure why I didn’t have the certificate. This clears things up. I’ll take a look at everything on the network side. I have everything running on virtual machines and after reading one of the guides here I added the second NIC to the gateway server. No change in the behavior but at least I know where to look.
Just wanted to update this, in case anyone else who might browse here happens to run across the same issue.
I ran filemon and found that the DM server was looking for this file C:\program files\scmdm\webservices\vpn\applyconfig.ashx. This matched the same errors I was viewing in the event log. I uninstalled/reinstalled gateway server and it worked.
Hi, regarding the infrastructure, is there any difference between the one with gateway and the one without?
A point to add, other than another “box”, is a router or wireless connection necessary?
You don’t get the “instant wipe” feature without a Gateway, so if you wipe a device it will not be executed until the next scheduled connection.
Other than that the functionality is pretty much the same, but with some security aspects. (Devices contacting LOB servers directly, not being proxied/routed through different paths, etc.)
You don’t need a wireless connection in this scenario, provided your devices can connect through ActiveSync or other means enabling it to make a direct connection.
I have not used a router in this scenario either, but that also works because the external IP of the Gateway is the same subnet that the device is on, and the internal IP of the Gateway is on the same subnet as the DM server.
Hi Andreas, in regards to the External IP address for the gateway server, do I have to have another NIC card for it? And what IP address do I configure for it? I am unsure of that and so far I have used the IP address you had input and my Sync State is currently unreachable. Guess it’s the issue with external IPsec. Hope you can advise me on that.
Do I have to configure it in accordance to the IP address my device is having currently? If so, how do I check the IP address of it? Sorry for the questions.
I “faked” an external IP and used a private IP. This will work even if the BPA gives you a warning, but the wipe now feature might not work properly.
You will need two network cards to get it to work, if you’re using a virtual server you can get it to work with one physical NIC, and two virtual NICs. (I’ve made a guide for that too.)
If you can assign a proper external IP that will be the best, and if so the IP of your device does not matter. If you’re using a private IP like I am doing here you need to get your device on the same external subnet.
Hope that explanation made sense to you
I tried “faking” an external IP address, simply just adding 172.16.12.10 in the external IPsec portion, however under the Sync State there still seems to be an error. I am currently using VMware and have created 2 NIC cards, one using the private IP address while the other is the one which I “faked”. Are there any logs available that may help see what is the root of the issue?
I don’t know how VMWare works, since I’m using Hyper-V. I had to have two subnets (defined in the switch) to get it to work though.
However the Sync State issue may be caused by other issues as well.
Are you able to open up “https://FQDN/Vpn/ApplyConfig.ashx” from your DM server? (This should work regardless of the external address defined, if your GW is listening on its internal address.)
I finally got the Sync State to “Up to date” after re-installing a couple of times. However after the V icon appears, it is with a small x at the bottom instead of the tick as shown in your screenshot. Upon clicking on the V, it states that “There are no data sessions active. Programs connect automatically as needed. To change connection settings, tap settings.” Are there any other configurations I have to do on the device? Thanks Andreas
Some devices aren’t able to bring up the GPRS/3G connection automatically. Try either connecting it manually (Settings->Connections) or fire up the browser and trigger a connection to a web site.
The “V” should then switch to having three dots (…) indicating that it’s trying to establish the tunnel.
I tried enabling the Mobile VPN under “Settings” – “Mobile VPN” – “Menu” and selecting enable, however, it states that “Mobile VPN not connected. Corporate and Internet access are temporarily unavailable. Your device will periodically attempt to reconnect.” I can take some screen shots if it helps.
Your next step will be installing the VPN Diagnostics tool, and it will tell you if the config is ok, do port scans, etc.
All right, will do. Just to confirm with you, despite the VPN, my device will still be connecting via ActiveSync? Thus a “direct connection”. Will this defeat the purpose of the VPN?
Not sure what you mean. ActiveSync is just a data connection really (when you’re not synchronizing with Outlook,etc). The VPN tunnel will be established regardless of this. Though it would not necessarily make sense in a real scenario to have a VPN tunnel between the device and the DM server if they are on the same subnet/IP range.
Upon using the VPN diagnostic tool
The following are stated
VPN Name: My Mobile VPN
State: Disconnected
Detail: Unable to connect to MDM gateway server
Type: PC
SubType: DTPT
Profile: CurrentDTPTNetwork
Address: None
Gateway: 192.168.165.30
Base IP: None
Enroll: Enrolled
Uptime: 00:00:00(0)
I have set the address pool of the Mobile VPN to be 192.168.20.0 255.255.255.0
My private network belongs to the 192.168.165.0 subnet
External IP = 172.16.12.10
Could this be that my device is unable to get the Gateway server due to the IP address configured?
The following warnings/errors were found under event viewer.
Warning Description
Gateway Central Management service did not connect to Gateway Server https://mha-gw.scmdm.local:443/VPN/BlockDevice.ashx. Make sure that the server is running and is reachable from this computer, and that this computer can resolve the DNS names of the Gateway Servers
Error Description
Gateway Central Management service did not connect to any Gateway Server. Make sure that all Gateway Servers are running and are reachable from this computer, and that this computer can resolve the DNS names of the Gateway Servers.
I have added the Host (A) record mha-gw.scmdm.local with IP 192.168.165.30 and upon reading this I added the following – mha-gw.scmdm.local 172.16.12.10 – however it still did not resolve the issue.
The thing you have to work around when connecting your device through ActiveSync is that the device needs to resolve the DNS name to the external IP, but the DM server needs to resolve to the internal IP. (Management only listens on the internal IP.)
I consider the “best” solution is to set the Host record to the internal IP, and getting the device to resolve to the external IP. It’s a registry hack, but I have created a tool that enables you to easily set host records on your device.
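The split-view requirement described here and in the earlier ApplyConfig.ashx/DNS check (the DM server must see the internal address, the devices the external one) can be verified from the DM server with a small script. This is an added example, not the author’s tool or anything from SCMDM; the FQDN md-gw.mobilitydojo.net and the addresses 192.168.10.40 and 172.16.12.10 are taken from the guide and its comments, and the TCP probe is the assumed equivalent of the PortPing/telnet checks mentioned in the thread.

```python
"""Split-view DNS triage for an MDM Gateway (added example, not from the post).

The rule in the guide: the DM server must resolve the gateway FQDN to the
gateway's INTERNAL address, because management only listens there, while the
devices must resolve the same name to the EXTERNAL address. The pure function
classify_resolution() encodes that rule; check_from_dm() wires it to a real
lookup and a TCP probe of port 443, but both are injectable so it runs offline.
"""
import socket
from typing import Callable, Dict, List


def classify_resolution(role: str, resolved: List[str],
                        internal_ip: str, external_ip: str) -> str:
    """Return 'OK' or a 'FAIL: ...' explanation for one side's view of the name.

    role is 'dm' for the Device Management server, 'device' for a managed device.
    """
    if role == "dm":
        want, wrong, wrong_label = internal_ip, external_ip, "external"
    else:
        want, wrong, wrong_label = external_ip, internal_ip, "internal"
    if not resolved:
        return "FAIL: name does not resolve (check the DNS A record or hosts file)"
    # Publishing both addresses under one name is not a fix: the client may
    # pick the wrong one, so treat the wrong address as a failure even if the
    # right one is also present.
    if wrong in resolved:
        return (f"FAIL: resolves to the {wrong_label} address {wrong}; "
                f"the {role} side must see {want}")
    if want not in resolved:
        return f"FAIL: resolves to {resolved}, expected {want}"
    return "OK"


def resolve_all(fqdn: str) -> List[str]:
    """All A records for fqdn as seen by this host, or [] if it does not resolve."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except socket.gaierror:
        return []


def tcp_reachable(ip: str, port: int = 443, timeout: float = 3.0) -> bool:
    """TCP reachability of the management site, like a PortPing/telnet check."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from_dm(fqdn: str, internal_ip: str, external_ip: str,
                  resolver: Callable[[str], List[str]] = resolve_all,
                  probe: Callable[[str], bool] = tcp_reachable) -> Dict[str, str]:
    """Checks to run on the DM server; returns a small report keyed by check."""
    report = {"dns": classify_resolution("dm", resolver(fqdn), internal_ip, external_ip)}
    if probe(internal_ip):
        report["port_443"] = "OK: internal IP accepts connections on 443"
    else:
        report["port_443"] = ("FAIL: no connection to internal IP:443 (firewall, IIS site "
                              "not bound to the internal IP, or gateway service down)")
    return report


if __name__ == "__main__":
    # Offline demonstration with constructed answers; drop the resolver/probe
    # arguments to run the real checks on a DM server.
    name, internal, external = "md-gw.mobilitydojo.net", "192.168.10.40", "172.16.12.10"
    good = check_from_dm(name, internal, external,
                         resolver=lambda n: [internal], probe=lambda ip: True)
    both = check_from_dm(name, internal, external,
                         resolver=lambda n: [internal, external], probe=lambda ip: False)
    print(good)
    print(both)
    print(classify_resolution("device", [external], internal, external))  # OK
```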
Hey Guys,
Not sure if this is still on subject but I’m able to enroll a device. Directly after enrollment it drops connection. Instead of a checkbox on the V in the menu bar I see an x. I can’t even browse webpages after enrollment. The device will stay in the pending enrollments, but on the device it says it’s enrolled. I ran BPA for my gateway server and I have 2 critical issues :
–Primary Domain Name System (DNS) IP address is not configured in MDM Gateway Server.
The managed devices use the primary Domain Name System (DNS) IP address to access the MDM Gateway Server.
For more information on Gateway Server configuration refer to Operations Guide for System Center Mobile Device Manager 2008.
–VPNAddress is not having Extenal IP Address. VPNAddress should have the external IP address that a managed Windows Mobile powered device uses for remote virtual private network (VPN) connections to MDM Gateway Server. You can set this using Set-MDMGatewayServer cmdlet for specifying VpnAddress. Refer to Operations Guide for System Center Mobile Device Manager 2008
This doesn’t make sense because I have entries for DNS and an external IP for my VPN/Gateway server.
Settings:
VPNAddress : 20x.xx.xxx.xx
PrimaryDNS : 1x.1x.x.xxx
BackupDNS : 1x.1x.x.xxx
Any suggestions?
The comment section is starting to grow large, but I still think you’re on subject
Have you tried running the “Get-MDMGatewayServer”-cmdlet on the DM server? This will tell you if the settings are actually applied to the GW.
Sometimes for some reason the DM server fails to update the GW properly so you could also try deleting the GW from the DM console, and adding it again. (Now that you have verified that https://FQDN/Vpn/ApplyConfig.ashx works, and there’s no firewall blocking..)
Also check the Event Viewer on both the DM and GW server for clues.
Thanks Andreas. This is a better resource than the Microsoft TechNet (seems to be down a lot!).
Get-MDMGateway returns all the results I expected. Identity, Gateway, etc. The last successful update looks normal, 10/30/08.
When I go to https://FQDN/Vpn/ApplyConfig.ashx I get a “Page requests a client certificate”, which is good, correct?
Event viewer has no errors or warnings that stand out. This is really strange. I’ll try adding the gateway again…
I use TechNet a lot for reference material, but there aren’t that many tutorials there, and you might have to look in more than one place to find all the info needed. This is the gap I try to fill.
You’re supposed to be prompted for a client certificate so that’s good. Since Get-MDMGateway also reports the expected values I’d try to remove and add the gateway, possibly followed by a reboot of the servers.
It might or might not solve the issue, but it doesn’t hurt as the next troubleshooting step.
Also remember to check that your device is resolving the DNS address to the correct IP. (And if you’re connecting from an external network that the proper ports are open on the external firewall.)
Okay I’m about 80% sure this has to do with DNS. Only I don’t know how to fix it. I installed the VPN diag tool to the emulator and it shows that it can’t resolve DNS name. My question is DNS name of what? I reinstalled the gateway server. All of my servers can ping each other. The gateway server is not part of my domain but there is a DNS entry that allows me to ping it. What DNS name is the device looking for?
P.S. Microsoft ticket opened on Thursday. No help so far
The device will obviously try to look for the DNS entry of the gateway first. If this succeeds it will try to look to the DNS entry of the DM server.
For ping/trace/etc there’s the excellent vxUtil to try out. If you want to make sure DNS resolves to the correct IP you can try out the hosts file editor available on this very site.
Is it really accurate that the external IP on the Gateway CANNOT be NAT’d? We only have one Firewall and hoped to put the public side into a DMZ. Is this not possible?
Well, this is one of those “yes and no” answers
You may get it working with a NATed IP. (Although I don’t NAT in this lab, I am using an internal IP and I could have had a NAT in front.)
(Ok, technically speaking I could have provided some more details above, but I thought I’d stick to the official instructions.)
But you lose out on some of the important functionality provided by the gateway like the alerter/wipe now function. And in some scenarios it might not work for instance if your device is also NATed.
You would also be running an unsupported configuration, which may or may not be a concern.
If you get it working in a lab, and don’t mind losing “wipe now”, I’m not going to stop you
Regarding the use of NAT on the external interface, how much firewall-type protection is the Gateway providing given that it is an Internet-facing server? I don’t mind doing this with ISA, but I have not seen anything to lead me to believe that the SCMDM Gateway is a firewall. Doesn’t this seem a bit risky?
Thanks!
The Gateway Server has some basic mechanisms in place – can only be administrated from the internal interface, uses a “virtual” subnet for the devices, etc. But no, it is not a firewall in itself. So by default NetBIOS ports will be accessible externally and similar threats.
You can mitigate some of these risks by general hardening of the OS, and one must consider if this is considered acceptable or not. (The internal firewall should block traffic trying to get further into the infrastructure.)
You can/should install a dedicated firewall in front and open just the necessary IPSec ports as long as the firewall does not perform NATing and you can assign an external IP to the external interface of the Gateway.
Hope this makes sense
Thanks, this really helped, although I have a question. I have a firewall and the external IP is mapped to an internal one on the gateway server (12.x.x.x mapped to x.x.x.120); on the same NIC I have another IP x.x.x.122 which is for the GW to communicate with the DM server. However I get the sync state error “Config is incorrect. VPN external interface IP could not be found”. I have all the proper ports and bi-directional setup for IPsec. Any ideas why I’m getting this error?
The Gateway Server is quite specific about the network setup it accepts, and you need to have two network interfaces on different logical subnets.
If you have one NIC with two IPs this will be treated as only one interface. If you have two NICs with IPs in the same range the Gateway will probably flag this as an error too.
This is by design as part of the security package where the GW acts as a router between the clients and the DM server.
Thanks, that makes sense. I set it up that way because I am running this on a blade, and one NIC is setup for iSCSI and the other NIC for network connectivity.. Therefore, I think I’m SOL since those blades only allow 2 NICS.
I’m using cisco switches and currently have this setup virtualized on Hyper-v do you know if your VLAN config for Hyper-V will work with cisco switches? I should note that I am using SP1 which is compatible with Hyper-V in a production environment.
Thanks again in advance.
Yeah, SCMDM likes to have things a certain way regardless of what would be the most convenient thing for certain scenarios
Since VLAN isn’t vendor-specific I see no reason why it wouldn’t work with a Cisco switch. I’ve only tested it on my 3Com switch, but properly configured you could probably get it working on your equipment as well. Obviously you need to make sure it doesn’t create too much load on the physical NIC, but I think you can get away with a decent number of clients before this becomes an issue.
If i remember Hyper-V correctly you would need to bind both of these to virtual NICs to the same physical NIC and leave the iSCSI NIC alone.
alright, one last question for you. I figured out why I couldn’t enroll earlier… old internet router setting. (also got another nic installed) Anyways, I am enrolled and connected however from within my network I cannot ping my external IP. So if I put my external IP in the external IPsec I get an error since that IP is unreachable. So I placed the IP of the server which is mapped in the firewall. So outside is 12.x.x.x is mapped to the private IP of my Gateway server. Is this way ok and my issue is else where or would this be NAT and not work?
I ask this because even though I am enrolled and “connected” I am unable to access any internal sites.
If your device has the green “V” checked everything is ok on the external side.
Your setup is a NAT configuration, and as such is not recommended if following Microsoft’s best practices. It should work though, but you will lose the “Wipe Now” functionality and only get scheduled Wipe. You’ll have to decide whether this is a show-stopper. When you add the gateway server in your DM console, the IP needs to be reachable from the DM server. The devices will connect to the address that is defined with the Set-EnrollmentConfig cmdlet.
A common problem is that routing is not configured properly. You need a route to the device subnet from your LAN (defined on your router), and a route from the subnet to the LAN (defined on your gateway). You should also check in the event viewer on your gateway that the device has been assigned an IP address in the proper range.
I have another question
I finally got the correct hardware for my gateway server (a blade center with two NICs) anyway. I have one NIC plugged into the DMZ, then I have one plugged into my corporate intranet. I installed the gateway server and the external facing NIC has Default Gateway and DNS servers configured in the settings. My internal facing NIC does NOT. It has static IP and Default Gateway. When I try to add the Gateway server to my MDM server, I get “configuration is incorrect. VPN external interface IP does not have a default gateway.”
But while adding the gateway server to the MDM server I used the internal facing IP because my firewall introduces NAT and I cannot ping out and then back in, so this way I can talk to the gateway server. Additionally, if I give my gateway server internal NIC a default gateway everything breaks and now the gateway server is unreachable.
Any ideas?
Just keep the questions coming
The server can only have one default gateway. This would normally be the external interface. You may have DNS assigned on multiple NICs, but if possible try to avoid this. I usually assign DNS servers on my internal NIC, as my intention is to use an internal DNS for lookups. This is obviously infrastructure dependent, but I then end up defining IP address, subnet mask, and default gateway on the external NIC and IP address, subnet mask, primary & secondary DNS on the internal NIC.
As for adding the gateway in the admin console the address used here must resolve to the internal interface, and also reach the gateway on this NIC as the gateway only accepts admin connections on the internal IP. (Check in IIS on the gateway that this is configured correctly.) You should use the host name, not the IP address. If your DNS resolves the host name for the gateway to the external IP you should redefine it in the hosts file on the DM server to point to the internal.
Ok, so how do I get around the external interface error? I cannot ping my external IP from my DM server primarily because our infrastructure does not allow it. Also we use NATing so that poses a problem. Is there any route command I can do on the GW server to point any traffic coming from the DM server to the default gateway of the external NIC on the GW Server?
These IPs are on different logical subnets, 192.168.63.x/22 and 192.168.73.x/22. I have tried creating a static mapping in the firewall from a 73.x IP to the 63.x IP so that it tricks the server into going to the firewall then going back to the external interface of the Gateway server. Either way I am really getting annoyed because I just can’t quite figure this out.
THANKS!
Exactly what is the error message you receive, and at which point do you get it? I am able to input invalid values in the wizard, but it will still complete. Though naturally the Sync State will be showed as “Unreachable”… Do you get any errors in the event viewer on either the DM server or the GW?
You need to have port 443 open outbound from the DM server to the internal IP of the GW server. You cannot trick this to hit the GW through the external NIC. This is a security feature so that people cannot connect to your GW admin interface over the internet. If traffic from the DM server is not coming in on the internal NIC, bound to the IP the IIS site is listening to it will be dropped.
The DM server will happily ignore what you put into the external IPsec field. (Obviously the devices will care, but that’s not the problem at hand here.)
NAT from the internet to the external NIC is ok, even though it’s not recommended. NAT from the DM server to the GW I do not know, so I’m not sure if that’s ok.
After using the wizard to add the Gateway Server, this is what Event Viewer shows:
Gateway Central Management service received HTTP error code InternalServerError
from Gateway Server.https://md-gw.sandhillsdealerservices.com:443
This Gateway Server may have rejected a message that included Gateway server configuration and alert requests. Confirm that the Gateway Server configuration is legitimate.
Note: Gateway Central Management service will try to re-send this message.Error Details:Configuration is incorrect. VPN external interface IP does not have a default gateway.
So that’s kind of where I am stuck at… and it’s not going to have a default gateway because my external NIC has the default gateway.
Oh, and if I use PortPing I can ping md-gw.mydomain.com on 443 from the DM server
Unfortunately it’s difficult to argue with the GW if it says the config is incorrect
It does mean though that it seems the DM server is able to reach the GW like it should. The GW server rejects the admin message because it perceives your network configuration as invalid.
When running through the wizard – what have you chosen in the router configuration on page 3? “VPN tunneled traffic uses default…”, or “Redirect traffic…”?
I have tried both to no avail, any recommendations? Also once I install the GW server am I supposed to lose the ability to browse the web?
You should not lose the ability to browse the web. If you cannot access web sites from the GW I’d say there’s something wrong with routing. At this point I would probably uninstall the GW, and verify all network related settings to be ok before a reinstall. Remove any static routes you’ve configured. Only have one default gateway defined (on the external NIC). Ping your GW from the DM, telnet to port 443 from the DM, and use Network Monitor or Wireshark to verify it hits the GW on the correct interface. Use something like the port scanner on grc.com to verify traffic from the internet hits the GW on the external interface. Verify that you can browse from the GW.
Double-check firewalls and routers. If possible connect the GW through a separate connection to the internet (if you’re able and allowed to do so).
Only when all these things are checked and validated should you reinstall the GW server. I get the distinct feeling that the fault lies somewhere in your network configuration, and not the GW itself.
OK, so we’ve made it farther
I have the little check mark and the gateway is up-to-date. The thing with web browsing on the GW server is that when I uninstall the gateway server I can browse the internet just fine. But when I install it I lose that ability. I do tracert and am able to get to google.com and my company website but it doesn’t know how to get back to me… but regardless we’ve made progress. Now I just need to figure out the persistent routes so I can access the corporate intranet.