[cvsnt] Connecting to CVSNT Server via VPN

Worth Robbins wrobbins at macoun.com
Thu Sep 8 00:22:18 BST 2005


Please bear with me, I'm not a networking giant, nor am I very experienced 
with CVS. I worked a little with CVSNT as a developer a year ago, and 
somebody set it up for me then. Now, I'm IT, development, operations, etc., 
supporting a couple of developers working remotely, and trying to set 
up CVSNT services.

I put the lowest level Symantec Firewall appliance at the edge of my 
network, and am trying to provide access via VPN tunnels from the 
developers' laptops.

To answer your questions:

"Bo Berglund" <bo.berglund at telia.com> wrote in message 
news:rdpuh1p3937q5lh0ckba13kk0strvh5pek at 4ax.com...
> On Wed, 7 Sep 2005 13:05:07 -0400, "Worth Robbins"
> <wrobbins at macoun.com> wrote:
>
>>Let me narrow the focus of my question. I had already decided not to try
>>using sspi over VPN, because of advice regarding limited authentication.
>
> Advice from whom?
> In my book SSPI is to be preferred any day over pserver because of
> authentication and security issues...

One of the Symantec phone support people said I wouldn't have full domain 
login authentication over VPN, I would only have whatever cached credentials 
were on the laptop. I interpreted this to mean I might have trouble using 
SSPI.
>
>>I only want to be able to make pserver work. When I am locally connected, 
>>the
>>connection string
>>
>>:pserver:cvsuser@pc325:/cvsrepo
>>
>>works fine.
>>
>>When connected via VPN, this doesn't work, even though I am able to ping
>>pc325 and am able to access various network shares.
>
> Network shares are of no concern here, the only valid thing is the
> access to the TCP port 2401 via your firewall. Maybe the VPN people
> have put in a policy to not allow port 2401 calls to propagate through
> the firewall?
> It does not make sense to me, but it could be so anyway. Or otherwise
> if you are on XP-Pro SP2 the IT people may have put a policy in place
> on your PC that activates Windows firewall whenever you are not
> locally connected and it is set to block 2401...

I am the IT people, and I know this isn't the case. In fact, I specifically 
opened TCP ports 2401 and 2402 on both the XP box running CVSNT and on the 
laptop running TortoiseCVS. I only mentioned the network shares as evidence 
that, at least at the node level, the laptop can see the server, enough to 
ping it and enough to mount a share it publishes.
>
>>
>>I have also tried substituting the ip address i.e.
>>
>>:pserver:cvsuser@192.168.0.5:/cvsrepo
>>
>>This also works connected locally but not via VPN.
>
> The name is resolved into an address by the DNS service. If that is
> working so you can ping the server by name then you should not have to
> change this at all.

It's possible that the name resolution is happening because of WINS rather 
than DNS. I don't know if that is significant, but it's definitely possible. 
In any case, since I am also unable to make it work using the IP address, it 
doesn't seem likely to be a DNS issue.
>>
>>What else, other than being able to access the server node by name or IP
>>address, is there that could be causing a problem?
>
> A block on port 2401 somewhere.

Ok, I'm definitely focusing there. I'm certain it isn't on either the box 
running CVSNT or on the box running TortoiseCVS, but maybe it's somewhere in 
the Firewall/VPN.

There's another possibility I could try. What if I port forwarded 2401 at 
the firewall to the CVSNT box, and had Tortoise pointing at the external 
address of the firewall. Should that work?

Again I apologize for so many naive/newbie questions, and I really 
appreciate patience helping me get this going.

Thanks,

Worth
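
Added example, not part of the original message: ping and share access do not exercise TCP port 2401, so this sketch tests the pserver port directly and separates a silent drop on the path from an active refusal. The function names and the local stand-in sockets in `demo_local` are constructed for illustration.

```python
import errno
import socket

CVS_PSERVER_PORT = 2401  # the pserver port discussed in the thread


def probe_tcp(host, port=CVS_PSERVER_PORT, timeout=3.0):
    """Classify one TCP connect attempt to host:port.

    open           handshake completed, a listener is reachable
    refused        a reset came back: no listener, or a device rejecting
    filtered       no answer before the timeout: typically a silent drop
                   by a firewall or VPN policy somewhere on the path
    unreachable    no route to the host or network
    resolve-failed the name did not resolve to an address
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "resolve-failed"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
        except (socket.timeout, TimeoutError):
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise
        return "open"


def demo_local():
    """Run the probe against constructed local sockets (works offline)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # ephemeral port with a listener
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))         # reserve a port, then free it
    closed_port = spare.getsockname()[1]
    spare.close()
    results = (probe_tcp("127.0.0.1", open_port),
               probe_tcp("127.0.0.1", closed_port))
    listener.close()
    return results


if __name__ == "__main__":
    print(demo_local())
```

Run from the laptop with the tunnel up, `probe_tcp("pc325")` uses the host name from the thread; comparing the result over the VPN with the result on the local network shows whether port 2401 is being dropped in between.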




