
Remote Access VPN Setup

Status
Not open for further replies.

deeno

Technical User
Joined
Oct 9, 2003
Messages
188
Location
US
I have been reading topics in this forum for the past several weeks and must admit I am becoming more and more confused. Let me explain the setup I’m trying to create...

Our current network has a single (static) public IP address. The line passes through a firewall and from there the line goes into a switch. All of the computers/devices that are on our network are connected to that switch (this is a very small network). NAT is enabled in the firewall to share the Internet connection.

The network consists of a Windows 2003 Server acting as the PDC. The rest of the computers are clients and run Windows 2000 Professional.

I would like to create a way for traveling employees to log on to the local domain so that they can access the network resources that they would have if they were in the office (files, printers, etc.).

What kind of hardware will we need to add in order to facilitate this? I thought we could just make the Windows 2003 Server a VPN server, but it says it would need a second network card. For our configuration this wouldn’t make sense, since it would just plug back into the switch and create a loop back.

What am I missing?

Thanks!

-deeno
 
quoted from

Interface(s) for VPN server. If your network doesn't have a router or the VPN is also a gateway, your computer must have at least two interfaces, one connecting to the Internet and another connecting to the LAN. If it is behind a router, you just need one NIC.

Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at
 
Mr. Lin, thanks for the reply. With your reply, I think it is accurate to say that the router (the firewall in my case) must be able to act as the VPN server. In other words, my firewall must be the VPN server (rather than having a server behind the firewall acting as the VPN server). Please correct me if I'm mistaken.

This brings another question to mind, and that is how the incoming connections are granted access to the network. Would an incoming connection be able to log on to the domain as if it were locally on the network? Or would an incoming connection gain access to the network in some other way?

Thanks again for the help,

-deeno
 
Actually, the point of the prior post was that you should be good to go as you are. You don't have to have the second NIC, and your VPN server can be behind the firewall.

That was true with W2K server, although not MSPC (Microsoft Politically Correct). The official line was that you should have two interfaces, one on the LAN and the other on the WAN. Over a period of time, they made less of a big deal about that, but at the same time there were some rumors that it might be enforced as policy on W2K3. I haven't tried with W2K3, so I don't know. Not sure if the post from ChicagoTechNet is based upon fact, or if he is assuming, as I would be likely to, that it will work as it does on W2K. Perhaps that will be clarified.

For now let's assume that it does work, as I suspect it does. You would leave your server where it is, inside the firewall. You would configure your firewall to forward TCP port 1723 to the server and let protocol 47/GRE/PPTP pass through. Should not be an issue unless it is old or a cheap router intended for home use. Even if it is, it may not be a problem.

Your server will accept the incoming VPN connections. Authentication to the domain is possible, it's an option on the VPN client supplied with recent versions of Windows. You may run into some problems here, some services do not like to live on the same box as a VPN server. Exchange server is a big no-no, it will NOT work. Most of the other issues can be worked through.

Now, it seems that you can do what you want, so the next question is whether you should do it. The situation described does have some security issues. They are minor, but there are more secure ways to configure a VPN server.

The following is an opinion, so take it as such. This probably is a workable solution provided security is not a very high priority, the users are somewhat limited in number and do not turn over often, you don't have people that are out to get you, your company, or its employees, and you're willing to put in some time learning how to get it going. If you work for a medical firm (hospital, doctor, pharmacy, etc.), a financial institution, a company that generates a lot of marketing email, produces a controversial product, etc., this would not be a good idea. On the learning curve side, the VPN server should be rather easy; getting the domain logon working correctly and accessing the resources on the network may take some time to work out.

Ooops . . . rambled on a lot longer than I intended. Hope some of this makes some sense and gives you some feel for a direction.
 
Thanks for the clarification, mhkwood. While I understand what you’re saying, I still have a few things that aren’t making sense.

First, I have tried to make a VPN server out of a W2K Server machine that I have running (just a stand-alone test computer). I tried this through the VPN server option under the Routing and Remote Access Server Setup Wizard. The second screen into the setup asks you to specify the Internet connection that the server uses. Having only one network card, I select it, and an error message returns saying, “You have chosen the last available connection as the internet connection. A VPN server requires that one connection be used as the private network connection.” I’m not sure where to go because of that (basically the same thing happens in W2K3).

The next thing is the security concern you mentioned. Do you see this as a problem since the VPN Server is behind the firewall? Or is it for another reason? I would obviously prefer to have this fairly secure, maybe not as tight as a bank or something, so I’m open to suggestions. What changes would you make to make this more secure?

Thanks for your time. Your posts have been very valuable.

-deeno
 
You can get away with one NIC but assign 2 IP addresses for security. For example, the VPN server will have a 172.16.0.1 address, subnet 255.255.0.0, in a DMZ; this will not let the outside world wander into your network. The second address will be on your internal LAN, i.e. 192.168.1.1 255.255.255.0, so authenticated users can browse the internal LAN.

For testing purposes, as the initial VPN setup is quite easy, set up the VPN server and a client on its own domain or via a crossover cable. Once you gain connection, then start putting a client on the other side of your router. Allow the correct ports through as described above.

Try installing certificate services on the server to allow additional security; you could make your own or use VeriSign, which will cost money.

With regards to what you say about the second NIC missing, I've managed to make the VPN work with one NIC. The VPN is behind the firewall so only one will be needed. The setup wizard will mention that there's only one NIC but will carry on working. I've tested this in a test environment. What router do you use?

Hope this helps

Rich
 
richyd, sorry for not getting back to you sooner. I have been on the road since my last post and have just now had time to view your reply.

I had never considered adding a second IP address to the NIC, but that actually makes a lot of sense.

Currently, I'm using the 3com OfficeConnect 25 Firewall. It does not have a DMZ port, so I am going to be upgrading when we go ahead and start this project. I'm thinking about getting the Linksys RV082 VPN Router as a replacement. It does have a DMZ port.

I was able to make the VPN work with just one NIC. I was able to ping any of the remote computers and I could gain access to shared resources with my domain user/password. In this test, the domain controller was also the VPN server, so I'm not sure what would happen if the VPN server was just another computer on the network.

While this configuration would work just fine, I was hoping that there was a way to make the remote user actually log on to the domain when the computer started. For instance, when Windows 2000 starts up, after pressing Ctrl+Alt+Del, I would like the domain to be listed in the log on to box. Is this setup possible?

Thanks for the help. I look forward to your response.

-deeno
 
I wouldn't recommend having your VPN on the domain controller; this would make your DC more open to the outside world. Try putting VPN on a separate machine or running in a VMware scenario. Have you used VMware before? for more info.

You could set up a Radius logon; it gives you the option whilst setting up the VPN server, and this is easier than it sounds. Or if you have Active Directory running, the user accounts can be read from the VPN server as this would have AD running. Don't quote me on that as I haven't tried it.

I can find out a little more, as I haven't done this for a while, and then I'll send you some better, useful advice. At home I'm running a Netgear MR314 router which has a DMZ option; it just makes it a little safer, but I haven't seen the Linksys routers.

To make it even easier, get yourself a VPN box. I.e. Netscreen and you can control everything through a web browser.

RichyD
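As an added illustration of mhkwood's firewall advice (forward TCP 1723, let GRE/protocol 47 through) and richyd's point about keeping the VPN server off the domain controller, here is a small Python check that is not from anyone in this thread: it audits a constructed firewall rule list for the two rules a PPTP server behind NAT needs and flags forwards that widen the VPN host's exposure. The rule syntax, the `Rule` class, `audit_pptp` and the sample addresses are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
PPTP_CTRL_PORT = 1723  # PPTP control channel, TCP
GRE_PROTO = "gre"      # IP protocol 47, carries the tunnelled PPP frames

@dataclass
class Rule:
    action: str                              # "forward" (DNAT to an inside host) or "allow" (pass through)
    proto: str                               # "tcp", "udp" or "gre"
    port: Optional[int]
    target: Optional[ipaddress.IPv4Address]  # inside host for "forward" rules

def parse_rules(text: str) -> List[Rule]:
    # Constructed rule syntax: "forward tcp 1723 -> 192.168.1.1" or "allow 47"; "#" starts a comment.
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("->", " ").split()
        action, proto = parts[0].lower(), parts[1].lower()
        if proto == "47":  # the protocol number as the post names it
            proto = GRE_PROTO
        port = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else None
        target = ipaddress.ip_address(parts[-1]) if action == "forward" else None
        rules.append(Rule(action, proto, port, target))
    return rules
def audit_pptp(rules: List[Rule], vpn_server: str, domain_controllers: List[str]) -> List[str]:
    # Findings for a PPTP server behind a NAT firewall: the two rules it needs plus two exposure checks.
    vpn = ipaddress.ip_address(vpn_server)
    findings = []
    if not any(r.action == "forward" and r.proto == "tcp" and r.port == PPTP_CTRL_PORT and r.target == vpn
               for r in rules):
        findings.append("missing: forward TCP 1723 to the VPN server")
    if not any(r.proto == GRE_PROTO for r in rules):
        findings.append("missing: GRE (IP protocol 47) pass-through")
    for r in rules:  # every extra forward to the VPN host widens what the outside can reach
        if r.action == "forward" and r.target == vpn and (r.proto, r.port) != ("tcp", PPTP_CTRL_PORT):
            findings.append(f"exposure: {r.proto}/{r.port} also forwarded to the VPN server")
    if vpn in {ipaddress.ip_address(d) for d in domain_controllers}:
        findings.append("risk: VPN server is a domain controller")
    return findings
# Constructed sample matching the thread: VPN server on the DC at 192.168.1.1, PPTP rules in place.
SAMPLE_RULES = """
forward tcp 1723 -> 192.168.1.1  # PPTP control channel
allow 47                         # GRE
"""
SAMPLE_FINDINGS = audit_pptp(parse_rules(SAMPLE_RULES), "192.168.1.1", ["192.168.1.1"])
```

Running the sample yields a single finding, the DC/VPN overlap; moving the VPN server to another inside address and forwarding only 1723 to it clears the list.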
 