Simple VPN Setup : VPN, VPN

May 17, 2008 10:10am pdt

1. batry_boy 209,084
2. RobWill 183,875
3. arnold 81,143
4. lrmoore 72,848
5. mwecompu... 55,414
6. MrHusy 36,470
7. ebjers 35,950
8. mkielar 33,600
9. dpk_wal 28,673
10. Cyclops3590 27,700
11. trinak96 22,665
12. TechSoEasy 20,114
13. from_exp 19,775
14. stuknhawaii 18,075
15. johnb6767 16,522

1. RobWill 1,336,768
2. lrmoore 873,591
3. batry_boy 383,794
4. grblades 213,434
5. rsivanandan 138,641
6. calvinetter 112,055
7. TechSoEasy 93,193
8. arnold 83,143
9. dpk_wal 81,673
10. tim_holman 75,964
11. mwecompu... 73,214
12. MrHusy 69,744
13. keith_al... 69,385
14. ewtaylor 68,324
15. plemieux72 64,143

02.05.2008 at 09:25AM PST, ID: 23138670

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.7

Simple VPN Setup

Zone: Virtual Private Networking (VPN)

Tags: VPN, VPN

I want to set up a VPN that can be accessed anywhere in the world from a laptop.
I want the user to login to the VPN with local Active Directory username / password and have access to our exchange server.

We have a router that is managed by our ISP and behind that a tz170 sonicwall --
What will be the easiest way to get the users access with a VPN?
Should I use the sonicwall or is there some other software that is easy to configure.
I also have spare servers that can be used for this VPN.

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: JasonBrownlee

Solution Provided By: Qlemo

Participating Experts: 6

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

02.05.2008 at 09:34AM PST, ID: 20824994

adolphus850:

Use the sonicall VPN client which is purchased separately. I've used it on the 2040pros. i think you can get it for the tz170's too.

Adol

02.05.2008 at 09:35AM PST, ID: 20824996

gjacknow1:

Using windows 2003R2 Routing and Remote Acces services should work. Free and easy (other than server license)
http://technet2.microsoft.com/windowsserver/en/library/00c498a8-95e7-4780-942e-c4594b01f6151033.mspx?mfr=true

02.05.2008 at 09:35AM PST, ID: 20825002

ryansoto:

I prefer a dedicated unit for vpn purposes not a server but thats me.
Now to integrate with AD you need a radius server no matter what solution you go with.
Is it just one laptop or multiple? If business process allows
I would go
http://products.nortel.com/go/product_content.jsp?segId=0&catId=null&parId=0&prod_id=53021&locale=en-US

Then use a radius server that talks to this unit and integrate with AD

02.05.2008 at 09:38AM PST, ID: 20825022

JasonBrownlee:

The company I work for is in big favor of free or use what we have. I believe our tz170 has the vpn license but the last IT person who was here told me he could never get it to work.

02.05.2008 at 09:43AM PST, ID: 20825061

ryansoto:

You just need to set the vpn up then I believe those units also have a vpn client.
You need to set the client up to match the tz unit.
This unit will not support radius.

02.05.2008 at 09:46AM PST, ID: 20825097

JasonBrownlee:

So the easiest way to get the user access to Exchange / Network files would be with the tz170 setup with Radius?

02.05.2008 at 09:50AM PST, ID: 20825121

ryansoto:

No No.

Radius is not suport with your firewall which means they will not be able to authenticatw with AD.
BUt you configure the firewall with the client software with authentication (basically a username and password if you will....)
Then you load the client software on the laptop and the policy from the firewall.
Once finished the user will be able to get into your setup as if he was sitting in the office and access network files and the exchange box. Of course as long as the settings and configuration is done right.

02.05.2008 at 09:54AM PST, ID: 20825154

Qlemo:

I recommend using OpenVPN (www.openvpn.net), which is absolutely free. It is a SSL VPN, and requires to be installed on both ends.. If using https port, there should be no problems with connecting even through firewalls. With connection (which should be established with a private certificate), one have full network access to the server. The OpenVPN client does not interfere with any other solution.

If security is not an issue, then it should! PPTP (MS-VPN) is easy to set up, but not secure at all. I cannot recommend that for worldwide usage.

Accepted Solution

02.05.2008 at 09:57AM PST, ID: 20825175

JasonBrownlee:

If going with open VPN ---> Will exchange work over the connection?

02.05.2008 at 09:58AM PST, ID: 20825187

adolphus850:

you probably need to create a global vpn key on the sonicwall then import it into the client if you have all the software already. A wizard should take you through it.

The VPN client should only cost around £30 per user if you don't already have it.

02.05.2008 at 10:23AM PST, ID: 20825367

gjacknow1:

Any VPN, if properly configured, will tunell all traffic. Therefore Exchange will work through it.

Open VPN seems like an interesting app. It is not obvious how that can tie in ones AD username/password. I guess it it can use radius then you can do it that way.

BTW MS gives you IAS (internet authentication server?) which is a radius server linked in to the AD.

I still say the security concerns about PPTP are overblown and it works fine. How many problems has anyone heard about with it? All you have to do to disable acess fro old (win9x) clients in uncheck one check box and most of the issue are taken care of.

Greg J

02.05.2008 at 10:58AM PST, ID: 20825696

Qlemo:

@qjacknow1: If you use PPTP in China, you will have no secrets very soon ... This is no paranoia thing.

@JasonBrownlee: Of course Exchange will work that way.

02.06.2008 at 09:07AM PST, ID: 20833685

chrisrandleman:

what server version are you running?

02.06.2008 at 09:21AM PST, ID: 20833795

JasonBrownlee:

I have both Server 2003 and Server 2000.

02.06.2008 at 09:26AM PST, ID: 20833847

chrisrandleman:

I would use either the 2003 or 2000 for a vpn server through routing and remote access

http://www.chicagotech.net/vpnsetup.htm#How%20to%20configure%20W2K%20server%20as%20VPN%20server

02.07.2008 at 09:24AM PST, ID: 20842780

JasonBrownlee:

One more thing:

After setting up the VPN server will I need to assign any public ip to the server?

02.07.2008 at 09:26AM PST, ID: 20842806

chrisrandleman:

You should be able to set up portforwarding for pptp on your router to go to the private ip of the server

02.07.2008 at 09:28AM PST, ID: 20842831

JasonBrownlee:

I don't have access to the router. The ISP we use has their own router. Would I then need to call them and have them do it?

02.07.2008 at 09:29AM PST, ID: 20842847

chrisrandleman:

I would imagine that would be your step.

02.07.2008 at 09:58AM PST, ID: 20843134

gjacknow1:

If your ISP "router" is only a router, it is already forwarding a range of public IPs that are your to you and it should not be blocking any ports.

Your firewall is what would be blocking traffic to your internal network and is what would have to be configured to have a public IP mapped to a private IP and have certain ports (and protocals) opened for to the VPN server.

I found this: For PPTP VPN connections, you need to open TCP port 1723 for PPTP tunnel maintenance traffic and permit IP Type 47 Generic Routing Encapsulation (GRE) packets for PPTP tunnel data to pass to your RRAS server's IP address.

02.07.2008 at 10:01AM PST, ID: 20843161

JasonBrownlee:

It's just a router. A Cisco 2200 -- It does't block any ports. I've confirmed that with the ISP. Thanks for the information!

02.07.2008 at 10:04AM PST, ID: 20843182

chrisrandleman:

In the tz170 go to the firewall tab
then the access rules should be the first thing to come up
use the rule wizard on the top of the page
Click next
click public server rule
click next
Select PPTP from the services drop down menu
Server Ip address will be your local ip (192.168.x.x)
destination interface is LAN
Then clip next
and then click apply

Don't forget to go into active directory and add these users to remote web workers or individual accounts and allow user to dial in

02.08.2008 at 08:37AM PST, ID: 20851708

JasonBrownlee:

So I went ahead and am using OpenVPN. Currently I've configured everything correctly I believe and the error I'm getting from the client side is this.

Fri Feb 08 10:35:58 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Fri Feb 08 10:35:58 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Fri Feb 08 10:35:58 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Feb 08 10:35:58 2008 LZO compression initialized
Fri Feb 08 10:35:58 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Feb 08 10:35:58 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Feb 08 10:35:58 2008 Local Options hash (VER=V4): 'd79ca330'
Fri Feb 08 10:35:58 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Feb 08 10:35:58 2008 UDPv4 link local: [undef]
Fri Feb 08 10:35:58 2008 UDPv4 link remote: 64.19.32.114:443
Fri Feb 08 10:35:58 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:00 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:03 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:05 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:07 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:09 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:11 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:14 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Fri Feb 08 10:36:16 2008 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

I've verified that I opened the right port on the firewall as well as checked with our ISP to make sure nothing needed to be done on their end.
I've taken one of the public IP's they've given us and used it as the connection ip and it doesn't seem to be working. Anybody have any clues?

02.08.2008 at 08:59AM PST, ID: 20851942

Qlemo: