I have a customer with two Windows Server 2003 Standard Edition R2 servers in an AD environment. They are behind a Sonicwall firewall with no perimeter network.
The primary server (server1) runs is a DC and runs the DHCP, WINS, DNS, RRAS, file sharing, print sharing etc.
The other server (server2) runs DHCP and DNS but is primary a databse server.
The Sonicwall is licensed for 1 VPN user. I have the online account order to purchase upgrades and the web account synch works fine.
Currently we run a PPTP VPN using the Routing and remote access service. Remote salesfolks connect remotely over the VPN from hotels and update their sales info.
The sales people are having problems in hotels with the VPNs and I am pretty sure that this is various firewall issues with PPTP. The owner has purchased cell wireless cards for the salesfolks and they usually work fine, however they cost a bunch of money and are slower than hotel wireless.
The owner wants a secure, reliable, and cheap way to have remote staff connect to the corp office. A one-time fee of a couple hundred bucks is not a problem, he hates recurring costs. He also wants to keep single sign-on and absolutely minimize training and downtime. He knows almost zero about computers and wants to keeps him and most of his staff that way as well.
My understanding is that moving to an L2TP VPN or the sonicwall firewall client will handle these issues.
The Sonicwall upgrade to 5 simultaneous users is fairly cheap and one time. The problem is I have to transfer he client to each user and configure it - that is doable. The next issue is that each user would have to login to their notebook without the dial-in checkbox we currently use for PPTP VPN. This violates the "no new training clause." At that point then the user needs to be instructed to run the client, again violating the "no training clause."
This leads me to an L2TP VPN. I was all set to do this when I discovered that some of the certificate templates require Server 2003 Enterprise Editiion. That is way out of budget. I also read that some people do not recomend making a DC and Enterprise Root CA. With an environment of 2 servers and 20 total clients, I do not see using any subordinate CAs. Just the root and a subordinate on the other server if needed. My understanding is I could do the L2TP VPN without certificates by using shared keys, but I imagine I would have the same issues as I do now with PPTP -easy to crack user passwords. If I could set one password on each end without the user knowing that would be be fine (imagines 60 character random password), but I have read that you should not do this in a production environmen.
Can anyone suggest a way to use the 2003 Standard servers to get L2TP VPN working to minimize training for the end-users? or another way? Or how to get the dial-in checkbox at Windows XP (ALL XP clients using SP2 or higher) It doesn't matter how technical it is for me as long as we minimize the details for the users. I can schedule time with them to use a web support service to make changes to their desktop. One other reason I would like to use L2TP is I believe that I can leave the PPTP and slowly phase in each user.
All help is appreciated.
Thank you.
