xterm69
access to win2k lan from internet via a device on DMZ maybe?

Hi all

Forgive me if this has already been asked but new to group, very informative place indeed.

I have been tasked with allowing access to our win2k lan from the internet via some method.

I am unsure about this, but my idea is as follows. Please let me know of any better ideas; I am not greatly into Microsoft and have no idea if it's possible.

We stick a terminal services server (or VNC server) on our DMZ (Sonicwall), which should in theory be able to access our LAN also, as long as all the rules are in place on the Sonic. Would this be right?
The machine on the DMZ would act like it's part of the win2k network and a standard machine on the win2k network, but would have a public IP address?

We could also use a VPN client direct to the fire, but the connection is from another company's office and I guess that would tie up the internet connection on that user's workstation completely, not allowing any other internet traffic to that desk until the VPN client has disconnected. Is this right?

I cannot see it working, as the machine on the DMZ is on a public IP and the LAN machines are all freespace IP.

Can someone suggest a solution? I would be very interested in your views and any ideas about any kind of access.

Thanks
xterm69


ASKER CERTIFIED SOLUTION
japeters

I did a similar setup for a company once, where an NT server sat on the DMZ but was part of the domain. I don't think the IP addresses are the issue; it's more likely going to be a WINS/DNS configuration headache. Yes, if the rules on the SonicWall are in place, certain traffic can be allowed in either direction (PLEASE get the latest firmware on your SonicWall though), but you really don't want much traffic going from the DMZ to the LAN side.

As for the VPN client disallowing other traffic -- huh? I don't think so, unless I misunderstand your setup and usage. If a single client from another company has the VPN client installed and attaches to your SonicWall to gain access to your LAN, that client, and everyone else on the client PC's network, will still be able to get to the internet. Some performance degradation may be noticeable in very low bandwidth pipes. But don't worry about that.

You weren't clear about what these outside people need to access... is it the whole LAN, or just one server? If it's the whole LAN, just use VPN and you'll have created what is known as an extranet. But you may not want the outside company to access everything on the LAN, so you can tie down the traffic with access rules on the SonicWall or your router. Even simpler, if they need only access to one server, just use NAT on the SonicWall/router to make a public IP/port map to the specific applications (presuming you can easily define the ports needed. If you can't, and you only have one public IP to use... you need to go another way). VNC tools may be a perfect option, much less costly and complicated than terminal services, but again, you'd need to be clear on how people will use this and what specifically they need to access in order for me to give a more concise recommendation.

My company, with offices in NYC and Chicago, specializes in this sort of thing, in case you need some serious on-site help or remote support. corpinfo@hydranetwork.com
SOLUTION
My response is specifically about this part of your request:

"We could also use VPN client direct to the fire, but the connection is from another companies office and I guess that would tie up the internet connection on that users workstation completely not allowing any other internet traffic to that desk untill the VPN client has disconnected is this right ?"

VPNs allow you to operate in a 'split tunneling' mode.

50k foot level: an end-user would still be able to use their internet connection for regular 'stuff', and yet still use the VPN connection to access the resources you were talking about.

Even better is that split-tunneling is controlled at the VPN Server end, where it should be. So you can specify exactly what must come over the tunnel, and everything else can use the regular internet connection.

It's a great solution for the problem you posed.
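To make the split-tunnelling point concrete, here is an added illustration of the routing decision a VPN client makes under a server-pushed route list (example code, not from this answer and not any vendor's VPN client). The two internal subnets, the "pushed route" lists and the sample destinations are constructed for the example; the point it shows is that the server decides which prefixes go over the tunnel, and everything else uses the workstation's normal internet connection, so the partner's desk is not cut off from the internet while connected.

```python
import ipaddress
from typing import Dict, Iterable, List

Net = ipaddress.IPv4Network

# Constructed: the routes a VPN server pushes to the client when split
# tunnelling is enabled.  Only these prefixes are sent over the tunnel;
# everything else leaves through the client's normal default gateway.
SPLIT_TUNNEL_ROUTES: List[Net] = [
    ipaddress.ip_network("192.168.10.0/24"),  # LAN behind the SonicWall (assumed)
    ipaddress.ip_network("192.168.20.0/24"),  # a second internal subnet (assumed)
]

# Constructed: a full-tunnel policy pushes a default route instead, so the
# client's internet traffic is also forced through the VPN.
FULL_TUNNEL_ROUTES: List[Net] = [ipaddress.ip_network("0.0.0.0/0")]


def select_path(dst: str, pushed_routes: Iterable[Net]) -> str:
    """Return 'tunnel' when dst falls inside a pushed route, else 'direct'.

    The route list comes from the server, which is what lets the VPN
    administrator, not the end user, decide what travels over the tunnel.
    """
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in pushed_routes) else "direct"


def classify_flows(dsts: Iterable[str], pushed_routes: Iterable[Net]) -> Dict[str, str]:
    """Map each destination to the path it takes under the given policy."""
    routes = list(pushed_routes)
    return {dst: select_path(dst, routes) for dst in dsts}


if __name__ == "__main__":
    # Constructed sample: one internal file server and one public web host.
    sample = ["192.168.10.25", "93.184.216.34"]
    print("split tunnel:", classify_flows(sample, SPLIT_TUNNEL_ROUTES))
    print("full tunnel: ", classify_flows(sample, FULL_TUNNEL_ROUTES))
```

Under the split-tunnel list the public web host stays "direct" while the internal server goes "tunnel"; under the full-tunnel list both go "tunnel", which is the behaviour the asker was worried about. Keeping the pushed list tight is also the defensive choice: a client that is simultaneously on the partner's network and on yours only bridges the prefixes you chose to push.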

You have a few options, starting from the best and most secure.
1. Set up a VPN tunnel from their firewall to the SonicWall. Allow only the services needed at your site through the tunnel.
2. If their firewall is not compatible, or they choose not to buy one, a VPN client can be loaded on each PC that needs access to your server.
3a. Do this as a third option by itself, or in combination with 1 or 2. Put your TS server on your LAN, not the DMZ.
3b. If you decided not to use options 1 or 2, then configure your SonicWall this way. In the Access area of your SonicWall, on the Add Service tab, add the terminal service (it's preconfigured in the list). It should then be listed on the Services tab. Enter the LAN IP address of your TS server. If the other company has a static public IP, then restrict the public IP. On the Rules tab, you should also see the terminal service listed. Modify the rule to only allow from the other company's IP to the LAN. This blocks the TS port (#3389) to all IPs except that company's.
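As an added model of the rule set option 3b describes (example code written for this page, not SonicWall configuration or anything from the answers), the block below evaluates first-match access rules the way a perimeter firewall does and contrasts the weak form, a Terminal Services port map open to any source, with the restricted form, where only the partner's static public IP may reach TCP 3389 on the TS server and an explicit deny catches everyone else. The partner IP and the TS server's LAN IP are constructed documentation-range addresses; port 3389 is the one named in the answer. The `port_open_to_any_source` check is the audit a practitioner would run before trusting such a rule set.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
RDP_PORT = 3389  # Terminal Services port named in the answer


@dataclass(frozen=True)
class Rule:
    """One first-match access rule, the way a perimeter firewall evaluates them."""
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                      # "tcp" or "udp"
    dport: Optional[int] = None     # None matches any destination port


# Constructed addresses (documentation ranges, not real hosts).
PARTNER_PUBLIC_IP = ipaddress.ip_network("203.0.113.10/32")   # other company's static IP
TS_SERVER_LAN_IP = ipaddress.ip_network("192.168.10.20/32")   # TS server on the LAN

# The weak version: the NAT/port map for Terminal Services is open to any source.
OPEN_RULES: List[Rule] = [
    Rule("allow", ANY, TS_SERVER_LAN_IP, "tcp", RDP_PORT),
]

# The version option 3b describes: only the partner's IP may reach 3389,
# and an explicit deny underneath catches everybody else.
RESTRICTED_RULES: List[Rule] = [
    Rule("allow", PARTNER_PUBLIC_IP, TS_SERVER_LAN_IP, "tcp", RDP_PORT),
    Rule("deny", ANY, TS_SERVER_LAN_IP, "tcp", RDP_PORT),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; with no match at all the default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.proto == proto and r.dport in (None, dport):
            return r.action
    return "deny"


def port_open_to_any_source(rules: List[Rule], dport: int) -> bool:
    """Audit check: can TCP dport be reached from 0.0.0.0/0 before a deny stops it?"""
    for r in rules:
        if r.proto == "tcp" and r.dport in (None, dport) and r.src == ANY:
            return r.action == "allow"
    return False


if __name__ == "__main__":
    # Constructed probes: the partner office, and an unrelated internet host.
    for name, rules in (("open", OPEN_RULES), ("restricted", RESTRICTED_RULES)):
        partner = evaluate(rules, "203.0.113.10", "192.168.10.20", "tcp", RDP_PORT)
        stranger = evaluate(rules, "198.51.100.7", "192.168.10.20", "tcp", RDP_PORT)
        print(f"{name}: partner={partner} stranger={stranger} "
              f"exposed_to_internet={port_open_to_any_source(rules, RDP_PORT)}")
```

The order of the two restricted rules matters: the partner-only allow must sit above the catch-all deny, otherwise the deny matches first and the partner is locked out too. The audit helper makes the difference between the two rule sets visible without sending any traffic, which is how you would verify the SonicWall rule after editing it on the Rules tab.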