Solved

Access to win2k LAN from the internet via a device on the DMZ, maybe?

Posted on 2003-03-12
Last Modified: 2010-04-11
Hi all

Forgive me if this has already been asked but new to group, very informative place indeed.

I have been tasked with allowing access to our win2k LAN from the internet via some method.

I am unsure about this, but my idea is as follows. Please let me know of any better ideas; I am not greatly into Microsoft and have no idea if it's possible.

We stick a terminal services server (or VNC server) on our DMZ (Sonicwall), which should in theory be able to access our LAN also, as long as all the rules are in place on the Sonic. Would this be right?
The machine on the DMZ would act like it's part of the win2k network, a standard machine on the win2k network, but would have a public IP address?

We could also use a VPN client direct to the firewall, but the connection is from another company's office, and I guess that would tie up the internet connection on that user's workstation completely, not allowing any other internet traffic to that desk until the VPN client has disconnected. Is this right?

I cannot see it working, as the machine on the DMZ is on a public IP and the LAN machines are all on freespace IPs.

Can someone suggest a solution? I would be very interested in your views, any idea about any kind of access.

Thanks
xterm69


Question by:xterm69
Accepted Solution

by:
japeters earned 100 total points
ID: 8122507
I did a similar setup for a company once, where an NT server sat on the DMZ but was part of the domain.  I don't think the IP addresses are the issue; it's more likely going to be a WINS/DNS configuration headache.  Yes, if the rules on the Sonic wall are in place, certain traffic can be allowed in either direction (PLEASE get the latest firmware on your Sonic wall though), but you really don't want much traffic going from the DMZ to the LAN side.    As for the VPN client disallowing other traffic--  huh?  I don't think so, unless I misunderstand your setup and usage.  If a single client from another company has the VPN client installed and attaches to your Sonic wall to gain access to your LAN, that client, and everyone else on the client PC's network, will still be able to get to the internet.  Some performance degradation may be noticeable in very low bandwidth pipes.  But don't worry about that.  You weren't clear about what these outside people need to access...is it the whole LAN, or just one server?  If it's the whole LAN, just use VPN and you'll have created what is known as an extranet.  But you may not want the outside company to access everything on the LAN, so you can tie down the traffic with access rules on the Sonicwall or your router.  Even simpler, if they need only access to one server, just use NAT on the Sonic Wall/Router to make a public IP/port map to the specific applications (presuming you can easily define the ports needed.  If you can't, and you only have one public IP to use...you need to go another way).  VNC tools may be a perfect option, much less costly and complicated than terminal services, but again, you'd need to be clear on how people will use this and what specifically they need to access in order for me to give a more concise recommendation.  My company, with offices in NYC and Chicago, specializes in this sort of thing, in case you need some serious on-site help or remote support.  corpinfo@hydranetwork.com
Assisted Solution

by:Joeisanerd
Joeisanerd earned 100 total points
ID: 8125306
Since you use SonicWall as your firewall, a better option for outside offices (more than one computer) is to get the SonicWall SOHO3 for that remote office, along with a DSL connection. You can then set up a VPN connection on your main SonicWall firewall to allow the VPN tunnel from the remote office. You can also create a Group VPN for people working from home to use the SonicWall VPN client software. You don't need to make any server exposed to the outside world unless you want to, for a web server or some other purpose. Terminal Services is understandable if you also turn on the 128-bit encryption for it.

The above setup is similar to what we do at work. We have 26 sites currently VPNing into our SonicWall, and everyone is now joined into our domain. When their computer makes a request for the internet while connected through a VPN, your SonicWall SOHO3 rules would direct it to the DSL internet. When the computer needs an inside address 172.20.X.X, then the rules tell it to use the VPN tunnel. Simple as that.

You can use the VPN SOHOs with static or dynamic IPs.
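The split-tunnel routing decision described in this answer (internal 172.20.X.X via the tunnel, everything else straight out the DSL link), as an added example that is not part of the thread or of any SonicWall product; it implements the general longest-prefix-match lookup and a check that no more specific non-tunnel route leaks LAN traffic. The interface names and the extra branch subnet are constructed.

```python
"""Split-tunnel route selection: longest-prefix match over a small policy table.

Added example (not from the thread). The internal range 172.20.0.0/16 is the
one quoted in the answer; the hop names and other prefixes are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# (prefix, next hop) in arbitrary order; the lookup picks the longest match.
ROUTE_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "dsl"),       # default route: ordinary internet traffic
    ("172.20.0.0/16", "vpn"),   # head-office LAN, reached via the tunnel
]


def select_route(dst: str, table: List[Tuple[str, str]] = ROUTE_TABLE) -> str:
    """Return the next hop for dst using longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise ValueError(f"no route for {dst}")
    return best[1]


def tunnel_covers(table: List[Tuple[str, str]], internal: str) -> bool:
    """Defender check: does every address in `internal` resolve to the tunnel?

    Any non-tunnel route that is a subnet of the internal range is more
    specific than the /16 tunnel route, so LPM would send that slice of the
    LAN out the plain internet path instead of the VPN.
    """
    internal_net = ipaddress.ip_network(internal)
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if hop != "vpn" and net.subnet_of(internal_net):
            return False
    return True
```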
Expert Comment

by:PaulBobby
ID: 8137067
My response is specifically about this part of your request:

"We could also use a VPN client direct to the firewall, but the connection is from another company's office, and I guess that would tie up the internet connection on that user's workstation completely, not allowing any other internet traffic to that desk until the VPN client has disconnected. Is this right?"

VPNs allow you to operate in a 'split tunneling' mode.

50k foot level: an end-user would still be able to use their internet connection for regular 'stuff', and yet still use the VPN connection to access the resources you were talking about.

Even better is that split-tunneling is controlled at the VPN Server end, where it should be. So you can specify exactly what must come over the tunnel, and everything else can use the regular internet connection.

It's a great solution for the problem you posed.
Expert Comment

by:Beerman
ID: 8156268
You have a few options, starting from the best and most secure.
1. Set up a VPN tunnel from their firewall to the Sonicwall.  Allow only services needed at your site through the tunnel.
2. If their firewall is not compatible, or they choose not to buy one, a VPN client can be loaded on each PC that needs access to your server.
3a. Do this as a 3rd option by itself, or in combination with 1 or 2.  Put your TS server on your LAN, not the DMZ.
3b. If you decided not to use options 1 or 2, then configure your Sonicwall this way.  In the access area of your Sonicwall, add service tab, add the terminal service (it's preconfigured in the list). It should then be listed on the services tab.  Enter the LAN IP address of your TS server.  If the other company has a static public IP, then restrict the public IP.  On the rules tab, you should also see the terminal service listed.  Modify the rule to only allow from the other company's IP to the LAN.  This blocks the TS port (#3389) to all IPs except that company's.
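A model of the access rule in option 3b above (TCP/3389 to the TS server allowed only from the partner's static public IP, everything else denied), as an added example that is not from the thread or from SonicWall; it includes an audit check that the port is not reachable from an arbitrary internet source. All addresses are constructed placeholders.

```python
"""First-match firewall rule evaluation for the restricted TS (3389) rule.

Added example, not from the thread or any vendor. The LAN and partner
addresses below are constructed placeholders, not real values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR of permitted sources
    dst: str               # CIDR of destinations
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


TS_SERVER = "192.168.1.20"    # constructed LAN address of the TS box
PARTNER_IP = "203.0.113.45"   # constructed partner static IP (TEST-NET-3)

RULES: List[Rule] = [
    Rule("allow", f"{PARTNER_IP}/32", f"{TS_SERVER}/32", "tcp", 3389),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),  # explicit default deny
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First matching rule wins, as in most firewall rule tables."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def open_to_world(rules: List[Rule], dst: str, dport: int) -> bool:
    """Audit: would a packet from an unrelated internet source be allowed?"""
    probe = Packet("198.51.100.9", dst, "tcp", dport)  # constructed outside host
    return evaluate(probe, rules) == "allow"
```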