Solved

lan2lan vpn

Posted on 2003-12-07
646 Views
Last Modified: 2010-03-19
We are in need of connecting two offices for application purposes.  Each has a Win2K server, about 15 users, and a DSL link to the net (one DSL has a static IP).  Both offices utilize older versions of Linksys routers.
The information passed will be client-sensitive, thus we need a decent level of security such as a VPN.  My question is: what options do we have with Windows Server 2000?
In the next several months a third office will have to be connected to the other two as well, with the same setup.  Any suggestions or links would be appreciated.  Have a great day, or rather night here in San Fran.

Klossie
Question by:klossie
7 Comments
 
LVL 35

Assisted Solution

by:ShineOn
ShineOn earned 90 total points
ID: 9891430
My first suggestion - don't use Windows server 2K.  Use a hardware-appliance VPN.

If you must go with a software-based VPN, then you will want to get a Win2K server (not Advanced Server, don't waste the money) for each site, with that server dedicated to VPN usage.  You don't want to force your main Win2K server to also be your VPN server - that is asking for trouble.

Since VPN servers are, necessarily, directly connected to the Internet, you have to take into consideration the risks involved in directly connecting a Windows device to the Internet.  You don't want to have your LAN subject to unnecessary risks in order to establish your VPN WAN.

All you need, besides a minimal Win2K server license for each site, is a workstation-class PC with a decent processor and memory configuration (it does NOT need a lot of disk!), and the PCs for your VPN servers must have 2 Network Interface Cards (NICs).

When you set up your initial 2-site site-to-site RRAS VPN, one of the two servers will be your "home" or "master VPN" server (depending on what you want to call it).  That is the server that will be "dialed to."  Yes, the oddball thing about RRAS VPN is that it is "dialup" oriented even though it works with always-on technologies like DSL.

You can set it up so no matter which box has been booted, the one that has been booted tries to initiate the connection, but the easiest initial setup is to have what you consider to be your remote site be the one to initiate the connection.

When you add another site, that one also should be set to initiate the connection.  Ideally, the central-site VPN server should also be able to "dial out" in the case that it has to be restarted, so it can re-establish the tunnels with the other remote sites.

What I have described is essentially a star configuration.

To ensure security, you will want to work with the L2TP/IPSec technologies available with RRAS on Win2K.  If that is too complex, or your company doesn't want to deal with certificates, then the other option is PPTP.  Either way, you end up with a "secure tunnel" between sites.

Whenever setting up Win2K Server as an RRAS point-to-point VPN server, you want to disable all services that the RRAS VPN service does not depend on, like FTP, IIS, etc.   You also want to have the port-blocking features enabled, and only allow the ports that are necessary to establish your site-to-site tunnels.  You DEFINITELY want to apply the most-current service pack, and all of the security hotfixes, before letting it go live, and establish a maintenance process to keep the patches as current as possible.  Remember, it is exposed to the Internet,  and it is a single-function server, so you want to harden it as much as possible and keep it up-to-date.

You could also consider other, non-Windows options for your VPN, like Novell BorderManager 3.8 VPN, which is more secure and more efficient than the RRAS VPN option.
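The port-blocking advice above (allow only what the site-to-site tunnel needs, deny everything else) can be modelled in a few lines. The following is an added illustration, not code from the thread or from Microsoft: it builds the inbound allow-list for a PPTP or an L2TP/IPsec RRAS server from the standard protocol and port assignments, then runs a default-deny check over a handful of constructed packets to show that the tunnel traffic passes while FTP, HTTP, NetBIOS and bare (non-IPsec) L2TP are dropped. The `behind_nat` flag and the NAT-Traversal rule are assumptions for the case where a NAT device sits in front of the server.

```python
"""Model of the default-deny port filter recommended above for a Win2K RRAS
VPN server.  Added illustration, not code from the thread or from Microsoft;
protocol and port numbers are the standard IANA assignments for PPTP and
L2TP/IPsec, and the packets at the bottom are constructed samples."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IP protocol numbers the two tunnel types rely on
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP data channel
PROTO_ESP = 50   # IPsec Encapsulating Security Payload (carries L2TP)


@dataclass(frozen=True)
class Rule:
    proto: int
    dst_port: Optional[int] = None   # None: protocol has no ports (GRE, ESP)
    note: str = ""


@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None


def rras_allow_list(tunnel: str, behind_nat: bool = False) -> List[Rule]:
    """Inbound rules the VPN server's Internet-facing interface needs.

    Everything else (FTP, HTTP, NetBIOS, ...) is implicitly denied, which is
    the point of running the box as a single-function server."""
    if tunnel == "pptp":
        return [Rule(PROTO_TCP, 1723, "PPTP control connection"),
                Rule(PROTO_GRE, None, "PPTP tunnelled data (GRE)")]
    if tunnel == "l2tp/ipsec":
        rules = [Rule(PROTO_UDP, 500, "IKE key exchange"),
                 Rule(PROTO_ESP, None, "IPsec ESP; L2TP (UDP 1701) rides inside")]
        if behind_nat:
            # NAT-Traversal wraps ESP in UDP 4500 (assumed needed only when a
            # NAT device sits in front of the server)
            rules.append(Rule(PROTO_UDP, 4500, "IPsec NAT-T"))
        return rules
    raise ValueError(f"unknown tunnel type: {tunnel!r}")


def permitted(rules: List[Rule], pkt: Packet) -> bool:
    """Default deny: a packet passes only if some rule matches it."""
    return any(r.proto == pkt.proto and (r.dst_port is None or r.dst_port == pkt.dst_port)
               for r in rules)


def audit(rules: List[Rule], packets: Dict[str, Packet]) -> Dict[str, bool]:
    """Evaluate every sample packet against the allow-list."""
    return {name: permitted(rules, p) for name, p in packets.items()}


# Constructed sample packets: what an exposed server sees from the Internet
SAMPLE_PACKETS = {
    "pptp-control": Packet(PROTO_TCP, 1723),
    "pptp-gre":     Packet(PROTO_GRE),
    "ike":          Packet(PROTO_UDP, 500),
    "ike-nat-t":    Packet(PROTO_UDP, 4500),
    "esp":          Packet(PROTO_ESP),
    "l2tp-bare":    Packet(PROTO_UDP, 1701),   # L2TP without IPsec: must not pass
    "ftp":          Packet(PROTO_TCP, 21),
    "http":         Packet(PROTO_TCP, 80),
    "netbios-ssn":  Packet(PROTO_TCP, 139),
}

if __name__ == "__main__":
    for tunnel in ("pptp", "l2tp/ipsec"):
        print(tunnel, audit(rras_allow_list(tunnel), SAMPLE_PACKETS))
```

The `l2tp-bare` case is the one worth noticing: L2TP on UDP 1701 by itself carries no encryption, so the filter should only let it through inside ESP, which is what the L2TP/IPsec rule set does.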
 
LVL 35

Expert Comment

by:ShineOn
ID: 9891434
Also, you will need to get a static IP for the 2nd site (and the 3rd when you add it) because the RRAS VPN is IP-address based.
 
LVL 35

Expert Comment

by:ShineOn
ID: 9891439
To clarify - if you want to have the resilience of having a *true* site-to-site configuration with any site being able to initiate the tunnel, then you *have* to have fixed IP addresses.  It is possible to do a "pseudo" site-to-site VPN with DHCP-assigned addresses on the far end, but they would HAVE to be the initiator of the link, and it would actually be more of a client-to-site configuration since the remote-side IP won't be a known factor.  That could end up causing you routing issues if you are truly trying to establish a WAN over VPN as opposed to simply connecting a client via VPN.

Author Comment

by:klossie
ID: 9891492
Thanks ShineOn for the well-written suggestion.  There is only one site with a static IP address, any heads up on this?  Also, the third office will also be DHCP.   Lastly, are you aware of any detailed configuration guidelines including hardware/config specs?   Thanks again for responding so quickly.   Klossie
 
LVL 35

Expert Comment

by:ShineOn
ID: 9891518
There are a slew of documents on the Microsoft knowledgebase and on technet, describing in full detail how to use RRAS to establish a VPN.  It is very late here, and I am, unfortunately, too tired to go searching for links to point you to, so before I retire for the evening (actually morning) I will leave you with that.

You could try a search on technet.microsoft.com for RRAS VPN or you could do a google search for RRAS VPN configuration to get "real-world" advice on how, step-by-step, to do what you want to do using Win2K technologies.

Sorry to be so short, but I am really beat, and can't stay up any longer.  Good luck.
 
LVL 10

Accepted Solution

by:KingHollis
KingHollis earned 35 total points
ID: 9891542
ShineOn has given you an excellent and detailed solution using Windows 2000, but his first solution was the best: Don't use W2K - use a hardware appliance VPN solution. It is the simplest solution and you can simply replace the old version Linksys routers you have. Any number of Small Office/Home Office VPN Gateway solutions are out there on the market today that would meet your needs: Netgear, Enterasys, SonicWall, Symantec, 3Com, etc. Just go to www.cdw.com or www.insight.com or www.microwarehouse.com or the likes and look for Small Office/Home Office VPN Gateways or firewalls. All the ones I mentioned are from $150 to $300, cheaper than buying Windows 2000 Server and hardware.

As for the static IP situation... It would certainly be preferable to have static IPs, but in theory you could get away with having one central location with an IP address only and have all locations call the one static location.

SanFran[PPoE-DSL]-->VPNTUNNEL-->SantaClara[Static]<--VPNTUNNEL<--Fresno[Cable]
                                                                ^
                                                                 |__ VPNTUNNEL<--Oakhurst[DSL]
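ShineOn's earlier point that a tunnel can only be dialled *to* a site with a fixed address, and KingHollis's diagram of one static hub with dynamically addressed spokes, describe the same constraint. The planner below is an added example, not code from the thread: it takes the four sites from the diagram, with static/dynamic flags assumed for illustration, and works out for each spoke who is able to initiate the tunnel, whether the hub could re-dial that spoke after a restart, and which site pairs could never form a direct tunnel at all (both ends dynamic), which is what forces a star rather than a mesh.

```python
"""Planner for the star (hub-and-spoke) site-to-site VPN discussed above,
encoding the rule that a tunnel can only be dialled *to* a site whose
address is fixed.  Added illustration, not code from the thread; the four
sites come from KingHollis's diagram and their static/dynamic flags are
assumptions for the example."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    static_ip: bool   # True: fixed address; False: DHCP / PPPoE-assigned


def initiators(a: Site, b: Site) -> List[str]:
    """Sites able to initiate the tunnel between a and b.

    A peer can only be dialled if its address is known beforehand, so the
    caller must be the side whose peer has a static IP."""
    callers = []
    if b.static_ip:
        callers.append(a.name)
    if a.static_ip:
        callers.append(b.name)
    return callers


def plan_star(hub: Site, spokes: List[Site]) -> Dict[str, dict]:
    """One tunnel per spoke, all terminating at the hub.

    For each spoke report who may initiate, whether the hub can re-dial the
    spoke after a restart, and whether either end can bring the link up
    (the resilient, "true" site-to-site case)."""
    if not hub.static_ip:
        raise ValueError(f"hub {hub.name} needs a static IP: nobody could dial it")
    plan = {}
    for spoke in spokes:
        callers = initiators(spoke, hub)
        plan[spoke.name] = {
            "initiators": callers,
            "hub_can_redial": hub.name in callers,
            "resilient": len(callers) == 2,
        }
    return plan


def impossible_direct_tunnels(sites: List[Site]) -> List[Tuple[str, str]]:
    """Pairs that can never form a direct tunnel (both addresses dynamic).

    Traffic between such sites has to hairpin through the hub, which is why
    an all-dynamic spoke set forces a star rather than a mesh."""
    return [(a.name, b.name) for a, b in combinations(sites, 2)
            if not a.static_ip and not b.static_ip]


# Constructed scenario from the thread's diagram: one static hub, three
# dynamically addressed spokes (the flags are assumptions).
SANTA_CLARA = Site("SantaClara", static_ip=True)
SPOKES = [Site("SanFran", static_ip=False),
          Site("Fresno", static_ip=False),
          Site("Oakhurst", static_ip=False)]

if __name__ == "__main__":
    for name, entry in plan_star(SANTA_CLARA, SPOKES).items():
        print(name, entry)
    print("no direct tunnel possible:", impossible_direct_tunnels(SPOKES))
```

With all three spokes dynamic, every tunnel has exactly one possible initiator (the spoke) and the hub cannot re-dial anyone after a reboot; giving a spoke a static address is what turns its entry into the resilient case where either end can bring the link up.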
 
LVL 35

Expert Comment

by:ShineOn
ID: 9893804
Oh, by the way, warehouse.com (microwarehouse,macwarehouse,etc.) has been bought by CDW.