Make Server 2003 VPN WLAN more secure

Posted on 2004-04-08
Last Modified: 2008-02-01
Hello, right now I have the following setup:
I run a LAN with a Server 2003 to allow VPN-WLAN clients to connect to the local LAN.
LAN: 192.168.0.x (server 2003 192.168.0.2)
WLAN/ VPN: 192.168.1.x (server 2003 192.168.1.1)

NAT, RAS and VPN are working, and I activated the following packet filters to prevent WLAN users without an activated VPN from connecting to the server and from being routed to the local LAN:

allow incoming (destination IP):
192.168.1.1    TCP 1723
192.168.1.1    IP protocol ID 47
deny the rest.

allow outgoing (source IP):
192.168.1.1    TCP 1723
192.168.1.1    IP protocol ID 47
deny the rest.

This way only VPN users can access the Server 2003 / LAN / internet.


But a friend told me that this is a bad workaround. It would be way more secure if I configured my network this way:

LAN eth: 192.168.0.x
native WLAN eth: 192.168.1.x      (server WLAN eth: 192.168.1.1)
virtual VPN eth: 192.168.2.x      (server virtual VPN eth: 192.168.2.1)

Advantages:
You can allow routing only for 192.168.2.x to 192.168.0.x, which allows only VPN users to be routed into the LAN. Native WLAN users with a 1.x subnet won't be routed.
If you allow only authenticated users (MS-CHAP v2) to connect to the server's VPN eth, you have a very secure setup.

BUT MY PROBLEM NOW IS:
How can I change the IP of the virtual VPN eth adapters? I need to change them on the server and on the clients as well (clients should get their IP through the server's DHCP), and the routing has to be changed from 1.x->0.x to 2.x->0.x.
Unfortunately, the wizard doesn't allow this setup.
Question by:MaNiAcLRSC
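To make the difference between the two designs concrete, here is a small added model (not code from the original question or from any Windows tool) of the proposed three-subnet layout: a packet filter on the native WLAN adapter that only admits PPTP control traffic and GRE addressed to the server, and a forwarding rule that routes into the LAN only from the virtual VPN subnet. The interface names `wlan`/`vpn` and the sample client addresses are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Subnets exactly as listed in the question (constructed model, not RRAS config)
LAN = ip_network("192.168.0.0/24")
VPN = ip_network("192.168.2.0/24")          # virtual VPN adapters, authenticated users
SERVER_WLAN_IP = ip_address("192.168.1.1")  # server's native WLAN adapter
PPTP_CONTROL_PORT = 1723
GRE_PROTOCOL_ID = 47


def decide(iface, src, dst, proto="tcp", dport=None):
    """Return (accepted, reason) for a packet entering the server on `iface`.

    iface == "wlan": raw packet on the native WLAN adapter, subject to the
                     packet filter (only PPTP control + GRE to the server).
    iface == "vpn":  decapsulated packet on the virtual VPN adapter, subject to
                     the routing policy (only 192.168.2.x -> 192.168.0.x).
    proto is "tcp" or "gre"; dport only matters for TCP.
    """
    s, d = ip_address(src), ip_address(dst)
    if iface == "wlan":
        if d != SERVER_WLAN_IP:
            return False, "wlan filter: not addressed to the server, denied"
        if proto == "tcp" and dport == PPTP_CONTROL_PORT:
            return True, "wlan filter: PPTP control channel allowed"
        if proto == "gre":
            return True, "wlan filter: GRE (IP protocol %d) allowed" % GRE_PROTOCOL_ID
        return False, "wlan filter: deny the rest"
    if iface == "vpn":
        # Native WLAN clients never arrive here, and even a spoofed 2.x source
        # on the WLAN adapter is stopped by the filter above.
        if s in VPN and d in LAN:
            return True, "route: VPN subnet -> LAN forwarded"
        return False, "route: only 192.168.2.x -> 192.168.0.x is forwarded"
    return False, "unknown interface"


if __name__ == "__main__":
    # Constructed sample packets: a native WLAN client and an authenticated VPN client
    samples = [
        ("wlan", "192.168.1.50", "192.168.0.10", "tcp", 80),    # WLAN client -> LAN host
        ("wlan", "192.168.1.50", "192.168.1.1", "tcp", 1723),   # WLAN client -> PPTP
        ("wlan", "192.168.1.50", "192.168.1.1", "gre", None),   # WLAN client -> GRE
        ("vpn", "192.168.2.20", "192.168.0.10", "tcp", 80),     # VPN client -> LAN host
        ("vpn", "192.168.1.50", "192.168.0.10", "tcp", 80),     # WLAN source via VPN iface
    ]
    for pkt in samples:
        print(pkt[:3], decide(*pkt))
```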
Expert Comment

by:What90
ID: 10782410
Hi MaNiAcLRSC,

I think this is what you're looking for.
Open up the RRAS MMC, right-click on your server name, choose Properties, select the IP tab and then enter the IP address range you want to hand out via DHCP. Make sure you pick the correct adaptor.
Author Comment

by:MaNiAcLRSC
ID: 10782474
Hi What90,
I hand out the IP addresses via DHCP. The other option is a static pool, which I don't use, because I'm already using DHCP.
I haven't found the option yet where I can tell the 2003 server to differentiate between the WLAN adapters and the virtual VPN adapters when DHCP hands out IP addresses. The VPN adapter is nowhere shown. Right now they both get 1.x IP addresses.
Accepted Solution

by:
What90 earned 195 total points
ID: 10782587
At the bottom of the IP tab, under DHCP, there is a drop-down box which says "automatically select adapter". You can pick which adapter gets that range of IP addresses.

If you look at step 7) on this link, it should explain and show you:
http://www.tacteam.net/isaserverorg/vpnkit/configisavpn.htm