[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 822
  • Last Modified:

Make Server 2003 VPN WLAN more secure

Hello, right now i have the following setup:
I run a LAN with a server 2003 to allow VPN-WLAN Clients to connect to the local LAN.
LAN: 192.168.0.x (server 2003 192.168.0.2)
WLAN/ VPN: 192.168.1.x (server 2003 192.168.1.1)

NAT, RAS and VPN is working and i activated the following filters for packetfiltering to prevent Wlan Users without activated VPN to connect to the server and to be routet to the local LAN:

allow incoming:
destination-IP        
192.168.1.1    TCP 1723
192.168.1.1    IP-Protocol-ID 47
deny the rest.

allow outgoing:
source-IP
192.168.1.1   TCP 1723
192.168.1.1    IP-Protocol-ID 47
deny the rest.

This way only VPN-users can access the server 2003/ LAN/ internet.


But a friend told me, that this is a bad workaround. It would be way more secure, if i configured my network that way:

LAN eth: 192.168.0.x
native WLAN eth: 192.168.1.x      (server WLAN eth: 192.168.1.1)
virtual VPN eth: 192.168.2.x         (servervirtual VPN eth: 192.168.2.1)

Advantages:
You can allow routing only for 192.168.2.x to 192.168.0.x, which allows only VPN users to be routet into the LAN. Native WLAN users with 1.x subnet won't be routet.
If you allow only authenticated users (MS-Chap v2)  to connect the servers vpn eth, you have a very secure setup.

BUT MY PROBLEM NOW IS:
How can i change the IP of the virtual VPN eth adapters?  i need to change them on the server and on the clients as well (Clients should get their IP through the servers DHCP), and the routing has to be changed from 1.x->0.x to 2.x->0.x
The Wizard unfortunately doesn't allow this setup.
0
MaNiAcLRSC
Asked:
MaNiAcLRSC
  • 2
1 Solution
 
What90Commented:
Hi MaNiAcLRSC,

I think this is what you're looking for.
Open up the RRAS MMC - right click on your server name - properties - select the IP tab and then enter the ip address range you want to hand out via dhcp make sure you pick the correct adaptor.
0
 
MaNiAcLRSCAuthor Commented:
HI What90,
i hand out the IP Adresses via DHCP. The other option is a static pool, which i don't use, because i'm already using dhcp.
I didn't find the option yet where i can tell the 2003 server to differ between the WLAN adapters and the virtual VPN adapters when the dhcp hands out IP addresses. The VPN adapter is nowhere shown. Right now they both get 1.x IP addresses.
0
 
What90Commented:
At the bottom of the IP tab on the under the DHCP is a drop down box which says automatic select adapter. You can pick which adapter gets that range of ip addresses.

If you look at step 7) on this link, it should explain and show you:
http://www.tacteam.net/isaserverorg/vpnkit/configisavpn.htm
0

Featured Post

Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now