Solved

Creating a VPN

Posted on 2005-03-11
Last Modified: 2012-05-05
Ok I am a VPN virgin, and need to setup a VPN from my domain at work to some of the senior staff member's homes and laptops. I will also (of course) be granted access to the tunnel.

Here is a lovely rough visual representation of our network (here at work):


                          internet
                               |
                               |
                       ||||||||||||||
                      || ISP Router ||
                       ||||||||||||||
                              |
                              | WAN Interface
          ||||||||||||||||||||||||||||||||||
          || Hardware Firewall (M0n0wall) || ---------   Webserver
          ||||||||||||||||||||||||||||||||||   DMZ Interface (bridged with WAN- ie. Transparent)
                              | LAN Interface
                              |
                              |
                     internal network

              2003 Server       Win2K Server
                PDC                      DC

                             
Here is my setup and capabilities:

* Our domain at work has a Static Public IP address (xx.xx.139.178) - WAN interface
* We use M0n0wall 1.1 as a hardware firewall solution. It supports PPTP and IPSec. It has a WAN interface, LAN interface, and a DMZ interface (for Webserver with public IPs)
* The senior staff have home networks using Cable Modem and dynamically assigned IP addresses (COX and Charter)
* Our internal Network (LAN Interface) is NAT'ed behind the firewall's WAN interface (192.168.172.0 subnet)
* The M0n0wall supports 1 to 1 NAT, Server NAT, Inbound, and Outbound NAT
* Windows 2003 Server is Primary Domain Controller and Win2k Server is Secondary DC
* Senior Staff home computers use Windows XP Pro


How do I go about setting this up on:

A) The firewall (Do I use IPSEC or PPTP, what is the difference or do I use both- how does this work?)
B) The server (PDC I am guessing) - When the senior staff member connects to the WAN interface, will he be prompted to login under his Active Directory user account? How does this work, and what is the server configuration?
C) On the client machines using Windows XP, how do I set this up? Do I have to join their home machines to my domain at work?
D) Once the VPN tunnel has been established and they are connected, how do I allow them access to their work computers and user shares?

Ok I know I am asking a lot here, so of course I will start this one off at 500 points...




Question by:Trihimbulus
19 Comments
 

Expert Comment

by:implexant
ID: 13520108
I would highly recommend against IPSEC. It's fugly, ugly, and fairly hard to work with. However, this is simply a personal preference. It's a good technology, just not one I care to work with. To setup a VPN that would integrate with your current AD interface.

Here's what you need to do:

1) Configure RRAS on one of the servers to accept VPN connections. More information on that can be found here: http://www.guidescentral.com/help/singlenic.html

2) Forward TCP port 1723 and GRE port 47 to the IP of the server you set this up on.

3) Configure your client machines using the new network connection wizard. It should be simple from here.

Post if you have any questions :)

-Chris
 
LVL 6

Assisted Solution

by:DaVinci007
DaVinci007 earned 800 total points
ID: 13520339
implexant's procedure is the best way to go in my opinion.

However, I would suggest after step 1 you test the RRAS server from inside to inside.  Use a PC on your LAN, set up VPN using Win XP's "new connection wizard".  If it connects successfully, you can concentrate on your firewall setup.  The overall procedure should be pretty straightforward, but this is just in case; it's always easier when you know where to concentrate your efforts when something doesn't work.

Regards.
 

Expert Comment

by:implexant
ID: 13520453
Testing from the internal LAN wouldn't be such a bad idea. But unless you have specific problems, or are planning on a huge deployment, there is really no reason to do internal testing unless the router doesn't forward stuff properly.

Let us know how it goes!

-Chris

 
LVL 16

Accepted Solution

by:samccarthy
samccarthy earned 1200 total points
ID: 13520554
OK, I agree too, I would set this up according to the link implexant provided.  I would not choose to use the RRAS policy unless you set one up.

On some routers and firewalls all it takes is a port 1723 to be opened.  On others, they require GRE.  A correction implexant, GRE is IP Protocol 47, it is not port 47.  There is a big difference there.

Setup your clients using the wizard.  To make matters easier, create an alias for your VPN.  I use Register.com, so I created an alias there.  My domain is say xyzcorporation.org.  I create an alias vpn.xyzcorporation.org.  Now, all I need to put in my VPN clients configuration is vpn.xyzcorporation.org so I don't have to worry about remembering IP addresses or messing it up when putting it in.

I would then do as DaVinci said.  Test from inside first.  It only takes a few minutes, but it will tell you that everything is set up and connecting.  It's such a pain to be at the remote site and wonder if the problem is internal or external.

Lastly, on those people VPNing in.....  Give them a shortcut to the logon script you normally use.  These will not map automatically over your VPN, but you can click on that shortcut and run the logon script that way.  Your users authenticate to the domain, the logon script runs after you click on the icon and now the person is just another machine sitting on the network with all their drives mapped.
 

Expert Comment

by:implexant
ID: 13520806
The DNS name instead of IP is a great idea. Didn't even think of that.

My apologies on the GRE deal, you are correct.

-Chris
 
LVL 1

Expert Comment

by:dhaval001
ID: 13522509
Hi there

I am not against IPSEC at all since it offers very strong security. But with the strong security come its headaches. It is not friendly enough to use and also to configure. You will have to do 2 things if you want IPSEC.

1. Connect the home laptops to your work domain.
2. Configure your hardware firewall for the IPSEC VPN, install the firewall's IPSEC vpn client on the home laptops and configure it.

The reason for connecting home laptops to your work domain is that the VPN connection will only put your home laptops on the same IP subnet. After that, just like any computer on the same subnet, if a computer tries to access any resource on the server and the computer is not part of the domain, it will ask for credentials, and trust me, you don't want to go through that hassle when we talk about the senior staff, who would probably want as little hassle as possible.


If you want to use PPTP, it is quite easy to use but it is not as secure as IPSEC.  Also it is not a good idea at all to make your DC to be the RRAS server. This is because if a user's VPN username and password leaks, it is a big security problem since it is the same for accessing the server.

Instead of making your DC an RRAS server, see if your router itself can act as PPTP server i.e. RRAS server. Some routers like Draytek can do this. This will separate the username and password for VPN and accessing server.

In this scenario, all you need to do is configure VPN accounts on your firewall, if it has such a functionality.

If your firewall doesn't act as a PPTP server, you should consider this. Get your home users to get a static IP address instead of dynamic. I am not sure if you can do this, but it is worth it. Here is why it is worth it.

If you get static IP addresses, you can restrict the inbound VPN connections to only those IP addresses. In the solutions listed above, if you open ports for the RRAS, anyone can come in from anywhere as long as the user supplies the correct username and password. But if you have static IPs, you can configure your firewall to accept VPN connections only from certain IP addresses.

This is a very secure solution since no hacker in the world can come to know what IP addresses are allowed on your firewall. Also, if you do not restrict as to what IP addresses can come in, your firewall can be port scanned and the hacker can come to know that there is a port open. But if you restrict by IP address, the port scan will also not work.

I hope this helps.

Let me know if you need more help.

Dhaval
 
LVL 16

Expert Comment

by:samccarthy
ID: 13522701
Buttttttt, if you authenticate to the router, you are not authenticated to the domain, so no domain resources are available unless you logon or authenticate to them.

IPSEC is more secure, but let's face it, for the amount of time most VPN users are connected, PPTP is just fine and secure enough for the average, general user.
 

Author Comment

by:Trihimbulus
ID: 13535797
Ok so I am going to use the firewall/router as the PPTP server. Now once connected, I am going to need the users to have access to domain resources such as user shares etc. Now once connected to the PPTP server, how do I get them authenticated into the domain? I will also set up the RRAS server on a server besides one of the DCs.
 

Author Comment

by:Trihimbulus
ID: 13536080
Another thing is- On the firewall, I have the option to :

A) Enable PPTP and redirect incoming PPTP connections to a server on my LAN.
  - Prompts for address of server on LAN

B) Enable PPTP Server
  - Prompts to "Enter the IP address the PPTP server should use on its side for all clients"
  - Use a RADIUS server for authentication
When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used.
  - Enter the IP address of the RADIUS server.
  - Enter the shared secret that will be used to authenticate to the RADIUS server.

So what is a RADIUS Server? Is this a method I can use instead of RRAS or is the server that will be running RRAS the Radius server?
Also- When I went to set up RRAS on the server, it said I need another NIC card. Why is this? It is already connected to the network. We have a star topology and no servers act as routers or gateways.
 
LVL 16

Expert Comment

by:samccarthy
ID: 13538217
As I said earlier, if you authenticate to the firewall/router, you are not authenticating to the domain, so you will then have to provide credentials to the domain resources you want to access.

For example, to map a drive to a domain resource after authenticating to the domain, you might use this.
net use l: \\CTL-File02\Finance /PERSISTENT:NO

To map a drive to the same domain resource authenticating to the Firewall/Router, you would have to add a username and password to the command.
net use l: \\CTL-File02\Finance Password /USER:username /PERSISTENT:NO

Option A is for using your Server as the VPN Server.

Option B is for using your Firewall.  A RADIUS server can be used.  It is a server set up specifically for authentication that Active Directory can use.  If you have a RADIUS server in your domain and are using that, you could have your firewall authenticate to that.  If you are just starting out on VPNs, don't even worry about doing RADIUS.  You will overcomplicate your life when all you need is to use the KISS method.

You do not need a second NIC.  Use the custom setup, and select VPN server there.  Follow the prompts.  It will work just fine.

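The "shortcut to a mapping script" idea from the accepted answer and the credential-carrying net use above, combined into one batch file for the XP clients. This is an added example, not a script posted by anyone in this thread. It assumes a VPN connection entry named "Work VPN", a domain called XYZCORP, the file server CTL-File02 from the post above, shares named Finance and Users\<username>, and that the home PC's local username matches the domain username (change DOMAIN_USER if it does not). It passes explicit domain credentials so it works whether or not the home PC is joined to the domain, and prompts for the password instead of storing it in the file.

```batch
@echo off
rem vpn-drives.cmd -- added example, not from the thread.
rem Run this from a desktop shortcut AFTER dialing the PPTP connection.
setlocal

rem Assumed names: adjust to your environment.
set VPN_ENTRY=Work VPN
set WORK_DOMAIN=XYZCORP
set DOMAIN_USER=%USERNAME%
set FILE_SERVER=CTL-File02

rem 1. Confirm the PPTP tunnel is actually up. "rasdial" with no
rem    arguments lists the currently connected RAS/VPN entries.
rasdial | find /i "%VPN_ENTRY%" >nul
if errorlevel 1 (
    echo The VPN connection "%VPN_ENTRY%" is not connected. Dial it first.
    exit /b 1
)

rem 2. Check the file server answers through the tunnel before mapping,
rem    which avoids a long SMB timeout when routing or DNS is wrong.
ping -n 1 -w 2000 %FILE_SERVER% >nul
if errorlevel 1 (
    echo Cannot reach %FILE_SERVER% over the VPN. Check routing and DNS.
    exit /b 1
)

rem 3. Drop any stale mapping, then map with DOMAIN credentials.
rem    The "*" makes net use prompt for the password at the console
rem    rather than keeping it in this script. /PERSISTENT:NO keeps the
rem    mapping from being retried at every boot while off the VPN.
net use L: /delete /y >nul 2>&1
net use L: \\%FILE_SERVER%\Finance * /USER:%WORK_DOMAIN%\%DOMAIN_USER% /PERSISTENT:NO
if errorlevel 1 (
    echo Mapping L: failed: wrong domain credentials or no access to the share.
    exit /b 1
)

rem 4. Further shares on the same server reuse the SMB session created
rem    above, so no credentials are needed again.
net use H: /delete /y >nul 2>&1
net use H: \\%FILE_SERVER%\Users\%DOMAIN_USER% /PERSISTENT:NO

echo Drives mapped. Run "net use" to confirm.
endlocal
```

Windows only allows one set of credentials per server per session, so every share on CTL-File02 must be mapped with the same domain account; if the user has logged on to the home PC with a different local account, that is why DOMAIN_USER is passed explicitly rather than relying on the local name.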
 

Author Comment

by:Trihimbulus
ID: 13575908
Ok, I successfully established a VPN connection inside the network to the RRAS server. Now once I have established the VPN connection, how do I access resources in the domain? Can I do a net view, and see all the computers in the domain? Can I map network drives and/or access user shares? I am unsure how this part works, as I mentioned I am a VPN virgin hehehe
 

Expert Comment

by:implexant
ID: 13576927
Once you establish a connection outside your current network via the VPN, you should be able to do anything just as if you were directly plugged into the LAN with a CAT5 cable. Obviously, dependent on your WAN connections on both ends, the speed will vary.

-Chris
 
LVL 16

Expert Comment

by:samccarthy
ID: 13582999
Once the connection is established, you are ON the network.  For remote users, I just put a shortcut to a mapping script.  They run it, the drives map and it's just like being in the office!
 

Author Comment

by:Trihimbulus
ID: 13590993
Ok so let's say I set the hardware firewall to pass all PPTP requests to my internal RRAS server. Once the connection is initiated and connected, will they then be prompted to login to the domain? And one last question, does their desktop/laptop have to be joined to the domain as well?
 

Expert Comment

by:implexant
ID: 13595972
You can have them join the domain if you want. But I wouldn't. When they aren't connected to the VPN, then they wouldn't be on the domain. Best to just connect without logging into the domain. You'll obviously have to use the appropriate machine level user names and passwords when mapping drives.

-Chris
 

Expert Comment

by:implexant
ID: 14006853
I think we pretty much answered all of his questions. If he has any more, he needs to post them, and then we can answer them :-)

-Chris
 
LVL 16

Expert Comment

by:samccarthy
ID: 14009194
A split would be most appropriate
 

Expert Comment

by:implexant
ID: 14016485
Agreed, split would be best.

-Chris