ajaikumarr asked:
Configuring Winroute on Windows 2003 to enable RDP & VPN access.

Hi All,

Below are the settings on my server.
Windows 2003 EE.
  ADS Installed on Windows 2003
  DNS Installed on Windows 2003
  Winroute Firewall v6.1.4 Installed
  (No DHCP, WINS)
  All the users inside the local network are assigned static IPs.

Three Network Cards
  1. LAN
     IP   :- 192.168.100.1 (Static)
     Sub  :- 255.255.255.0
     GW   :- <NULL>
     DNS  :- 192.168.100.1
     
  2. ISP 1 (Using this for primary connection. ISP assigns Dynamic IP on router)
     IP   :- 192.168.1.2 (Static)
     Sub  :- 255.255.255.0
     GW   :- 192.168.1.1 (Router IP)
     DNS  :- 192.168.1.1 (Router IP)
     
  3. ISP 2 (Using this for backup & incoming connection. ISP provided Static IP)
     IP   :- 61.11.74.xxx (Static)
     Sub  :- 255.255.252.0
     GW   :- 61.11.72.1 (ISP's GW address)
     DNS1 :- 202.9.145.6 (ISP's DNS address)
     DNS2 :- 202.9.145.7 (ISP's DNS address)

"ISP 1" is primary connection on winroute and "ISP 2" is configured as backup connection which can switch over when the primary connection fails.
     

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...44 45 53 54 89 88 ...... Kerio VPN adapter
0x10004 ...00 0e 0c 3b e2 ff ...... Intel(R) PRO/1000 MT Network Connection - Virtual Machine Network Services Driver <<LAN>>
0x10005 ...00 e0 4c e3 16 c3 ...... Realtek RTL8139/810x Family Fast Ethernet NIC <<ISP 1>>
0x10006 ...00 08 a1 8f ed aa ...... Realtek RTL8139 Family PCI Fast Ethernet NIC #2 <<ISP 2>>
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.11.72.1     61.11.74.xxx     20
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     20
       61.11.72.0    255.255.252.0     61.11.74.xxx     61.11.74.xxx     20
     61.11.74.xxx  255.255.255.255        127.0.0.1        127.0.0.1     20
   61.255.255.255  255.255.255.255     61.11.74.xxx     61.11.74.xxx     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     169.254.70.0    255.255.255.0   169.254.70.157   169.254.70.157     20
   169.254.70.157  255.255.255.255        127.0.0.1        127.0.0.1     20
  169.254.255.255  255.255.255.255   169.254.70.157   169.254.70.157     20
      192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2     20
      192.168.1.2  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255      192.168.1.2      192.168.1.2     20
    192.168.100.0    255.255.255.0    192.168.100.1    192.168.100.1     20
    192.168.100.1  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.100.255  255.255.255.255    192.168.100.1    192.168.100.1     20
        224.0.0.0        240.0.0.0     61.11.74.xxx     61.11.74.xxx     20
        224.0.0.0        240.0.0.0   169.254.70.157   169.254.70.157     20
        224.0.0.0        240.0.0.0      192.168.1.2      192.168.1.2     20
        224.0.0.0        240.0.0.0    192.168.100.1    192.168.100.1     20
  255.255.255.255  255.255.255.255     61.11.74.xxx     61.11.74.xxx      1
  255.255.255.255  255.255.255.255   169.254.70.157   169.254.70.157      1
  255.255.255.255  255.255.255.255      192.168.1.2      192.168.1.2      1
  255.255.255.255  255.255.255.255    192.168.100.1    192.168.100.1      1
Default Gateway:        192.168.1.1
===========================================================================
Persistent Routes:
  None

Winroute Configuration
----------------------
Traffic policy
==============
Name   Source   Destination     Service     Translation
RDP    ISP 2    61.11.74.xxx    PPTP
                ISP 2           RDP
                Firewall        TCP 3389

RDP    ISP 2    61.11.74.xxx    PPTP        192.168.100.1
                ISP 2           RDP
                Firewall        TCP 3389
                   
What I need to do is:
1. Allow internal users to go through "ISP 1" <Which is working great>.
2. Switch the connection to "ISP 2" when the "ISP 1" connection fails <Which is also working great>.
3. Allow external users to come in (either RDP or VPN) through "ISP 2".
   If I ping this IP it returns the "ISP 1" IP rather than its own IP.
   If the default gateway is set to 61.11.72.1 then VPN works fine, but outgoing connections go through "ISP 2".
   To change the gateway to 61.11.72.1 I normally disable the "ISP 2" card and re-enable it; this makes the 61 series the default gateway.

The above structure is because "ISP 1" does not have a restriction on transfer capacity, whereas "ISP 2" is limited to 1GB/Month. That's why the outgoing connection is routed through "ISP 1" and the incoming connection is routed through "ISP 2".

Can somebody guide me to set up Winroute for this situation?
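The route table in the question has two 0.0.0.0 routes with the same metric (one per ISP), which is why the box flips between gateways when a NIC is bounced and why replies to traffic that arrived on "ISP 2" can leave through "ISP 1". The following Python script is an added example, not part of this thread and not Winroute or Windows code: it parses a Windows `route print` table, applies the longest-prefix-then-lowest-metric selection every IP stack uses, flags tied default routes, and shows whether a reply to an outside client would exit asymmetrically. The sample table is constructed from the question's output with the masked `xxx` octet replaced by the placeholder value 10; the client address 203.0.113.5 is from the documentation range.

```python
# Added example: analyse a Windows "route print" IPv4 table offline.
import ipaddress
from typing import Dict, List

# Constructed sample modelled on the route table in the question; the
# masked public octet "xxx" is replaced by the placeholder 10.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.11.72.1      61.11.74.10     20
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     20
       61.11.72.0    255.255.252.0      61.11.74.10      61.11.74.10     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.2      192.168.1.2     20
    192.168.100.0    255.255.255.0    192.168.100.1    192.168.100.1     20
Default Gateway:        192.168.1.1
"""


def parse_routes(text: str) -> List[Dict]:
    """One dict per 'Active Routes' row. Header and footer lines are
    skipped because they do not parse as four addresses plus a metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gateway = ipaddress.ip_address(parts[2])
            iface = ipaddress.ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append({"net": net, "gateway": gateway, "iface": iface, "metric": metric})
    return routes


def select_routes(dest: str, routes: List[Dict]) -> List[Dict]:
    """Longest matching prefix first, then lowest metric. Normally one
    route survives; several means the table is ambiguous and the stack
    picks by its own internal order, which an admin cannot rely on."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    matches = [r for r in matches if r["net"].prefixlen == longest]
    lowest = min(r["metric"] for r in matches)
    return [r for r in matches if r["metric"] == lowest]


def egress_interfaces(dest: str, routes: List[Dict]) -> List[str]:
    """Sorted interface addresses a packet to dest could leave from."""
    return sorted(str(r["iface"]) for r in select_routes(dest, routes))


def has_tied_default_routes(routes: List[Dict]) -> bool:
    """True when more than one 0.0.0.0/0 route shares the lowest metric,
    the condition behind the gateway flip described in the question."""
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if len(defaults) < 2:
        return False
    lowest = min(r["metric"] for r in defaults)
    return sum(1 for r in defaults if r["metric"] == lowest) > 1


def with_default_metric(routes: List[Dict], iface: str, metric: int) -> List[Dict]:
    """Copy of the table with the default route on `iface` re-metriced,
    i.e. what adjusting that NIC's interface metric would leave behind.
    This makes one ISP the deterministic default; it does NOT make
    replies to traffic that arrived on the other ISP go back out that
    ISP, which needs per-source policy routing the plain table lacks."""
    target = ipaddress.ip_address(iface)
    out = []
    for r in routes:
        r = dict(r)
        if r["net"].prefixlen == 0 and r["iface"] == target:
            r["metric"] = metric
        out.append(r)
    return out


def reply_path(client: str, arrived_on: str, routes: List[Dict]) -> Dict:
    """Where the reply to a connection from `client` that came in on
    `arrived_on` exits. 'asymmetric' means it leaves on a different
    interface, carrying the ingress ISP's address as source on the
    other ISP's link, which upstream filtering commonly drops."""
    exits = egress_interfaces(client, routes)
    return {"exits": exits, "asymmetric": exits != [arrived_on]}


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_PRINT)
    print("tied defaults:", has_tied_default_routes(table))
    print("reply via ISP 2 link:", reply_path("203.0.113.5", "61.11.74.10", table))
    fixed = with_default_metric(table, "61.11.74.10", 30)
    print("after raising ISP 2 metric:", reply_path("203.0.113.5", "61.11.74.10", fixed))
```

Running it on the sample shows the two tied defaults and an asymmetric reply for a client that connected to the ISP 2 address; raising the ISP 2 default metric removes the tie but leaves the reply asymmetric, which is why a single destination-based route table cannot deliver "out via ISP 1, in via ISP 2" on its own.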
ASKER CERTIFIED SOLUTION
Rob Williams

ajaikumarr (ASKER)

Hi,

Sorry... As soon as I set up RAS I had set up a DHCP server... It's scoped to 192.168.100.201 to 250... Will try as per your suggestion and let you know... Anyhow, thanks for the inputs.
I am not familiar with Winroute, so I may not be much help, but give it a try.
--Rob
Hi Rob,

Tried your suggestions,

When I try to connect through 61.11.74.xxx "ISP 2" it's not connecting. I can see the request for PPTP, IKE on my winroute console and the client gets error 800.

If I disable either of the ISPs and connect through their public IP, it is getting connected without any probs... Any thoughts?

>>"If I disable either of the ISPs and connect through their public IP, it is getting connected without any probs... Any thoughts?"
No, not really. I assume it is a default gateway issue. You did assign a specific DHCP range to the VPN users and they are assigned the 61.11.72.1 gateway? If so I don't really have any other solution, at least not right now. Usually this is done with load balancing or fail over routers rather than on the server.
Hi Rob,

Yes, I've assigned a DHCP scope of 192.168.200.1 - 192.168.200.255; the gateway is assigned to 61.11.72.1 inside "Scope Options" and also in "Server Options" (003 Router) of the DHCP Console. What if I have a Sygate ZyXel firewall? Is it possible to handle this scenario? I have a bit of experience with this firewall and did failover settings, but I'm not sure about the possibility of setting a backup port for incoming connections. Is this feasible?
How are the 2 connections configured now?
  NIC1/ISP1 => Sygate ZyXel => Modem => Internet
  NIC2/ISP2 => Modem => Internet

As for multiple connections to the Sygate ZyXel, which model is it?
Hi Rob,

Sorry, I think I've confused you a bit... What I meant was, if I buy a ZyXel firewall, can I handle the same structure without any probs?

Currently like this
Server
 - NIC1/ISP1 -> ISP Modem -> Net
 - NIC2/ISP2 -> ISP Modem -> Net
 - NIC3/Switch -> Internal

How about "ZyWALL 35"? Can you please suggest some models of any brand... Have a minimal budget...
Yes the Zywall 35 UTM should do the trick if you want to pursue that route. I am not familiar with it, but looking at the on-line data sheet it looks quite good.
Thanks Rob,
What would be your choice if you have to setup like this?
I would definitely use a dual port router, myself, not to say it cannot be configured without. As to make, we all tend to recommend the one/s we have used. I would do some reading and comparisons. Look at them carefully as some offer load balancing and/or fail-over protection. In some cases you have the option of using one or the other but not both. Where you want the 2 connections for protection as well as to use the second connection for remote users, you will need one that will do both simultaneously.
Thanks Rob,

Will suggest this to my CEO and let them decide what to go with... Anyhow, thanks...

At present I've installed DYDNS on my server to get the problem solved for the time being. Hope that should be OK for them as long as it doesn't have any probs.... Let's see...
Let me know how you make out in the end ajaikumarr. Thanks for the update.
--Rob
Sure Rob, will update this thread... But it's now time to accept the answers... Thanks for the help...
Thanks ajaikumarr,
--Rob
You are most welcome Rob.