
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 300

Networking question regarding 2 gateways

Hello:

I do not have much experience with networking, because I do more programming stuff. A problem has arisen here and I am looking for a solution.

We have our main office in Barcelona and an office in Madrid.
We have 2 servers: one is a Windows 2003 TS, the other is a Windows 2000 TS, only with Administrator rights.
We also have 2 routers: one is an ADSL one, the other is a Cisco.
We have an IP service provider that serves as an intermediary link between Barcelona and Madrid.

Our Madrid users connect to corporate applications via Terminal Server through a router, called "router A", that only accepts users from a static IP (192.168.10.4). That works fine, but we now have a user with a laptop who connects via wireless to the Internet and from there, and we also have workers who would like to connect from home. They would need to connect to router A and then use TS. Right now, the only way our "mobile laptop user" can connect is to connect to the Internet (dynamic IPs), and then from there to an ADSL router called "router B", which has one default gateway, 192.168.10.51, and then from there to an Administrator account on a different machine using TS. This also is working... but I do not like it.

How can I set it up so that all of our users can connect to router A? Or rather, how do I set the gateway to accept the Madrid users or any external user?

Please help.

thanks,

joseph
Asked by: CEGE
2 Solutions
 
simonlimb commented:
Does the router allow for MAC address filtering? If so, enable this and enter the MAC addresses of your users' NICs, allowing those computers to connect through the router. Then add TS CALs to allow the "new" user computers onto the Terminal Server.
 
CEGE (Author) commented:
hello:

Using MAC address filtering doesn't seem too safe though... I know of programs that can find legitimate MAC addresses and spoof them, and then they are in. It's not a bad option though, except for the security deal.

What is the standard practice in a case such as mine?

thanks,

joseph
 
hfern commented:
The standard practice is to set up a VPN, a virtual private network. VPNs are encrypted tunnels that accept only authenticated users. VPN in a Windows environment is nicely described at this site: http://www.windowsnetworking.com/j_helmig/vpn.htm.

You'd want to set up a VPN server in your Barcelona office. You may even consider letting the Madrid folks also connect over this VPN connection, instead of straight over the Internet and only check the IP address. How to configure VPN in more detail is described at http://www.jsifaq.com/subM/tip6000/rh6084.htm. Please note that *any* connection that you allow in the Internet is prone to hacking. VPN is a standard way of opening up your network, but you will see people trying to break in.

If you are concerned about security then you may want to evaluate a more secure method like what Checkpoint offers. Checkpoint uses something they call SecureID tokens. All your remote users will get a small badge with an LCD display that displays 7 digits. These digits change every 30 seconds or so. Remote users authenticate themselves with a username and a password. The password is made up of a static part with the 7 digits of the SecureID token appended to it. This is a very secure way of opening up your internal network to the Internet. You can check out details at Checkpoint's website at http://www.checkpoint.com/ .
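The token scheme hfern describes (a static part with a code that changes every half minute appended, checked by whatever authenticates the remote user) is easier to reason about as code. The block below is an added example written for this page; it is not from the thread, Checkpoint or RSA. It uses the open TOTP algorithm (RFC 6238: HMAC-SHA1, six digits, 30-second slices) in place of the proprietary SecurID one, and adds the two checks a verifier needs in practice: a small clock-skew window and one-time use of each code so a captured password cannot be replayed. The username, PIN and shared secret are constructed (the secret is the RFC reference key), as is the PIN-then-code password layout.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code ("every 30 seconds or so" in the thread)
DIGITS = 6       # RFC 6238 default; the badges described in the thread show 7


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current time slice."""
    return hotp(secret, int(at_time) // step)


class TokenAuthenticator:
    """Verifies 'static PIN + current token code' passwords for remote users.

    `users` maps a username to (pin, shared_secret). In a real deployment the
    secret lives on the token and in the authentication server (e.g. RADIUS).
    """

    def __init__(self, users: dict, window: int = 1):
        self.users = users
        self.window = window        # accept +/- this many slices of clock skew
        self.last_slice: dict = {}  # replay guard: highest slice already used per user

    def verify(self, username: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        known = username in self.users
        # Unknown users get dummy credentials so the same amount of work is done.
        pin, secret = self.users.get(username, ("0000", b"dummy-secret-for-unknown-users"))
        pin_part, code_part = submitted[:len(pin)], submitted[len(pin):]
        pin_ok = hmac.compare_digest(pin_part.encode(), pin.encode())
        current = int(now) // TIME_STEP
        matched = None
        # Check every slice in the window (no early exit) so timing stays uniform.
        for candidate in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(secret, candidate).encode(), code_part.encode()):
                matched = candidate
        if not (known and pin_ok and matched is not None):
            return False
        # One-time use: a code already accepted (or an older one) is a replay.
        if matched <= self.last_slice.get(username, -1):
            return False
        self.last_slice[username] = matched
        return True


# Constructed demo data: the RFC 4226/6238 reference secret and an invented PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_USERS = {"joseph": ("4711", DEMO_SECRET)}


def demo() -> list:
    """Walks through accept, replay, bad PIN, next slice and unknown user."""
    auth = TokenAuthenticator(DEMO_USERS)
    t = 59  # RFC 6238 reference time: slice 1, whose six-digit code is 287082
    return [
        auth.verify("joseph", "4711" + totp(DEMO_SECRET, t), now=t),            # True
        auth.verify("joseph", "4711" + totp(DEMO_SECRET, t), now=t),            # False: replay
        auth.verify("joseph", "0000" + totp(DEMO_SECRET, t + 30), now=t + 30),  # False: wrong PIN
        auth.verify("joseph", "4711" + totp(DEMO_SECRET, t + 30), now=t + 30),  # True: next slice
        auth.verify("nobody", "4711" + totp(DEMO_SECRET, t + 30), now=t + 30),  # False: unknown user
    ]


if __name__ == "__main__":
    print(demo())
```

The replay guard is what turns a "password that changes every 30 seconds" into something a captured session cannot reuse: the verifier remembers the highest slice it accepted for each user and rejects anything at or below it, which also closes the skew window behind an accepted code.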

 
mianni commented:
Have you thought of setting up a VPN, only for external users? Either with a dedicated VPN device such as a Nortel Contivity, or perhaps with a Microsoft VPN server (PPTP). There are also many other free VPN solutions based on Linux.
You can then choose how to authenticate users: RADIUS, LDAP, user database; basically it depends on your security needs.
 
CEGE (Author) commented:
Thank you for getting back to me.

I have one other doubt... once a user has entered through the VPN, how does he access what he needs to access?

Example: a remote user would attempt to start a TS session to address X, an address of a router (let's say an ADSL one we have which allows access to only one port that goes to machine A, because that is the way it is working now). Behind it would be the VPN server in charge of verifying users, etc. Once okayed, where would he then go? To machine A, or can he go wherever he wants... to machine B, C or D? This is still what isn't clear to me.

Thanks,
Joseph
 
CEGE (Author) commented:
Hello:

Could another option be to use the MS Certificate Server? How could that work? Would all of the internet get to the Certif. server? How could I limit that to just a specific set of people? Reverse proxy? Router with one port? Just asking to scope out all the options.

thanks,

jis
 
hfern commented:
> Once a user has entered through the VPN, how does he access what he needs to access?
Basically, the user will get an IP address and routing will be in place for the user to access all systems in your local network, just as if he were on the local network in Barcelona. So, if he uses a file server called server_1, then he can access server_1 just as if he were in the local network. Same for the intranet server or any other application.

> Could another option be to use the MS Certificate Server?
No, MS Certificate Server is a system that can issue security certificates. It can prove the identity of a web server if one accesses a web site over https. It does not help you with opening up your network and internal services to staff at remote locations.
 
CEGE (Author) commented:
hello hfern:

I thought that perhaps the MS Certif Server could be used to verify users via web, to then get access to a reverse proxy that would serve as a 2nd filter for who gets in and who gets out.

So, in your opinion, what would be the right way of doing this under the following circumstances... using an ADSL router with one port opened, the rest shut off by the firewall. We would have two types of users entering: one type would be maintenance and would go to TS machine A, the other type would be workers who connect remotely either from the Madrid office (fixed IP) or mobile users (dynamic IPs).

One option could be to open up the ADSL to anyone and then, behind it, use a VPN system to verify and redirect users inside the LAN. Does this make sense? Or would a reverse proxy be needed before passing whoever to the ADSL router? I would like it to be as safe as possible.

I appreciate your help and that of the others.

thanks,
joseph
 
mianni commented:
The best and most secure solution would be to get yourself a firewall appliance which is able to give you multiple DMZs.
Then you could have a VPN device (i.e. Nortel Contivity/Cisco VPN concentrator/SonicWall) within a dedicated DMZ, separate from the corporate LAN, allocate a subnet which you route into your corporate network, and allow whatever you require to these users. For authentication you can use the inbuilt user database (not so secure) or RADIUS authentication (you can add RSA tokens, using two-factor authentication which is a PIN + token).
If you don't want hardware tokens you can also purchase soft tokens which are installed on the user's laptop.

Another way is to set up a Citrix server and implement a reverse proxy as the first line into the network, adding authentication to the reverse proxy; it is also capable of handing off auth requests to RADIUS, LDAP... whatever you want to use really.

 
hfern commented:
> I thought that perhaps the MS Certif Server could be used to verify users via web, to then get access to a
> reverse proxy that would serve as a 2nd filter for who gets in and who gets out.
No, this server does exactly what it says it does: it provides certificates. It does not do access verification.

> One option could be to open up the ADSL to anyone and then behind use a VPN system to verify and
> redirect users inside the LAN. Does this make sense?
It is possible, but not recommended, as you would have unauthenticated users on your internal LAN. A VPN server in a DMZ as described by mianni is more secure; this way you will only get properly authenticated users on your internal LAN.

> Or would a reverse proxy be needed before passing whoever to the ADSL router.
No, you do not need a reverse proxy. The solution with a reverse proxy would limit you to just intranet access.

> We would have two types of users entering, one type would be maintenance and would go to
> TS machine A, the other type would be workers who connect remotely either from the Madrid
> office (fixed IP) or mobile users (dynamic IPs).

If you want to separate the access of your 2 types of staff to different machines, then you had best organize that via access permissions on the different servers. This will give you the most flexibility and will not require you to change your remote access setup every time a new service is made available.
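The difference between "open the ADSL to anyone and put the VPN server on the LAN behind it" and mianni's "VPN server in its own DMZ with a routed client subnet" is easiest to see by writing both down as firewall policies and asking the same questions of each. The block below is an added example for this page, not from the thread or any vendor. It models each design as a first-match, default-deny rule list and audits a few flows: what the Internet can reach, what the VPN box itself can reach inside the LAN (the exposure hfern warns about), and what an authenticated client can reach. Only 192.168.10.4 (TS machine A) and 192.168.10.51 come from the thread; the DMZ subnet, the VPN client pool, the 203.0.113.7 client address and the choice of PPTP (TCP 1723) as the VPN service are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addressing. Only 192.168.10.4 and 192.168.10.51 appear in the
# thread; the DMZ, VPN pool and Internet client addresses are assumptions.
INTERNET = "0.0.0.0/0"
LAN = "192.168.10.0/24"
TS_A = "192.168.10.4/32"          # Terminal Server "machine A"
VPN_ON_LAN = "192.168.10.51/32"   # option 1: VPN server on the LAN behind the ADSL port-forward
DMZ = "172.16.1.0/24"
VPN_IN_DMZ = "172.16.1.2/32"      # option 2: VPN server in its own DMZ
VPN_POOL = "10.200.0.0/24"        # addresses handed to authenticated VPN clients
PPTP = 1723                       # PPTP control port (Microsoft VPN server, as suggested above)
RDP = 3389                        # Terminal Server port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and (rule.port is None or rule.port == flow.port))


def evaluate(policy: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation with default deny, per new connection."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return default


# Option 1: the ADSL port-forward is the only filter; LAN hosts are not
# filtered from each other, so the VPN box sits on the same segment as TS A.
FLAT_POLICY = [
    Rule(INTERNET, VPN_ON_LAN, PPTP, "allow"),
    Rule(LAN, LAN, None, "allow"),
]

# Option 2: VPN server in a DMZ, a dedicated client subnet routed into the
# LAN, and only the services those clients need opened; the VPN box itself
# gets no path into the LAN.
DMZ_POLICY = [
    Rule(INTERNET, VPN_IN_DMZ, PPTP, "allow"),
    Rule(VPN_POOL, TS_A, RDP, "allow"),
    Rule(DMZ, LAN, None, "deny"),
]


def audit() -> Dict[str, str]:
    """Evaluates the constructed flows that distinguish the two designs."""
    return {
        # Both designs expose only the VPN service to the Internet.
        "flat: internet->vpn pptp": evaluate(FLAT_POLICY, Flow("203.0.113.7", "192.168.10.51", PPTP)),
        "flat: internet->TS_A rdp": evaluate(FLAT_POLICY, Flow("203.0.113.7", "192.168.10.4", RDP)),
        "dmz: internet->vpn pptp": evaluate(DMZ_POLICY, Flow("203.0.113.7", "172.16.1.2", PPTP)),
        "dmz: internet->TS_A rdp": evaluate(DMZ_POLICY, Flow("203.0.113.7", "192.168.10.4", RDP)),
        # The difference: what the VPN box itself can reach on the LAN.
        "flat: vpn server->TS_A rdp": evaluate(FLAT_POLICY, Flow("192.168.10.51", "192.168.10.4", RDP)),
        "dmz: vpn server->TS_A rdp": evaluate(DMZ_POLICY, Flow("172.16.1.2", "192.168.10.4", RDP)),
        # An authenticated client reaches only what was opened for the pool.
        "dmz: client->TS_A rdp": evaluate(DMZ_POLICY, Flow("10.200.0.5", "192.168.10.4", RDP)),
        "dmz: client->other LAN host rdp": evaluate(DMZ_POLICY, Flow("10.200.0.5", "192.168.10.77", RDP)),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check:36s} {result}")
```

The firewall scopes which servers and ports the VPN client pool can reach at all; deciding which of the two staff types may actually log on to TS machine A is still done with permissions on the servers, as hfern recommends, so new services can be opened to the pool without touching the remote-access setup.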
 
CEGE (Author) commented:
Thanks hfern and mianni:

I am going to work on this this way. Should I need advice, may I contact you, and how?

cheers,

jis
 
hfern commented:
> Thanks hfern and mianni
You're welcome. We aim to please.

> Should I need advice, may I contact you, and how?
You can always add more comments to this topic. Contributors to this question will see it and may react. If it goes too far beyond the scope of the original question, you may need to open up a new question.
