CEGE
Networking question regarding 2 gateways
Hello:
I do not have much experience with networking, because I do more programming stuff. A problem has arisen here and I am looking for a solution.
We have our main office in Barcelona and an office in Madrid.
We have 2 servers: one is a Windows 2003 TS, the other is a Windows 2000 TS, only with Administrator rights.
We also have 2 routers: one is an ADSL one, the other is a Cisco.
We have an IP service provider that serves as an intermediary link between Barcelona and Madrid.
Our Madrid users connect to corporate applications via Terminal Server through a router, called "router A", that only accepts users from a static IP (192.168.10.4). That works fine, but we now have a user with a laptop who connects via wireless to the "internet" (and from there), and we also have workers who would like to connect from home. They would need to connect to router A and then use TS. Right now, the only way our "mobile laptop user" can connect is to connect to the internet (dynamic IPs), and then from there to an ADSL router called "router B", which has one default gateway, 192.168.10.51, and then from there to an Administrator account on a different machine using TS. This also works... but I do not like it.
How can I set it up so that all of our users can connect to router A? Or rather, how do I set the gateway to accept the Madrid users or any external user?
Please help.
thanks,
joseph
Does the router allow MAC address filtering? If so, enable this and enter the MAC addresses of your users' NICs, allowing those computers to connect through the router. Then add TS CALs to allow the "new" user computers onto the Terminal Server.
ASKER
hello:
Using MAC address filtering doesn't seem too safe though... I know of programs that can find legitimate MAC addresses and spoof them, and then they are in. It's not a bad option though, except for the security deal.
What is the standard practice in a case such as mine?
thanks,
joseph
SOLUTION
Have you thought of setting up a VPN, only for external users? Either with a dedicated VPN device such as a Nortel Contivity, or perhaps with a Microsoft VPN server (PPTP). There are also many other free VPN solutions based on Linux.
You can then choose how to authenticate users: RADIUS, LDAP, a user database; basically it depends on your security needs.
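The RADIUS option mentioned above, as an added example that is not code from this thread: the VPN server acts as the RADIUS client (NAS) and sends an Access-Request whose User-Password attribute is hidden as RFC 2865 section 5.2 describes; the RADIUS server checks the credentials against a user database and signs its Access-Accept or Access-Reject with the Response Authenticator, which the NAS then validates before trusting the answer. The shared secret, the user database, and the use of 192.168.10.51 (the gateway named in the question) as the NAS address are assumptions made for the example. It uses plain User-Password (PAP) so the packet layout is visible; a PPTP server would more typically relay MS-CHAPv2 to RADIUS, and since the password hiding is only an MD5 keystream keyed by the shared secret, the NAS-to-RADIUS leg belongs on a protected network with a strong, long secret.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data (assumptions, not from the thread): the secret shared between the
# VPN server (RADIUS client / NAS) and the RADIUS server, plus a tiny user database.
SHARED_SECRET = b"example-shared-secret-change-me"
USER_DB = {"joseph": "correct horse battery", "madrid-user": "s3cret"}


def encode_attr(attr_type, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first block being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password. Trailing NUL padding is stripped (a password that itself
    ends in NUL bytes cannot be distinguished from padding, per the RFC)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def build_access_request(username, password, nas_ip, secret, identifier=1, authenticator=None):
    """NAS side: Code | Identifier | Length | Request Authenticator (16 random bytes) | attributes."""
    request_auth = authenticator or os.urandom(16)
    attrs = (encode_attr(USER_NAME, username.encode())
             + encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + encode_attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def handle_access_request(packet, secret, user_db):
    """RADIUS server side: verify credentials, then sign the reply with the Response Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(USER_NAME, b"").decode("utf-8", errors="replace")
    hidden = attrs.get(USER_PASSWORD, b"")
    accepted = False
    if username in user_db and hidden and len(hidden) % 16 == 0:
        supplied = reveal_password(hidden, secret, request_auth)
        accepted = hmac.compare_digest(supplied, user_db[username].encode())
    reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(reply, request, secret):
    """NAS side: return the reply code only if the Response Authenticator matches our request
    (same identifier, same secret); None means the reply cannot be trusted."""
    if len(reply) < 20 or reply[1] != request[1]:
        return None
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return reply[0] if hmac.compare_digest(expected, response_auth) else None


if __name__ == "__main__":
    # 192.168.10.51 is the gateway named in the question; using it as the NAS address is an assumption.
    req = build_access_request("joseph", "correct horse battery", "192.168.10.51", SHARED_SECRET)
    reply = handle_access_request(req, SHARED_SECRET, USER_DB)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", None: "untrusted reply"}
    print("joseph:", names[verify_response(reply, req, SHARED_SECRET)])
```

The last check in verify_response is the one that matters operationally: a reply whose Response Authenticator does not verify (wrong secret, forged packet, identifier mismatch) is discarded rather than treated as a reject, so a NAS misconfigured with the wrong secret fails closed.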
ASKER
Thank you for getting back to me.
I have one other doubt... once a user has entered through the VPN, how does he access what he needs to access?
Example: a remote user would attempt to start a TS session to address X, an address of a router (let's say an ADSL one we have which allows access to only one port that goes to machine A, because that is the way it is working now). Behind it would be the VPN server in charge of verifying users, etc. Once okayed, he would then go where? To machine A, or can he go wherever he wants... to machine B, C or D? This is still what isn't clear to me.
Thanks,
Joseph
ASKER
Hello:
Could another option be to use the MS Certificate Server? How could that work? Would all of the internet get to the certificate server? How could I limit that to just a specific set of people? Reverse proxy? Router with one port? Just asking to scope out all the options.
thanks,
jis
> Once a user has entered thru the VPN, how does he access what he needs to access.
Basically, the user will get an IP address and routing will be in place for the user to access all systems in your local network, just as if he were on the local network in Barcelona. So, if he uses a file server called server_1, then he can access server_1 just as if he were on the local network. Same for an intranet server or any other application.
> Could another option be to use the MS Certificate Server?
No, MS Certificate Server is a system that can send security certificates. It can prove the identity of a web server when one accesses a web site over https. It does not help you with opening up your network and internal services to staff at remote locations.
ASKER
Hello hfern:
I thought that perhaps the MS Certificate Server could be used to verify users via the web, to then get access to a reverse proxy that would serve as a 2nd filter for who gets in and who gets out.
So, in your opinion, what would be the right way of doing this under the following circumstances... using an ADSL router with one port opened, the rest shut off by the firewall. We would have two types of users entering: one type would be maintenance and would go to TS machine A; the other type would be workers who connect remotely, either from the Madrid office (fixed IP) or mobile users (dynamic IPs).
One option could be to open up the ADSL to anyone and then behind it use a VPN system to verify and redirect users inside the LAN. Does this make sense? Or would a reverse proxy be needed before passing whoever to the ADSL router? I would like it to be as safe as possible.
I appreciate your help and that of the others.
thanks,
joseph
ASKER CERTIFIED SOLUTION
> I thought that perhaps the MS Certificate Server could be used to verify users via the web, to then get access to a
> reverse proxy that would serve as a 2nd filter for who gets in and who gets out.
No, this server does exactly what it says it does: it provides certificates. It does not do access verification.
> One option could be to open up the ADSL to anyone and then behind it use a VPN system to verify and
> redirect users inside the LAN. Does this make sense?
It is possible, but not recommended, as you would have unauthenticated users on your internal LAN. A VPN server in a DMZ, as described by mianni, is more secure; this way you will only get properly authenticated users on your internal LAN.
> Or would a reverse proxy be needed before passing whoever to the ADSL router?
No, you do not need a reverse proxy. The solution with a reverse proxy would limit you to just intranet access.
> We would have two types of users entering: one type would be maintenance and would go to
> TS machine A; the other type would be workers who connect remotely, either from the Madrid
> office (fixed IP) or mobile users (dynamic IPs).
If you want to separate the access of your 2 types of staff to different machines, then you had best organize that via access permissions on the different servers. This will give you the most flexibility and will not require you to change your remote access setup every time a new service is made available.
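The two designs weighed in this answer (ADSL port-forward straight into the LAN versus a VPN server in a DMZ with only authenticated tunnel traffic admitted to the LAN), together with the earlier point that a VPN client receives an address and is routed like a local user, as an added example that is not code from this thread. It is a small first-match packet-filter evaluator with one rule set per design; the addresses are assumptions chosen for the example (LAN 192.168.10.0/24, TS machine A at 192.168.10.20, DMZ 10.1.1.0/24 with the VPN server at 10.1.1.10, client pool 10.200.0.0/24), and only the Madrid static IP 192.168.10.4 comes from the question. PPTP is used as the VPN protocol because mianni named it: it needs TCP 1723 plus GRE, which is why the DMZ rule set has two inbound rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports (GRE)
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # None = any port
    proto: Optional[str] = None   # None = any protocol
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.proto is None or self.proto == pkt.proto)
        )


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is denied (implicit deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "implicit deny"


# Addresses are assumptions for the example; only 192.168.10.4 (Madrid) comes from the question.
LAN = "192.168.10.0/24"
TS_A = "192.168.10.20/32"        # assumed address of TS machine A
MADRID_STATIC = "192.168.10.4/32"
DMZ = "10.1.1.0/24"
VPN_SERVER = "10.1.1.10/32"      # assumed VPN server address in the DMZ
VPN_POOL = "10.200.0.0/24"       # assumed pool handed out to authenticated VPN clients
RDP = 3389

# Design 1 (the one the thread advises against): the ADSL router forwards the TS port straight
# to machine A, so anyone on the Internet reaches a LAN host before any authentication.
PORT_FORWARD_DESIGN = [
    Rule("allow", "0.0.0.0/0", TS_A, RDP, "tcp", "ADSL port-forward to TS A"),
]

# Design 2 (recommended): only the VPN service is reachable from the Internet, and only traffic
# that already came through the tunnel (source in the VPN pool) is allowed into the LAN.
DMZ_VPN_DESIGN = [
    Rule("allow", "0.0.0.0/0", VPN_SERVER, 1723, "tcp", "PPTP control channel to the DMZ VPN server"),
    Rule("allow", "0.0.0.0/0", VPN_SERVER, None, "gre", "PPTP tunnel payload (GRE)"),
    Rule("allow", VPN_POOL, LAN, None, None, "authenticated VPN clients reach the LAN like local users"),
    Rule("allow", MADRID_STATIC, TS_A, RDP, "tcp", "existing router A rule for the Madrid static IP"),
    Rule("deny", DMZ, LAN, None, None, "the DMZ host itself may never originate traffic into the LAN"),
]


def compare_designs(pkt: Packet) -> Tuple[str, str]:
    """Return (decision under the port-forward design, decision under the DMZ/VPN design)."""
    return decide(PORT_FORWARD_DESIGN, pkt)[0], decide(DMZ_VPN_DESIGN, pkt)[0]


if __name__ == "__main__":
    # Constructed scenarios: an Internet host, a VPN client, the DMZ host itself, and Madrid.
    scenarios = [
        ("Internet -> TS A:3389", Packet("203.0.113.7", "192.168.10.20", RDP)),
        ("Internet -> VPN:1723", Packet("203.0.113.7", "10.1.1.10", 1723)),
        ("VPN client -> TS A:3389", Packet("10.200.0.17", "192.168.10.20", RDP)),
        ("VPN client -> file server:445", Packet("10.200.0.17", "192.168.10.30", 445)),
        ("DMZ host -> TS A:3389", Packet("10.1.1.10", "192.168.10.20", RDP)),
        ("Madrid -> TS A:3389", Packet("192.168.10.4", "192.168.10.20", RDP)),
    ]
    for label, pkt in scenarios:
        pf, dmz = compare_designs(pkt)
        print(f"{label:32} port-forward={pf:5} dmz-vpn={dmz}")
```

The network rules only decide who can reach the LAN at all; the VPN pool rule lets an authenticated user reach machine A, B, C or D alike, which is exactly the "as if he were on the local network" behaviour described earlier. Which of those machines a given user may then log on to is the per-server access permission this answer recommends (on Windows 2003 Terminal Server, membership of the Remote Desktop Users group or the "Allow log on through Terminal Services" right), so maintenance staff and ordinary workers are separated on the servers rather than with new firewall rules each time a service is added.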
ASKER
thanks hfern and mianni:
I am going to work on this in this way. Should I need advice, may I contact you, and how?
cheers,
jis
> thanks hfern and mianni
You're welcome. We aim to please.
> Should I need advice, may and how can I contact you?
You can always add more comments to this topic. Contributors to this question will see it and may react. If it goes too far beyond the scope of the original question, you may need to open up a new question.