Solved

Setting Up a VPN Server

Posted on 2006-04-23
Last Modified: 2010-03-19
I have been reading a lot about this...and just need to clear a few points PLEASE..

I have a clean install of W2K3 server with 2 NIC cards in. I am led to believe that I need to connect 1 to the router IP 192.168.0.2 and 1 to my internal network 192.168.1.2

So I am assuming that the Router IP is assigned by the DHCP of the router and the Lan DHCP is assigned by my DHCP server on my LAN.

My question is, if my router and my LAN are on separate ranges, how do my internal PCs get access to the Internet?

Do they all have to go through the VPN server?

Or can I set up the router setting in DHCP to a different range?

This is confusing me a little... I understand the need for 2 NICs for security but just need to understand how the internet works?
0
Question by:alanheaton
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16521056





Internet---------->Router----------------->Win 2003(2 NIC)-------------LAN
         External IP    Internal IP                       |  Internal IP
         ?.?.?.?        192.168.0.0        192.168.0.0    |  192.168.0.0
                        255.255.255.0      255.255.255.0  |  255.255.255.0

With this setup your LAN users are accessing the Internet through Win 2003 and through the router.

0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16521094
If the subnet mask is the same, 255.255.255.0, then you are having 2 networks, and users are passing first through the Win 2003 and later through the router from the other NIC card.

If you are trying to create the VPN server, then

you can create the RRAS server on the Win 2003 and forward the required ports from the router to the Win 2003 server.

Routing is as follows.


If any packet or request from users is destined outside your LAN, it arrives at the Win 2003;
those packets will then be forwarded to the router using the outbound NIC card of the Win 2003 (that includes the Internet requests).
Then the router will forward the request to the default gateway which is provided by your ISP.

In the same way the requested data will come back to your router. Your router will forward the requested data to the Win 2003.
Now your Win 2003 knows the actual source and it forwards to that source.

Also read about NAT, which is actually performed on the router.
0
 
LVL 2

Author Comment

by:alanheaton
ID: 16522666
So let me understand this....


Internet-------------------Router---------------------Win 2003 (VPN Server)-----------Win 2003 (All Services incl DHCP and E2K3)----------Clients
External ISP               Static 192.168.0.1         Static 192.168.0.2 (NIC 1)      Static 192.168.0.4                                  DHCP Assigned
                                                      Static 192.168.0.3 (NIC 2)

The router connects to 192.168.0.2 and then the connection from 192.168.0.3 goes into my switch to support the server and clients?

So the internet comes into the router and it forwards on requests to the other servers?

1723 to 192.168.0.2
25 to 192.168.0.4

CORRECT?

My next question is, in my DHCP on my server what is the IP address of the router?

Is it 192.168.0.1 or .2 or .3  ?

I hope this is clear? Probably as MUD

But we will see.

Obviously here the router is acting as the firewall so everything behind the firewall SHOULD be secure?
0

 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16522768
Sorry, I have corrections

Internet---------->Router----------------->Win 2003(2 NIC)-------------LAN
         External IP    Internal IP                       |  Internal IP
         ?.?.?.?        192.168.0.0        192.168.0.0    |  192.168.1.0<<<<<<<<<Correction
                        255.255.255.0      255.255.255.0  |  255.255.255.0


Internet-------------------Router---------------------Win 2003 (VPN Server)-----------Win 2003 (All Services incl DHCP and E2K3)----------Clients
External ISP               Static 192.168.0.1         Static 192.168.0.2 (NIC 1)      Static 192.168.1.4                                  DHCP Assigned
                                                      Static 192.168.1.3 (NIC 2)<<<<I suppose so

If you want all devices to have 192.168.0.1,2,3,4,5, then you just need 1 NIC on the VPN server and disable the DHCP on the router.

>>>My next question is, in my DHCP on my server what is the IP address of the router?
>>>Is it 192.168.0.1 or .2 or .3  ?

When you are on the Win2003 (DHCP, E2K3)
you can access the router by 192.168.0.1.
If you cannot access 192.168.0.1, let me know, because if that's the case you have to configure the default gateway on the Win2003 VPN server correctly.

If in future you want to publish OWA on Exchange then you have to do
port forwarding on the router and also on the Win 2003 VPN server (as both are acting as firewalls).
In this case, managing is not that easy, because you have to edit rules on the router and the Win 2003.

If you just enable routing and disable the firewall on the Win 2003 VPN server,
then you have one point, i.e. the router, to edit firewall rules. (I suppose your router is also a firewall.)

regards
Naren
0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16522781
It could be a little confusing...

But first you have to decide how many firewalls you want???
And also keep in mind the maintenance if you have 2 firewalls....

Let me know so that I can give you the final design
0
 
LVL 2

Author Comment

by:alanheaton
ID: 16525879
At Present I have a simple setup

Internet-------------XP Machine------------W2K3 with all services----------Clients
ISDN----------------VPN Server
External ISP--------192.168.2.1------------192.168.2.2--------DHCP assigned

So XP machine has a dial up ISDN connection and all other services point to it for the gateway.

Now I am getting broadband installed via a satellite feed and want to enhance a little.

So the question is what do I need and what is the best solution?

I have a firewall router, I have access to ISA 2004, just want to know the best way to get this up and running?

Should I put the router into ISA and do it that way? If that is the case, does the VPN server still need to have 2 NICs or can it sit on the same range as the internal NIC of the ISA?
0
 
LVL 2

Author Comment

by:alanheaton
ID: 16529726
Let me ask another...

If I have this setup


Internet----------------Router---------------VPN Server----------------Server All In-----------Clients
External IP             192.168.0.1          192.168.0.2
                                             192.168.1.1---------------192.168.1.2

Obviously I can route the traffic for the VPN on port 1723 to 192.168.0.2

My question would be, can I forward port 25 to my mail server on 192.168.1.2? Even though it is on a different range, will it still forward through the VPN to my mail server, or do I have to set up a port forward in my VPN server as well?

This could get a little messy having to double forward everything?
0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16531680
With the above diag.
you have to do port forwarding on the router and the VPN server for the mail.

regards
Naren
0
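The double port forward discussed above can be checked with a small model. This is an added example, not part of any participant's post: the addresses come from the thread, while the rule tables, field names and the assumption that the router has no static route to 192.168.1.0/24 are constructed for illustration. It traces an inbound port through both devices and lists what is actually exposed end to end.

```python
import copy
import ipaddress

# Constructed model of the Router -> VPN server -> mail server layout from
# the question above. Addresses come from the thread; the rule tables and
# field names are assumptions made for this example.
HOPS = [
    {"name": "router", "address": "192.168.0.1",
     "connected": ["192.168.0.0/24"], "services": set(),
     "forwards": {1723: ("192.168.0.2", 1723), 25: ("192.168.0.2", 25)}},
    {"name": "vpn-server", "address": "192.168.0.2",
     "connected": ["192.168.0.0/24", "192.168.1.0/24"], "services": {1723},
     "forwards": {25: ("192.168.1.2", 25)}},
]

def trace(hops, port):
    """Follow an inbound TCP port through chained port forwards.

    Returns (verdict, path); verdict is 'delivered', 'local', 'dropped'
    or 'unroutable' (target not on a network the forwarding hop is
    attached to, assuming it has no static route there)."""
    path, i = [], 0
    while True:
        hop = hops[i]
        path.append(f"{hop['name']}:{port}")
        rule = hop["forwards"].get(port)
        if rule is None:
            return ("local" if port in hop["services"] else "dropped"), path
        target, port = rule
        addr = ipaddress.ip_address(target)
        if not any(addr in ipaddress.ip_network(n) for n in hop["connected"]):
            path.append(f"{target}:{port}")
            return "unroutable", path
        if i + 1 < len(hops) and hops[i + 1]["address"] == target:
            i += 1          # rule hands the packet to the next firewall
            continue
        path.append(f"{target}:{port}")
        return "delivered", path

def exposure(hops, ports):
    """Map each probed port to where it ends up, leaving out closed ones."""
    results = {p: trace(hops, p) for p in ports}
    return {p: r for p, r in results.items() if r[0] in ("delivered", "local")}

# Same layout, but the router forwards port 25 straight to the mail server.
SINGLE = copy.deepcopy(HOPS)
SINGLE[0]["forwards"][25] = ("192.168.1.2", 25)

if __name__ == "__main__":
    for label, hops in (("double forward", HOPS), ("single forward", SINGLE)):
        for p in (25, 1723, 3389):
            print(label, p, *trace(hops, p))
```

Running `exposure` over the full port range after every rule change gives one list of reachable services to review, which is the maintenance cost of keeping two rule sets in step.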
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16531709
My suggestion is

If you are getting a good piece of router/firewall then you can stick with that.

No need of another VPN server because the router/firewall will also serve as the VPN server.

Another suggestion is:
Just use the ADSL modem and use an ISA 2000/2004 firewall with 2 NICs as the firewall and proxy server. ISA is a very good proxy server too.

Internet---------Router/Firewall/VPN Server---------------LAN
                 External IP address                      192.168.1.0 Range

or
Internet-----ADSL Modem-----ISA2000/2004---------LAN
                            External IP          192.168.1.0

Both will do the job.
However, you have to decide on which firewall you are going to use.
0
 
LVL 2

Author Comment

by:alanheaton
ID: 16531983
Does ISA act as a VPN server? Or would I need to put another machine in the loop for the VPN server?

Or can you set up the VPN server on the ISA machine?

I thought the ISA machine had to only be loaded with W2k3 and ISA, nothing else?
0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16532320
ISA 2000/2004 is a
VPN Server
Firewall
Proxy Server with caching
all in one

For VPN setup have a look at this
http://www.isaserver.org/articles/isa2000vpndeploymentkit.html

Going for a good hardware router/firewall/VPN server is also a good option

Anyway, how many users are in the LAN
and how many will do VPN on an average day?

regards
naren
0
 
LVL 2

Author Comment

by:alanheaton
ID: 16536971
The Network is only for 15.

There will be 1 laptop on VPN permanently and possibly a couple during the evening.

Nothing fantastic but the security and setup has to be correct.
0
 
LVL 12

Accepted Solution

by:
r_naren22atyahoo earned 2000 total points
ID: 16539625
If you don't have an Exchange server right now
then you can go for an SBS 2003 Server.
It has all 3
Exchange 2003
File Server
ISA 2004

Buying ISA 2004 separately is costly

Another suggestion is
Go for a Linksys Business Product
Where it will serve you all 3 again
VPN/Router/Firewall

Both are correct, only the budget matters

Regards
Naren
0
 
LVL 12

Expert Comment

by:r_naren22atyahoo
ID: 16541595
Thanks
0
