Setting Up a VPN Server

I have been reading a lot about this...and just need to clear a few points PLEASE..

I have a clean install of W2K3 server with 2 NIC cards in. I am led to believe that I need to connect 1 to the router IP and 1 to my internal network

So I am assuming that the Router IP is assigned by the DHCP of the router and the Lan DHCP is assigned by my DHCP server on my LAN.

My question is if my router and my LAN are on separate ranges how do my internal PCs get access to the Internet?

Do they all have to go through the VPN server?

Or can I set up the router setting in DHCP to a different range?

This is confusing me a little... I understand the need for 2 NICs for security but just need to understand how the internet works?


Internet---------->Router----------------->Win 2003(2 NIC)-------------LAN
           External IP    Internal IP                           |  Internal IP            
          ?.?.?.?   |

With this setup your LAN users are accessing the Internet Through Win 2003 and Through Router.

If the subnet mask is same as, then you are having 2 networks and users are passing through first the Win 2003 and later the Router from other NIC card.

If you are trying to create the VPN server, then

you can create the RRAS server on the Win 2003 and forward the required ports from the router to the Win 2003 server.

Routing is as follows.

If any packet or request from users is destined outside your LAN, it arrives at the Win 2003,
then those packets will be forwarded to the router using the outbound NIC of the Win 2003 (that includes the Internet requests).
Then the router will forward the request to the default gateway, which is provided by your ISP.

In the same way the requested data will come back to your router. Your router will forward the requested data to the Win 2003.
Now your Win 2003 knows the actual source and it forwards to that source.

Also read about NAT, which is actually performed on the router.
alanheatonAuthor Commented:
So let me understand this....

Internet-------------------Router---------------------Win 2003 (VPN Server)-----------Win 2003 (All Services incl DHCP and E2K3)----------Clients
External ISP             Static                Static (NIC 1)          Static                                               DHCP Assigned
                                                                        Static (NIC 2)

The router connects to 192.168.02 and then the connection from goes into my switch to support the server and clients?

So the internet comes into the router and it forwards on requests to the other servers.?

1723 to
25 to


My next question is, in my DHCP on my server what is the IP address of the router?

Is it or .2 or .3  ?

I hope this is clear? Probably as MUD

But we will see.

Obviously here the router is acting as the firewall so everything behind the firewall SHOULD be secure?

Sorry, I have corrections

Internet---------->Router----------------->Win 2003(2 NIC)-------------LAN
           External IP    Internal IP                           |  Internal IP            
          ?.?.?.?   |<<<<<<<<<Correction

Internet-------------------Router---------------------Win 2003 (VPN Server)-----------Win 2003 (All Services incl DHCP and E2K3)----------Clients
External ISP             Static                Static (NIC 1)          Static                                               DHCP Assigned
                                                                        Static (NIC 2)<<<<I suppose so

IF you want all devices to have,2,3,4,5, then you just need 1 NIC on the VPN server and disable the DHCP on the router
>>>My next question is, in my DHCP on my server what is the IP address of the router?
>>>Is it or .2 or .3  ?

When you are on Win2003 (DHCP, E2K3)
you can access the router by
if you cannot access the, let me know, because if that's the case you have to configure the default gateway on the Win 2003 VPN server correctly.

If in future you want to publish OWA on Exchange, then you have to do
port forwarding on the router and also on the Win 2003 VPN server (as both are acting as firewalls).
In this case, managing is not that easy, because you have to edit rules on the router and the Win 2003.

If you just enable routing and disable the firewall on the Win 2003 VPN server,
then you have one point, i.e. the router, to edit firewall rules (I suppose your router is also a firewall).

It could be a little confusing...

But first you have to decide how many firewalls you want,
and also keep in mind the maintenance if you have 2 firewalls.

Let me know so that I can give you the final design.
alanheatonAuthor Commented:
At Present I have a simple setup

Internet-------------XP Machine------------W2K3 with all services----------Clients
ISDN----------------VPN Server
External ISP-------- assigned

So XP machine has a dial up ISDN connection and all other services point to it for the gateway.

Now I am getting broadband installed via a satellite feed and want to enhance a little.

So the question is what do I need and what is the best solution?

I have a firewall Router, I have access to ISA 2004 just want to know best way to get this up and running?

Should I put router into ISA and do it that way? If that is the case, does the VPN server still need to have 2 NICs or can it sit on the same range as the internal NIC of the ISA?
alanheatonAuthor Commented:
Let me ask another...

If I have this setup

Internet----------------Router---------------VPN Server----------------Server All In-----------Clients
External IP        

Obviously I can route the traffic for the VPN on port 1723 to

My question would be: can I forward port 25 to my mail server on even though it is on a different range? Will it still forward through the VPN to my mail server, or do I have to set up port forward in my VPN server as well?

This could get a little messy having to double forward everything?
With the above diagram,
you have to do port forwarding on the router and the VPN server for the mail.

My suggestion is:

If you are getting a good piece of router/firewall then you can stick with that.

No need for another VPN server because the router/firewall will also serve as the VPN server.

Another suggestion is:
Just use the ADSL modem,
use ISA 2000/2004 firewall with 2 NICs
as the firewall and proxy server. ISA is a very good proxy server too.

Internet---------Router/Firewall/VPN Server---------------LAN
            External IP address           Range

                                External IP     

Both will do the job.
However, you have to decide what firewall you are going to use.
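
An added sketch, not part of the thread, that traces an inbound connection through the router then VPN server layout from the diagram above to show where a forward is missing. All addresses and device names are constructed, and it assumes each device does NAT and has no static route to the network behind the next one.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NatDevice:
    name: str
    outside_ip: str                                  # address the upstream device forwards to
    inside_net: str                                  # network on the inside NIC
    forwards: dict = field(default_factory=dict)     # (proto, port) -> (inside ip, port)
    listens: set = field(default_factory=set)        # services terminated on the device itself

def trace_inbound(chain, proto, port):
    """Follow an unsolicited inbound connection, outermost device first.
    Returns ((ip, port) or None, list of hop descriptions)."""
    hops = []
    for idx, dev in enumerate(chain):
        if (proto, port) in dev.listens:
            hops.append(f"{dev.name}: terminates {proto}/{port} locally")
            return (dev.outside_ip, port), hops
        rule = dev.forwards.get((proto, port))
        if rule is None:
            hops.append(f"{dev.name}: no forward for {proto}/{port}, dropped")
            return None, hops
        ip, port = rule
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(dev.inside_net):
            hops.append(f"{dev.name}: target {ip} is not on {dev.inside_net}, unreachable")
            return None, hops
        hops.append(f"{dev.name}: forwarded to {ip}:{port}")
        nxt = chain[idx + 1] if idx + 1 < len(chain) else None
        if nxt is None or ip != nxt.outside_ip:
            return (ip, port), hops      # delivered to a host on this device's inside network
    return None, hops

def build_chain(mail_rule_on_vpn_server):
    # Constructed addresses: router LAN 192.168.0.0/24, network behind the VPN server 10.0.0.0/24.
    router = NatDevice("router", "203.0.113.10", "192.168.0.0/24",
                       {("tcp", 1723): ("192.168.0.2", 1723), ("tcp", 25): ("192.168.0.2", 25)})
    vpn = NatDevice("vpn-server", "192.168.0.2", "10.0.0.0/24", listens={("tcp", 1723)})
    if mail_rule_on_vpn_server:
        vpn.forwards[("tcp", 25)] = ("10.0.0.5", 25)   # mail server, constructed address
    return [router, vpn]

if __name__ == "__main__":
    for second_rule in (False, True):
        for port in (1723, 25):
            dest, hops = trace_inbound(build_chain(second_rule), "tcp", port)
            print(f"vpn-server mail rule={second_rule} tcp/{port} -> {dest}")
            for hop in hops:
                print("   ", hop)
```

The same trace run over every rule on the outer device gives a quick inventory of what is actually reachable from the Internet when two devices both filter.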
alanheatonAuthor Commented:
Does ISA act as a VPN server? Or would I need to put another machine in the loop for the VPN server?

Or can you set up the VPN Server on the ISA machine.

I thought the ISA Machine had to only be loaded with W2k3 and ISA nothing else?
ISA 2000/2004 is a
VPN Server
Proxy Server with caching
all in one

for vpn setup have a look at this

going for a good hardware router/firewall/vpn server is also a good option

anyways how many users are in the LAN
and how many will do VPN on an average daily

alanheatonAuthor Commented:
The Network is only for 15.

There will be 1 laptop on VPN permanently and possibly a couple during the evening.

Nothing fantastic but the security and setup has to be correct.
If you don't have an Exchange server right now
then you can go for an SBS 2003 Server.
It has all 3:
Exchange 2003
File Server
ISA 2004

Buying ISA 2004 separately is costly.

Another suggestion is:
Go for a Linksys Business product,
where it will serve you all 3 again.

Both are correct, only the budget matters.

