alanheaton
asked on
Setting Up a VPN Server
I have been reading a lot about this...and just need to clear a few points PLEASE..
I have a clean install of W2K3 server with 2 NIC cards in. I am led to believe that I need to connect 1 to the router IP 192.168.0.2 and 1 to my internal network 192.168.1.2
So I am assuming that the Router IP is assigned by the DHCP of the router and the LAN DHCP is assigned by my DHCP server on my LAN.
My question is if my router and my LAN are on separate ranges how do my Internal PCs get access to the Internet?
Do they all have to go through the VPN server?
Or can I set up the router setting in DHCP to a different range?
This is confusing me a little... I understand the need for 2 NIC's for security but just need to understand how the internet works?
If the subnet mask is 255.255.255.0, then you have 2 networks, and users pass first through the Win 2003 server and then through the router via the other NIC.
If you are trying to create the VPN server, then you can create the RRAS server on the Win 2003 server and forward the required ports from the router to the Win 2003 server.
Routing is as follows.
If any packet or request from users is destined outside your LAN, it arrives at the Win 2003 server,
then those packets are forwarded to the router through the outbound NIC of the Win 2003 server (that includes the Internet requests).
Then the router will forward the request to the default gateway, which is provided by your ISP.
In the same way, the requested data comes back to your router. Your router will forward the requested data to the Win 2003 server.
Now your Win 2003 server knows the actual source, and it forwards the data to that source.
Also read about NAT, which is actually performed on the router.
ASKER
So let me understand this....
Internet ------- Router ------------- Win 2003 (VPN Server) -------- Win 2003 (All Services incl DHCP and E2K3) ------- Clients
External ISP     Static 192.168.0.1   Static 192.168.0.2 (NIC 1)     Static 192.168.0.4                                 DHCP Assigned
                                      Static 192.168.0.3 (NIC 2)
The router connects to 192.168.0.2 and then the connection from 192.168.0.3 goes into my switch to support the server and clients?
So the internet comes into the router and it forwards on requests to the other servers?
1723 to 192.168.0.2
25 to 192.168.0.4
CORRECT?
My next question is, in my DHCP on my server what is the IP address of the router?
Is it 192.168.0.1 or .2 or .3 ?
I hope this is clear? Probably as MUD
But we will see.
Obviously here the router is acting as the firewall so everything behind the firewall SHOULD be secure?
Sorry, I have corrections.
Internet ----------> Router ----------------------> Win 2003 (2 NIC) ------------- LAN
External IP    Internal IP                    | Internal IP
?.?.?.?        192.168.0.0      192.168.0.0   | 192.168.1.0   <<<<<<<<< Correction
               255.255.255.0    255.255.255.0 | 255.255.255.0
Internet ------- Router ------------- Win 2003 (VPN Server) -------- Win 2003 (All Services incl DHCP and E2K3) ------- Clients
External ISP     Static 192.168.0.1   Static 192.168.0.2 (NIC 1)     Static 192.168.1.4                                 DHCP Assigned
                                      Static 192.168.1.3 (NIC 2) <<<< I suppose so
If you want all devices to have 192.168.0.1,2,3,4,5, then you just need 1 NIC on the VPN server and disable the DHCP on the router.
>>>My next question is, in my DHCP on my server what is the IP address of the router?
>>>Is it 192.168.0.1 or .2 or .3 ?
When you are on the Win 2003 (DHCP, E2K3) server,
you can access the router at 192.168.0.1.
If you cannot access 192.168.0.1, let me know, because if that's the case you have to configure the default gateway on the Win 2003 VPN server correctly.
If in future you want to publish OWA on Exchange, then you have to do
port forwarding on the router and also on the Win 2003 VPN server (as both are acting as firewalls).
In this case, managing is not that easy, because you have to edit rules on the router and on Win 2003.
If you just enable routing and disable the firewall on the Win 2003 VPN server,
then you have one point, i.e. the router, to edit firewall rules (I suppose your router is also a firewall).
regards
Naren
It could be a little confusing...
But first you have to decide how many firewalls you want.
Also keep in mind the maintenance if you have 2 firewalls.
Let me know so that I can give you the final design.
ASKER
At Present I have a simple setup
Internet-------------XP Machine------------W2K3 with all services----------Clients
ISDN----------------VPN Server
External ISP--------192.168.2.1------------192.168.2.2--------DHCP assigned
So XP machine has a dial up ISDN connection and all other services point to it for the gateway.
Now I am getting broadband installed via a satellite feed and want to enhance a little.
So the question is what do I need and what is the best solution?
I have a firewall router and I have access to ISA 2004; I just want to know the best way to get this up and running.
Should I put the router into ISA and do it that way? If that is the case, does the VPN server still need to have 2 NICs or can it sit on the same range as the internal NIC of the ISA?
ASKER
Let me ask another...
If I have this setup
Internet ---------------- Router --------------- VPN Server ---------------- Server All In ----------- Clients
External IP               192.168.0.1            192.168.0.2
                                                 192.168.1.1 --------------- 192.168.1.2
Obviously I can route the traffic for the VPN on port 1723 to 192.168.0.2
My question would be can I forward Port 25 to my mail server on 192.168.1.2. Even though it is on a different range will it still forward through the VPN to my mail server, or do I have to set up port forward in my VPN server as well?
This could get a little messy having to double forward everything?
With the above diagram,
you have to do port forwarding on the router and the VPN server for the mail.
regards
Naren
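The double port forward discussed in the posts above, traced through a small Python model. This is an added example, not part of any post in the thread; the `TOPOLOGY` dictionary and the function names are constructed for illustration, and it assumes the router has no static route to 192.168.1.0/24 and that the Windows 2003 VPN server performs NAT between its two NICs.

```python
import ipaddress

# Constructed model of the last diagram in the thread (not a real config export).
# Assumptions: router has no static route to 192.168.1.0/24, and the
# Win 2003 VPN server does NAT between its two NICs.
TOPOLOGY = {
    "router": {
        "addresses": ["192.168.0.1"],
        "connected": ["192.168.0.0/24"],
        "forwards": {1723: "192.168.0.2", 25: "192.168.0.2"},
    },
    "vpn-server": {
        "addresses": ["192.168.0.2", "192.168.1.1"],
        "connected": ["192.168.0.0/24", "192.168.1.0/24"],
        "forwards": {25: "192.168.1.2"},
    },
}


def owner_of(ip, topology):
    """Return the name of the forwarding device that owns this address, if any."""
    for name, dev in topology.items():
        if ip in dev["addresses"]:
            return name
    return None


def trace_inbound(port, topology, entry="router"):
    """Follow an inbound TCP port through chained port forwards.

    Returns (hops, final_ip). final_ip is None when the port is dropped or a
    forward points at a subnet the forwarding device is not connected to.
    """
    hops, device = [], entry
    while len(hops) <= len(topology):  # guard against forwarding loops
        dev = topology[device]
        target = dev["forwards"].get(port)
        if target is None:
            # No rule: the entry device drops it; a later device is the endpoint.
            return hops, (hops[-1][1] if hops else None)
        hops.append((device, target))
        nets = [ipaddress.ip_network(n) for n in dev["connected"]]
        if not any(ipaddress.ip_address(target) in n for n in nets):
            return hops, None  # forward points at a subnet this device is not on
        nxt = owner_of(target, topology)
        if nxt is None or nxt == device:
            return hops, target  # delivered to an ordinary host
        device = nxt
    return hops, None
```

Calling `trace_inbound(25, TOPOLOGY)` shows both hops to the mail server, while pointing the router's port 25 rule straight at 192.168.1.2 returns `None` as the final address under the stated assumptions.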
My suggestion is:
If you are getting a good piece of router/firewall, then you can stick with that.
No need for another VPN server, because the router/firewall will also serve as the VPN server.
Another suggestion is:
Just use the ADSL modem.
Use ISA 2000/2004 firewall with 2 NICs
as the firewall and proxy server. ISA is a very good proxy server too.
Internet --------- Router/Firewall/VPN Server --------------- LAN
External IP address                                           192.168.1.0 Range
or
Internet ----- ADSL Modem ----- ISA 2000/2004 --------- LAN
External IP                                             192.168.1.0
Both will do the job.
However, you have to decide what firewall you are going to use.
ASKER
Does ISA act as a VPN server? Or would I need to put another machine in the loop for the VPN Server?
Or can you set up the VPN Server on the ISA machine.
I thought the ISA Machine had to only be loaded with W2k3 and ISA nothing else?
ISA 2000/2004 is a
VPN Server
Firewall
Proxy Server with caching
all in one.
For VPN setup, have a look at this:
http://www.isaserver.org/articles/isa2000vpndeploymentkit.html
Going for a good hardware router/firewall/VPN server is also a good option.
Anyway, how many users are on the LAN,
and how many will use VPN on an average day?
regards
naren
ASKER
The Network is only for 15.
There will be 1 laptop on VPN permanently and possibly a couple during the evening.
Nothing fantastic but the security and setup has to be correct.
Thanks
Internet---------->Router--
External IP    Internal IP                    | Internal IP
?.?.?.?        192.168.0.0      192.168.0.0   | 192.168.0.0
               255.255.255.0    255.255.255.0 | 255.255.255.0
With this setup, your LAN users are accessing the Internet through Win 2003 and through the router.