Solved

Best practice setup for a windows 2003 vpn server

Posted on 2006-07-12
6
354 Views
Last Modified: 2010-04-18
I have a box installed with windows server 2003 standard.  It has two nics.  I have put one NIC on the LAN with 10.1.30.20 255.255.255.0 no gateway and set persistant routes for the other backend neworks.  I have the other NIC on the DMZ 10.50.1.20 255.255.255.0 10.50.1.2 DNS 4.2.2.2.  This gateway address is the DMZ port of the firewall.

My question is should this server be on the domain or in a workgroup?  What rules and ports should be configured on the firewall to allow the server to communicate with the network and DCs?
etc...
0
Comment
Question by:YankeeFan03
  • 3
  • 2
6 Comments
 
LVL 15

Expert Comment

by:harleyjd
ID: 17095941
I would make it a domain member server to allow you to use the domain user accounts for access.

If you want to lock it down tight, you should list your requirements, but in general: Ports 135, 136, 137, 139, 445 form the basis for windows networks, then 389 for LDAP (might not be needed) and HTTP, HTTPS, SMTP, POP...  MAPI uses 445, I think, so that's ok.

On the external side, the firewall rules should be the PPTP port 1723 and L2TP port 1701 (though I only use PPTP myself) and maybe the Protocol 47.

0
 
LVL 2

Accepted Solution

by:
SkUllbloCk earned 500 total points
ID: 17098288
Hi YankeeFan03

I have just  a few questions regardin your network layout.
1. Is the VPN behind or infront of a firewall?
2. What traffic goes throught he VPN server? (is it also running as a proxy server? or is it only intended for VPN access?)
3. Are the other computers in the network a part of the domain? (if you have a large amount of users connecting to this server, i would suggest adding it to the domain so that you can use the domain user/group accounts.) that said.. i my vpn server is a standalone system, but then again we only have a handful of users connected at any one time.

4. How tight do you want security? ( just PPTP or are you going to use L2TP/IPSec) .. i reccomend the later, more secure.

The plan of action after this would be then to configure lock down procedures on your NIC's (rather block all, and allow only the exceptions) and authentication processes.

Here is a list of ports for a standalone. (it should be the same for a domain PC, as this traffic is only filtered on the external NIC, the Internal NIC allows all access)
Protocol       Source Port     Destination Port       Required For
TCP             any                 1723                       PPTP  VPN
47                any                 any                         PPTP      VPN
TCP (E)        1723               any                         PPTP  VPN
UDP             any                 500                         L2TP  VPN
UDP             any                 1701                       L2TP  VPN
UDP             any                 4500                       L2TP  VPN
TCP             80                   any                         HTTP Windows Updates
UDP             53                  any                          DNS   Windows Updates
TCP             443                 any                         HTTPS   Windows Updates
0
 
LVL 2

Expert Comment

by:SkUllbloCk
ID: 17098313
Oh just another note...

Once a VPN connection has been establish, any traffic can be allowed through the VPN itself, so long as the data is inside the tunnel (PPTP) wrapper.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:YankeeFan03
ID: 17101728
excellent answers, thanks so much for spelling this out.  
0
 
LVL 15

Expert Comment

by:harleyjd
ID: 17104558
YankeeFan03, did you mean we both helped? I think we did, and respectfully request you as Community Support to re-open the question and split the points.

I would also take a (slight) exception to Skullblock's assertion that traffic from the VPN server to the LAN should be open. The (slight) is because that is what I do - once you're authenticated then you have full access.

The issue in your case is that you're putting in the server specifically as a DMZ server, therefore there is probably a good security reason for doing so. In that case, you want the server to have as minimal access to the LAN as possible, as if the VPN server is ever compromised, then the rest of the LAN is not so easily raped. Still, once netbios ports are open, it is very difficult to stop a hacker/datathief, but you've got the firewall, why not use it.

0
 
LVL 2

Expert Comment

by:SkUllbloCk
ID: 17106364
A very good point there by harleyjd.
Yankeefan03 i would still suggest that you not use the vpn server as a firewall, either put it down behind the firewall, or infront.

Here is a link to MS techsite that shows how to configure the vpn properly with firewalls.
http://technet2.microsoft.com/WindowsServer/en/Library/428c1bbf-2ceb-4f76-a1ef-0219982eca101033.mspx?mfr=true

That said.. i would also like to point out that if the lock down on the vpn is tight enough (deny all access except the ports we suggested earlier in this post, and then setup some rather rigid remote access policies) eg: limited to specific groups, encryption, frammed protocols .. etc)

We have our vpn server sitting behind a firewall, but the firewall doesnt do too much blocking, so technically our vpn is sitting in the open, and it works fine, had no problems so far.

That is also why i suggest you use L2T over IPSec, rather then just plain PPTP, as it is far more secure. (double the encryption + security can be specified by certificates or in my case, a pre shared key)
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now