YankeeFan03
Best practice setup for a windows 2003 vpn server
I have a box installed with Windows Server 2003 Standard. It has two NICs. I have put one NIC on the LAN with 10.1.30.20 255.255.255.0, no gateway, and set persistent routes for the other backend networks. I have the other NIC on the DMZ: 10.50.1.20 255.255.255.0, gateway 10.50.1.2, DNS 4.2.2.2. This gateway address is the DMZ port of the firewall.
My question is should this server be on the domain or in a workgroup? What rules and ports should be configured on the firewall to allow the server to communicate with the network and DCs?
etc...
Oh just another note...
Once a VPN connection has been established, any traffic can be allowed through the VPN itself, so long as the data is inside the tunnel (PPTP) wrapper.
ASKER
excellent answers, thanks so much for spelling this out.
YankeeFan03, did you mean we both helped? I think we did, and respectfully request you as Community Support to re-open the question and split the points.
I would also take a (slight) exception to Skullblock's assertion that traffic from the VPN server to the LAN should be open. The (slight) is because that is what I do - once you're authenticated then you have full access.
The issue in your case is that you're putting in the server specifically as a DMZ server, therefore there is probably a good security reason for doing so. In that case, you want the server to have as minimal access to the LAN as possible, as if the VPN server is ever compromised, then the rest of the LAN is not so easily raped. Still, once NetBIOS ports are open, it is very difficult to stop a hacker/data thief, but you've got the firewall, why not use it.
A very good point there by harleyjd.
YankeeFan03, I would still suggest that you not use the VPN server as a firewall; either put it down behind the firewall, or in front.
Here is a link to the MS tech site that shows how to configure the VPN properly with firewalls.
http://technet2.microsoft.com/WindowsServer/en/Library/428c1bbf-2ceb-4f76-a1ef-0219982eca101033.mspx?mfr=true
That said, I would also like to point out that if the lockdown on the VPN is tight enough (deny all access except the ports we suggested earlier in this post, and then set up some rather rigid remote access policies, e.g. limited to specific groups, encryption, framed protocols, etc.)
We have our VPN server sitting behind a firewall, but the firewall doesn't do too much blocking, so technically our VPN is sitting in the open, and it works fine; I've had no problems so far.
That is also why I suggest you use L2TP over IPsec, rather than just plain PPTP, as it is far more secure (double the encryption, and security can be specified by certificates or, in my case, a pre-shared key).
If you want to lock it down tight, you should list your requirements, but in general: ports 135, 136, 137, 139 and 445 form the basis for Windows networks, then 389 for LDAP (might not be needed) and HTTP, HTTPS, SMTP, POP... MAPI uses 445, I think, so that's OK.
On the external side, the firewall rules should be the PPTP port 1723 and L2TP port 1701 (though I only use PPTP myself) and maybe protocol 47.
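An added example, not code from the thread: a small Python evaluator that models the rule set described above (first match wins, explicit deny at the end) so you can check that the DMZ-hosted VPN server only reaches the listed Windows/LDAP ports on the LAN and that the outside only reaches PPTP, L2TP and GRE on the server. The 10.50.1.20 server address and the 10.1.30.0/24 LAN come from the question; the rule names, the 203.0.113.7 client address and the choice to treat the Windows ports as both TCP and UDP are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the question; the external client used below is constructed.
VPN_SERVER = ipaddress.ip_address("10.50.1.20")   # VPN server's DMZ NIC
LAN = ipaddress.ip_network("10.1.30.0/24")        # internal LAN behind the firewall
INTERNET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp", "gre" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset = frozenset()   # empty = any destination port


def host(ip):
    return ipaddress.ip_network(f"{ip}/32")


# Ordered, first match wins, explicit deny-all at the end: the DMZ server
# gets only what it needs into the LAN, nothing else (rule names assumed).
RULES = [
    # DMZ -> LAN: Windows networking ports plus LDAP to the domain controllers
    Rule("vpn-to-lan-windows", "allow", "any", host(VPN_SERVER), LAN,
         frozenset({135, 136, 137, 139, 445, 389})),
    # Internet -> VPN server: PPTP control channel, L2TP, and GRE (protocol 47)
    Rule("pptp-in", "allow", "tcp", INTERNET, host(VPN_SERVER), frozenset({1723})),
    Rule("l2tp-in", "allow", "udp", INTERNET, host(VPN_SERVER), frozenset({1701})),
    Rule("gre-in", "allow", "gre", INTERNET, host(VPN_SERVER)),
    Rule("deny-all", "deny", "any", INTERNET, INTERNET),
]


def evaluate(rules, proto, src, dst, dport=None):
    """Return (action, rule name) for the first rule matching the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.ports and dport not in r.ports:
            continue
        return r.action, r.name
    return "deny", "implicit"   # nothing matched: default deny


def lan_ports_reachable(rules, lan_host="10.1.30.5", ports=range(1, 1025)):
    """Audit helper: which TCP ports on a LAN host the VPN server can reach."""
    return sorted(p for p in ports
                  if evaluate(rules, "tcp", str(VPN_SERVER), lan_host, p)[0] == "allow")
```

Run `lan_ports_reachable(RULES)` against your real rule export to see whether the VPN server's reach into the LAN is really as narrow as intended.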