Solved

VPN with Windows 2003 Small business server and Sonicwall router

Posted on 2006-11-02
Last Modified: 2010-05-19
Can someone set me on the right track? I want to have employees be able to VPN into the office server to retrieve files.

I have a windows 2003 small business server with a sonicwall router.

Should I set up the vpn through the router and what are the steps to doing that? What software will the client computers use to vpn into the system? Is it built into Windows?

Do I have to buy licenses from Sonicwall to do this stuff?

On the control panel the Sonicwall model says SOHO3, if that is relevant.

If you could just set me on the right track so I don't bark up the wrong tree as it were.
0
Question by:mrmyth
8 Comments
 
LVL 22

Assisted Solution

by:WMIF
WMIF earned 50 total points
ID: 17862876
this article gives you a run through on the setup of rras on sbs.
http://support.microsoft.com/kb/q238167/

you would have to configure your sonicwall to allow gre (port 47) through to the address of your sbs server.  then any windows machine can create a connection using the wizard for vpn.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 450 total points
ID: 17863969
You have 3 options as I see it:

a) set up the Sonicwall as your VPN endpoint, which is the better alternative, as it is a little more secure and will provide slightly better performance. However, you do have to buy client licenses from Sonicwall. I am not sure how their licensing works; some just require you to have a support contract to be able to add VPN users, others require purchasing licenses, usually in groups of 5 or 10. Should you go this route, the following site has most of the documentation for setting up the Sonicwalls with their Global VPN client:
http://www.sonicwall.com/support/VPN_documentation.html

b) as WMIF suggested, you can use the Windows built-in VPN server. When working with SBS it is very important to use the wizards. You can actually 'break' networking by not doing so. The end RRAS configuration is the same, but the way all the interrelated components work is somewhat different. The wizards will also make any changes to the firewall.
To create the server end of the VPN, open the server management console, click on Internet and E-Mail, followed by Configure remote access, then just follow the very short wizard. If you want to verify the configuration there is a great article at:
http://www.onecomputerguy.com/networking/w3k_vpn_server.htm
However, only use it for reference, use the wizard for the basic configuration.

As for the client end SBS again has a wizard. This will actually create a disk to configure the remote computer to connect. This is on the same page of the Server management console and is called Create a remote connection disk. The client can be configured manually, but it is recommended to use the disk. Should you need to do so manually see:
http://www.onecomputerguy.com/networking/xp_vpn.htm

You also need to forward port 1723, and GRE. Depending on the router, GRE may be a specific command, or is often labeled "PPTP pass-through". Details for configuring port forwarding can be found at:
http://www.no-ip.com/support/guides/routers/sonicwall.html

c) SBS has another feature you may want to look at as well, Remote Web Workplace, which allows remote users to connect to a local workstation to work remotely. This is controlled with very secure access using SSL instead of a VPN, and works well:
http://support.microsoft.com/kb/833983
http://www.sbsfaq.com/Lists/FAQs/DispForm.aspx?ID=11
This requires ports 443 and 4125 be forwarded on the router.


0
 
LVL 1

Author Comment

by:mrmyth
ID: 17864512
Thanks for the very thorough answer. I'm thinking I'm going to go the Sonicwall route, on your recommendation, depending on how much it costs for the client licenses.

However if I did decide to go the Windows built-in VPN server, would the server need to be delivering the IP addresses on the network? Right now my sonicwall is the thing that delivers all the IPs and my server's DHCP is turned off.
0
 
LVL 22

Expert Comment

by:WMIF
ID: 17864533
if you go the windows route, it doesn't have to be the dhcp server for the network.  it does however want a range of ip addresses that it can hand out to its clients.  you can drop it onto a separate subnet or you can block out a range from your dhcp server.
0
 
LVL 1

Author Comment

by:mrmyth
ID: 17864731
The windows route is looking pretty good to me, but I am a bit stuck on the DHCP range. In the wizard it asks for a DHCP range.

If the sonicwall is handing out a dynamic range of 192.168.1.30-192.168.1.50, could I just make the vpn range 192.168.1.51-192.168.1.70?

I don't need that many clients connecting at one time and I don't have static IPs in that range.
0
 
LVL 1

Author Comment

by:mrmyth
ID: 17864735
Above I meant to say it asks for a range of static IP addresses where I said "it asks for a DHCP range."
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17865554
Sure, the DHCP scope/range for the VPN clients can be anything you like, so long as it is part of the larger network subnet/range. Just make sure there is no overlap. Whether you use the server or the Sonicwall for your primary DHCP server, a typical example might be:
192.168.1.1 to 192.168.1.20  static IPs for servers
192.168.1.21 to 192.168.1.50 static for printers
192.168.1.101 to 192.168.1.175 DHCP for client machines (not necessary, but using the server is recommended for this)
192.168.1.176 to 192.168.1.200 for VPN clients  (could be assigned by Sonicwall)
192.168.1.225 to 192.168.1.254  for routers and network components

The Sonicwall may also have the option to use a DHCP Relay Agent for the VPN clients. This just tells the router to request the DHCP addresses from the server.

Just a note: The subnet used by the main office and the VPN client usually has to be different. If the office is using 192.168.1.x, clients trying to connect from remote networks that also use 192.168.1.x probably will not be able to use the VPN. They can connect, but cannot access anything due to a routing conflict. Though it is not likely easy to change this, it is recommended the main network avoid common subnets like 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, and 10.0.0.x. If you should decide to do this, plan carefully, as all routers, printers and servers need to be changed, and all DHCP clients refreshed. It is very important as well that if you decide to do this with the SBS, you use the built-in wizard to do so. I would even recommend posting a question in the SBS forum regarding changing the server's IP, to see if there are any specifics that need to be addressed.

0
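The address-planning checks discussed in this thread (VPN pool inside the office subnet, no overlap with ranges already handed out, and no clash between the office subnet and a remote user's home LAN), written out as an added example that is not part of any poster's reply. The /24 mask, the function names and the sample remote LANs are assumptions; the ranges are the ones quoted above.

```python
import ipaddress

def ip_range(first, last):
    """Return (first, last) as IPv4Address objects, validating order."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError(f"range {first}-{last} is reversed")
    return a, b

def check_vpn_pool(office_net, vpn_pool, other_ranges):
    """Return a list of problems with a proposed VPN address pool.

    office_net   -- office LAN in CIDR form
    vpn_pool     -- (first, last) addresses handed to VPN clients
    other_ranges -- {label: (first, last)} of ranges already in use
    """
    net = ipaddress.ip_network(office_net)
    lo, hi = ip_range(*vpn_pool)
    problems = []
    for addr in (lo, hi):
        if addr not in net:
            problems.append(f"{addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is not a usable host address")
    for label, rng in other_ranges.items():
        o_lo, o_hi = ip_range(*rng)
        if lo <= o_hi and o_lo <= hi:  # closed intervals intersect
            problems.append(f"overlaps {label} ({o_lo}-{o_hi})")
    return problems

def remote_lan_conflicts(office_net, remote_lan):
    """True when a remote user's home LAN overlaps the office subnet,
    the routing conflict that lets the VPN connect but reach nothing."""
    office = ipaddress.ip_network(office_net)
    return office.overlaps(ipaddress.ip_network(remote_lan))

# Constructed sample data based on the addresses quoted in the thread.
OFFICE = "192.168.1.0/24"  # assumed /24 mask; the thread does not state one
IN_USE = {"Sonicwall DHCP": ("192.168.1.30", "192.168.1.50")}

if __name__ == "__main__":
    print(check_vpn_pool(OFFICE, ("192.168.1.51", "192.168.1.70"), IN_USE))
    print(check_vpn_pool(OFFICE, ("192.168.1.45", "192.168.1.70"), IN_USE))
    print(remote_lan_conflicts(OFFICE, "192.168.1.0/24"))  # same subnet at home
    print(remote_lan_conflicts(OFFICE, "10.20.30.0/24"))   # distinct subnet
```
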
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17871831
Thanks mrmyth,
--Rob
0
