Solved

Windows Server 2003 site-to-site VPN

Posted on 2007-07-31
Last Modified: 2008-03-17
Hi all experts...

I want to set up a site-to-site VPN on Windows Server 2003 Std Edition. Both sides have an external IP address and 2 NIC cards.

1. Do I need 2 routers, one for each side? Or can I just use Windows Server 2003 RRAS as the router?
2. Any recommended sites for more information?

Regards
Kevin
Question by:kevin203

37 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19602386
It is not easy to configure, but you may find the following site helpful:
http://technet2.microsoft.com/windowsserver/en/library/74f65f37-9482-4316-a2e9-4e1e295457d71033.mspx?mfr=true
You do not need to add routers to connect two 2003 server sites by VPN.

Installing VPN routers at each site and creating a hardware VPN solution is much easier and has definite advantages. This can be done for as little as $125 US/site using Linksys BEFVP41 routers, though I would recommend the Linksys RV042 at about 50% more, or, if within the budget, Cisco ASA 5500s.
 
LVL 2

Expert Comment

by:NickGT20
ID: 19602426
Yes, two Windows 2003 Servers can do a site-to-site via RRAS; they have to have a world-addressable IP. IPSEC site-to-site VPNs do not support NAT. Even though this is possible, I would HIGHLY recommend considering two routers that are VPN capable on either end and putting the servers behind them for protection. Unless you feel like running ISA Server or something that is semi-built for this, I would steer clear of putting a Windows box in the wild with sensitive data.
 
LVL 1

Expert Comment

by:sparkofgenius
ID: 19603495
I would recommend getting two hardware VPN routers and running your VPNs through them using RRAS. If you do not want to use hardware VPNs, then get two licenses for ISA and set them up using ISA and RRAS.

It is not as secure to use ISA as it is to use hardware VPNs. Information sent over a VPN secured using ISA is unencrypted and viewable in plain text if someone were to sit and grab packets. Hardware VPNs can encrypt the data and make it much harder for outside influences to view.

As both of the previous comments have stated, use hardware VPNs - it's the safest and most secure way of doing it - and by far the easiest!

 

Author Comment

by:kevin203
ID: 19609218
Okay... the only problem I face now is that on both sides the router is bypassed and the ISP IP addresses go direct to the NIC. This means the NIC IP address shown on both sides is from the ISP and not the router's IP address.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19609314
Sorry, could you clarify that last statement?
 

Author Comment

by:kevin203
ID: 19614319
I mean the NIC is using the ISP's IP address instead of the IP address given by the router itself.
 

Author Comment

by:kevin203
ID: 19614407
Dear all experts...

Please tell me if it will work in this environment, like below:

Place A:
OS: Windows Server 2003 (2 servers)
Interface: 2 NICs (no router DHCP IPs are assigned) for each server.
Server 1: DNS, DHCP, RRAS, Exchange and AD
Server 2: RRAS

Place B:
OS: Windows Server 2003
Interface: 2 NICs (same as above setting)
Service: DNS, DHCP, RRAS, Exchange & AD

Can I connect both with a site-to-site VPN? Or is there anything I need to create or modify?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19615969
>>"Can I connect both with a site-to-site VPN?"
Yes, as mentioned above, you can, but there are many steps to configure it. The better option for site-to-site is to purchase 2 routers. This is easier, more secure, and will give you better performance.
 
LVL 1

Expert Comment

by:sparkofgenius
ID: 19624985
Like RobWill said above, buy two routers! We use Netgear VPN concentrators in each location and we have never had a problem.
 

Author Comment

by:kevin203
ID: 19637214
But it all depends on budget. I will try to configure it using RRAS between the 2 servers and sites.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19641327
It will work, but it takes quite a while to get familiar with all the required options, certificate creation, policies, and routing, such that if you consider the cost of your time, it will probably be cheaper to buy a couple of basic VPN routers. Once they are installed, you have better security and performance, and it is much easier to troubleshoot when you have a problem. I do understand, though, budgets can be a problem.
Let us know how you make out.
 

Author Comment

by:kevin203
ID: 19653323
Alright... if worst comes to worst, can I just create a VPN connection from a server to the server at the other site and share the VPN connection with all the internal clients? What I mean is a one-site VPN connection.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19653378
That should work, but it's not a great solution. If you do so, make sure the VPN client has "use remote default gateway" disabled or your users will lose access to the server while the VPN is connected. It is located:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP - properties | Advanced | General | un-check "Use default gateway on remote network"
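The checkbox Rob describes is stored per connection in the RAS phonebook, rasphone.pbk, an INI-style text file (on XP/2003 the per-user copy is under %APPDATA%\Microsoft\Network\Connections\Pbk, the all-users copy under the All Users profile's equivalent folder). The key is IpPrioritizeRemote: 1 means "Use default gateway on remote network" is ticked, 0 means it is cleared. The script below is an added example, not code from this thread or from Microsoft: it flips that key for one named entry and leaves every other line of the phonebook alone, so it can be rolled out instead of the click path. The phonebook text it works on is constructed for the example; real entries carry many more keys.

```python
# Added example (not from the thread): script the "Use default gateway on
# remote network" checkbox by editing the RAS phonebook entry directly.
# SAMPLE_PBK is constructed; a real rasphone.pbk has many more keys per entry.

SAMPLE_PBK = """[Office VPN]
Encoding=1
Type=2
DEVICE=vpn
IpPrioritizeRemote=1
IpAddress=0.0.0.0

[Home Dialup]
Encoding=1
Type=1
IpPrioritizeRemote=1
"""

KEY = "IpPrioritizeRemote"   # 1 = all traffic via tunnel, 0 = split tunnel


def _is_header(stripped):
    return stripped.startswith("[") and stripped.endswith("]")


def get_use_remote_gateway(pbk_text, entry):
    """True if the entry sends everything through the tunnel (box ticked)."""
    current = None
    for line in pbk_text.splitlines():
        s = line.strip()
        if _is_header(s):
            current = s[1:-1]
        elif current == entry and s.split("=", 1)[0].strip() == KEY:
            return s.split("=", 1)[1].strip() == "1"
    raise KeyError(f"{entry}: no {KEY} line found")


def set_use_remote_gateway(pbk_text, entry, enabled):
    """Return the phonebook text with the entry's box ticked (enabled=True) or
    cleared (enabled=False). Other entries and unrelated lines are untouched;
    an entry that lacks the key gets it appended at the end of the entry."""
    value = f"{KEY}={'1' if enabled else '0'}"
    out, current, done = [], None, False
    for line in pbk_text.splitlines():
        s = line.strip()
        if _is_header(s):
            if current == entry and not done:   # leaving the entry without a key
                out.append(value)
                done = True
            current = s[1:-1]
        elif current == entry and s.split("=", 1)[0].strip() == KEY:
            line = value                        # rewrite the existing key in place
            done = True
        out.append(line)
    if current == entry and not done:           # entry was the last one in the file
        out.append(value)
        done = True
    if not done:
        raise KeyError(f"{entry}: entry not found")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Clear the box on "Office VPN" only; "Home Dialup" keeps its setting.
    updated = set_use_remote_gateway(SAMPLE_PBK, "Office VPN", enabled=False)
    for name in ("Office VPN", "Home Dialup"):
        print(name, "uses remote gateway:", get_use_remote_gateway(updated, name))
```

Clearing the box is split tunnelling: the client keeps its local default route, so it can still reach its own LAN and its Internet traffic no longer passes the remote site's firewall. Windows then adds only a route for the class-based network of the address the VPN server hands out, so a remote subnet outside that range needs a static route on the client or nothing beyond the server itself is reachable.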
 

Author Comment

by:kevin203
ID: 19653432
Yeah... I understand that, as I have set up many types of VPN software and hardware before.
 

Author Comment

by:kevin203
ID: 19667801
I managed to create a VPN connection between the 2 sites, and the connection is so strong that it can be shared with all the other clients within the network.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19668973
Excellent. Sounds great.
 

Author Comment

by:kevin203
ID: 19689931
But this VPN connection is meant for clients to talk to the remote server only and not for client to remote client. Which means one of the client PCs can ping and share files with the other site's client PC.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19690834
Not sure what you are asking, but it sounds like you have created a site-to-site VPN. Doing so effectively puts all PCs on the same network, allowing any PC to connect to any other PC.

If you don't want that, you can enable the Windows firewall and, under scope options for the various exceptions, set the scope to only allow connections from the local subnet.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19690841
Also, I suspect in your VPN configuration you have specified the remote site connection information as a subnet such as 192.168.123.0  255.255.255.0. You may be able to specify just an IP, that of the server, using 192.168.123.123  255.255.255.255.
 

Author Comment

by:kevin203
ID: 19691515
Do you mean the static routing? Set the routing to a single PC's IP instead of all?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19691568
No, in the VPN configuration itself.
I haven't done a site-to-site with 2 Windows servers since early Win2000 days, so I don't know where you set it, but in most VPN configurations you define the remote network to which you are connecting. With site-to-site, as a rule, you would specify the remote subnet. If you can change that to a single IP it should resolve your problem.
 

Author Comment

by:kevin203
ID: 19714013
Dear RobWill

After I followed your lead to change the static router to the fixed IP of the server instead of putting '0', the replies are getting through well, but can I put in 2 static routes for a single site-to-site VPN?

I get this message "TTL expired in transit" when I try to ping the other site's server. What does this mean anyway?


Regards
Kevin
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19714294
>>"After I followed your lead to change the static router to the fixed IP of the server instead of putting '0'"
Sorry, I meant in the VPN configuration, not on the router.
I am assuming you have not changed your mind and purchased VPN routers to create the tunnel.
 

Author Comment

by:kevin203
ID: 19716461
Yeah, absolutely. I set it in the VPN server.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19731999
Yes, you can add multiple static routes.
Not sure why you would be getting the "TTL expired in transit" error. It usually indicates too many hops, i.e. taking too long to reach the destination.
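Rob's earlier suggestion to narrow the remote network entry from the whole subnet to the server's single IP (a /32), and the "TTL expired in transit" question just above, both come down to what a longest-prefix-match routing table does with a packet. The simulation below is an added example, not code from this thread: it builds toy routing tables for the RRAS servers (all names and addresses are made up), walks a packet hop by hop the way IP forwarding does, and shows (a) the /24 route reaching any host at site B, (b) the /32 route reaching only the server, and (c) a site with two Windows servers, like Place A above, where the server that should hold the tunnel has no route for the remote subnet, so its default route hands the packet back to the LAN gateway and the packet bounces between the two until the TTL (128 on Windows) reaches zero, which is exactly the condition that produces "TTL expired in transit".

```python
# Added example (not from the thread): longest-prefix-match forwarding over
# constructed routing tables. Router names and addresses are made up.
import ipaddress


class Router:
    """A minimal IPv4 forwarder holding a static routing table."""

    def __init__(self, name):
        self.name = name
        self.table = []   # (IPv4Network, next_hop); next_hop None = directly connected

    def connected(self, cidr):
        self.table.append((ipaddress.ip_network(cidr), None))
        return self

    def route(self, cidr, via):
        self.table.append((ipaddress.ip_network(cidr), via))
        return self

    def lookup(self, dst):
        """Longest-prefix match: (network, next_hop), or None when no route fits."""
        matches = [(net, nh) for net, nh in self.table if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


def trace(routers, first_hop, dst, ttl=128):
    """Forward a packet router to router. Returns (ping_result, hops).
    Every forwarding hop decrements TTL; at zero the router discards the
    packet and the sender sees "TTL expired in transit"."""
    dst = ipaddress.ip_address(dst)
    hops, current = [], first_hop
    while True:
        hops.append(current)
        match = routers[current].lookup(dst)
        if match is None:
            return "Destination net unreachable", hops
        _, next_hop = match
        if next_hop is None:
            return "Reply", hops              # delivered on a directly attached LAN
        ttl -= 1
        if ttl == 0:
            return "TTL expired in transit", hops
        current = next_hop


def site_to_site(remote_route="192.168.2.0/24"):
    """One RRAS server per site joined by a tunnel. remote_route is what site A
    enters for site B: the whole subnet (default) or just the server's /32."""
    a = Router("rras-a").connected("192.168.1.0/24").route(remote_route, "rras-b")
    b = Router("rras-b").connected("192.168.2.0/24").route("192.168.1.0/24", "rras-a")
    return {"rras-a": a, "rras-b": b}


def looped_site_a():
    """Site A with two Windows servers: srv1 is the LAN default gateway and points
    the remote subnet at srv2; srv2 has no tunnel route, so its own default route
    (via srv1) sends the packet straight back."""
    srv1 = Router("srv1").connected("192.168.1.0/24").route("192.168.2.0/24", "srv2")
    srv2 = Router("srv2").connected("192.168.1.0/24").route("0.0.0.0/0", "srv1")
    return {"srv1": srv1, "srv2": srv2}


if __name__ == "__main__":
    print("/24 route, client at B:", trace(site_to_site(), "rras-a", "192.168.2.50"))
    print("/32 route, client at B:", trace(site_to_site("192.168.2.10/32"), "rras-a", "192.168.2.50"))
    print("/32 route, server at B:", trace(site_to_site("192.168.2.10/32"), "rras-a", "192.168.2.10"))
    result, hops = trace(looped_site_a(), "srv1", "192.168.2.10")
    print("two-server loop:", result, "after", len(hops), "hops")
```

Two caveats a practitioner will want. First, the /32 only limits what site A can send: rras-b still carries a /24 back to site A, so every host at B can still reach all of A unless B's entry is narrowed too, and the server at B needs that return route or its replies never come back. Second, a route is not a firewall; it changes where packets go, not who may send them. If the goal is to keep clients at the two sites apart, pair it with the firewall scope rules Rob mentions above.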
 

Author Comment

by:kevin203
ID: 19738077
Yeah... I am new to this environment because I have set up many VPN servers using WatchGuard and Fortinet firewalls. So does this problem only lie in Windows RRAS?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19738232
Windows site-to-site using RRAS is really designed for open site-to-site. It can be configured, but I am not familiar with doing so. ISA Server gives you more control, but for less money you could set up 2 WatchGuard SOHOs, which would be my recommended method.
 

Author Comment

by:kevin203
ID: 19739975
Which model do you refer to?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19739999
I haven't used WatchGuard for a while, but if you do not have too many users, the SOHO 6 with appropriate licenses might be suitable.
 

Author Comment

by:kevin203
ID: 19740036
There are so many problems with the site-to-site VPN though. I tried so many things out, for example putting in the fixed IP for both sides, registering A host records on both DNS servers, and static routes. After I rebooted the server, everything seemed to be working, but just after a few minutes the connection to the other side's server went down, although the VPN link is still stated as connected in RRAS. Any idea what happened?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19740399
As I mentioned earlier, I haven't configured one in years, and it is a nuisance to do so. For the amount of time spent, as myself and others suggested earlier, it is better to install 2 VPN routers, even Linksys BEFVP41s. A hardware solution is easy to configure, more secure, and gives better performance.
 

Author Comment

by:kevin203
ID: 19742941
Yeah... this is the best solution, but I also need it as a secondary VPN server for my customer, as they have heavy VPN users and an FTP server.
 

Author Comment

by:kevin203
ID: 19873241
Created another site-to-site VPN again lately to test out a Mac user. At first the Mac user managed to connect to Exchange and access a shared folder on the other site's server. So happy with that, but this is only a temp solution. The link failed after a while. The VPN is connected but there is no more access to the server anymore.

Is this a Microsoft issue or myself?
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 19873410
>>"The VPN is connected but there is no more access to the server anymore."
Do you mean no access to the server locally?
If so try putting the LAN adapter at the top of the list in the binding order. To do so go to: control panel | network connections | on the menu bar - advanced | advanced settings | adapters and bindings
Sometimes you cannot apply this change. If so see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
 

Author Comment

by:kevin203
ID: 19888512
By locally, do you mean the internal network?
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19888540
Yes.
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20129861
Thanks Kevin.
Cheers !
--Rob
