Solved

Want to setup a VPN

Posted on 2007-11-27
Last Modified: 2013-11-21
Hi Experts, a customer wants to be able to work remotely from home to their business, and although I have a little knowledge about networking, this is a bit new to me and I need to know where to start.

I was thinking about using Windows Remote Desktop to do this but I'm not sure where to start. I assume I would have to set up a VPN as well?

I am also concerned about the security of the system.

Regards Jason
Question by:MXDEWD
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 20362265
Remote Desktop is relatively secure on its own, but using a VPN is much more secure and allows you to use the same local IPs as when on the LAN.

The VPN is quite straightforward to set up. The basic server and client configurations can be found at the following sites with good detail:
Server 2003 configuration if Server is present:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
Windows XP can be the server if Server 2003 or 200 is not present:
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example, if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.

Then to connect to remote desktop see the following instructions. However, because you have a VPN there is no need to configure the router for port forwarding of port 3389. Simply connect to the Office PC's LAN IP.
http://www.lan-2-wan.com/RD-XP.htm
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20362448
Will the Remote desktop work if both systems are on XP Home?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20362476
No, afraid not. You can only connect to an XPpro or Server 2003/200 system with remote desktop. You can connect from any Windows or even Mac computer if you add the client. The client to connect from is built in to XPpro and home.

However there are many other solutions, and they too are free. VNC is a very popular tool, but not as secure as Remote Desktop. Therefore it should be used with the VPN. Quite safe then. There are 3 or 4 different VNC versions.
Another one that can be used alone (without the VPN) and is very easy to set up is LogMeIn.
A brief description of each and links to the downloads and further information can be found at:
http://www.lan-2-wan.com/3rd.htm
0
 
LVL 31

Expert Comment

by:Cláudio Rodrigues
ID: 20362737
Keep in mind that VPNs are a double-edged sword. More secure indeed BUT as the remote PC becomes a node of your corporate network, if you do not understand exactly what you are doing, the remote PCs have the potential of infecting corporate machines. Of course there are ways to check the PC 'health' before allowing it on the corporate network but as you can see things start to get very complicated for someone with basic skills or still learning (as you mentioned).
Remote Desktop on the other hand does not make the remote machine a node of the network and therefore in that respect it is a MUCH safer solution (not to mention faster in many cases, especially when trying to run apps hosted on the corporate network).
Rob is correct. XP Home is a no go. You need XP Pro or Server 2003. If you want to use a third party add-on you can check WinConnect XP Server. It turns any XP Home/Pro into a multi-user TS.

Claudio Rodrigues

Microsoft MVP
Windows Server - Terminal Services
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20363170
Hi there, thanks for the wealth of information already received.

I have just learned that the computer at the office is XP pro and the comp at home is XP Home! Does that help me?

Regards Jason
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20363195
Definitely, assuming you want to connect to the office. The outline in my first post will cover that scenario, either with the VPN or without.

tsmvp has a good point about VPNs. Their primary purpose is to encrypt all traffic in a "virtual tunnel" between two sites. This allows more or less seamless file sharing and access to other shared services at a remote location but protected from the Internet. The one weakness is it is a wide open door to the home site. Though the VPN client has options to protect the tunnel from other users, such as Johny playing on-line video games, should the home computer be compromised, there is direct access to the corporate office. If this is a concern there are methods of quarantining access, but best bet would be to ignore the VPN and use direct Remote Desktop Access as per:
http://www.lan-2-wan.com/RD-XP.htm

From a performance point of view Remote Desktop (with or without the VPN) or possibly LogMeIn will give you the best results.


0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20522961
Hi all, sorry it has taken a while to get back and accept answer. I have had a problem getting access to this computer and will resolve in a couple of weeks after the xmas break.

Regards Jason
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20524516
Let us know how you make out Jason.
Have a great holiday season !
--Rob
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20702505
Hi All... have just got back on deck and looking into this problem again.

Hope you had a good and safe xmas!

I have used Rob's post and gone through the setup, and the RDC comes back with a no connection error...

This is what I have done so far.

*Setup an account with dyn dns
*Configured the router (LINKSYS model: WAG200G), setup ddns service to the client - this tests OK, setup the port forwarding, I have used port 4500 - I changed this on the machine that is being connected to as well in the registry - changed from the default 3389.
* Ensured the service is running on the Host machine.

Any Ideas?

Regards Jason


0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20702531
Did you set up the VPN?
As you set up port forwarding for 4500 (3389) I assume not.
When you connect are you adding the port number such as my.domain.net:4500?

Also I wonder if you will have problems with port 4500. It is defined for use with L2TP VPN's. You may not be able to use it for other services. Try 3500.

Have you verified on your LAN that this works with that port number? You would also have to use 192.168.123.123:4500 there, if it is properly configured.

The Windows firewall will also have to be reconfigured to allow your new port as it would default to 3389, and also you need to set it to allow connections from outside of your local network:
http://www.lan-2-wan.com/RD-FW.htm
This would apply to any other software firewall as well.
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20702903
Hi Rob, no VPN setup (that's the next thing I want to learn how to do).

Yes, I have tried my.domain.net:4500

I will try port 3500

no I haven't tried on the LAN (I'm off site using remote PCHelpware - the irony!)

I'm using Zone Alarm IS on the host, I have turned it off during connection attempts. Windows Firewall has been disabled.

Let you know how I go.

Regards Jason
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20703220
I would
-switch to 3500
-test from LAN
-from LAN go to http://www.canyouseeme.org and test that port 3500 is open
-then test from off site. Try using the current public IP first

Let us know how you make out.
0
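The test order in the post above (LAN first, then from off site), as an added example that is not part of the original thread: a small Python check that separates "connection refused" from a timeout on the chosen port and turns the two results into the usual reading. The function names `probe` and `diagnose` are hypothetical, and the sample run uses a constructed listener on the loopback address.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # something answered with a reset: no listener or no forward
    except socket.timeout:
        return "timeout"   # packets dropped on the way (filtered)
    except OSError:
        return "error"     # e.g. name did not resolve, no route

def diagnose(lan, wan):
    """lan: probe() result taken on the office LAN against the host's LAN IP.
    wan: probe() result taken from off site against the public IP or DDNS name."""
    if lan != "open":
        return "host: service is not listening on this port, or a host firewall blocks it"
    if wan == "open":
        return "path ok: port is reachable end to end, check the account on the host"
    if wan == "refused":
        return "forwarding: a device answered but nothing is forwarded to the host on this port"
    return "forwarding: no answer from outside, check router rule and any second router/modem"

if __name__ == "__main__":
    # Constructed sample: a throwaway listener stands in for the Remote Desktop host.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    lan_result = probe("127.0.0.1", port)
    srv.close()
    wan_result = probe("127.0.0.1", port)   # listener gone, stands in for a missing forward
    print(lan_result, wan_result, "->", diagnose(lan_result, wan_result))
```

Run `probe` once on the LAN against the host's LAN IP and once from off site against the public address; probing the public address from inside the LAN can fail on routers without NAT loopback even when the forward is correct.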
 
LVL 1

Author Comment

by:MXDEWD
ID: 20703623
Hey Rob...

When using CanYouSeeMe on 3500 I get...

Error: I could not see your service on 222.154.16.195 on port (3500)
Reason: Connection refused

Regards Jason
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20703627
I get an external ping back tho
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20703642
I assume you are connecting to CanYouSeeMe from the remote desktop host (not the client site).
I would say then your router's port forwarding is not configured correctly, or you have 2 "routers": a router and a modem that is a combined router and modem. If you have the latter it needs to be put in bridge mode or have port 3500 forwarded to the other router, and the other router forwarded to the PC.
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20703702
The rdc works fine on the LAN
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20703732
That would confirm it's a forwarding issue.
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20889822
Hi Rob, sorry I haven't been back in to update. I haven't been able to get to my customer's site for a while, I hope to tomorrow or Monday so I will let you know how I get on. I will be targeting the port forwarding setup in the router.

Regards Jason
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20889939
Thanks for the update Jason. Let us know how you make out.
--Rob
0
 
LVL 1

Author Closing Comment

by:MXDEWD
ID: 31411319
Thanks for your patience Rob, in the end all you said was good. The last problem I was having is one of the fools on site had deleted the user profile I was trying to connect on! (The Manager!)

Regards Jason
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20944160
Thanks MXDEWD. Our jobs would be much easier without users wouldn't it <G>
-Cheers !
--Rob
0
 
LVL 1

Author Comment

by:MXDEWD
ID: 20951295
ha ha, tru that... but then I probably wouldn't have a job... cheers to foolish antics of the users!
0
