  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 352

VPN Questions

I need some help with a VPN so I thought you guys were the best to ask.

I have software on a server that shares the same public IP internet connection with everyone on the LAN, including all 4 servers, and of course everyone's (192) IP is different.  I need to set up a VPN or some other way where 3 users in 1 location can get into our system and access the software and DB behind it.  What would be the best and easiest way to accomplish this?  Do I need VPN software to do this?  Do I use the Windows built-in VPN tool?
Asked:
Mdombeck
1 Solution
 
Rob Williams Commented:
Hi Mdombeck.
You can create a VPN connection on the server itself, and then just use the Windows VPN client on the remote PC, which will allow them to connect and access resources.
However, if multiple users want to connect at the same time, from the same site you will need to set up a site to site hardware VPN. Alternatively you can do so between 2 servers, if present, but it is difficult and inefficient. The ideal routers for a site to site VPN are something like the Cisco ASA5500 series, but for much less you can use something like the Linksys RV042 (about $200 each).

Before pursuing further, you mention accessing a database. Can you elaborate? VPNs are ideal for accessing shared resources such as Word and Excel files, but if you plan to run a database application locally and access a remote database it probably will not work. Most database applications are too "chatty" and it results in terrible performance and possible data corruption. I am not a "database guy" but some are written with a "front end" application that deals better with this.

Maybe some more details and we can customize a solution for you.
Terminal services is an excellent choice for databases.

--Rob
 
Mdombeck (Author) Commented:
Yup there is a front end application in front of the DB.  The client side has a 2wire 1701 HG gateway, and 3 XP machines, chances are more than 1 of them will be in the VPN at once.  There is no server on the client side.  The host has an Edgewater Router that is VPN capable.  Is it going to be a problem that all servers and workstations on the host side have the same public IP since they all share the same internet connection?  I have never set up a VPN like this before so I am beyond confused.
 
Rob Williams Commented:
>>"Yup there is a front end application in front of the DB."
You may be fine then. You might want to test performance by setting up a software based VPN, for free, but as mentioned this will probably not work for multiple clients for several reasons. At the end of the post are the instructions for doing so. Should you be running Microsoft Small Business Server, please advise. The concepts are the same, but the process is a little different.

The best solution, however, would be to install matching VPN routers at each site. This will work for sure, provides better security and performance, and is easier to manage. If your Edgewater Router can act as a VPN router you can use it, but configuring it to connect to a different device at the other end requires a little more knowledge and support is much more difficult to find. Is it possible to install an Edgewater Router at the other site? That might be an economical solution, though personally I am not familiar with those units.

The best units available in my opinion are Cisco's and the 5500 series are ideal for smaller businesses. They are licensed for 10, 50, or unlimited users, and priced accordingly. You would probably be looking at under $500 per site. Cisco also have excellent support if needed. Support contracts are extra.
Linksys RV042's are actually very stable devices and as mentioned about $200 per site. They are also very easy to set up as per the following guidelines:
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=1705&p_created=1094687137&p_sid=U6Top31i&p_accessibility=0&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MTAzJnBfcHJvZHM9MCZwX2NhdHM9JnBfcHY9JnBfY3Y9JnBfc
The Linksys has no support costs (support is also poor), and no user licenses. The Ciscos also require that each site has a static external/public IP, whereas the Linksys only requires the corporate site to have a static IP.

>>"There is no server on the client side. "
No problem. That is just another option.

>>"Is it going to be a problem that all servers and workstations on the host side have the same public IP since they all share the same internet connection?"
Not at all. That is very typical.

I know this is a "mile high view" but glad to answer any specifics.

-----------------------------------------------------------------------
Setting up a Windows-based software VPN is quite straightforward. The basic server and client configurations can be found at the following sites with good detail:
-Server 2003 configuration:
http://www.lan-2-wan.com/vpns-RRAS-1nic.htm
-Windows XP client configuration:
http://www.lan-2-wan.com/vpns-XP-Client.htm
-You will also have to configure the router to forward the VPN traffic to the server. This is done by enabling on your router VPN or PPTP pass-through, and also forwarding port 1723 traffic to the server's IP. For details as to how to configure the port forwarding, click on the link for your router (assuming it is present) on the following page:
http://www.portforward.com/english/applications/port_forwarding/PPTP/PPTPindex.htm
-The users that are connecting to the VPN need to have allow access enabled under the dial-in tab of their profile in Active Directory.
-The only other thing to remember is the subnet you use at the remote office needs to be different than the server end. For example if you are using 192.168.1.x at the office, the remote should be something like 192.168.2.x

-Once this is configured you can then use services similar to how you would on the local network. You will not be able to browse the network unless you have a WINS server installed. Also, depending on your network configuration, you may have problems connecting to devices by name, though this can usually be configured. Using the IP address is less problematic, such as \\192.168.1.111\ShareName.
-Name resolution can be dealt with in many ways. See:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
However, the best method is to add the DNS suffix to the remote user's VPN client configuration as described in the link above.
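The subnet rule in the instructions above (the remote office must not use the same range as the server end) can be checked before the VPN is built. This is an added example, not part of the original post; the function names and the list of router-default subnets to avoid are assumptions, and 192.168.1.111 is the sample address used in the post.

```python
import ipaddress

# Common consumer-router defaults, skipped when suggesting a new subnet
# (an assumption for this example, not a list from the post).
COMMON_DEFAULTS = ("192.168.0.0/24", "192.168.1.0/24")

def lans_conflict(office_lan, remote_lan):
    """True when both LANs share addresses: the remote PC would treat
    office IPs as on-link and never send them into the tunnel."""
    office = ipaddress.ip_network(office_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    return office.overlaps(remote)

def suggest_remote_lan(office_lan, pool="192.168.0.0/16", avoid=COMMON_DEFAULTS):
    """First /24 in the pool that overlaps neither the office LAN nor
    the avoided defaults; None if the pool is exhausted."""
    taken = [ipaddress.ip_network(office_lan, strict=False)]
    taken += [ipaddress.ip_network(n) for n in avoid]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=24):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None

def preflight(office_lan, remote_lan, server_ip):
    """Return a list of problems; an empty list means the addressing is sane."""
    problems = []
    office = ipaddress.ip_network(office_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    server = ipaddress.ip_address(server_ip)
    if server not in office:
        problems.append(f"{server} is not inside office LAN {office}")
    if lans_conflict(office_lan, remote_lan):
        problems.append(f"remote LAN {remote} overlaps office LAN {office}; "
                        f"renumber the remote side, e.g. {suggest_remote_lan(office_lan)}")
    if server in remote:
        problems.append(f"{server} looks local to the remote PC, so "
                        f"traffic to it would never cross the VPN")
    return problems

if __name__ == "__main__":
    # Constructed sample: both sites left on the same default subnet.
    for line in preflight("192.168.1.0/24", "192.168.1.0/24", "192.168.1.111"):
        print("PROBLEM:", line)
```
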

 
Mdombeck (Author) Commented:
Wow that is a wealth of information to absorb.  I am going to try it with Windows-based VPN software first to see if I can get it to work.  I will forward 1723 to my server.  I will need to add their remote computer name to my AD to get it to work?

It is people like you who make the monthly fee to use this site an absolute bargain!!!
 
Rob Williams Commented:
Thanks for the kind words Mdombeck.

>>"I will need to add their remote computer name to my AD to get it to work?"
No, but you will likely need to add the DNS suffix and DNS IP to the client if you want to access using names rather than IP's. The other option is using the Hosts file. Rather than duplicating here, my blog outlines name resolution issues and options for VPN clients:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

If you have a router between the 2-wire and the server let me know as the 2 wire would then have to be put in "bridged" mode. I can post instructions if that is the case but it doesn't sound necessary based on your description.
 
Mdombeck (Author) Commented:
<<<<<If you have a router between the 2-wire and the server let me know as the 2 wire would then have to be put in "bridged" mode. I can post instructions if that is the case but it doesn't sound necessary based on your description.>>>>>

Well the 2wire is on the remote side, and the 2wire is pretty much the end of the line up there.  The servers are on the host side and that is where the Edgewater is.
 
Rob Williams Commented:
So you have:
client => 2-wire => Internet => possible modem => Edgewater => server?
If so that should be fine.
 
Rob Williams Commented:
Thanks Mdombeck.
Cheers !
--Rob