Solved

Setting up a VPN in Windows Server 2008

Posted on 2010-08-16
Last Modified: 2012-05-10
Hi Guys,

I want to setup a VPN between two sites.
Both sites are running Windows Server 2008 with MS Forefront ISA / TMG as firewall.
We have a router in both sites with internet IP's connected to the ISA.

Not sure what the right / ideal approach will be for setting up a VPN to share data, files, videos, etc.

Any advise and direction will be appreciated.

Thanks
Question by:Rupert Eghardt
11 Comments
 
LVL 9

Expert Comment

by:authen-tech
ID: 33451455
Here is a guide on setting up the VPN.  I did not follow all of this guy's advice as he was doing more than I needed.  The tricky part for me was that it required a second NIC for the VPN.  In 2003 I was able to set up both the regular network connection and the VPN on the same NIC.  Not true for 2008.  Get a second NIC on the server and use it for the incoming VPN requests.

Second, your ISA server should be just like any other firewall.  Make sure the ports are forwarded through it to the Server 2008.  The ports you need should be on the article but mainly 1723.

You could also set it up with VPN routers on both ends...this would eliminate the server setup need and bypasses the firewall as well...though it can be tricky since every router setup is different.

Good luck,

Todd
 
LVL 68

Accepted Solution

by:Qlemo
Qlemo earned 400 total points
ID: 33452399
Forefront/TMG works best (AFAIK) when running on a two-NIC machine connected directly to the Internet (without a NATting router). If you can map one public IP directly to your server (on each site), that would be the same. However, that is only to circumvent any issues which might arise with NAT.

The best result is always achieved when the devices connected to the Internet manage VPNs. If the routers are capable of terminating IPSec, and are of the same brand, that is certainly the most reliable configuration.

Though some may argue that TMG is the best firewall ever (ask keith_alabaster ;-)), I still think a hardware firewall (and VPN) device is best. There is no "best" solution here, it is a matter of belief and preference.
 

Author Comment

by:Rupert Eghardt
ID: 33452412
Hi Todd, thanks for the help.
Should the additional "VPN" NIC be installed in the ISA box or the 2008 Server box?
If installing in the 2008 Server box, should it be connected back to the ISA box again?  On top of the existing LAN link between ISA & Server 2008?
 
LVL 9

Assisted Solution

by:authen-tech
authen-tech earned 100 total points
ID: 33454670
On the 2008 box.  I don't have an ISA server but I assume it's just a hardware firewall.  You need the second NIC on the same network available to the Internet as your regular Local Internet Connection.  I think you only need to forward the ports through the ISA server but if you have issues I would create a new question regarding the ISA setup since I'm not familiar.  

Good luck,

Todd
 
LVL 9

Expert Comment

by:authen-tech
ID: 33454684
 

Author Comment

by:Rupert Eghardt
ID: 33459114
Hi Qlemo;
In response to your post;

Our TMG already has two NICs, one for external & another for internal.   Is this the config you are referring to?

It is behind a NATTED router, but the router has a public IP mapped directly to the TMG box.
We are already using the public IP via this router for RDP sessions into the Windows 2008 box, so our router NATs, etc. via TMG is working.

From your comment;  "The best result is always achieved when the devices connected to the Internet manage VPNs"  ... Unfortunately we are using an ISP router, which is blocked for any additional setting changes or functionality, apart from additional NATs we may require.  

The VPN will be configured on the TMG box and not the Win2008 box?

On the remote site, they are using a Checkpoint R65 firewall with IPSEC, which is independently configured and managed.  Will it be possible to configure the TMG to talk to the router config in the remote site?
 
LVL 68

Expert Comment

by:Qlemo
ID: 33459339
Since the TMG is facing the public IP (even if NATted), you should set up the VPN there. The ISA/TMG has more VPN options than W2008, so it is your choice anyways. BUT Checkpoint is special - recent releases should be able to terminate a standard IPSec tunnel, but previous were not, and required to use the Checkpoint-One SecuRemote client.

Looking around, I found some working examples using ISA 2004 against CP NG or R55, so I suppose it should not be a big deal. One configuration example can be seen here: http://www.redline-software.com/eng/support/articles/isaserver/general/implementing_checkpoint_ng_r55_firewall_and_microsoft_isa_2004.php

 

Author Comment

by:Rupert Eghardt
ID: 33459581
I see the article of Thomas Shinder "Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2)", refers to a request for a machine certificate from a local enterprise CA, BEFORE the RRAS installation.

Our DC (Win2008) and the TMG already have a public certificate installed for Exchange.  Does this mean that an additional certificate should be requested / installed, or will the current certificate and FQDN suffice?
 
LVL 68

Expert Comment

by:Qlemo
ID: 33459618
An SSL VPN is completely different from IPSec. Sorry I didn't have a look yet at that link. An SSL VPN needs a valid certificate, on which both sides can agree as trusted. And in this particular (and most other) configurations, you are setting up a dial-in VPN - client-to-site, not site-to-site.
 

Author Comment

by:Rupert Eghardt
ID: 33459675
Thanks Qlemo,
I just went through the article you posted.  And you are correct, it does not involve setting up SSL, but IPSec tunnel mode.  I will configure this on the TMG and see how it goes.  I noticed the last phase is for configuring the VPN access rule and it relates to the site-to-site custom needs.  Could you perhaps give me an example for this access-rule?  I assume this rule destination will be the Win2008 server?
 
LVL 68

Expert Comment

by:Qlemo
ID: 33459691
The rule is allowing access *from* a network or single IP *to* a network or single IP. You need to put in whatever you think is correct ;-).
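An added example, not code from the thread or from ISA/TMG itself: a small Python model of the access rule Qlemo describes (allow or deny from a network or single IP to a network or single IP, on given ports), evaluated in order with an implicit final deny over constructed flows whose destination is the Win2008 server, plus a check that the two site LANs do not overlap, which is what makes a site-to-site tunnel unroutable. All addresses, ports and rule names are invented for the example.

```python
# Added example, not code from the thread: models an ISA/TMG-style access rule as
# "allow/deny from a network or single IP to a network or single IP on given ports"
# and evaluates constructed flows against it. It also checks the address-overlap
# pitfall that breaks site-to-site tunnels. All addresses are invented.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed addressing: LAN behind the TMG, LAN behind the remote Check Point,
# and the Win2008 server the remote site is meant to reach.
LOCAL_LAN = "10.1.0.0/24"
REMOTE_LAN = "10.2.0.0/24"
WIN2008 = "10.1.0.10/32"

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str           # "allow" or "deny"
    src: IPv4Network      # the "from" side: network or /32 host
    dst: IPv4Network      # the "to" side: network or /32 host
    ports: frozenset      # TCP/UDP ports; empty set means any port

def make_rule(name, action, src, dst, ports=()):
    return AccessRule(name, action, ip_network(src), ip_network(dst), frozenset(ports))

def first_match(rules, src_ip, dst_ip, port):
    """First rule whose from/to/port all match, in order; None if nothing matches."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (not r.ports or port in r.ports):
            return r
    return None

def is_allowed(rules, src_ip, dst_ip, port):
    """Ordered evaluation with an implicit final deny, as a firewall rule base does."""
    r = first_match(rules, src_ip, dst_ip, port)
    return r is not None and r.action == "allow"

def sites_overlap(lan_a, lan_b):
    """Overlapping LANs on both ends cannot be routed through a site-to-site tunnel."""
    return ip_network(lan_a).overlaps(ip_network(lan_b))

# Narrow site-to-site rule base: the remote LAN may reach only the Win2008 server,
# and only on SMB (445) and RDP (3389); anything else falls through to the deny.
RULES = [
    make_rule("Remote LAN -> Win2008 SMB/RDP", "allow", REMOTE_LAN, WIN2008, (445, 3389)),
]

if __name__ == "__main__":
    print(is_allowed(RULES, "10.2.0.5", "10.1.0.10", 445))   # True
    print(is_allowed(RULES, "10.2.0.5", "10.1.0.20", 445))   # False: not the server
    print(sites_overlap(LOCAL_LAN, REMOTE_LAN))              # False: routable
```

Note that the rule above covers only remote-to-local traffic; a second rule in the opposite direction is needed if the local LAN should initiate connections to the remote site.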
