VPN Access to NASDAQ

Medium Priority
747 Views
Last Modified: 2012-08-14
I am working with NASDAQ on establishing a VPN access to their servers.

They’ve sent me IPs for VPN Peer Address, FIX/QIX/CTCI NTF Host, INET NTF, PHLX NTF, NASDAQ Secure FTP.
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS

This is what they are asking for:

Customer’s Information
- VPN Peered Address
- Host Address
- Device Used for VPN (please note that the addresses the customer provides MUST be public IP addresses)
- Preferred Encryption:
- Pre-shared key: Verbal

I have 5 Windows 2008 R2 servers and an Open BSD firewall.

Would it work to just open some ports in the firewall and set up one of the Windows 2008 servers for VPN as described at http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/ ?
 
In order to respond with the VPN Peered Address and Host Address (public IPs), do I just redirect some public IPs from the firewall to the Win 2008 server on which I enable VPN?

CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
Thanks arnold.
NASDAQ wants both the Host and Peer addresses to be Public.
I have 5 static IPs from my ISP that I use for my servers. Do I need to ask for another 2 in a different subnet?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You do not need to get any additional IPs; you can configure your router/firewall to use one/two of the five you have as a peering IP/host IP.

You need to double check with them what they mean.
Are you setting up a site to site VPN such that anyone on your lan will be able to access their resources?
It might mean that you can setup a site to site while they will restrict access to the internal host (Host address).

Depending on how your setup is using the five IPs currently, you might have to make adjustments or get an additional pair.
Do you NAT any of the public IPs to an internal IP, or are you using port address translation (port forwarding) such that you can have many services using the same public IP, differentiated by the port of the service?

Author

Commented:
Do you know somebody who can do the configuration for me today, or what would be the easiest way to find somebody?
I'd prefer a local expert (Seattle), but it could work also from a remote location.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
There are experts here that might be, but I am unclear on what or how you are looking to achieve this setup, which you need to clear up.

I.e. which system on your side will be the VPN end point?
Whether your OpenBSD router/firewall is the one that will be establishing the VPN connection.

You need to get a clear understanding from the other side of the meaning of their information request, and how it is supposed to work. I.e. do they set up two tunnels, one where requests are coming from you and one where their responses are sent (one-way tunnels)?
Do they use a tunnel within a tunnel, which could explain the VPN peer and host peer? The VPN peer establishes the first tunnel, and the host peer is the computer that will use the VPN to access another secure resource.


Author

Commented:
arnold, thanks for your help!
This is what we ended up doing:
- configured IPSec on the OpenBSD box using your link
- got an additional set of /30 IPs from my ISP and added a public IP to the Windows machine inside the network (as the host address).
- opened 2 VPN tunnels, one to my office and one to NASDAQ.

Other options were: installing a Cisco router or placing a dedicated server on a SAVVIS network which has a direct connection with NASDAQ.
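What a minimal OpenBSD /etc/ipsec.conf for the NASDAQ tunnel described above could look like (an added example, not the asker's or NASDAQ's actual configuration; all addresses are RFC 5737 documentation placeholders and the macro names are assumptions):

```conf
# /etc/ipsec.conf - added example, not the poster's real configuration.
# Addresses are RFC 5737 placeholders; substitute NASDAQ's sheet and the
# public IPs assigned by the ISP.

# Our side: the OpenBSD firewall is the IKE peer ("VPN Peered Address");
# the Windows server behind it carries its own routable /30 address
# ("Host Address"), as the asker ended up doing.
local_peer  = "203.0.113.2"       # public IP on the OpenBSD external interface
local_host  = "203.0.113.6/32"    # public IP assigned to the Windows server

# Their side, from NASDAQ's connectivity sheet (placeholders here).
nasdaq_peer = "198.51.100.1"      # "VPN Peer Address"
nasdaq_ntf  = "198.51.100.16/28"  # FIX/QIX/CTCI NTF, INET/PHLX NTF, Secure FTP

# IKEv1 with a pre-shared key, matching the requested
# 3DES / SHA1 / Diffie-Hellman group 2 (modp1024) / No PFS.
# Leaving "group" out of quick mode is what disables PFS.
# These are legacy parameters dictated by the counterparty; use AES and a
# stronger group wherever the other side will accept them.
ike esp tunnel from $local_host to $nasdaq_ntf \
    local $local_peer peer $nasdaq_peer \
    main  auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des \
    psk "REPLACE-WITH-KEY-AGREED-VERBALLY"

# Activation (assumed standard OpenBSD steps, not from the page):
#   rc.conf.local: isakmpd_flags="-K"   (read policy from ipsec.conf)
#   ipsecctl -f /etc/ipsec.conf         (load the rules)
#   ipsecctl -sa                        (verify flows and SAs come up)
# pf must pass UDP 500 (isakmp) and protocol esp between $nasdaq_peer
# and $local_peer on the external interface.
```

A second `ike` line with its own peer, flows and PSK covers the office tunnel the same way; keep a distinct pre-shared key per peer so one disclosed key does not expose both tunnels.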

Author

Commented:
'Partially' means more that I did not provide enough info (wasn't sure what/how to ask) and not that the expert's answers were not complete or hard to follow.