mihaisz (asker)
VPN Access to NASDAQ

I am working with NASDAQ on establishing a VPN access to their servers.

They’ve sent me IPs for VPN Peer Address, FIX/QIX/CTCI NTF Host, INET NTF, PHLX NTF, NASDAQ Secure FTP.
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS

This is what they are asking for:

Customer's Information
- VPN Peered Address
- Host Address
- Device Used for VPN (please note that the addresses the customer provides MUST be public IP addresses)
- Preferred Encryption:
- Pre-shared key: Verbal

I have 5 Windows 2008 R2 servers and an OpenBSD firewall.

Would it work to just open some ports in the firewall and set up one of the Windows 2008 servers for VPN as described at http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/ ?
 
In order to respond with the VPN Peered Address and Host Address (public IPs), do I just redirect some public IPs from the firewall to the Win 2008 server on which I enable VPN?
ASKER CERTIFIED SOLUTION
arnold
This solution is only available to members.
mihaisz (ASKER)

Thanks arnold.
NASDAQ wants both the Host and Peer addresses to be Public.
I have 5 static IPs from my ISP that I use for my servers. Do I need to ask for another 2 in a different subnet?

arnold

You do not need to get any additional IPs; you can configure your router/firewall to use one/two of the five you have as the peering IP/host IP.

You need to double-check with them what they mean.
Are you setting up a site to site VPN such that anyone on your lan will be able to access their resources?
It might mean that you can setup a site to site while they will restrict access to the internal host (Host address).

Depending on how your setup is using the five IPs currently, you might have to make adjustments or get an additional pair.
Do you NAT any of the public IPs to an internal IP, or are you using Port Address Translation (port forwarding) such that you can have many services using the same public IP, differentiated by the port of the service?
mihaisz (ASKER)

Do you know somebody who can do the configuration for me today, or what would be the easiest way to find somebody?
I'd prefer a local expert (Seattle), but it could work also from a remote location.
arnold

There are experts here who might be able to, but I am unclear on what you are looking to achieve with this setup, or how, which you need to clear up.

I.e., which system on your side will be the VPN endpoint?
Whether your OpenBSD router/firewall is the one that will be establishing the VPN connection.

You need to get a clear understanding from the other side of the meaning of their information request, and how it is supposed to work. I.e., do they set up two tunnels, one where requests are coming from you and one where their responses are sent (one-way tunnels)?
Do they use a tunnel within a tunnel, which could explain the VPN peer and host peer? The VPN peer establishes the first tunnel, and the host peer is the computer that will use the VPN to access another secure resource.


mihaisz (ASKER)

arnold, thanks for your help!
This is what we ended up doing:
- configured IPSec on the OpenBSD box using your link
- got an additional set of /30 IPs from my ISP and added a public IP to the Windows machine inside the network (as the host address).
- opened 2 VPN tunnels, one to my office and one to NASDAQ.

Other options were: installing a Cisco router or placing a dedicated server on a SAVVIS network which has a direct connection with NASDAQ.
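The setup the asker describes above (a site-to-site IPsec tunnel terminated on the OpenBSD firewall, with the counterparty's stated proposal of 3DES / SHA1 / Diffie-Hellman group 2 / no PFS and a verbally exchanged pre-shared key, and a public "Host Address" on the Windows server behind the firewall) written out as an added example in OpenBSD ipsec.conf(5) and pf.conf(5) syntax. This is not the asker's or NASDAQ's actual configuration and nothing in it comes from the thread: all addresses are RFC 5737 documentation placeholders, the interface name and pre-shared key are placeholders, and the second tunnel to the office is omitted.

```conf
# /etc/ipsec.conf   (added example; every address below is an assumed placeholder)
#
# Phase 1 (main mode) and phase 2 (quick mode) mirror the counterparty's stated
# proposal: 3DES / SHA1 / DH group 2 (modp1024) / no PFS (quick-mode group none).
# Both ends must offer the same transforms or negotiation fails.

local_gw     = "203.0.113.10"      # our "VPN Peered Address": public IP on the OpenBSD box
remote_gw    = "198.51.100.1"      # counterparty's VPN peer address
local_host   = "203.0.113.130"     # our "Host Address": public IP on the Windows server,
                                   # taken from the extra /30 routed behind the firewall
remote_hosts = "198.51.100.0/24"   # counterparty host addresses reachable through the tunnel
                                   # (FIX/QIX/CTCI, INET, PHLX, secure FTP)

# Tunnel-mode ESP between the two host ranges, negotiated with IKEv1 and a PSK.
# The PSK here is a placeholder; use a long random string agreed out of band.
ike esp tunnel from $local_host to $remote_hosts \
        local $local_gw peer $remote_gw \
        main  auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk "placeholder-replace-with-the-key-agreed-verbally"


# /etc/pf.conf excerpt   (added example; same placeholder values, redefined here)
ext_if       = "em0"               # assumed external interface name
local_gw     = "203.0.113.10"
remote_gw    = "198.51.100.1"
local_host   = "203.0.113.130"
remote_hosts = "198.51.100.0/24"

# IKE (UDP 500, and 4500 for NAT-T) and ESP between the two gateways only.
pass in  on $ext_if proto udp from $remote_gw to $local_gw  port { 500, 4500 }
pass out on $ext_if proto udp from $local_gw  to $remote_gw port { 500, 4500 }
pass in  on $ext_if proto esp from $remote_gw to $local_gw
pass out on $ext_if proto esp from $local_gw  to $remote_gw

# Decapsulated traffic appears on enc0; allow the tunnel-mode outer IP-in-IP
# packet and the inner flow between the host addresses, nothing wider.
pass in on enc0 proto ipencap from $remote_gw to $local_gw keep state (if-bound)
pass on enc0 from $local_host  to $remote_hosts keep state (if-bound)
pass on enc0 from $remote_hosts to $local_host  keep state (if-bound)
```

Syntax-check the policy without loading it with `ipsecctl -n -f /etc/ipsec.conf`, load it with `ipsecctl -f /etc/ipsec.conf`, and inspect negotiated SAs with `ipsecctl -sa`. isakmpd must run with `-K` when the policy comes from ipsec.conf rather than keynote, the box needs `net.inet.ip.forwarding=1` to carry the Windows host's traffic, and no NAT rule may rewrite the host address, since the counterparty expects that public IP as the inner source. A second `ike` rule with its own peer covers the office tunnel the asker mentions. 3DES, SHA1 and modp1024 are the counterparty's requirement here and are legacy choices; if the other side ever accepts AES, SHA-2, a larger group and PFS, prefer those.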
mihaisz (ASKER)

'Partially' means more that I did not provide enough info (wasn't sure what/how to ask) and not that the expert's answers were not complete or hard to follow.