VPN Access to NASDAQ

Posted on 2011-04-18
Medium Priority
Last Modified: 2012-08-14
I am working with NASDAQ on establishing a VPN access to their servers.

They’ve sent me IPs for VPN Peer Address, FIX/QIX/CTCI NTF Host, INET NTF, PHLX NTF, NASDAQ Secure FTP.
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS

This is what they are asking for:

Customer's Information
- VPN Peered Address
- Host Address
- Device Used for VPN (please note that the addresses the customer provides MUST be public IP addresses)
- Preferred Encryption:
- Pre-shared key: Verbal

I have 5 Windows 2008 R2 servers and an Open BSD firewall.

Would it work to just open some ports in the firewall and set up one of the Windows 2008 servers for VPN as described at http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/ ?
In order to respond with the VPN Peered Address and Host Address (public IPs), do I just redirect some public IPs from the firewall to the Win 2008 server on which I enable VPN?
Question by:mihaisz

Accepted Solution

arnold earned 2000 total points
ID: 35421226
Are you looking to configure IPsec from the OpenBSD box?

Do you need one computer to have access, or your entire LAN?
HOST IP: is your external IP (http://whatismyip.com)
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS
Unless you wish to use an alternate encryption.
VPN peer address might be your LAN IP/segment.

You could redirect/NAT a public IP to an internal IP; this deals with whether you want multiple computers or just one to have access through the VPN.
I.e. do you set up a site-to-site VPN (if that is an option, check with them) or a remote client VPN (where your designated system is the client and only it can access data through the VPN)?

Author Comment

ID: 35438400
Thanks, arnold.
NASDAQ wants both the Host and Peer addresses to be public.
I have 5 static IPs from my ISP that I use for my servers. Do I need to ask for another 2 in a different subnet?

Expert Comment

ID: 35438429
You do not need to get any additional IPs; you can configure your router/firewall to use one/two of the five you have as the peering IP/host IP.

You need to double-check with them what they mean.
Are you setting up a site-to-site VPN such that anyone on your LAN will be able to access their resources?
It might mean that you can set up a site-to-site while they restrict access to the internal host (Host address).

Depending on how your setup is using the five IPs currently, you might have to make adjustments or get an additional pair.
Do you NAT any of the public IPs to an internal IP, or are you using port address translation (port forwarding) such that you can have many services using the same public IP but differentiated by the port of the service?

Author Comment

ID: 35441271
Do you know somebody who can do the configuration for me today, or what would be the easiest way to find somebody?
I'd prefer a local expert (Seattle), but it could work also from a remote location.

Expert Comment

ID: 35441516
There are experts here that might be, but I am unclear about what or how you are looking to achieve this setup, which you need to clear up.

I.e. which system on your side will be the VPN endpoint?
Whether your OpenBSD router/firewall is the one that will be establishing the VPN connection.

You need to get a clear understanding from the other side of the meaning of their information request, and how it is supposed to work. I.e. do they set up two tunnels, one where requests are coming from you and one where their responses are sent (one-way tunnels)?
Do they use a tunnel within a tunnel, which could explain the VPN peer and host peer? The VPN peer establishes the first tunnel, and the host peer is the computer that will use the VPN to access another secure resource.


Author Comment

ID: 35456833
arnold, thanks for your help!
This is what we ended up doing:
- configured IPsec on the OpenBSD box using your link
- got an additional set of /30 IPs from my ISP and added a public IP to the Windows machine inside the network (as the host address).
- opened 2 VPN tunnels, one to my office and one to NASDAQ.

Other options were: installing a Cisco router or placing a dedicated server on a SAVVIS network which has a direct connection with NASDAQ.
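An added example, not from the thread and not NASDAQ's or the asker's actual configuration, of what the OpenBSD side of the setup described above could look like in ipsec.conf(5): the firewall's external address is the VPN peer address, the Windows server's public address from the extra /30 (routed through the firewall, not NATed) is the host address, and the proposal matches the parameters NASDAQ listed (3DES, SHA1, Diffie-Hellman group 2 = modp1024, no PFS). All addresses are RFC 5737 documentation placeholders, the remote host list and the pre-shared key are assumed.

```conf
# /etc/ipsec.conf on the OpenBSD firewall (added example; every value is a placeholder)

# Our side: the firewall's external IP is what NASDAQ sees as the "VPN Peered Address";
# the Windows server's own public IP (from the /30) is the "Host Address".
my_peer = "203.0.113.2"
my_host = "203.0.113.6"

# Their side: NASDAQ's VPN peer address (placeholder).
nasdaq_peer = "198.51.100.1"

# One IKEv1 (isakmpd) tunnel with a pre-shared key, as on the request form.
#   Phase 1 (main):  3DES / SHA1 / DH group 2 (modp1024)
#   Phase 2 (quick): 3DES / SHA1, "group none" disables PFS as requested
# Only traffic between my_host and the listed NASDAQ hosts (FIX/QIX/CTCI NTF,
# INET NTF, PHLX NTF, secure FTP; placeholder IPs) goes through the tunnel,
# so the rest of the LAN stays outside it.
ike esp from $my_host to { 192.0.2.10, 192.0.2.11, 192.0.2.12, 192.0.2.20 } \
        local $my_peer peer $nasdaq_peer \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des group none \
        psk "REPLACE-WITH-THE-KEY-AGREED-VERBALLY"
```

Check the syntax with `ipsecctl -n -f /etc/ipsec.conf` before loading it for real, and remember that pf.conf must also pass UDP 500/4500 and ESP between $my_peer and $nasdaq_peer on the external interface, plus the decrypted traffic on enc0.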

Author Closing Comment

ID: 35456839
'Partially' means more that I did not provide enough info (wasn't sure what/how to ask) and not that the expert's answers were not complete or hard to follow.
