VPN Access to NASDAQ

I am working with NASDAQ on establishing a VPN access to their servers.

They’ve sent me IPs for VPN Peer Address, FIX/QIX/CTCI NTF Host, INET NTF, PHLX NTF, NASDAQ Secure FTP.
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS

This is what they are asking for:

Customer’s Information
- VPN Peered Address
- Host Address
- Device Used for VPN (please note that the addresses the customer provides MUST be public IP addresses)
- Preferred Encryption:
- Pre-shared key: Verbal

I have 5 Windows 2008 R2 servers and an Open BSD firewall.

Would it work to just open some ports in the firewall and set up one of the Windows 2008 servers for VPN as described at http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/ ?
In order to respond with the VPN Peered Address and Host Address (public IPs), do I just redirect some public IPs from the firewall to the Win 2008 server on which I enable VPN?
Are you looking to configure IPSEC from the openBSD box?

Do you need one computer to have access or your entire LAN?
HOST IP is your external IP (http://whatismyip.com).
IPSec Information (Preferred): 3DES/SHA1/Diffie-Hellman Group 2/No PFS
Unless you wish to use an alternate encryption.
VPN peer address might be your LAN IP/segment.

You could redirect/NAT a public IP to an internal IP; it depends on whether you want multiple computers or just one to have access through the VPN.
I.e. do you set up a site-to-site VPN (if that is an option, check with them) or a remote client VPN (where your designated system is the client and only it can access data through the VPN)?
mihaisz (Author) commented:
Thanks arnold.
NASDAQ wants both the Host and Peer addresses to be Public.
I have 5 static IPs from my ISP that I use for my servers. Do I need to ask for another 2 in a different subnet?
You do not need to get any additional IPs, you can configure your router/firewall to use one/two of the five you have as a peering IP/host IP.

You need to double check with them what they mean.
Are you setting up a site-to-site VPN such that anyone on your LAN will be able to access their resources?
It might mean that you can set up a site-to-site VPN while they restrict access to the internal host (Host address).

Depending on how your setup is using the five IPs currently, you might have to make adjustments or get an additional pair.
Do you NAT any of the public IPs to an internal IP, or are you using Port Address Translation (port forwarding), such that you can have many services using the same public IP but differentiated by the port of the service?

mihaisz (Author) commented:
Do you know somebody who can do the configuration for me today, or what would be the easiest way to find somebody?
I'd prefer a local expert (Seattle), but it could also work from a remote location.
There are experts here that might be, but I am unclear on what or how you are looking to achieve this setup, which you need to clear up.

I.e. which system on your side will be the VPN end point?
Whether your OpenBSD router/firewall is the one that will be establishing the VPN connection.

You need to get a clear understanding from the other side of the meaning of their information request, and how it is supposed to work. I.e. do they set up two tunnels, one where requests are coming from you and one where their responses are sent (one-way tunnels)?
Do they use a tunnel within a tunnel, which could explain the VPN peer and host peer? The VPN peer establishes the first tunnel, and the host peer is the computer that will use the VPN to access another secure resource.

mihaisz (Author) commented:
arnold, thanks for your help!
This is what we ended up doing:
- configured IPSec on the OpenBSD box using your link
- got an additional set of /30 IPs from my ISP and added a public IP to the Windows machine inside the network (as the host address).
- opened 2 VPN tunnels, one to my office and one to NASDAQ.

Other options were: installing a Cisco router or placing a dedicated server on a SAVVIS network which has a direct connection with NASDAQ.
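For readers who want to see what the setup described above looks like on the OpenBSD side, here is an added example (not from the original thread or from NASDAQ) of an ipsec.conf IKE rule plus the matching pf.conf rules. It uses the phase 1/phase 2 parameters the thread quotes (3DES, SHA1, DH group 2, no PFS) and constructed placeholder addresses for the peer, the routed /30 host and the NASDAQ network; the interface name and the NASDAQ ranges are assumptions. 3DES and modp1024 are legacy choices that isakmpd still accepts; they are used here only because the counterparty specifies them.

```conf
# ---- /etc/ipsec.conf (ipsecctl/isakmpd syntax) ----
# Constructed placeholders: replace with the values exchanged with the counterparty.
nasdaq_peer = "192.0.2.1"        # their VPN Peer Address
nasdaq_net  = "198.51.100.0/24"  # their NTF/FTP host range (assumed)
my_peer     = "203.0.113.2"      # our VPN Peered Address: firewall external IP
my_host     = "203.0.113.9"      # our Host Address: public IP from the routed /30,
                                 # assigned to the Windows box on the inside interface

# Phase 1 (main mode) and phase 2 (quick mode) as specified by the counterparty:
# 3DES, HMAC-SHA1, DH group 2 = modp1024, and "group none" in quick mode = no PFS.
ike esp from $my_host to $nasdaq_net \
    local $my_peer peer $nasdaq_peer \
    main  auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group none \
    psk "REPLACE-WITH-VERBALLY-AGREED-PSK"

# Load with: ipsecctl -f /etc/ipsec.conf (isakmpd must run with -K so it does not
# read its own policy file; set isakmpd_flags="-K" and ipsec=YES in rc.conf.local).

# ---- /etc/pf.conf fragment ----
ext_if      = "em0"              # assumed external interface name
nasdaq_peer = "192.0.2.1"
nasdaq_net  = "198.51.100.0/24"
my_host     = "203.0.113.9"

# IKE (UDP 500) and ESP only to and from the agreed peer; no NAT, both ends are public.
pass in  on $ext_if proto udp from $nasdaq_peer to ($ext_if) port 500
pass out on $ext_if proto udp from ($ext_if) to $nasdaq_peer port 500
pass in  on $ext_if proto esp from $nasdaq_peer to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $nasdaq_peer

# Decrypted traffic appears on enc0; only allow the host address to talk to their range.
pass on enc0 proto ipencap from $nasdaq_peer to ($ext_if) keep state (if-bound)
pass in  on enc0 from $nasdaq_net to $my_host keep state (if-bound)
pass out on enc0 from $my_host to $nasdaq_net keep state (if-bound)
```

Check the negotiated SAs with `ipsecctl -sa` after loading; a phase 2 that never appears usually means a mismatch in the traffic selectors (the `from`/`to` addresses) rather than in the ciphers.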
mihaisz (Author) commented:
'Partially' means more that I did not provide enough info (I wasn't sure what/how to ask), and not that the expert's answers were incomplete or hard to follow.