Solved

VPN Server Solution

Posted on 2011-09-20
17
602 Views
Last Modified: 2012-05-12
Hi,

I'm looking into a VPN solution which can facilitate the following.

I have a client office with a file server and db server (windows based) with a few client xp machines.

Recently, we have opened a small remote office which has its own internet connection with one user. This user would like to connect to the office and access the network resources.

Initial thought was a simple Windows VPN Server setup using one of the servers in the office, but this required me putting the server into the DMZ (the main office only has a simple BT Business Hub) and configuring security certificates etc.

Is there any open source software out there which could be installed onto one of the servers/pc in the office which can accept inbound connections from the remote client without the need for certificates/tricky configs etc?

I looked at OpenVPN but the config file got me beat - a bit too complex.

Any ideas?

Thanks
D
Question by:daiwhyte
17 Comments
 
LVL 7

Accepted Solution

by:
OctInv earned 500 total points
ID: 36566047
I'm not quite sure why you would need to put a Windows VPN server in a DMZ?

I've not needed to do that with a Windows server before, and also not had to set up any certificates.  Configure the server for VPN access only (no routing) using its default RRAS service installed by default on a Windows server, open the firewall on the appropriate port you are using for the authentication protocol (PPTP or L2TP), and ensure the user creating the VPN knows the username and password to be used to log in to the server creating the VPN connection.
No extra software/hardware needed.

Hope this is the answer you were looking for.
0
 

Author Comment

by:daiwhyte
ID: 36566122
The server in question only has one network card installed; the VPN process errors, stating I need two network cards. Any way round this?

0
 
LVL 7

Expert Comment

by:OctInv
ID: 36566145
Yes,  the error is appearing possibly because you are enabling routing as well as enabling inbound VPN connections.  If the server was to provide a routing service, then 2 network cards are needed.  This is not necessary for enabling only inbound VPN connections.
When setting up the VPN server, choose 'custom configuration' and only tick 'VPN'.

I would talk you through exactly how to do this - but you have not specified the version of Windows server you have.

Hope this helps.
0
 

Author Comment

by:daiwhyte
ID: 36566158
I have Windows 2003 Server.

What ports would I need to forward from the firewall to the local host?
0
 
LVL 7

Expert Comment

by:OctInv
ID: 36566199
Go to configure RRAS by right clicking on the server name from within the MMC snap-in.
Click Next and choose 'custom configuration', click next and tick only 'VPN'.  Click next and click finish.

Choosing the port depends on which method of authentication you are choosing for the VPN connections.
For example, if you were to choose 'PPTP', then you would need to open up port TCP 1723 and enable the 'GRE' protocol to be passed through the firewall.  This is protocol type 47, rather than being on 'port 47', so don't get the two confused.  But most modern day business routers (like the one you have) will do this for you automatically if you just tell it that you want to pass through PPTP VPN connections to the IP address of your server.
L2TP is different - you need to open all of UDP ports 500, 4500 and 1701.

Good luck
0
 

Author Comment

by:daiwhyte
ID: 36566507
Ok, some things not quite right but positive things have happened.

I've set up the server as VPN and I have connected to this server from a local machine, so I guess the username/password are good. I've configured the firewall to allow TCP Port 1723 through to the VPN server; I selected the option within the BT router for PPTP Server when configuring the custom rule.

However, I'm not able to connect from a remote machine (Win 7 Home Prem). This machine also has another dialler configured to another network and this works (PPTP).

Not sure if the problem is with the firewall or the server not configured for PPTP - your first paragraph on your last post was confusing, but I don't think it's relevant since I was able to connect a local client to the VPN server.
0
 
LVL 7

Expert Comment

by:OctInv
ID: 36566606
Sorry if I confused you, but it was relevant.  The first paragraph of my last post was just instructions on how to set up the VPN on a Windows Server 2003 build, but given it seems as though you set it up correctly (after a successful internal test), all is good.
There could be a number of reasons for why it hasn’t worked from an external source though, so some more information would be helpful to troubleshoot this.  What error message are you getting when the user tries to connect?
0
 

Author Comment

by:daiwhyte
ID: 36566624
Checking my firewall logs, I can see the traffic is passing, see below.

src=xxx.xxx.xx.x dst=192.168.1.85 ipprot=6 sport=35503 dport=1723 Session Matches User Pinhole, Packet Passed
0
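As an added example (not part of the thread), a small Python checker for firewall lines in the key=value format pasted above. PPTP needs two things to be passed: TCP/1723 (the control channel) and GRE, IP protocol 47 (the data channel); a log that only ever shows port 1723 getting through is the usual sign that GRE is being dropped. The sample log lines and addresses are constructed, and the optional allowlist parameter is an assumption added for the later question about restricting source IPs.

```python
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample in the same style as the thread's firewall log line.
SAMPLE_LOG = """\
src=203.0.113.10 dst=192.168.1.85 ipprot=6 sport=35503 dport=1723 Session Matches User Pinhole, Packet Passed
src=203.0.113.10 dst=192.168.1.85 ipprot=47 Session Matches User Pinhole, Packet Passed
src=198.51.100.7 dst=192.168.1.85 ipprot=6 sport=40001 dport=1723 Session Matches User Pinhole, Packet Passed
src=198.51.100.7 dst=192.168.1.85 ipprot=47 Packet Dropped
"""

def parse_line(line):
    """Turn one key=value firewall line into a dict; numeric values become ints."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = int(value) if value.isdigit() else value
    fields["passed"] = "Packet Passed" in line
    return fields

def pptp_report(log_text, allowed_sources=()):
    """Per source IP: was TCP/1723 passed, was GRE (proto 47) passed, and a verdict.
    An empty allowlist means no source restriction is being checked."""
    seen = defaultdict(lambda: {"control": False, "gre": False})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        if not f["passed"] or "src" not in f:
            continue  # dropped packets tell us nothing about what got through
        entry = seen[f["src"]]
        if f.get("ipprot") == 6 and f.get("dport") == 1723:
            entry["control"] = True
        elif f.get("ipprot") == 47:
            entry["gre"] = True
    report = {}
    for src, flags in seen.items():
        if flags["control"] and flags["gre"]:
            verdict = "ok"
        elif flags["control"]:
            verdict = "gre-blocked"  # tunnel authenticates, then carries no traffic
        else:
            verdict = "no-control"
        report[src] = {**flags, "verdict": verdict,
                       "allowed": (not allowed_sources) or src in allowed_sources}
    return report

if __name__ == "__main__":
    for src, info in pptp_report(SAMPLE_LOG, allowed_sources=("203.0.113.10",)).items():
        print(src, info)
```

Remote users on dynamic public addresses will not match a fixed allowlist, which is the caveat raised later in the thread.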
 

Author Comment

by:daiwhyte
ID: 36566666
I'm getting Error 807
0
 

Author Comment

by:daiwhyte
ID: 36566761
Ok, I've moved the VPN server onto another server because I read that the 807 error can be related to slow server response.

By doing so, I now see my credentials getting passed successfully, but then I get Error 720.
0
 

Author Comment

by:daiwhyte
ID: 36566802
On the downside, I'm not able to connect locally to the new server
0
 

Author Comment

by:daiwhyte
ID: 36566872
Forgot to mention, the new process fails on the final step "Registering machine on the network"
0
 

Author Comment

by:daiwhyte
ID: 36566933
Update

Disabled IPv6 and set the local VPN server to dish out IPs rather than my DHCP and hey presto, it works!!!!
0
 

Author Comment

by:daiwhyte
ID: 36566993
Is it possible to lock down the VPN to only allow connections from nominated IP addresses?
0
 
LVL 7

Expert Comment

by:OctInv
ID: 36567065
Was just out having some lunch!
Happy it works for you.

Yes, that is possible, and I would recommend doing that from the firewall rather than from the advanced config of the RRAS, as any person trying to connect that you don't want to should be dropped before they enter the network, not as they hit the server.  Modify the firewall rule so that it drops connections from IP addresses other than the ones you specify.
Take in mind that the person connecting may not have a static public IP address.

Glad to have helped you.
0
 

Author Comment

by:daiwhyte
ID: 36567095
Thank you OctInv
0
 

Author Closing Comment

by:daiwhyte
ID: 36567101
Thank you
0
