  • Status: Solved
  • Priority: Medium
  • Security: Public

Best Configuration for remote site access sbs 2003 and VPN router RV042

Current Conditions
Main site
Single static IP -> cable modem -> SBS 2003 -> 2 NICs one to internal, one to modem

Remote site
Single static IP -> cable modem -> VPN RV042 -> 2 computers individually connecting with SBS's VPN

I would like the Remote site to connect through the VPN Router to the main site using a site to site with a second VPN RV042.

In my searches I either haven't found information or have gotten conflicting information on the best / most secure way to configure my setup.

Should the VPN router be connected directly to the internal network via the internal switch?  This seems like the easiest solution as the VPN tunnel is just extending my internal network but it also feels like I'm locking a door and opening a window.

I have an unused NIC card on the server.
The server is running ISA 2004.

My VPN experience includes running the VPN wizard in SBS so I really want to make sure I've set it up right and safe the first time out.
Thanks for the assistance.
Asked by: shutesie
3 Solutions
 
Keith Alabaster Commented:
"My VPN experience includes running the VPN wizard in SBS so I really want to make sure I've set it up right and safe the first time out."

Good call - so you obviously will not be going anywhere near the production environment when you test this scenario. The SBS wizards only support two NICs - so using a 3rd NIC is not an option unless you are also confident that you have the skills to do everything manually. This also assumes this is YOUR site (not a customer's) and you will be around to pick up the pieces should something need doing in the future by someone else... because if they re-run any SBS wizards with three running NICs in the box then everything will turn to smelly dog poo - and it will have been a big dog, straight after its very big dinner.

Yes - the easiest route is connecting the box directly to the internal network but this is an option that generally best fits when the connection between the remote and local site is a private one, not when the connection is via the Internet.

Can't say I have ever tried what you are suggesting, as when ISA is in the mix I always let ISA provide the VPN header function rather than an alternative device - the exception being Cisco PIX or ASA.
 
pwindell Commented:
"Should the VPN router be connected directly to the internal network via the internal switch?"

Simple answer,....YES.

"This seems like the easiest solution as the VPN tunnel is just extending my internal network but it also feels like I'm locking a door and opening a window."

No it is not opening a window,...in fact it is not closing or opening anything.   Any VPN product is going to be capable of acting as its own firewall,...if it can't then it isn't worth buying.

Normally with ISA/TMG you would put the VPN Device off the side of the ISA/TMG with a 3rd NIC so that you keep all the Routing "synchronous",...but if SBS won't handle the third NIC properly as Keith says (and I trust his judgment) then you have to bring the VPN Device into the LAN independently with its own LAN IP and its own External Public IP#.

You will end up jumping through hoops to keep the routing working. This most likely will amount to static routes on every Host.  The best thing is to handle it with an internal LAN Router but SBS Networks with the 75 User limit typically don't have one.

You can sometimes treat the VPN Device as the "central" LAN Router but that can get messy.  You would have to shift the VPN Device's Default Gateway to the SBS LAN IP rather than the External Public IP it currently uses for the Default Gateway,...however this will break the VPN Tunnel if you don't replace it with a Static Route that helps it be able to properly find the VPN Device on the opposite end of the Tunnel by using the original Public Path it was using.

On the ISA/TMG you have to add the LAN IP Ranges from the Remote Site to the Internal Network Definition.  Then you also have to create an accompanying Static Route on the SBS Box to tell it (and hence the ISA/TMG) to use the Local VPN Device as the Gateway to the Remote Site.

There are a couple other ways to do a VPN,..but in the context of what you are asking and how you are asking it,...that would be how I sum it up.
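
The routing behaviour described in the answer above, modelled as an added example (not part of the original post and not the poster's configuration). All addresses are constructed placeholders, and the model assumes LAN hosts use the SBS box as their default gateway; it compares no static routes, a static route on the SBS box only, and static routes on both the SBS box and the host.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
MAIN_LAN, REMOTE_LAN = "192.168.16.0/24", "192.168.20.0/24"
SBS, VPN, ISP = "192.168.16.2", "192.168.16.254", "203.0.113.1"
HOST, REMOTE_PC = "192.168.16.50", "192.168.20.10"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def tables(sbs_route=False, host_route=False):
    """Routing tables of a main-site LAN host, the SBS/ISA box and the VPN router."""
    t = {
        HOST: [("0.0.0.0/0", SBS), (MAIN_LAN, "on-link")],
        SBS:  [("0.0.0.0/0", ISP), (MAIN_LAN, "on-link")],
        VPN:  [("0.0.0.0/0", ISP), (MAIN_LAN, "on-link"), (REMOTE_LAN, "tunnel")],
    }
    if sbs_route:   # static route on the SBS box: remote LAN via the local VPN device
        t[SBS].append((REMOTE_LAN, VPN))
    if host_route:  # the same static route on the LAN host
        t[HOST].append((REMOTE_LAN, VPN))
    return t

def path(t, start, dst):
    """Devices a packet crosses until it is delivered or leaves the main site."""
    hops, node = [start], start
    while True:
        gw = next_hop(t[node], dst)
        if gw == "on-link":
            return hops + [dst]
        if gw not in t:          # "tunnel" or the ISP gateway: packet leaves the site
            return hops + [gw]
        hops.append(gw)
        node = gw

def check(sbs_route, host_route):
    """Return (outbound path, return path, reaches tunnel, both directions match)."""
    t = tables(sbs_route, host_route)
    out = path(t, HOST, REMOTE_PC)   # main-site host to remote-site PC
    back = path(t, VPN, HOST)        # reply arriving from the tunnel
    reaches = out[-1] == "tunnel"
    symmetric = reaches and (SBS in out) == (SBS in back)
    return out, back, reaches, symmetric
```

With only the SBS static route, outbound traffic crosses the SBS/ISA box while replies go from the VPN device straight to the host, so the firewall sees one direction of each connection; the host route makes both directions take the same path.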
 
Keith Alabaster Commented:
Just to clarify, the SBS server is fine with three NICs but you can no longer use the SBS wizards effectively - you would have to make all changes manually.
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I realize that this question is quite old, but thought that it was a good one which should have a good answer.

There is great documentation on how to create a site-to-site VPN with SBS 2003 with ISA:
http://msmvps.com/blogs/javier/archive/2004/12/08/23045.aspx

Jeff
TechSoEasy