Configuring a Windows 2003 VPN server

Hi,
Just started the process of setting up a VPN server on one of our Windows 2003 servers and had a question regarding the setup of the 2 NIC cards on the server.  I know that one of the cards is supposed to be set to handle the internal network and the other one is for dedicated access to the internet.  This server is currently accessible on the internet and we use remote desktop to log into it by having the IP address forwarded through our NetScreen 5GT router connected to a T1 line.  Do I have to port forward another route to this same server to allow VPN connections, or is that something that I do on the NIC card of the server itself since it is already accessible on the internet?  I'm concerned that if I change the settings of the NIC card on the server, then users might not be able to access it anymore via remote desktop.  My other thought is, since we have the NetScreen which has VPN capabilities, could we just configure it instead of setting up a VPN server using one of the internal servers?  Thanks.
dankyle67 Asked:

Sanga Collins (Systems Admin) Commented:
The changes need to be made on the NS5GT. If the server is sitting behind a firewall then it probably has a NAT public IP that allows you to RDP from the outside WAN. Log into this device and, on the policy that allows traffic to the server, add the ports for Windows Server VPN. You should not have to change anything on the primary or secondary network card of the server.
0
dankyle67 (Author) Commented:
I just completed the install of the VPN server role on the 2003 server, but I guess you are correct in that I have to map the IP of the internal server address now on the NetScreen.  This was pretty straightforward when I set up a policy in the past to enable remote desktop to pass through the NetScreen using port 3389.  Would you know how I can do this for the VPN traffic on the NetScreen?  Thanks.
0
Sanga Collins (Systems Admin) Commented:
You can actually modify the existing policy for remote desktop on the NetScreen and add the ports for Windows Server VPN.

Do you know if you are using a VIP or a MIP to NAT the public IP to the Windows server?
0
dankyle67 (Author) Commented:
I am using MIP.  I actually was able to log into the VPN server and, aside from the speed, it looks like it's working.  What I did was run the new policy wizard on the NetScreen, specify the VPN policy to map to the internal IP address of the VPN server, and use port 1723.  My question is: since I am using the 2nd NIC card on the server as the one configured to use the VPN, and it's only a 100mb card versus the 1st NIC card which is running at gigabit speed, what do you suggest as far as getting it to run faster using the gigabit adapter?  The problem is that you need one card for the internal LAN and one card for the public IP address.
0
Sanga Collins (Systems Admin) Commented:
Well, since internet speeds are not normally over 30mb, it will not matter. The gigabit NIC is only useful if you have gigabit switches and maybe fiber optic or MetroE; other than that, switching the NIC cards around will not result in a noticeable improvement in VPN speed.

PS: in Windows Server with 2 NICs, try as much as possible not to change the configuration. It just leads to pain and suffering, since even Active Directory will start behaving badly.
0

dankyle67 (Author) Commented:
Ok, sounds good, and thanks for all the help.  Last question: since all I did on the NetScreen was forward the IP address to the local server IP, where is the tunneling aspect of the VPN, or rather the security, being handled?  Is it all on the internal VPN server?
0
Sanga Collins (Systems Admin) Commented:
Yes, that takes place on the internal VPN server. What you did on the NetScreen is basically allow VPN users to connect to the VPN endpoint (the server). It is possible to do a VPN directly to the NetScreen, but it is not as easy to manage users and allow multiple connections. For these features, VPN hardware such as SonicWall SSL VPN or VPN software such as the Windows Server VPN role will work best.
0
dankyle67 (Author) Commented:
Yeah, I saw the documentation for NetScreen and it's lots of work.  I heard SonicWall was good, as you mentioned, but for now I think this setup using Windows VPN will be fine.  Thanks again.
0
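
A way to confirm that the port 1723 forward described in this thread reaches the Windows VPN server instead of stopping at the NetScreen, added here as an example and not code from any poster: it sends the PPTP Start-Control-Connection-Request (RFC 2637) and parses the reply. The function names, the sample reply and the 203.0.113.10 address are constructed for illustration.

```python
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie defined in RFC 2637
SCCRQ, SCCRP = 1, 2            # Start-Control-Connection Request / Reply
FMT = ">HHIHHHBBIIHH64s64s"    # 156-byte layout shared by both messages


def build_sccrq(hostname=b"fwd-check"):
    """Build the first message a PPTP client sends on TCP 1723."""
    return struct.pack(FMT, 156, 1, PPTP_MAGIC, SCCRQ, 0, 0x0100,
                       0, 0, 1, 1, 0, 0, hostname, b"")


def parse_sccrp(data):
    """Parse the server's reply; raise ValueError if it is not PPTP."""
    if len(data) < 156:
        raise ValueError("reply shorter than a 156-byte SCCRP")
    (_len, msg_type, magic, ctrl, _r0, version, result, error, _framing,
     _bearer, _chans, _fw, host, vendor) = struct.unpack(FMT, data[:156])
    if magic != PPTP_MAGIC or msg_type != 1 or ctrl != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {"version": f"{version >> 8}.{version & 0xFF}",
            "established": result == 1,      # result code 1 = success
            "error": error, "hostname": text(host), "vendor": text(vendor)}


def check_forward(public_ip, port=1723, timeout=5.0):
    """Send an SCCRQ to the forwarded address and parse what answers."""
    with socket.create_connection((public_ip, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply (not captured from a real server), so the
# parser can be exercised offline.
SAMPLE_REPLY = struct.pack(FMT, 156, 1, PPTP_MAGIC, SCCRP, 0, 0x0100, 1, 0,
                           1, 1, 0, 0, b"vpn01.example", b"Constructed Vendor")

if __name__ == "__main__":
    print(parse_sccrp(SAMPLE_REPLY))
    # check_forward("203.0.113.10")  # placeholder: use your own MIP address
```

A successful reply proves only the TCP 1723 control channel; PPTP carries the tunnel data in GRE (IP protocol 47), which the firewall policy must also pass.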