Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

VPN configuration with two WAN IPs

Posted on 2014-10-06
6
Medium Priority
?
264 Views
Last Modified: 2014-10-17
Need suggestions on how to set this up. We have two ISPs, each with static IPs. I have a Sonicwall TZ 210 doing failover utilizing the faster ISP as primary and slower ISP only when the primary ISP stops responding to probe attempts.

I'm planning on forwarding port 1723 to the Server 2008 box for VPN access which will authenticate through AD. We want to make the VPN work over a host name so if one ISP is down, it will go to the second static IP and connect. How should I set up the DNS for the domain (a or cname records, or go with dyn dns, or something else?).

How can I configure the Sonicwall to pass VPN connections through both internet sources -- run the public server twice, once for each WAN interface? Then I'll have to configure Routing and Remote Access to accept connections, which shouldn't be an issue unless it is also looking at the IPs.
0
Comment
Question by:dannymyung
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 27

Accepted Solution

by:
Steve earned 668 total points
ID: 40365720
dynamic VPNs can be tricky as some routers cant handle it. If yours can you may need to consider DNS failover, which updates the DNS record automatically in the event of a failure.

best to set the router to handle the VPN if possible, as routing to the server may be unstable in a failover setup.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40366056
If it meets requirements, creating VPN. And vpn2. Is the only simple way to do this. If setup two connections for your users.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 668 total points
ID: 40366377
Why are you trying to setup a PPTP VPN? This isn't the year 2000 anymore, and there are better alternatives.

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.
Thanks
Big thanks are due to Marsh Ray, for advocating and collaborating on this work.
— Moxie Marlinspike, Jul 29, 2012
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:dannymyung
ID: 40367121
Sounds like setting up the VPN to be hosted by the firewall would be best, although, I'm still unsure how to configure that.

Kevin: I appreciate your input.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40367133
I agree that using the VPN functionality of the firewall is best.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 664 total points
ID: 40367146
if you run a radius server (windows calls it NPS http://technet.microsoft.com/en-us/library/dd365355%28v=ws.10%29.aspx), you can connect the sonicwall to that, as well as ldap for group membership (ldap is on by default with AD, better to enable ldaps http://www.cosonok.com/2014/04/enabling-ldap-over-ssl-with-windows.html), and use the vpn on the sonicwall using AD credentials and a VPN AD group.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question