VPN configuration with two WAN IPs

Need suggestions on how to set this up. We have two ISPs, each with static IPs. I have a Sonicwall TZ 210 doing failover utilizing the faster ISP as primary and slower ISP only when the primary ISP stops responding to probe attempts.

I'm planning on forwarding port 1723 to the Server 2008 box for VPN access which will authenticate through AD. We want to make the VPN work over a host name so if one ISP is down, it will go to the second static IP and connect. How should I set up the DNS for the domain (a or cname records, or go with dyn dns, or something else?).

How can I configure the Sonicwall to pass VPN connections through both internet sources -- run the public server twice, once for each WAN interface? Then I'll have to configure Routing and Remote Access to accept connections, which shouldn't be an issue unless it is also looking at the IPs.
Who is Participating?
SteveConnect With a Mentor Commented:
dynamic VPNs can be tricky as some routers cant handle it. If yours can you may need to consider DNS failover, which updates the DNS record automatically in the event of a failure.

best to set the router to handle the VPN if possible, as routing to the server may be unstable in a failover setup.
Aaron TomoskyTechnology ConsultantCommented:
If it meets requirements, creating VPN. And vpn2. Is the only simple way to do this. If setup two connections for your users.
kevinhsiehConnect With a Mentor Commented:
Why are you trying to setup a PPTP VPN? This isn't the year 2000 anymore, and there are better alternatives.


1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.
Big thanks are due to Marsh Ray, for advocating and collaborating on this work.
— Moxie Marlinspike, Jul 29, 2012
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

dannymyungAuthor Commented:
Sounds like setting up the VPN to be hosted by the firewall would be best, although, I'm still unsure how to configure that.

Kevin: I appreciate your input.
I agree that using the VPN functionality of the firewall is best.
Aaron TomoskyConnect With a Mentor Technology ConsultantCommented:
if you run a radius server (windows calls it NPS http://technet.microsoft.com/en-us/library/dd365355%28v=ws.10%29.aspx), you can connect the sonicwall to that, as well as ldap for group membership (ldap is on by default with AD, better to enable ldaps http://www.cosonok.com/2014/04/enabling-ldap-over-ssl-with-windows.html), and use the vpn on the sonicwall using AD credentials and a VPN AD group.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.