Solved

VPN configuration with two WAN IPs

Posted on 2014-10-06
6
235 Views
Last Modified: 2014-10-17
Need suggestions on how to set this up. We have two ISPs, each with static IPs. I have a Sonicwall TZ 210 doing failover utilizing the faster ISP as primary and slower ISP only when the primary ISP stops responding to probe attempts.

I'm planning on forwarding port 1723 to the Server 2008 box for VPN access which will authenticate through AD. We want to make the VPN work over a host name so if one ISP is down, it will go to the second static IP and connect. How should I set up the DNS for the domain (a or cname records, or go with dyn dns, or something else?).

How can I configure the Sonicwall to pass VPN connections through both internet sources -- run the public server twice, once for each WAN interface? Then I'll have to configure Routing and Remote Access to accept connections, which shouldn't be an issue unless it is also looking at the IPs.
0
Comment
Question by:dannymyung
6 Comments
 
LVL 27

Accepted Solution

by:
Steve earned 167 total points
ID: 40365720
dynamic VPNs can be tricky as some routers cant handle it. If yours can you may need to consider DNS failover, which updates the DNS record automatically in the event of a failure.

best to set the router to handle the VPN if possible, as routing to the server may be unstable in a failover setup.
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 40366056
If it meets requirements, creating VPN. And vpn2. Is the only simple way to do this. If setup two connections for your users.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 167 total points
ID: 40366377
Why are you trying to setup a PPTP VPN? This isn't the year 2000 anymore, and there are better alternatives.

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.
Thanks
Big thanks are due to Marsh Ray, for advocating and collaborating on this work.
— Moxie Marlinspike, Jul 29, 2012
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 

Author Comment

by:dannymyung
ID: 40367121
Sounds like setting up the VPN to be hosted by the firewall would be best, although, I'm still unsure how to configure that.

Kevin: I appreciate your input.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40367133
I agree that using the VPN functionality of the firewall is best.
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 166 total points
ID: 40367146
if you run a radius server (windows calls it NPS http://technet.microsoft.com/en-us/library/dd365355%28v=ws.10%29.aspx), you can connect the sonicwall to that, as well as ldap for group membership (ldap is on by default with AD, better to enable ldaps http://www.cosonok.com/2014/04/enabling-ldap-over-ssl-with-windows.html), and use the vpn on the sonicwall using AD credentials and a VPN AD group.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Routing between two networks? 10 50
set up ftp on aws server 2012 2 43
Need to disable SSL Cipher 7 50
Cannot see all of hard drive on HP Server 7 39
Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now