Solved
VPN configuration with two WAN IPs

Posted on 2014-10-06
Last Modified: 2014-10-17
Need suggestions on how to set this up. We have two ISPs, each with static IPs. I have a Sonicwall TZ 210 doing failover utilizing the faster ISP as primary and slower ISP only when the primary ISP stops responding to probe attempts.

I'm planning on forwarding port 1723 to the Server 2008 box for VPN access, which will authenticate through AD. We want to make the VPN work over a host name so if one ISP is down, it will go to the second static IP and connect. How should I set up the DNS for the domain (A or CNAME records, or go with DynDNS, or something else?).

How can I configure the Sonicwall to pass VPN connections through both internet sources -- run the public server twice, once for each WAN interface? Then I'll have to configure Routing and Remote Access to accept connections, which shouldn't be an issue unless it is also looking at the IPs.
Question by:dannymyung
6 Comments
 
LVL 27

Accepted Solution

by: Steve earned 668 total points
ID: 40365720
Dynamic VPNs can be tricky, as some routers can't handle it. If yours can, you may need to consider DNS failover, which updates the DNS record automatically in the event of a failure.

Best to set the router to handle the VPN if possible, as routing to the server may be unstable in a failover setup.
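The "DNS failover" Steve describes is a monitor that probes each WAN address and republishes the host's A record when the primary stops answering. The following is an added example, not code from the thread or from any DNS or SonicWall product: it implements that decision logic with a consecutive-failure threshold so a single lost probe does not flap the record, and it renders the record a failover service would publish. The addresses, host name, TTL and port are constructed sample values; `publish_record` stands in for whatever API the real DNS provider exposes.

```python
"""DNS-failover decision logic for a VPN endpoint with two static WAN IPs.

Added example (not from the original thread). Assumes two ISP addresses and a
VPN service listening on one TCP port; the sample values below are constructed.
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample values: RFC 5737 documentation addresses, primary first.
WAN_IPS = ["192.0.2.10", "198.51.100.20"]
VPN_PORT = 1723                 # the PPTP port mentioned in the question
HOSTNAME = "vpn.example.com"    # hypothetical host name clients connect to
TTL = 60                        # low TTL so clients pick up a switch quickly


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to ip:port completes within `timeout`."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class FailoverMonitor:
    ips: List[str]                       # priority order: primary, then secondary
    probe: Callable[[str, int], bool]    # injectable so the logic can be tested offline
    port: int = VPN_PORT
    fail_threshold: int = 3              # consecutive misses before an IP is demoted
    failures: Dict[str, int] = field(default_factory=dict)
    active: Optional[str] = None

    def tick(self) -> Optional[str]:
        """Run one probe round; return the IP that belongs in the A record (None if all down)."""
        for ip in self.ips:
            if self.probe(ip, self.port):
                self.failures[ip] = 0
            else:
                self.failures[ip] = self.failures.get(ip, 0) + 1
        # Choose the first IP in priority order that is below the failure threshold.
        # A single missed probe does not demote the primary, which avoids flapping
        # the public record on transient packet loss.
        for ip in self.ips:
            if self.failures.get(ip, 0) < self.fail_threshold:
                self.active = ip
                return ip
        self.active = None
        return None


def zone_record(hostname: str, ip: str, ttl: int = TTL) -> str:
    """Render the A record a failover service would publish (BIND zone syntax)."""
    return f"{hostname}. {ttl} IN A {ip}"


def publish_record(record: str) -> None:
    """Placeholder for the DNS provider's update API; here it only prints."""
    print("would publish:", record)


if __name__ == "__main__":
    monitor = FailoverMonitor(WAN_IPS, probe=tcp_probe)
    chosen = monitor.tick()
    if chosen is None:
        print("no WAN address is reachable; leaving the record unchanged")
    else:
        publish_record(zone_record(HOSTNAME, chosen))
```

The record is an A record rather than a CNAME because the host name has to swap between two literal addresses; keep the TTL short, since clients that cached the primary address will not retry the secondary until it expires. Note the caveat in the answer above still holds: this only moves the name, the firewall must actually accept the VPN on both WAN interfaces for the switch to help.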
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40366056
If it meets requirements, creating VPN and VPN2 is the only simple way to do this, i.e. set up two connections for your users.
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 668 total points
ID: 40366377
Why are you trying to setup a PPTP VPN? This isn't the year 2000 anymore, and there are better alternatives.

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.
Thanks
Big thanks are due to Marsh Ray, for advocating and collaborating on this work.
— Moxie Marlinspike, Jul 29, 2012
 

Author Comment

by:dannymyung
ID: 40367121
Sounds like setting up the VPN to be hosted by the firewall would be best, although, I'm still unsure how to configure that.

Kevin: I appreciate your input.
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40367133
I agree that using the VPN functionality of the firewall is best.
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 664 total points
ID: 40367146
If you run a RADIUS server (Windows calls it NPS: http://technet.microsoft.com/en-us/library/dd365355%28v=ws.10%29.aspx), you can connect the SonicWall to that, as well as LDAP for group membership (LDAP is on by default with AD; better to enable LDAPS: http://www.cosonok.com/2014/04/enabling-ldap-over-ssl-with-windows.html), and use the VPN on the SonicWall using AD credentials and a VPN AD group.
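When the firewall is pointed at NPS as Aaron suggests, every VPN login becomes a RADIUS Access-Request from the firewall to the server. The block below is an added example, not code from the thread, SonicWall or Microsoft: a minimal RFC 2865 / RFC 2869 encoder that shows what is on the wire between the two, namely that the shared secret never leaves either box, that the User-Password attribute is hidden with an MD5 keystream keyed by that secret, and that the Message-Authenticator attribute lets NPS reject a request that was forged or altered in transit. The user name, password, secret and NAS values are constructed sample data.

```python
"""Minimal RADIUS Access-Request builder and checker (RFC 2865 s5.2, RFC 2869 s5.14).

Added example, not from the thread or any vendor. All credentials and
addresses below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct
from typing import Iterator, Optional, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password as the NAS does: XOR 16-byte chunks with a chained MD5 keystream."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk          # next keystream block is keyed by the previous ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server computes."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, nas_id: str, authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request with a Message-Authenticator over the whole packet."""
    if authenticator is None:
        authenticator = os.urandom(16)        # Request Authenticator: 16 random bytes
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode())
        + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zeroed while computing the HMAC
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac     # the placeholder is the last attribute, so swap its value in


def parse_attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) for each TLV after the 20-byte header."""
    off = 20
    while off < len(packet):
        t, length = struct.unpack("!BB", packet[off:off + 2])
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed attribute")
        yield off, t, packet[off + 2:off + length]
        off += length


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 with the attribute zeroed; False if absent or wrong."""
    for off, t, value in parse_attributes(packet):
        if t == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(7, "alice", "Passw0rd!", secret, "192.0.2.1", "firewall-01")
    print(len(pkt), "bytes; Message-Authenticator valid:", verify_message_authenticator(pkt, secret))
```

The hiding scheme is keyed by the shared secret, which is why the secret must be long and random and the RADIUS path between the firewall and NPS kept on a trusted segment; the same secret is what `verify_message_authenticator` relies on to tell a genuine firewall request from a spoofed one.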
