Solved

VPN configuration with two WAN IPs

Posted on 2014-10-06
6
240 Views
Last Modified: 2014-10-17
Need suggestions on how to set this up. We have two ISPs, each with static IPs. I have a Sonicwall TZ 210 doing failover utilizing the faster ISP as primary and slower ISP only when the primary ISP stops responding to probe attempts.

I'm planning on forwarding port 1723 to the Server 2008 box for VPN access which will authenticate through AD. We want to make the VPN work over a host name so if one ISP is down, it will go to the second static IP and connect. How should I set up the DNS for the domain (a or cname records, or go with dyn dns, or something else?).

How can I configure the Sonicwall to pass VPN connections through both internet sources -- run the public server twice, once for each WAN interface? Then I'll have to configure Routing and Remote Access to accept connections, which shouldn't be an issue unless it is also looking at the IPs.
0
Comment
Question by:dannymyung
6 Comments
 
LVL 27

Accepted Solution

by:
Steve earned 167 total points
ID: 40365720
dynamic VPNs can be tricky as some routers cant handle it. If yours can you may need to consider DNS failover, which updates the DNS record automatically in the event of a failure.

best to set the router to handle the VPN if possible, as routing to the server may be unstable in a failover setup.
0
 
LVL 39

Expert Comment

by:Aaron Tomosky
ID: 40366056
If it meets requirements, creating VPN. And vpn2. Is the only simple way to do this. If setup two connections for your users.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 167 total points
ID: 40366377
Why are you trying to setup a PPTP VPN? This isn't the year 2000 anymore, and there are better alternatives.

https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

In many cases, larger enterprises have opted to use IPSEC-PSK over PPTP. While PPTP is now clearly broken, IPSEC-PSK is arguably worse than PPTP ever was for a dictionary-based attack vector. PPTP at least requires an attacker to obtain an active network capture in order to employ an offline dictionary attack, while IPSEC-PSK VPNs in aggressive mode will actually hand out hashes to any connecting attacker.

In terms of currently available solutions, deploying something securely requires some type of certificate validation. This leaves either an OpenVPN configuration, or IPSEC in certificate rather than PSK mode.
Thanks
Big thanks are due to Marsh Ray, for advocating and collaborating on this work.
— Moxie Marlinspike, Jul 29, 2012
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Comment

by:dannymyung
ID: 40367121
Sounds like setting up the VPN to be hosted by the firewall would be best, although, I'm still unsure how to configure that.

Kevin: I appreciate your input.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 40367133
I agree that using the VPN functionality of the firewall is best.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 166 total points
ID: 40367146
if you run a radius server (windows calls it NPS http://technet.microsoft.com/en-us/library/dd365355%28v=ws.10%29.aspx), you can connect the sonicwall to that, as well as ldap for group membership (ldap is on by default with AD, better to enable ldaps http://www.cosonok.com/2014/04/enabling-ldap-over-ssl-with-windows.html), and use the vpn on the sonicwall using AD credentials and a VPN AD group.
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question