Move RRAS from SBS 2003 to Windows 2008 R2

svillardi asked:
Hi Experts,

I am separating the major functions of an SBS 2003 server into a Win 2008 R2 server and an Exchange 2010 server.  I am looking for guidelines/best practices for moving RRAS used for VPN access.

I've created a new domain controller as a start.  Everything is sitting behind a Cisco 5510 router/firewall, with rules pointing to the old server.

Here are my questions:
Is it OK to move the VPN to the new DC or is that not recommended?  Should it be on another server instead?
Is there a simple way of moving the settings to a new server?  I saw some PowerShell stuff but it seemed easier to do it manually (according to YouTube... lol)
How can I test the new settings without changing the firewall rules to port forward to the new server?  I want to make sure everything is working properly and not impact the users?  Can I change the PPTP port on the new server and forward the PPTP request to the new server?  If so, how do I change the setting on the client port?
How would you suggest migrating the remote user settings to use the new server?  I can't use a DNS alias because Exchange traffic comes over the same host.

Thanks for the assistance.

S.....
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
For security reasons it is not recommended to run RRAS on the DC, because you expose it to the Internet that way. But you can do so, of course ;-).

I would transfer those few settings required for RRAS manually.

You cannot change the PPTP port, it is fixed. So you will have a hard time testing with a public IP. You do not have more than one public IP available? That would make it easy, as you can separate services that way.
If you cannot use different public IP addresses, you'll have to switch all users at once. Otherwise you can change the IP address on the client side one by one.
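The comment above says the few RRAS settings are best carried over by hand. The following is an added example (not code from the original thread or from either expert) of how to capture those settings with netsh on the old server and then on the new one so the two can be compared. It assumes PowerShell is installed on the SBS 2003 box (PowerShell 1.0 or 2.0 can be added to Server 2003; 2008 R2 ships with 2.0); the netsh lines themselves also run from a plain cmd prompt. `C:\rras-migration` is an assumed output directory. Pay particular attention to the authtype capture: if PAP or CHAP are enabled on the old server, do not carry them over, only MS-CHAP v2 or EAP should survive the move.

```powershell
# Added example: inventory RRAS settings with netsh, capture to files, diff old vs new.
# Run once on the old SBS 2003 server and once on the new 2008 R2 server.
$OutDir = "C:\rras-migration"          # assumed output directory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$tag = "$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmm)"

# Each entry is one netsh query; the Name becomes the capture file prefix.
$checks = @(
    @{ Name = "authtype";  Cmd = "netsh ras show authtype" },          # PAP/CHAP/MS-CHAPv2/EAP enabled?
    @{ Name = "authmode";  Cmd = "netsh ras show authmode" },          # STANDARD / NODCC / BYPASS
    @{ Name = "users";     Cmd = "netsh ras show user" },              # per-user dial-in permission
    @{ Name = "ipconfig";  Cmd = "netsh ras ip show config" },         # static pool vs DHCP, NetBT, routing
    @{ Name = "aaaa-auth"; Cmd = "netsh ras aaaa show authentication" }, # Windows vs RADIUS auth
    @{ Name = "aaaa-acct"; Cmd = "netsh ras aaaa show accounting" }
)

foreach ($c in $checks) {
    $file = Join-Path $OutDir "$($c.Name)-$tag.txt"
    cmd /c $c.Cmd 2>&1 | Out-File $file -Encoding ascii
}

# 'netsh ras dump' emits a full netsh script of the RAS context. Keep it as a
# reference for the manual rebuild; do not replay it blindly on the new server.
cmd /c "netsh ras dump" 2>&1 | Out-File (Join-Path $OutDir "ras-dump-$tag.txt") -Encoding ascii

# After both servers have been captured, copy the files to one place and
# compare them by tag (e.g. "SBS-20240101-0900" and "DC2-20240101-1000").
function Compare-RrasCapture {
    param([string]$OldTag, [string]$NewTag)
    foreach ($c in $checks) {
        $old = Get-Content (Join-Path $OutDir "$($c.Name)-$OldTag.txt")
        $new = Get-Content (Join-Path $OutDir "$($c.Name)-$NewTag.txt")
        $diff = Compare-Object $old $new
        if ($diff) {
            "== $($c.Name) differs (<= old, => new) =="
            $diff | Format-Table -AutoSize
        }
    }
}
```

Run the script on each server, copy the capture directory to the new server, then call `Compare-RrasCapture -OldTag <old> -NewTag <new>`; any line marked `<=` exists only on the old server and is a setting still to be recreated (or, for PAP/CHAP lines under authtype, deliberately left behind).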
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Two overarching comments.

1. Moving today to Server 2008 is already obsolete. Is there a reason why you cannot use Server 2012 R2?

2. VPN is BEST done with hardware VPN. Put in a Cisco or Juniper VPN box and divorce entirely from your servers. It just works better that way (in my experience with clients).

Author

Commented:
So, even for testing, I cannot change the port on the receiving server, create a new port forward setting for the request to point to the new server and then somehow set up a client to use that vpn.serveraddress.com:portnumber?

I can't do this without a way to test.  I only have one IP.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
How many users?  Put in a VPN box for your one IP first, move the users, and then upgrade the Server.

Author

Commented:
We aren't licensed for 2012 servers.

We are running a Cisco 5510 and I could set up Anyconnect, but getting this out to the users won't be easy.  At least I could test it easily...  But I don't know what licensing is there either.

This is a small business with non-technical users.  Trying to keep things as easy as possible for them.

Author

Commented:
60 users about.

Author

Commented:
But maybe a max of 10 at a time?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
I am not a big fan of server RRAS. I prefer hardware VPN and you can easily do it for 25 users at a time.

However, that is just the way my clients have been doing this for a long time.
Qlemo, "Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
Though everything stated above by John is correct, we have to live with the things we have at hand sometimes ... Juniper and Cisco (ASA) require the use of IPsec or SSL VPN clients. A big change here.

So let us stay with the original question. And that is you cannot use both RRAS servers at the same time from the Internet.

The only way I see you testing this is from inside your LAN. Connect to the new RRAS server with its internal IP. Check the IPs and routing table created at that time. The test machine might lose connection to the LAN, but that does not matter - just terminate the PPTP connection to restore access.
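The LAN-side test described above, as an added example that is not part of the original thread: it checks that TCP 1723 answers on the new server's internal address, brings up a temporary PPTP connection with rasdial, shows the routes and address the tunnel added, and then always tears the connection down so the test machine gets its LAN access back. It assumes a Windows 8 / Server 2012 or later test client (for `Add-VpnConnection`); `192.168.1.20` and `CONTOSO\vpntest` are placeholders for the new RRAS server's internal IP and a test account with dial-in permission.

```powershell
# Added example: test the new RRAS/PPTP server from inside the LAN before the
# ASA port forward is moved. Placeholders below are assumptions, not from the thread.
$NewRras = "192.168.1.20"     # assumed internal IP of the new 2008 R2 RRAS server
$User    = "CONTOSO\vpntest"  # assumed test account with dial-in permission
$Name    = "RRAS-test"        # temporary phonebook entry name

# PPTP control channel is TCP 1723 and cannot be moved; check it answers.
# Note: a successful connect here does not prove GRE (IP protocol 47) works;
# only a completed rasdial does that.
function Test-Tcp1723 {
    param([string]$Server)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($Server, 1723); return $tcp.Connected }
    catch { return $false }
    finally { $tcp.Close() }
}

if (-not (Test-Tcp1723 $NewRras)) { throw "TCP 1723 not reachable on $NewRras" }

# Temporary PPTP entry: MS-CHAP v2 only, encryption required (rejects PAP/CHAP).
# Default gateway stays on the tunnel, as for a normal user, so LAN access may drop.
Add-VpnConnection -Name $Name -ServerAddress $NewRras -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

$before = route print -4

# '*' makes rasdial prompt for the password instead of taking it on the command line.
rasdial $Name $User *
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

try {
    # Address handed out by the RRAS pool / DHCP relay
    Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object IPAddress, PrefixLength

    # Routes that appeared while the tunnel was up (typically the new default route)
    "== routes added by the PPTP connection =="
    Compare-Object $before (route print -4) |
        Where-Object { $_.SideIndicator -eq "=>" } |
        ForEach-Object { $_.InputObject }
}
finally {
    # Always hang up and remove the entry so the test machine regains LAN access.
    rasdial $Name /disconnect | Out-Null
    Remove-VpnConnection -Name $Name -Force
}
```

Run it from an elevated PowerShell on a LAN workstation. If rasdial fails with error 691 the account or authentication type on the new server is wrong; a hang after authentication with no address assigned usually means the IP pool or DHCP relay on the new server is not configured yet.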
I'd use the Cisco as your gateway and leave RRAS off an SBS 2011 server, leave the DNS on the SBS, and just skip the extra load and complication.  Basically what John said.
Your ASA should already have the port exceptions for the old server.

Author

Commented:
DNS and DHCP have already been moved to the new DC.
You should be able to just change the scope option for the gateway in the DHCP server to the ASA and be up and running. You'll have to tweak the port exceptions, and the VPN stuff, but they should be pretty minor changes.
