Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Move RRAS from SBS 2003 to Windows 2008 R2
Hi Experts,
I am separating the major functions of an SBS 2003 server into a Win 2008 R2 server and an Exchange 2010 server. I am looking for guidelines/best practices for moving RRAS used for VPN access.
I've created a new domain controller as a start. Everything is sitting behind a Cisco 5510 router/firewall, with rules pointing to the old server.
Here are my questions:
Is it OK to move the VPN to the new DC or is that not recommended? Should it be on another server instead?
Is there a simple way of moving the settings to a new server? I saw some powershell stuff but it seemed easier to do it manually (according to youtube...lol)
How can I test the new settings without changing the firewall rules to port forward to the new server? I want to make sure everything is working properly and not impact the users? Can I change the PPTP port on the new server and forward the PPTP request to the new server? If so, how do I change the setting on the client port?
How would you suggest migrating the remote user settings to use the new server? I can't use a DNS alias because Exchange traffic comes over the same host.
Thanks for the assistance.
S.....
I am separating the major functions of an SBS 2003 server into a Win 2008 R2 server and an Exchange 2010 server. I am looking for guidelines/best practices for moving RRAS used for VPN access.
I've created a new domain controller as a start. Everything is sitting behind a Cisco 5510 router/firewall, with rules pointing to the old server.
Here are my questions:
Is it OK to move the VPN to the new DC or is that not recommended? Should it be on another server instead?
Is there a simple way of moving the settings to a new server? I saw some powershell stuff but it seemed easier to do it manually (according to youtube...lol)
How can I test the new settings without changing the firewall rules to port forward to the new server? I want to make sure everything is working properly and not impact the users? Can I change the PPTP port on the new server and forward the PPTP request to the new server? If so, how do I change the setting on the client port?
How would you suggest migrating the remote user settings to use the new server? I can't use a DNS alias because Exchange traffic comes over the same host.
Thanks for the assistance.
S.....
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
For security reasons it is not recommended to run RRAS on the DC, because you expose it to the Internet that way. But you can do so, of course ;-).
I would transfer those few settings required for RRAS manually.
You cannot change the PPTP port, it is fixed.So you will have a hard time testing with public IP. You do not have more than one public IP available? That would it make easy, as you can separate services that way.
If you cannot use different public IP addresses, you'll have to switch all users at once. Otherwise you can change the IP address on the client side one by one.
I would transfer those few settings required for RRAS manually.
You cannot change the PPTP port, it is fixed.So you will have a hard time testing with public IP. You do not have more than one public IP available? That would it make easy, as you can separate services that way.
If you cannot use different public IP addresses, you'll have to switch all users at once. Otherwise you can change the IP address on the client side one by one.
Two overarching comments.
1. Moving today to Server 2008 is already obsolete. Is there a reason why you cannot use Server 2012 R2?
2. VPN is BEST done with hardware VPN. Put in a Cisco or Juniper VPN box and divorce entirely from your servers. It just works better that way (in my experience with clients).
1. Moving today to Server 2008 is already obsolete. Is there a reason why you cannot use Server 2012 R2?
2. VPN is BEST done with hardware VPN. Put in a Cisco or Juniper VPN box and divorce entirely from your servers. It just works better that way (in my experience with clients).
So, even for testing, I cannot change the port on the receiving server, create a new port forward setting for the request to point to the new server and then somehow set up a client to use that vpn.serveraddress.com:port
I can't do this without a way to test. I only have one IP.
I can't do this without a way to test. I only have one IP.
How many users? Put in a VPN box for your one IP first, move the users, and then upgrade the Server.
We aren't licensed for 2012 servers.
We are running a Cisco 5510 and I could set up Anyconnect, but getting this out to the users won't be easy. At least I could test it easily... But I don't know what licensing is there either.
This is a small business with non-technical users. Trying to keep things as easy as possible for them.
We are running a Cisco 5510 and I could set up Anyconnect, but getting this out to the users won't be easy. At least I could test it easily... But I don't know what licensing is there either.
This is a small business with non-technical users. Trying to keep things as easy as possible for them.
I am not a big fan of server RRAS. I prefer hardware VPN and you can easily do it for 25 users at a time.
However, that is just the way my clients have been doing this for a long time.
However, that is just the way my clients have been doing this for a long time.
Though everything stated above by John is correct, we have to live with things we have at hand sometimes ... Juniper and Cisco (ASA) require to use IPSec or SSL VPN clients. A big change here.
So let us stay with the original question. And that is you cannot use both RRAS servers at the same time from the Internet.
The only way I see you testing this is from inside your LAN. Connect to the new RRAS server with its internal IP. Check the IPs and routing table created at that time. The test machine might loose connection to the LAN, but that does not matter - just terminate the PPTP connection to restore access.
So let us stay with the original question. And that is you cannot use both RRAS servers at the same time from the Internet.
The only way I see you testing this is from inside your LAN. Connect to the new RRAS server with its internal IP. Check the IPs and routing table created at that time. The test machine might loose connection to the LAN, but that does not matter - just terminate the PPTP connection to restore access.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial