Setting up a server based VPN connection

Hi, I am looking to set up a VPN connection to one of our servers, never done it before. What suggestions might you have? Any good articles I can read? I found stuff on configuring the client, but not the server, HELP!!!
 
In Windows Server 2003 there are options for remote access (VPN, for example) under RRAS, which stands for Routing and Remote Access Server. Install, enable, and configure via wizards and you should be good. It's similar to configuring the Windows VPN client, except you're choosing server settings. Make sure you have a certificate authority, either your own, or a third party like VeriSign, so you can issue certs to clients to make the connection a little more secure. Obviously your network has to be configured for such things, s

Other than that, I'd highly suggest picking up a VPN hardware interface. Much more secure, easy to configure (relatively speaking), and they work very well. Cisco VPN hardware, at least the older stuff, is dirt cheap. I STILL use a PIX501 for a couple VPN connections to my building and it hasn't failed me yet.

Recommendation: buy a PIX 501 VPN firewall. Cost: ranges from $100 to $300 (I wouldn't pay any more than $300 for such a dated piece of hardware).


http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/vpnconn.mspx

Check that for some info on RRAS and site-to-site VPNs. Not entirely the answer to your question, but it should point you in the right direction.
 
Thank you very much, I will take a look at that whenever I have some free time today. I am still waiting to get the password for our firewall to play around with some settings, I know it has a VPN tab on there. I tried configuring RRAS a couple of days back, but I got interrupted, and did not read through it. What sort of information do I need in order to get VPN configured? I need a public IP address, right? Besides configuring the server, I know I have to forward some ports in the firewall, and you suggest getting a VPN card, anything besides that?
 
Not a VPN card, but a dedicated piece of hardware to manage your VPN tunnels. Instead of using a software based VPN solution, these devices are designed to work primarily as VPN servers. While software solutions do work, the hardware options are more reliable and more secure.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html

As for information you'll need to know:

1.) Your external IP address
2.) The method of authentication, be it through certificates (RSA), or pre-share key exchange
3.) The range of IP addresses they will be given when they connect to the server

Basically for number 1 you just need to know what info they'll be entering into the Destination section of the VPN client. For number 2, you need to know how they're going to be authenticating with the VPN server. This is usually through login/pass combos, but before that even occurs, they have to establish the secure tunnel. This is done by either deciding on a key that you share with all your users beforehand, or it can be generated on the fly by way of a certificate or some other authentication medium that is loaded on the clients' machines. I prefer pre-share because it's a lot easier and your clients can connect from any machine in the world, not just the single machine that has the certificate installed on it. For number 3, you just need to make sure that the VPN tunnel is going to give them an IP address that is on the same subnet as the machines on your internal network. There is little point in joining them (virtually) to your network through the VPN if they are unable to see anything on the network.

Basically the RRAS wizard will guide you through most of the setup. Just remember to write down all the important info, like your encryption protocols, timeout settings, etc, etc.
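
Item 3 above (the address range handed to VPN clients) can be checked before it is entered in the wizard. The following is an added example, not part of the original thread: it confirms that a static pool sits inside the internal subnet, and goes one step further than the post by also flagging overlap with a DHCP scope or reserved hosts. All addresses and the function name `check_vpn_pool` are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

def check_vpn_pool(lan_cidr, pool_start, pool_end,
                   dhcp_start=None, dhcp_end=None, reserved=()):
    """Return a list of problems found with a static VPN client address pool."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        return ["pool start is above pool end"]
    problems = []
    # Clients must land on the internal subnet to reach internal machines.
    if start not in lan or end not in lan:
        problems.append(f"pool is not fully inside {lan}")
    # The network and broadcast addresses cannot be handed to a client.
    if start <= lan.network_address <= end or start <= lan.broadcast_address <= end:
        problems.append("pool includes the network or broadcast address")
    # Assumption beyond the post: a LAN DHCP scope that must not hand out
    # the same addresses as the VPN pool.
    if dhcp_start and dhcp_end:
        d0 = ipaddress.ip_address(dhcp_start)
        d1 = ipaddress.ip_address(dhcp_end)
        if start <= d1 and d0 <= end:
            problems.append("pool overlaps the DHCP scope")
    # Statically assigned hosts (gateway, servers) must stay out of the pool.
    for host in reserved:
        if start <= ipaddress.ip_address(host) <= end:
            problems.append(f"pool contains reserved address {host}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    issues = check_vpn_pool("192.168.1.0/24", "192.168.1.150", "192.168.1.210",
                            dhcp_start="192.168.1.100", dhcp_end="192.168.1.199",
                            reserved=["192.168.1.1"])
    print(issues or "pool looks consistent")
```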
 
Alright, I will recreate and go via wizard, I don't remember it having too many steps though. As far as pre-shared keys go, do I have to set up anything via my DHCP server? I have added the server machine in AD Users and Computers to the RRAS security group, I am assuming that all of the settings in that group are default.
 