Should remote clients connect to the VPN on the firewall or be passed to the server?

JediFonger

VPN can be served from the firewall/router or a server itself. coupla questions:

1. should VPN connections end at the firewall/router? if so, after connecting to the firewall/router, how would the remote client access domain resources (like windows 2003)? after all, firewall/router VPN connection != server domain connection. does the remote client need a separate logon? what if the remote client can't see ANY domain resources nor ping any of the network resources even though firewall policies have enabled internal network access from VPN connections?

2. should VPN connections be passed through the firewall via opening port 1723 and GRE 47 for somn like w2k3 to serve VPN itself because it can authenticate win-logon and therefore access the network? wouldn't this be a security risk of sorts? when w2k3 is setting up remote access for ONE nic connection, all domain resources get disabled. anyone experience this? is RAS made for TWO nics instead of one?

3. which method is better? pro/cons of both?
 
I prefer to terminate vpn connections at the edge. Further, I like to feed my dns info through the edge of my networks. So when you connect, you can access that dns server, which has the records for my AD domain.

Once that's done, as long as the connecting machine is a member of the domain, you should be able to log in.

( I won't ask about resources and bandwidth, as I figure you already have that taken into account. But I will say remote desktop is a wonderful thing )
 
The one problem with passing the VPN tunnel through the firewall and terminating it on the server would be if anyone decided to do anything malicious, all their traffic would be encrypted and therefore you would have no firewall logs of the activity.

If this is a business, I would definitely terminate the VPNs on the firewall for the logging alone as well as being able to easily specify what users have access to.
 
I prefer doing the VPN with a hardware appliance...

One less service your servers have to run...free them up for doing other server duties on your network. Plus keeps them from exposing a service through your firewall. VPN appliances tend to (if you shop and get good ones) do the job better, perform better.
 
Impulse25 said:
The one problem with passing the VPN tunnel through the firewall and terminating it on the server would be if anyone decided to do anything malicious, all their traffic would be encrypted and therefore you would have no firewall logs of the activity.

If this is a business, I would definitely terminate the VPNs on the firewall for the logging alone as well as being able to easily specify what users have access to.

agreed. it's not always about someone doing something malicious, they could unknowingly do something like shut the machine down instead of logging off or even pass a virus on without knowing.

YeOldeStonecat said:
I prefer doing the VPN with a hardware appliance...

One less service your servers have to run...free them up for doing other server duties on your network. Plus keeps them from exposing a service through your firewall. VPN appliances tend to (if you shop and get good ones) do the job better, perform better.

agreed. the vpn appliances are very nice because they not only keep their own logs, you can restrict access to everything in and out of the box. i.e. only allow remote desktop to that 2k3 box. i've also seen ways to stop remote desktop from browsing the internet when you're connected through a vpn appliance.
 
[wizard] said:
they could ... do something ... or even pass a virus on without knowing.

Which brings up another point of mine...

All my clients...as soon as I set up a VPN router for their staff to remote into the network...usually to do RDC or whatever to their desktops....I must set up their home. I ensure that the home network is behind a NAT router, and ensure that person's home PC goes through my checklist...windows updates, no <blank> local admin password, approved antivirus, standard best practice anti-ad/spyware software installed, machine is cleaned and rid of said junk, etc.

Because remember...once someone VPNs into the office network....they become part of that network. And some of the bad stuff out there spreads on its own across networks.
 
I'd terminate at the firewall as well.

I use ISA 2004 and terminate at it. Access from the VPN is limited to internal web browsing & RDP because I can't easily validate home networking environs/health (at least until remote access quarantine becomes less fucking ridiculous).
 
that's what i thought as well.

with that in mind, how do you reconcile connecting to firewall/router, and then having the remote (wxpp) access the domain?

i've recently set up a D-Link DFL 200 VPN Server to accept incoming pptp connections to the firewall. i tested it using a wxpp remote client. the client connects, but i am unable to ping/access any local computers inside of the network.

the config is thus:
Company LAN, VPN Network:
- a Westell DSL modem connected to the DFL 200's WAN
- DFL 200's internal LAN is connected to the same switch all of the LAN is on.
- 1 AD w2k3 connected to the same switch.
- all other computers connected to the same switch.
 
JediFonger said:
i tested it using a wxpp remote client. the client connects, but i am unable to ping/access any local computers inside of the network

By IP or netbios name?
 
End user is trying from an IP range that's different from the IP of the office LAN?

Meaning...Office is something like 192.168.1.XXX....and the end user must be something different, like 192.168.0.xxx or 192.168.2.xxx...or 10.x.x.x....just NOT 192.168.1.xxx
 
the office LAN=10.0.0.1-10.0.0.250.
remote LAN connects and gets its IP from the server (DHCP) from 10.0.0.251-10.0.0.254. so yesh, they're on diff. LAN segments. but i still can't access office LAN resources at all.
 
JediFonger said:
the office LAN=10.0.0.1-10.0.0.250.
remote LAN connects and gets its IP from the server (DHCP) from 10.0.0.251-10.0.0.254. so yesh, they're on diff. LAN segments. but i still can't access office LAN resources at all.

No..what I meant was...the remote LAN...before that person even launches the VPN connection...their own router does not set up their home LAN to be 10.0.0.xxx right? I'm sure it's a 192.168.xxx.xxx...for a common home broadband router...but before even spending another second troubleshooting...need to confirm it.
 
that shouldn't matter. remote server can be anything on its LAN, because when you dial out, a new VPN connection will be established.
 
i'm talking about the remote computer dialing in now. you can use windows XP's pptp connection to establish connection between remote and VPN server. if you look in the network connection folder of the remote client, you'll have a LAN connection and a PPTP that's PPPoE over the LAN/broadband connection. the remote connection has a diff IP# than remote PC's internal network's IP#.
 