Add VPN role to main server in a small network?

Can a company with a very small network (8 connected computers) have the only server also act as a VPN server?

I'm a programmer, but not a networking expert. My company has a small network, with Windows Server 2003 hosting some shared files. This server is connected to the main Ethernet switch, as are all of the client computers. The Internet router is also connected to this Ethernet switch.

All computers can see each other (where security allows it) and can see the shared files on the server, and all computers can get to the Internet.

Can I add the VPN role to the server?

I get confused by statements like this in the VPN documentation: "[Ensure that] this computer has two network interfaces, one that connects to the Internet and one that connects to the private network." http://technet.microsoft.com/en-us/library/cc736357(v=ws.10)

I could easily add a second Ethernet card to the server, but wouldn't both of them need to connect to the Ethernet switch? That's where the Internet connection is found -- through the Ethernet switch -- and it's also where the private network is found.

Other descriptions of VPN say much the same thing -- there's apparently "an interface" that connects to the Internet, where the VPN connections are going to come from, and a different interface that connects to the private network. Since I would think that all network interface cards should be cabled to the Ethernet switch, this confuses me. I don't want to radically redesign my network if I don't have to. I understand different subnets, if that helps.

In my case, all of the "resources" that the users connecting through the VPN to this server will need, are found on the server, not inside the private network. But the private network computers still need access to the server as presently configured.

If anyone can clarify the issue about the two network interfaces, that would be great. Thanks.
 
Yes, it is possible. There are a few things you need to configure for it to work. But the short answer is yes.

Virtual Private Networks
http://technet.microsoft.com/en-us/network/bb545442.aspx

How to install and configure a Virtual Private Network server in Windows Server 2003
http://support.microsoft.com/kb/323441

This should get you started.

I get confused by statements like this in the VPN documentation: "[Ensure that] this computer has two network interfaces, one that connects to the Internet and one that connects to the private network." http://technet.microsoft.com/en-us/l...736357(v=ws.10)

The typical way, in a corporate setup, is to designate a server to run routing and remote access, since that is what is necessary for VPN. Two NICs in your server can allow you to configure one that is an incoming connection from the outside world. This is what will be connected to the managed switch that pipes VPN requests to the server via one of the 65k ports available. The other NIC will pipe the data from the internal network to the VPN clients via RRAS. Without getting too in depth.

If you only have a few computers, perhaps the best solution is a VPN switch. You can pick up many for the price of a small router. Netgear makes one but I have not used them in a while due to many of the issues I had with them at the time.

Hope this helps a little bit.
 
Thanks for those replies.

The link in the reply from Triplex didn't help a lot; ours is Server 2003, not Server 2003 R2, and the screens don't quite look like that.

For Silverhaze, I appreciate the reply. I know a little bit about how most (larger) companies set up their networks. But in our network, all of the user computers AND the one Internet router are all connected to the SAME (unmanaged) switch.

In those links you sent, it looks like the server is used as a tunneling box for all Internet traffic from the Corporate Intranet. I don't want to radically change our network like that; I want to keep it simple (or what looks like simple).

The second link that you gave says "For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server." What's confusing about this: I can't tell from the wording whether or not I *need* for the remote access server to "forward traffic properly inside" my network. My network traffic is all routed properly at the moment since all computers are on the same network. (And the external users who would use the VPN only need to access folders on the server, not folders on the internal network.)

From a mathematical, logical standpoint, I understand the syntax of "for X to work, you must do Y", but I might not want or need for X to work, and the prose doesn't cover that possibility at all. (Maybe I do need for X to work, but I don't THINK I do, and the document doesn't help me decide.)

So, are those steps mandatory for the VPN itself to work? I'm a computer programmer, but I hate the odd language that Microsoft uses in some of its articles. (Kinda like the basic instructions for setting up Active Directory for Windows 2000 Server that always said "If you have an external, public Web site address, enter it here", without giving ANY clue what to enter if you DON'T have an external, public Web site address, or don't want it to be tied in with your company AD. AAAArgh. Now I know that a typical thing to enter in that spot is something like "contoso.local", not "contoso.com". The old docs never gave that advice.)

Even if I had two NICs, I always thought that a multihomed server needed its NICs to be on different subnets. If they were... well, we only have one Internet router (there is a backup router, but it's not generally connected, and it's configured in the same subnet). The internal computers, the one server and the Internet router are all on the same subnet.

Our server is not acting as a NAT box, and our users COULD get to the Internet even if our server was down. The server is plugged into the Ethernet switch just like the client computers are.

Most of the examples around the web -- for any technology -- assume large networks. It's very hard to find examples that apply to companies with, say 5 or 6 computers and one server, and it's companies of that size that need examples the most (since they won't have a permanent, multi-person in-house network staff). :-(

Yes, we could buy a VPN switch -- even though I have heard about people having "issues" with them, and it seems like the built-in systems ought to be able to handle the job. I'm disappointed if the built-in stuff is not sufficient.

Thanks.
 
But in our network, all of the user computers AND the one Internet router are all connected to the SAME (unmanaged) switch.

Then it should be easy to route the traffic properly from your switch. If you have an unmanaged switch, I advise you to buy one that IS so that you can shape data on the network properly.


So, are those steps mandatory for the VPN itself to work?

Considering that they came from Microsoft, the one who made the Server OS, Yes.


Our server is not acting as a NAT box, and our users COULD get to the Internet even if our server was down. The server is plugged into the Ethernet switch just like the client computers are.

Well, the configuration required would essentially turn it into a NAT box. Which is the purpose of the dual NIC configuration.


Most of the examples around the web -- for any technology -- assume large networks. It's very hard to find examples that apply to companies with, say 5 or 6 computers and one server, and it's companies of that size that need examples the most (since they won't have a permanent, multi-person in-house network staff). :-(

In a small network setup, I keep it simple and add a small device that can handle what you want. Truthfully, you should buy a larger, managed switch that has the capability to handle VPN connections. With only 8 computers, I cannot imagine your load is very high.


Yes, we could buy a VPN switch -- even thought I have heard about people having "issues" with them, and it seems like the built-in systems ought to be able to handle the job. I'm disappointed if the built-in stuff is not sufficient.

If you want simplicity, you have contradicted yourself in this statement. Configuring a Server to do what you want means MANY changes to your network that you don't want to do. The easiest way to accomplish what you want with the setup that you have is to go buy a VPN client box. Configure it to connect to clients from outside and the router to pass the proper ports, and you're in business. Configuring the Server to do that basically requires you to do exactly what you don't want to do....rebuild the network.

It is what it is. Unfortunately, hardware is not as easy to work around as programming. This is how you can do it. The easy way, or the hard way.
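Both of the replies above come down to the same practical step for a VPN server that sits on the single office LAN behind the Internet router: the router has to forward the VPN ports to the server, and you then want to confirm from outside that the forward actually reaches it. The following is an added example, not code from this thread, from Microsoft, or from any RRAS tool: a small Python client that opens the PPTP control connection (TCP 1723, RFC 2637), sends a Start-Control-Connection-Request and parses the Start-Control-Connection-Reply. It assumes PPTP, one of the two VPN types RRAS on Server 2003 offers (the other is L2TP/IPsec, which uses UDP 500/4500/1701 and ESP instead); the host name and vendor strings, and the `build_sccrp` reply used for the offline test, are constructed here. What it cannot check: PPTP also needs GRE (IP protocol 47) passed through the router, and a router that forwards TCP 1723 but not GRE will pass this probe while real clients still fail once the tunnel is started.

```python
"""Added example (not from the thread): PPTP control-channel probe, RFC 2637.

Builds a Start-Control-Connection-Request (SCCRQ), sends it to TCP 1723 and
parses the Start-Control-Connection-Reply (SCCRP). Checks only the control
channel; GRE (IP protocol 47) reachability is NOT tested here.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
MSG_CONTROL = 1
CTRL_SCCRQ = 1
CTRL_SCCRP = 2
PROTOCOL_VERSION = 0x0100
FRAMING_ASYNC_SYNC = 0x3   # both framing types supported
BEARER_ANALOG_DIGITAL = 0x3

# Common header: length, PPTP message type, magic cookie, control type, reserved0
_HDR = "!HHIHH"
# SCCRQ body: version, reserved1, framing caps, bearer caps, max channels,
# firmware revision, hostname[64], vendor[64]
_SCCRQ_BODY = "!HHIIHH64s64s"
# SCCRP body: version, result code, error code, framing caps, bearer caps,
# max channels, firmware revision, hostname[64], vendor[64]
_SCCRP_BODY = "!HBBIIHH64s64s"
MESSAGE_LEN = struct.calcsize(_HDR) + struct.calcsize(_SCCRQ_BODY)  # 156 bytes

RESULT_NAMES = {
    1: "Successful channel establishment",
    2: "General error",
    3: "Command channel already exists",
    4: "Requester is not authorized to establish a command channel",
    5: "Requested protocol version not supported",
}


def _pad64(s: bytes) -> bytes:
    return s[:64].ljust(64, b"\0")


def build_sccrq(hostname: bytes = b"vpn-check", vendor: bytes = b"example") -> bytes:
    """Encode an SCCRQ. hostname/vendor are free-form strings (assumed values)."""
    body = struct.pack(_SCCRQ_BODY, PROTOCOL_VERSION, 0, FRAMING_ASYNC_SYNC,
                       BEARER_ANALOG_DIGITAL, 1, 0, _pad64(hostname), _pad64(vendor))
    hdr = struct.pack(_HDR, struct.calcsize(_HDR) + len(body), MSG_CONTROL,
                      MAGIC_COOKIE, CTRL_SCCRQ, 0)
    return hdr + body


def build_sccrp(result_code: int = 1, error_code: int = 0,
                hostname: bytes = b"srv2003", vendor: bytes = b"constructed") -> bytes:
    """Constructed SCCRP, as a PPTP server would answer; used for offline testing."""
    body = struct.pack(_SCCRP_BODY, PROTOCOL_VERSION, result_code, error_code,
                       FRAMING_ASYNC_SYNC, BEARER_ANALOG_DIGITAL, 1, 0,
                       _pad64(hostname), _pad64(vendor))
    hdr = struct.pack(_HDR, struct.calcsize(_HDR) + len(body), MSG_CONTROL,
                      MAGIC_COOKIE, CTRL_SCCRP, 0)
    return hdr + body


def parse_sccrp(data: bytes) -> dict:
    """Decode an SCCRP; raise ValueError if the bytes are not a PPTP SCCRP."""
    if len(data) < MESSAGE_LEN:
        raise ValueError("short reply (%d bytes); not a complete SCCRP" % len(data))
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(_HDR, data[:12])
    if cookie != MAGIC_COOKIE or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message (bad magic cookie / type)")
    if ctrl_type != CTRL_SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    (version, result, error, framing, bearer, channels, firmware,
     host, vendor) = struct.unpack(_SCCRP_BODY, data[12:MESSAGE_LEN])
    return {
        "version": version,
        "result_code": result,
        "result": RESULT_NAMES.get(result, "unknown (%d)" % result),
        "error_code": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": channels,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
        "ok": result == 1,
    }


def probe_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect to host:port, send an SCCRQ and return the parsed SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < MESSAGE_LEN:
            chunk = s.recv(MESSAGE_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


if __name__ == "__main__":
    # Usage: python pptp_probe.py <public-ip-or-hostname-of-router>
    info = probe_pptp(sys.argv[1])
    print("control channel:", info["result"], "from", info["hostname"] or "<no name>")
    print("GRE (IP proto 47) is not checked by this probe.")
```

A successful reply (result code 1) proves only that TCP 1723 is forwarded to a listening RRAS server; if that passes but a real client still fails after authentication starts, look at GRE forwarding on the router next, since the tunnel data travels over GRE rather than over this TCP connection.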
 
Thanks for that detailed reply. It explains some things that I wasn't quite sure of before. I appreciate it.
 