Different subnet questions

Steven Platt

I have recently set up a VPN and I would like to section these users off on
their own subnet. I am going to do this at my router. I was wondering if
the VPN needs to be in my domain in order to function correctly. I know
there are VPN access rules that allow specific Windows groups to access but
I was wondering if I could do this on a local machine level (give local
groups rather than domain groups access). Also, is it possible to have a
domain with several subnets? If so, what do I need to look out for in doing
so? TIA.

-Steven-
 
Steven Platt said:
> I have recently set up a VPN and I would like to section these users off on
> their own subnet. I am going to do this at my router. I was wondering if
> the VPN needs to be in my domain in order to function correctly.

No. There is no relationship.

> I know
> there are VPN access rules that allow specific Windows groups to access

Not that I ever heard of.

> I was wondering if I could do this on a local machine level (give local
> groups rather than domain groups access).

Never heard of such a thing.

> Also, is it possible to have a
> domain with several subnets?

There is just simply no relationship between Domains and Subnets. Domains are
a Microsoft Windows Administration Entity. Subnets are a Layer3 Networking
Topology design based on the TCP/IP Protocol that has nothing to do with
Windows and existed back before MS even became a company.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
 
I am not sure of the issues, but let me try.

1. The VPN client doesn't need to log on to the domain or to be a member of the domain. However, you do need to log on with the domain username with the same password to access the network resources.

2. Assuming you are using Windows server as the VPN server, you can use an IP pool that can be a different subnet.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Thanks to both of you. I have another question. I have an existing subnet of 10.10.21.0/24, this is where all my workstations/servers reside. I was thinking about putting my VPN server (Windows 2000) on that subnet and setting up the DHCP addresses as 10.10.22.0/24 for the VPN clients. My question is: how would the VPN clients know how to reach the 10.10.21.0/24 subnet? Am I correct in setting this up through my Cisco device or could RAS take care of it? The point of me doing all of this is because I need remote computers to access some shares on one of my servers but at the same time I would like to make sure they don't have access to other boxes on the 10.10.21.0/24 subnet. I am trying to be safe about this thing and I have no idea what could be on these remote computers (spyware/viruses). Maybe there is a way that I can set up one route to that fileserver on my 10.10.21.0/24 subnet and not give them a route anywhere else on that subnet. What am I missing here? Is what I speak of practiced/practical?

-Steven-
 
> Thanks to both of you. I have another question. I have an existing subnet
> of 10.10.21.0/24, this is where all my workstations/servers reside. I was
> thinking about putting my VPN server (Windows 2000) on that subnet and
> setting up the DHCP addresses as 10.10.22.0/24 for the VPN clients.

No, if it is on the 10.10.21.x subnet, then that is what the dialin user
should get an IP# from.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
> I was wondering if the VPN needs to be in my domain in order to function
> correctly

Don't know what you mean by the "vpn has to be in the domain". A VPN is just
an encrypted point-to-point connection. If you want to administer your users
with domain policy, then the users and computers in the other subnet would
need to be domain members (recommended).

> I know there are VPN access rules that allow specific windows groups to
> access but I was wondering if I could do this on a local machine level

I think you are referring to a remote access policy. This is for individual
connections, not a single VPN connection that all users on a subnet would
connect through. I would not suggest having each user/computer connect to a
RRAS server. MS VPN is verrrry slooooowww. I'd use a hardware device. Then,
you could control user's access through the tunnel by giving them different
default gateways. Many (most) VPN appliances have a built-in method of
authenticating - either an access control list of permitted IP addresses /
ranges, or a user login to enable the user with access through the tunnel.

> Also, is it possible to have a domain with several subnets

Sure. Nothing special required. Obviously, users must have access to DNS,
WINS, Domain controllers, etc. You can make AD "Site-aware" and define
subnets to sites if you need to control replication over slow links, etc.

....kurt
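
The follow-up question in this thread asks how to let VPN clients in 10.10.22.0/24 reach the shares on one file server without reaching the rest of 10.10.21.0/24. As an added example (not written by any poster in this thread), the Python model below evaluates a first-match packet filter for that policy and audits which LAN hosts stay reachable, including the rule-ordering mistake that silently opens the whole subnet. The file server address 10.10.21.50, the rule format and the function names are assumptions; the filter itself has to be enforced on whatever device actually forwards the VPN clients' traffic.

```python
import ipaddress
from typing import NamedTuple, Optional

VPN_POOL = ipaddress.ip_network("10.10.22.0/24")   # from the thread
LAN = ipaddress.ip_network("10.10.21.0/24")        # from the thread
FILE_SERVER = ipaddress.ip_address("10.10.21.50")  # assumed address, not from the thread
SMB_PORTS = (139, 445)                             # NetBIOS session and SMB over TCP

class Rule(NamedTuple):
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]               # None matches any TCP port

def decide(rules, src, dst, port):
    """First matching rule wins; no match falls through to an implicit deny."""
    for r in rules:
        if src in r.src and dst in r.dst and r.port in (None, port):
            return r.action
    return "deny"

def reachable_from_vpn(rules, ports=(139, 445, 3389)):
    """Return {host: [ports]} for every LAN host a VPN client can reach."""
    # One pool address is enough here: every rule below matches on the whole pool.
    client = next(iter(VPN_POOL.hosts()))
    exposed = {}
    for host in LAN.hosts():
        open_ports = [p for p in ports if decide(rules, client, host, p) == "permit"]
        if open_ports:
            exposed[str(host)] = open_ports
    return exposed

fs = ipaddress.ip_network(f"{FILE_SERVER}/32")
# Intended policy: file shares on one server, nothing else on the LAN.
STRICT = [Rule("permit", VPN_POOL, fs, p) for p in SMB_PORTS] + [
    Rule("deny", VPN_POOL, LAN, None)]
# Ordering mistake: a broad permit placed first shadows the narrower rules.
SHADOWED = [Rule("permit", VPN_POOL, LAN, None)] + STRICT

if __name__ == "__main__":
    print("strict:", reachable_from_vpn(STRICT))
    print("hosts exposed when shadowed:", len(reachable_from_vpn(SHADOWED)))
```

Running the audit against the rule set before it is deployed shows whether anything other than the file server is exposed to the VPN pool.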
 