New VPN Setup

Thread starter: Ola

Ola

Hello all,

I am trying to set up a VPN for a small company of 10. I
also have the issue of high turnover of employees in this
small company because income is commission based. So I am
trying to achieve two different things.

1. VPN access for the employees - they need access to
network data while on the road sometimes. I have never
set up a VPN before; however, I have opened ports 1723 and
47 on my router to allow PPTP to my server. So other than
running RAS on the server and running the VPN client on the
workstations, what else do I need? You should also note
that the company is using a fractional T1 line, so there
is no phone number to dial into. I have a Netopia R9100-T
router with VPN capability.

2. I need to be able to add and delete users remotely. If
I am able to get to the server by resolving question 1
above, would I be able to accomplish question 2, or do I
need more to be able to use Active Directory Users and
Computers?

Thanks in advance

Ola
 
Hi,

Q1: you need to open TCP port 1723 and protocol 47 (GRE) ... which is not
TCP port 47. GRE is at the same level as TCP, not over it.

Q2: You can TSE to one of your DCs and add the user (or remove him) with the local
MMC. In this case your policy will only authorize TSE if you are a member of the
'remote VPN administrators' AD group... or use the MMC installed on your
machine, but I think that you will need to open RPC.

With Windows 2003 you cannot say 'authorize RPC' ... there is no application
filter (ISA 2004 has this kind of application filter), so you will need to
open TCP 135 and the high ports.

Hope it helps.

FE
 
You might have tried to answer my questions, but I am a
little lost with the acronyms that you are using.

What are TSE and MMC? And how do I accomplish what you
are saying?

I have port 1723 forwarded to my server from a Linksys
router, and according to Linksys, that is all I need to
do for both GRE and PPTP?

My configuration now has to be on the server and the
laptop/workstation.

For my server, I figured running RAS is all I need to do,
and configuring the client, I thought, should not be too
difficult; however, when you were talking about TSE and
MMC, do I get to them through the VPN connection as well,
and again, what do the acronyms stand for?

Thanks a lot in advance.

Ola
 
TSE - Terminal Services/Remote Desktop
MMC - Microsoft Management Console [you can invoke it by running mmc.exe]

TCP port 1723 and IP protocol 47 (GRE) are required for a PPTP connection, the
reason being that the encrypted VPN data travels as the payload of an
IP packet with a GRE header. If anything blocks GRE in either direction, no
data will flow and the connection fails. Hence ensure that the router (or
some other router/firewall in the path) does not block GRE.
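The port-versus-protocol distinction in FE's Q1 and Sharoon's GRE note above, as an added Python example that is not from the thread: it parses constructed IPv4 packets to show what a firewall rule for PPTP must actually match, and audits a rule list for the "TCP port 47" mistake. The packet bytes, addresses and rule lists are constructed samples.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_GRE = 47   # GRE is an IP protocol number, not a TCP/UDP port
PPTP_PORT = 1723   # PPTP control channel

def classify(packet: bytes) -> str:
    """Classify a raw IPv4 packet by what a PPTP firewall rule must match."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = packet[9]                      # IPv4 protocol field
    if proto == IPPROTO_GRE:
        return "pptp-data (GRE, IP protocol 47)"
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PPTP_PORT in (sport, dport):
            return "pptp-control (TCP 1723)"
        if 47 in (sport, dport):
            return "tcp port 47: a TCP port, not GRE; does nothing for PPTP"
        return "other tcp"
    return "other ip protocol %d" % proto

def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header, checksum left at 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 2]), bytes([203, 0, 113, 5]))
    return hdr + payload

def tcp_syn(sport: int, dport: int) -> bytes:
    """Constructed sample: 20-byte TCP SYN header with zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def audit_rules(rules) -> list:
    """rules: (protocol, port) pairs an admin allowed; port None for protocol-only.
    Returns the PPTP requirements that are still unmet or misconfigured."""
    findings = []
    if not any(p == "tcp" and port == PPTP_PORT for p, port in rules):
        findings.append("missing TCP 1723 (control channel)")
    if not any(p == "gre" for p, _ in rules):
        findings.append("missing IP protocol 47 / GRE (data channel)")
    if any(p == "tcp" and port == 47 for p, port in rules):
        findings.append("TCP port 47 rule does not pass GRE; remove or replace it")
    return findings

if __name__ == "__main__":
    gre = build_ipv4(IPPROTO_GRE, bytes.fromhex("3001880b"))  # GRE hdr, proto 0x880B (PPP)
    print(classify(gre))
    print(classify(build_ipv4(IPPROTO_TCP, tcp_syn(51000, PPTP_PORT))))
    print(audit_rules([("tcp", 1723), ("tcp", 47)]))
```

A rule set like Ola's ("1723 and 47" as ports) is reported as missing GRE, which is exactly why the tunnel negotiates on 1723 and then carries no data.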
 
So, from what you all are saying, if Terminal Services is
running on my Win2k server, and I can VPN to this server from a
remote location, then I can run my Terminal Services
client on my remote desktop/laptop as well as MMC, and then I
can manage user accounts from the remote location?
Meaning I would not need to run something like
PCAnywhere. (Would I need VPN, TSE and MMC?)

Sorry for sounding foolish, but I just want to be crystal
clear.

Sounds a little confusing, but is that the whole idea?

Thanks

Ola
-----Original Message-----
TSE - Terminal Services/Remote Desktop
MMC - Microsoft Management Console [you can invoke it by running mmc.exe]

TCP port 1723 and IP protocol 47 (GRE) are required for a PPTP connection, the
reason being that the encrypted VPN data travels as the payload of an
IP packet with a GRE header. If anything blocks GRE in either direction, no
data will flow and the connection fails. Hence ensure that the router (or
some other router/firewall in the path) does not block GRE.
--
Thanks,
Sharoon
---------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
 
If this server is enabled for remote administration, you can use the TS
client or Remote Desktop to administer the server. You get the server
desktop running on your client machine. The program actually runs on the
server itself (just like Terminal Services for application programs).