PPTP Authentication


Jennie

Hi,

I am a Network Administrator for a number of different
companies within a division. I have just implemented an
MPLS infrastructure so all the companies are on a WAN.

I am installing a VPN Concentrator as our current
solution is very expensive, but until this point I have a
need to offer VPN access to a further 150 users. I don't
currently use Microsoft, but I am thinking of using PPTP
to authenticate as an interim solution.

The problem is I want the PPTP server to sit in the DMZ
of our firewall. I want it to authenticate users and then
allow the traffic through to our network. As the server
will be authenticating users from a number of different
domains, I don't want to join it to a current domain. The
PPTP server has to be in a domain though because of AD.

How can I get all my users to authenticate to this server
and then allow the traffic through once authenticated?
Do I use security groups and trusts, or is the fact that
the PPTP server is in its own domain irrelevant as it
will only be authenticating and passing traffic through?

Any help is appreciated.

Thanks in advance!

Regards,

Jennie
 
The VPN server doesn't have to be in a domain. You can authenticate
against its local SAM database if it is a standalone, and use a local remote
access policy.

If it is in a domain, you can authenticate against AD. The RRAS server
doesn't have to be a domain controller. As long as it is a member of the IAS
and RAS server group in AD, it will offload the authentication to a DC in
AD.

I guess you already know that the username/password used for VPN
connection is used solely for that purpose. It does not log you on to the
domain and this username/password combination is not used for file access
credentials. It is only used to validate your permission to establish a
remote connection.
 
Hi Bill,

I am in the process of testing this now. Thanks for your
feedback.

Do I just filter the packets back onto my network once
they have authenticated?

Regards,

Jennie
 
That's where putting the VPN server in a DMZ gets tricky. The first
thing is to get the traffic to the private LAN. What IP addresses are you
going to give to the remote clients?

The best bet is probably to put the VPN clients in their own IP
subnet, and route that subnet through the RRAS server to the private
network. Then you need to get the name resolution working before you can
look at the filtering.
 
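The design in the reply above (VPN clients in their own subnet, routed through the RRAS server, then filtered at the DMZ firewall) can be modelled to check the rule set before it goes on real hardware. The following is an added example, not code from the thread or from any poster; all addresses, the interface names "outside" and "dmz", and the firewall inside address are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology (assumed addresses, not from the thread).
RRAS_DMZ_IP = ipaddress.ip_address("192.0.2.10")        # PPTP server's DMZ address
FIREWALL_INSIDE_IP = ipaddress.ip_address("10.0.0.1")   # firewall's LAN-side address
VPN_POOL = ipaddress.ip_network("10.250.0.0/24")        # pool handed out to VPN clients
PRIVATE_LAN = ipaddress.ip_network("10.0.0.0/16")
PPTP_TCP = 1723   # PPTP control channel
GRE = "gre"       # IP protocol 47 carries the tunnelled PPP frames


@dataclass(frozen=True)
class Packet:
    iface: str               # firewall interface the packet arrives on: "outside" or "dmz"
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "gre"
    dport: Optional[int] = None


def allow(p: Packet) -> bool:
    """Return True if the DMZ firewall should forward the packet."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # Rule 1: anti-spoofing. The VPN pool only exists behind the RRAS server,
    # so a pool source arriving on the outside interface is bogus.
    if p.iface == "outside" and src in VPN_POOL:
        return False
    # Rule 2: Internet -> RRAS server, PPTP control channel and GRE tunnel only.
    if p.iface == "outside" and dst == RRAS_DMZ_IP:
        return (p.proto == "tcp" and p.dport == PPTP_TCP) or p.proto == GRE
    # Rule 3: decapsulated client traffic, sourced from the pool and routed
    # through RRAS, is allowed into the private LAN.
    if p.iface == "dmz" and src in VPN_POOL and dst in PRIVATE_LAN:
        return True
    # Everything else is dropped, including traffic from the RRAS server's own
    # DMZ address and any direct Internet -> LAN attempt.
    return False


def return_routes() -> dict:
    """Static routes so LAN replies reach the clients: the LAN router sends the
    pool to the firewall, and the firewall sends it on to the RRAS server."""
    return {
        "lan_router": (str(VPN_POOL), str(FIREWALL_INSIDE_IP)),
        "dmz_firewall": (str(VPN_POOL), str(RRAS_DMZ_IP)),
    }
```

Because the filter keys on the client pool rather than on the RRAS server's own address, the server being a standalone box outside any domain makes no difference to the firewall rules, which is the point of the reply.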