VPN in DMZ and browsing internal LAN

Dave

Hi folks,

I need some help. I am about to set up a new back-to-back DMZ using 2
firewalls. I need to get my VPN clients to be able to browse the
internal LAN. My understanding is this....

External FW has the L2TP/IPsec encapsulated end point.
External firewall provides IP address assignment of clients as
192.168.1.10-15/24.
External firewall has a route pointing to the internal firewall, and only VPN
clients can use it.
DMZ's IP address subnet is 192.168.1.1-9/24.
The internal firewall has a rule which states anything coming from
192.168.1.10-15 can get through open ports (open ports are the ports
that Windows uses for Kerberos and NetBIOS browsing etc. etc.).

Could someone please confirm I'm doing this right? I'm new to DMZs,
although not new to VPNs and Windows 2000 etc. I will be happy to
provide more information if you require it. Is this a secure method, or
is there a better way?
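The internal-firewall rule Dave describes (source must be in the VPN pool 192.168.1.10-15, destination port must be one of the Windows ports) can be modelled to sanity-check it before it is typed into a real firewall. The following is an added example written for this page, not code from the thread or from any firewall product. The port list is an assumption: it uses the standard Kerberos and NetBIOS ports Dave refers to, plus direct-host SMB on 445, which Windows 2000 also uses. The sample flows at the bottom are constructed.

```python
import ipaddress

# Addressing taken from the post: VPN client pool and DMZ host range, both
# inside 192.168.1.0/24 (inclusive ranges, not prefixes).
VPN_POOL = (ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.15"))
DMZ_RANGE = (ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.9"))

# Ports the internal firewall opens for the VPN pool. Assumed list: the
# standard Windows ports for the services named in the post (Kerberos and
# NetBIOS browsing) plus direct-host SMB on 445.
ALLOWED_SERVICES = {
    ("udp", 88): "kerberos",
    ("tcp", 88): "kerberos",
    ("udp", 137): "netbios-ns",    # name service; also WINS client lookups
    ("udp", 138): "netbios-dgm",   # browser announcements
    ("tcp", 139): "netbios-ssn",   # SMB over NetBIOS
    ("tcp", 445): "microsoft-ds",  # direct-host SMB
}


def range_to_cidrs(first, last):
    """Express an inclusive address range as the minimal list of CIDR blocks.

    A firewall that only accepts prefixes cannot express 192.168.1.10-15 as
    a single object: it needs 192.168.1.10/31 and 192.168.1.12/30.
    """
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def in_range(addr, rng):
    first, last = rng
    return first <= addr <= last


def ranges_overlap(a, b):
    """True if two inclusive ranges share any address (pool and DMZ must not)."""
    return a[0] <= b[1] and b[0] <= a[1]


def internal_fw_permits(src, proto, dport):
    """Decision of the internal firewall for a flow arriving from the DMZ side.

    Only the VPN client pool is an accepted source, and only to the listed
    service ports; everything else, DMZ hosts included, is dropped.
    """
    src = ipaddress.ip_address(src)
    if not in_range(src, VPN_POOL):
        return False
    return (proto.lower(), dport) in ALLOWED_SERVICES


def evaluate(flows):
    """Apply the rule to (src, proto, dport) tuples; returns the decisions."""
    return [(src, proto, dport, internal_fw_permits(src, proto, dport))
            for src, proto, dport in flows]


# Constructed sample flows exercising the edges of the rule.
SAMPLE_FLOWS = [
    ("192.168.1.12", "tcp", 445),   # VPN client -> SMB: permit
    ("192.168.1.10", "udp", 88),    # VPN client -> Kerberos: permit
    ("192.168.1.5", "tcp", 445),    # DMZ host -> SMB: deny (not in the pool)
    ("192.168.1.15", "tcp", 3389),  # VPN client -> RDP: deny (port not opened)
    ("192.168.1.16", "tcp", 139),   # one address past the pool: deny
]

if __name__ == "__main__":
    print("VPN pool as prefixes:", range_to_cidrs(*VPN_POOL))
    print("Pool overlaps DMZ range:", ranges_overlap(VPN_POOL, DMZ_RANGE))
    for src, proto, dport, ok in evaluate(SAMPLE_FLOWS):
        print(f"{src:>14} {proto}/{dport:<5} {'permit' if ok else 'deny'}")
```

Two things the check makes visible: the pool 192.168.1.10-15 is not one prefix, so a firewall that only takes CIDR objects needs two entries; and because the pool and the DMZ hosts share one /24, a rule keyed on source address alone cannot tell a VPN client from a DMZ host that has configured itself with a pool address, so the real rule should also match the ingress interface or the external firewall as next hop.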
 
You will probably need WINS to get browsing working across a WAN.
Each segment builds a browse list by broadcasting, and these must be merged
to get a network-wide browse list. The master browsers use NetBIOS names to
find each other, so this merging usually fails in a routed network without
WINS.

You could use one WINS server for the combined network, or one in each
site replicating across the link. It depends on how many machines are
involved and how much load WINS traffic puts on your VPN link.
 
Thanks for your reply, Bill.

I would have put WINS into place anyway, as I noticed you have to have
that when using Windows RRAS VPN. Crap that the browse list can't use
DNS; oh well, that's another story.

So to configure WINS I would have to give each client a WINS server IP
address. Would this WINS server be in the DMZ and then replicate
with the WINS server in the internal LAN? I would obviously have to
open ports up on the internal FW to pass through WINS replication. I
suppose this would be the only way to get access to all machines,
including the ones on the DMZ.

I should have said this, but it's not an external site that's on the
other end of the VPN; it's just individual users. I'm using VPN instead
of RAS. But I suppose that's of no great importance.
 
As long as all the routes are in place and the firewall is letting the necessary traffic through, I don't see a problem.

Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 