VPN Issues

Ola

Hello all,

I am trying to set up a VPN for a small company of 10. I
also have the issue of high turnover of employees in this
small company because income is commission based. So I am
trying to achieve two different things.

1. VPN access to the employees - They need access to
network data while on the road sometimes. The question
here is do I need 2 NICs to set up a VPN. I have never
set up a VPN before, however, I have opened port 1723 on
my router to allow PPTP to my server. So other than
running RAS on the server and running VPN Client on the
workstations, what else do I need? You should also note
that the company is using a fractional T1 line, so there
is no phone number to dial into.

2. I need to be able to add and delete users remotely. If
I am able to get to the server by resolving question 1
above, would I be able to accomplish question 2, or do I
need more to be able to use Active Directory Users and
Computers?

Thanks in advance

Ola
 
Ola,

Install and configure RRAS on the server (if they are using Win2k/Win2k3).
To do that refer to Windows Help documentation or even try this link
http://www.microsoft.com/technet/itsolutions/network/evaluate/featfunc/msrasov.mspx

As for the accounts that will be used in connecting to the VPN
server:
- if the company has Active Directory installed make use of it
- if the VPN server is not in a workgroup use local accounts on the
VPN server.

Hope this helps.
 
Since you are using NAT you do not need to use a second nic. Just port forward 1723 tcp
to your rras server and also enable protocol 47 or commonly referred to as pptp
passthrough. Make sure that the users are using complex passwords which you can
enforce with password policy as pptp is not as secure as l2tp and all that is needed
is a password to access the vpn from the internet unless you can restrict which IP
addresses the router will accept traffic from which can be difficult with roaming
users. It is also possible to lockout remote access users from bad password attempts,
though that requires a registry mod and if you use it I would suggest a five minute
lockout period to deter hack attempts while still allowing user access without
administrator intervention. Keep in mind that unless you are using a wins server or
lmhosts file, that browsing the network from the vpn connection will be problematic
at best and users may need to connect as in \\xxx.xxx.xxx.xxx\sharename where
xxx.xxx.xxx.xxx is the lan IP address of the computer they want to access. I suggest
you enable wins on the network if it is not already used. You should be able to
access Active Directory Users and Computers over the vpn or use Terminal Services in
Remote Administration mode through the vpn tunnel. Again keep in mind that pptp is
not the most secure method compared to l2tp or a device that has ipsec endpoints and
would require client software on the remote computers. L2tp would require client
computer and server certificates and a direct connection to the internet since l2tp
will not work over NAT in W2K, though it will in Windows 2003 if the clients have the
NAT-T upgrade installed and the firewall is configured properly. An ipsec endpoint
device and client software will add cost to the installation with the device costing
a couple hundred bucks and probably a hundred bucks for each vpn client software
license. The links below may be helpful. --- Steve

http://www.microsoft.com/serviceproviders/whitepapers/vpn.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;300434
http://support.microsoft.com/default.aspx?scid=kb;en-us;176321
http://support.microsoft.com/default.aspx?scid=kb;EN-US;150800
http://support.microsoft.com/default.aspx?scid=kb;en-us;292822
http://support.microsoft.com/default.aspx?scid=kb;en-us;q310302&sd=tech
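The point Steve makes about NAT, that PPTP needs both TCP 1723 and IP protocol 47 (GRE) forwarded to the RRAS server, and that L2TP/IPsec through NAT needs NAT-T, is easy to check against a router's forwarding table. The following is an added example, not code from this thread or from Microsoft: a small Python checker that takes a list of forwarding rules and reports what is still missing for a given tunnel type. The rule format, the LAN address 192.168.1.10 and the sample rule set are constructed for illustration; real routers export their rules differently, so you would adapt the parsing to yours.

```python
"""Check whether a NAT port-forwarding rule set lets PPTP, or L2TP/IPsec
with NAT-T, reach an RRAS server behind the router.

Added example for the thread above, not the thread's own code. The rule
format and sample data are constructed; adapt them to your router's export.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IP protocol numbers involved (not product-specific values)
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP data channel; routers often call this "PPTP passthrough"
PROTO_ESP = 50   # IPsec ESP, only relevant without NAT-T


@dataclass(frozen=True)
class ForwardRule:
    proto: int            # IP protocol number
    port: Optional[int]   # destination port for TCP/UDP, None for GRE/ESP
    target: str           # LAN host the router forwards the traffic to


# What each tunnel type needs to arrive intact at the VPN server.
REQUIREMENTS = {
    # PPTP: control channel on TCP 1723 plus GRE for the tunnelled frames.
    "pptp": [(PROTO_TCP, 1723), (PROTO_GRE, None)],
    # L2TP/IPsec behind NAT: IKE on UDP 500 and NAT-T on UDP 4500. With NAT-T
    # the ESP payload travels inside UDP 4500, so plain ESP is not needed.
    "l2tp-ipsec-natt": [(PROTO_UDP, 500), (PROTO_UDP, 4500)],
}

PROTO_NAMES = {
    PROTO_TCP: "TCP",
    PROTO_UDP: "UDP",
    PROTO_GRE: "GRE (IP protocol 47)",
    PROTO_ESP: "ESP (IP protocol 50)",
}


def missing_forwards(rules: List[ForwardRule], vpn_server: str,
                     tunnel: str = "pptp") -> List[Tuple[int, Optional[int]]]:
    """Return the (proto, port) pairs required by `tunnel` that are not
    forwarded to `vpn_server`, in the order the requirement list gives them."""
    present = {(r.proto, r.port) for r in rules if r.target == vpn_server}
    return [need for need in REQUIREMENTS[tunnel] if need not in present]


def describe(need: Tuple[int, Optional[int]]) -> str:
    """Human-readable name for one requirement, e.g. 'TCP port 1723'."""
    proto, port = need
    name = PROTO_NAMES.get(proto, f"IP protocol {proto}")
    return f"{name} port {port}" if port is not None else name


def report(rules: List[ForwardRule], vpn_server: str,
           tunnel: str = "pptp") -> str:
    """One-line verdict for the chosen tunnel type."""
    gaps = missing_forwards(rules, vpn_server, tunnel)
    if not gaps:
        return f"{tunnel}: all required traffic is forwarded to {vpn_server}"
    return f"{tunnel}: missing " + ", ".join(describe(g) for g in gaps)


# Constructed sample: the common mistake of forwarding 1723 but not GRE,
# which is exactly the situation the original question describes.
VPN_SERVER = "192.168.1.10"
SAMPLE_RULES = [
    ForwardRule(PROTO_TCP, 1723, VPN_SERVER),
    ForwardRule(PROTO_TCP, 3389, VPN_SERVER),   # Terminal Services, unrelated
]
FIXED_RULES = SAMPLE_RULES + [ForwardRule(PROTO_GRE, None, VPN_SERVER)]

if __name__ == "__main__":
    print(report(SAMPLE_RULES, VPN_SERVER))                      # flags GRE
    print(report(FIXED_RULES, VPN_SERVER))                       # complete
    print(report(SAMPLE_RULES, VPN_SERVER, "l2tp-ipsec-natt"))   # flags UDP 500/4500
```

Running it against the sample rules shows the PPTP check failing only on GRE, which is the usual cause of a PPTP client that authenticates on TCP 1723 but never passes traffic. The L2TP/IPsec entry models the Windows 2003 NAT-T case Steve mentions; it does not model Windows 2000, where L2TP over NAT is not supported regardless of what the router forwards.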
 