Vpn over win 2000 server

  • Thread starter Thread starter Ugo Mangini
  • Start date Start date
U

Ugo Mangini

Hi everybody.

here is my trouble:
I have a small lan, using 192.168.10.x 255.255.255.0 as ip addresses.
The connection to internet is based on an adsl router and a firewall (zywall
2)
At the moment, the firewall has lan Ip address 192.168.10.254 and wan Ip
address 192.168.1.254 while the router has lan Ip address 192.168.1.253 and
wan Ip asssigned by ISP.
The firewall routes traffic to the internet through a static routing table
so that traffic to 0.0.0.0 is routed to 192.168.1.253 (the router).
Everithing works fine.

What's the matter, you say?
Well, what I need is this:
I have one win2000 server with IP 192.168.10.1
I need to let anyone from the outside use terminal services upon that
server.
That's all.
Simple? ;-(

What I'd like to understand is:
1) do I need only one public ip address or more?
2) do I have to use 2 lan adapters on my win 2000 server (one with the lan
ip 192.168.10.1 and the other with the public Ip?)
3) May I configure a vpn using the dynamic ip address provided by ISP?
4) How can I configure the three (server, firewall, router) to manage the
vpn?

Thank you very much in advance for any help

bye
 
first, it is better to use vpn. then open port 1723 and IP protocol 47 (GRE)
forwarding to the TS.

--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.
 
I agree with Robert on this. You could just forward the terminal services
traffic from the router to the server, but it would be more secure to make a
VPN connection (by forwarding PPTP from the router to the server), then run
TS over the VPN connection.
 
First, thanks to both.

So, I need only:
1) ONE public Ip address on my server
2) allow routing of PPTP from router to server thru firewall
3) configure vpn directly on my win2000 server

is this correct?

If yes, just another question: I can't config vpn with a dynamic Ip address
given by my router?

thanks again

bye
 
Ugo Mangini said:
First, thanks to both.

So, I need only:
1) ONE public Ip address on my server
2) allow routing of PPTP from router to server thru firewall
3) configure vpn directly on my win2000 server
Click to expand...

one more:
4) I need TWO nic on my server or can I use two Ip's on the same nic?
 
No, you do not need a public IP on your server. The server has only
one NIC with a private IP. The client connects to the public IP of the
firewall.

The connection is extended to the server by using port forwarding. You
configure your router to forward TCP port 1723 to the server's LAN IP. All
PPTP traffic coming to the firewall is handled by the server. (Just as you
can forward tcp port 80 to a LAN IP to have a LAN machine host your web
site. As I said earlier, you could probably get TS to work simply by
forwarding TCP port 3389 to the server, but a VPN is a neater solution).
 
"Bill Grant" <bill_grant at bigpond dot com> ha scritto nel messaggio

You're very kind, but there's still a small question:

You mean that if i have the public ip on the wan port of the adsl router
(which I can't manage...)
and the I simply configure the firewall tho forward ip port 1723 to the
server every thing would work fine?

thanks again
bye
 
Ugo Mangini said:
You're very kind, but there's still a small question:

You mean that if i have the public ip on the wan port of the adsl router
(which I can't manage...)
and the I simply configure the firewall tho forward ip port 1723 to the
server every thing would work fine?
Click to expand...

I think that if my router is not able to manage ip port forwarding (or I
can't configure it) nothing would work.

A client connecting to the public ip on the router would get access only to
the router, not the firewall, nor the server...

That's why I was going to use my public ip on the firewall...

bye
 
That is basically right. If your router does not support port forwarding,
you are in big trouble. A VPN connection must be made to an interface which
can be reached through the Internet. So it cannot be on a private LAN.

If your router is the only machine with a public IP, that is where you
have to connect to. The VPN can only run on some other machine if you have
some way to get that traffic from the router to the VPN server.

Having two NICs in the server doesn't change this. You still must
connect to the router's public interface and somehow get the traffic to the
server. Having two NICs only works if one NIC has a registered public IP (or
you can forward from a router with a public IP).
 
Back
Top