Re: Secure Remote access - windows 2003

Using the instructions I have successfully setup the L2TP/IPSEC tunnel
up till the gateway. Now if I want to access the internal network what
else should I do on the RRAS server. From Internet user machine I am
able to ping both the Internet interface and the internal interface [
192.168.0.200] of the RRAS server. But I cannot ping any other
internal machine [192.168.0.201].connected on the same LAN as internal
network interface.

On the RRAS server I have enabled IP forwarding in the through
Registry. Address pool is configured and is getting allocated to
Internet user when he connects.

On 1/3/07, James D. Stallard <james@xxxxxxxxxxxxx> wrote:
You don't mention the number of users, but the budget suggests small scale
:)

Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and with
WXP SP2 as your client you have 2048bit Diffie-Hellman encryption available.

Setting up RRAS to perform this task is done in less than 20 minutes and is
easy to get through a firewall inbound (IE your firewall). The problems you
have to face are:

. If you wish to use pre-shared keys (the "cheapest" way of doing it) you
will need to configure the PSK passphrase on each client individually - easy
with a small number of clients. Otherwise, you will need to invest in a
certificate authority.

. This is only suitable for access by known machines, not for internet café
type environments.

. This solution works great for the remote home user, but is less successful
for your travelling salesmen using the client's internet connection as they
generally have the relevant ports/protocols blocked.

. The locally configured PSK may not be stored in a highly secure manner on
the client machines and could possibly become known in the event a machine
configured with it is stolen. You may find yourself having to re-deploy a
new PSK.

I wrote a quick and dirty step-by-step here:
http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus

In case one of your configured laptops is stolen and an attempt is made on
your RRAS solution, pay attention to your account locking on failed password
settings. You want permanent locks on a small number of attempts (say 5),
thus forcing administrative intervention and investigation in the event of
an account becoming locked.

Cheers

James D. Stallard

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of dubaisans dubai
Sent: 02 January 2007 04:17
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Secure Remote access - windows 2003

I am planning to provide remote access from Internet to a windows 2003
domain

controller.User-ids, NTFS permissions are all configured.

The objective is file sharing and access.

Files will need to be copied. The machine has valid Internet IP address and
is

sitting behind a Firewall.

I would like to keep solution independent of Firewall.This will be accessed
by roaming users. I am thinking of something like 0penssh for windows or
maybe just GUI based Secure-FTP

Challenges I am facing
------------------------------------
Authentication should be strong. Something more than a password. [ No budget
for RSA securiD :-))) ]

Encryption for user-crentials/data access

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy is not
simple and also you require Application Mode license.

The number of remote users - less than 100

Cost effective , easy to implement and easy to manage solution sought





Relevant Pages

  • RE: Secure Remote access - windows 2003
    ... a few questions before I start th eimplementation - I will setup the RRAS ... RRAS is very flexible as a small scale remote access ... All traffic between the client and the RRAS Server will be pushed down ... This is only suitable for access by known machines, not for internet ...
    (Focus-Microsoft)
  • RE: Secure Remote access - windows 2003
    ... Q2 - what is the routing path between the LAN hosts and the VPN server? ... Secure Remote access - windows 2003 ... Address pool is configured and is getting allocated to Internet user when he connects. ... with WXP SP2 as your client you have 2048bit Diffie-Hellman encryption available. ...
    (Focus-Microsoft)
  • Re: Small business thinking about backing up data, having a server and 2-3 users - is SBS200
    ... USB but don't use anything USB on that server if you stick with that mb. ... I also have a spare PC here with XP Pro which I can play with as a client ... remote access to check it over and learn as we/I go. ... B - They would like to be able to use the internet securely on any of the ...
    (microsoft.public.windows.server.sbs)
  • RE: Secure Remote access - windows 2003
    ... WXP SP2 as your client you have 2048bit Diffie-Hellman encryption available. ... This is only suitable for access by known machines, not for internet café ... I am planning to provide remote access from Internet to a windows 2003 ...
    (Focus-Microsoft)
  • RE: Secure Remote access - windows 2003
    ... but I suspect you have configured your RRAS Server ... Host Configuration Protocol. ... Secure Remote access - windows 2003 ... From Internet user machine I am able to ping ...
    (Focus-Microsoft)