Re: Secure Remote access - windows 2003

Hi

Jim - I did option 2. Manual routes on hosts that should be reachable
by VPN and it works just the way you mentioned. Thank you

Susan: To heighten security - a bit - instead of configuring
everything on the DC I have put a separate box which has a
valid Internet IP and RRAS and then hosted the DC behind it.

Works well till now.

Thanks for all the help.

On 1/5/07, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
If the LAN hosts don't have a route through the RRAS server to the VPN clients, they can't respond to traffic that comes from the VPN clients.
You have two options:
1. adjust your network routing path to include a route to the VPN client subnet through the RRAS server
2. enter manual routes on only those hosts that should be reachable by the VPN clients.

Personally, I'd go with #2; it's more management, but it provides a small measure of security since the VPN client cannot establish a connection with a LAN host that is lacking such a route.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
Sent: Thursday, January 04, 2007 8:03 AM
To: James D. Stallard
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Secure Remote access - windows 2003

Looks like a routing problem to me too.

But I feel DHCP or static is NOT the issue. My static address pool is
10.10.10.1 - 10.10.10.10.

On connection, the Internet user is getting address 10.10.10.1. When he tries to ping 192.168.0.201, an internal machine, what will be the source IP of that packet as seen by 192.168.0.201? If the source IP is
10.10.10.1 then maybe I need to add a route for this 10.10.10.10 static pool on the internal host .201.

Any other suggestions?



On 1/4/07, James D. Stallard <james@xxxxxxxxxxxxx> wrote:
> I'm not a routing expert, but I suspect you have configured your RRAS
> Server to assign addresses from a pool of addresses, rather than use DHCP.
>
> Under the Properties dialog for your server and in the IP tab you need
> to check the box labelled Enable IP Routing and also the radio button
> Dynamic Host Configuration Protocol. You want to be using the existing
> internal DHCP server to allocate addresses to your inbound VPN clients.
>
> The good news is that if you decide to start from scratch it is a
> simple matter to disable and re-enable RRAS and re-do your
> configuration with the default settings.
>
> Not sure why you enabled IP forwarding in the registry, the (very)
> basic solution described does not require you to do so.
> Cheers
>
> James D. Stallard
>
> -----Original Message-----
> From: dubaisans dubai [mailto:dubaisans@xxxxxxxxx]
> Sent: 04 January 2007 14:48
> To: James D. Stallard
> Cc: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: Re: Secure Remote access - windows 2003
>
> Using the instructions I have successfully set up the L2TP/IPSEC tunnel
> up till the gateway. Now if I want to access the internal network, what
> else should I do on the RRAS server? From the Internet user machine I am
> able to ping both the Internet interface and the internal interface
> [192.168.0.200] of the RRAS server. But I cannot ping any other
> internal machine [192.168.0.201] connected on the same LAN as the internal network interface.
>
> On the RRAS server I have enabled IP forwarding through the Registry.
> The address pool is configured and is getting allocated to the Internet user
> when he connects.
>
> On 1/3/07, James D. Stallard <james@xxxxxxxxxxxxx> wrote:
> > You don't mention the number of users, but the budget suggests small
> > scale :)
> >
> > Windows 2003, SP1 and R2 provide RRAS, which will do L2TP/IPSEC, and
> > with WXP SP2 as your client you have 2048bit Diffie-Hellman
> > encryption available.
> >
> > Setting up RRAS to perform this task is done in less than 20 minutes
> > and is easy to get through a firewall inbound (IE your firewall).
> > The problems you have to face are:
> >
> > . If you wish to use pre-shared keys (the "cheapest" way of doing
> > it) you will need to configure the PSK passphrase on each client
> > individually - easy with a small number of clients. Otherwise, you
> > will need to invest in a certificate authority.
> >
> > . This is only suitable for access by known machines, not for
> > internet café type environments.
> >
> > . This solution works great for the remote home user, but is less
> > successful for your travelling salesmen using the client's internet
> > connection as they generally have the relevant ports/protocols blocked.
> >
> > . The locally configured PSK may not be stored in a highly secure
> > manner on the client machines and could possibly become known in the
> > event a machine configured with it is stolen. You may find yourself
> > having to re-deploy a new PSK.
> >
> > I wrote a quick and dirty step-by-step here:
> > http://www.leafgrove.com/view_article.asp?id=19&cat=16&state=plus
> >
> > In case one of your configured laptops is stolen and an attempt is
> > made on your RRAS solution, pay attention to your account locking on
> > failed password settings. You want permanent locks on a small number
> > of attempts (say 5), thus forcing administrative intervention and
> > investigation in the event of an account becoming locked.
> >
> > Cheers
> >
> > James D. Stallard
> >
> > -----Original Message-----
> > From: listbounce@xxxxxxxxxxxxxxxxx
> > [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of dubaisans dubai
> > Sent: 02 January 2007 04:17
> > To: focus-ms@xxxxxxxxxxxxxxxxx
> > Subject: Secure Remote access - windows 2003
> >
> > I am planning to provide remote access from the Internet to a Windows
> > 2003 domain controller. User-ids and NTFS permissions are all configured.
> >
> > The objective is file sharing and access.
> >
> > Files will need to be copied. The machine has a valid Internet IP
> > address and is sitting behind a Firewall.
> >
> > I would like to keep the solution independent of the Firewall. This will be
> > accessed by roaming users. I am thinking of something like OpenSSH
> > for Windows or maybe just GUI based Secure-FTP.
> >
> > Challenges I am facing
> > ------------------------------------
> > Authentication should be strong. Something more than a password.
> > [No budget for RSA SecurID :-))) ]
> >
> > Encryption for user credentials/data access
> >
> > Options considered
> > ----------------------------------
> > I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File
> > copy is not simple and also you require Application Mode license.
> >
> > The number of remote users - less than 100
> >
> > A cost effective, easy to implement and easy to manage solution is
> > sought.
> >
> >
> >
> >
>
>
>
>
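The manual per-host route that Jim's option 2 calls for, as an added example (PowerShell wrapping route.exe, not code from anyone in the thread), using the addresses quoted in the thread and assuming the pool sits inside 10.10.10.0/24. Keep in mind what the missing route does and does not buy you: a host without it simply cannot send replies, but the VPN client's packets still reach it, so a filter on the RRAS box or the host is what actually restricts access.

```powershell
# Added example, not from the thread: "option 2" from Jim's reply, a persistent
# return route on one LAN host toward the RRAS VPN client pool. Addresses are
# the ones quoted in the thread; the /24 is an assumption that covers the
# 10.10.10.1-10.10.10.10 pool.
function Add-VpnReturnRoute {
    param(
        [string]$PoolNetwork  = '10.10.10.0',
        [string]$PoolMask     = '255.255.255.0',
        [string]$RrasInternal = '192.168.0.200'   # RRAS server's LAN-side interface
    )
    # Match an existing "Network Destination  Netmask" pair in route.exe output.
    $pattern = '^\s*{0}\s+{1}\s' -f [regex]::Escape($PoolNetwork), [regex]::Escape($PoolMask)
    if (route print | Select-String -Pattern $pattern) {
        Write-Output "Route to $PoolNetwork/$PoolMask already present; nothing to do."
        return $false
    }
    # -p stores the route under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
    # so it survives a reboot; route.exe prints " OK!" on success.
    $result = route -p add $PoolNetwork mask $PoolMask $RrasInternal
    if ($result -notmatch 'OK!') {
        throw "route add failed: $result"
    }
    return $true
}

# Confirm the host will answer via the RRAS box: the gateway column for the pool
# network must be the RRAS internal interface, not the host's default gateway.
function Test-VpnReturnRoute {
    param(
        [string]$PoolNetwork  = '10.10.10.0',
        [string]$RrasInternal = '192.168.0.200'
    )
    $pattern = '^\s*{0}\s+\S+\s+{1}\s' -f [regex]::Escape($PoolNetwork), [regex]::Escape($RrasInternal)
    return [bool](route print | Select-String -Pattern $pattern)
}

# Run elevated on each LAN host that VPN users should reach (e.g. 192.168.0.201).
Add-VpnReturnRoute
if (-not (Test-VpnReturnRoute)) {
    Write-Warning 'Return route missing; VPN clients will get no replies from this host.'
}
```

Hosts that should stay unreachable simply never get the route, which is the whole point of Jim's option 2; the RRAS server itself still needs Enable IP Routing ticked, as James describes, or nothing is forwarded at all.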
