RE: Low budget VPN?????

From: Chisholm Wildermuth (cwildermuth@dbwebnet.net)
Date: 05/10/02


Date: Fri, 10 May 2002 09:38:07 -0700
From: "Chisholm Wildermuth" <cwildermuth@dbwebnet.net>
To: "Peter Mueller" <pmueller@sidestep.com>

If this is the case:

"I believe the gentleman was referring to a VPN that would cause his
terminal services port to not remain open on the internet"

What we have done to circumvent this problem is this:

Set up RRAS to allow VPN connections and make sure it's working.

Set up RRAS packet filters to block outside connections to all ports except
the VPN (TCP 1723) (or, additionally, any other ports that need to be reachable
from the real world).

Set up RRAS to allow connections to Terminal Server (TCP port 3389) from only
the IP addresses delegated when connecting to VPN.

This creates a situation where the Terminal Server will not show up and
cannot be connected to publicly. The only port which will allow connections
from the real world is 1723 (VPN). So, to access Terminal Server you must
VPN first, then open a terminal session.

If someone needs more specifics on how to set it up, let me know.

Chisholm Wildermuth
Systems Engineer
dbWebNet, Inc.

-----------------------------------------------------------------------
The opinions expressed here are my own and do not necessarily reflect those
of my employer.
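The "VPN first, then Terminal Server" policy above, as an added example that is not part of the original post: it expresses the same three rules with Windows Firewall cmdlets on a current Windows Server rather than the Windows 2000 RRAS packet filters the post describes. It assumes RRAS hands VPN clients addresses from a hypothetical static pool 10.99.0.0/24; the rule names are made up. Because PPTP carries the tunnel in GRE (IP protocol 47) alongside the TCP 1723 control channel, the example allows both.

```powershell
# Added example (not from the original post): the "VPN first, then Terminal
# Server" policy as Windows Firewall rules via PowerShell on a current Windows
# Server, instead of the Windows 2000 RRAS packet filters the post used.
# ASSUMPTION: RRAS assigns VPN clients addresses from this hypothetical pool.
$VpnPool = '10.99.0.0/24'

# 1. Default-deny inbound on every profile, so only explicit allow rules pass.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block

# 2. Expose only the VPN service to the public internet. PPTP needs TCP 1723
#    for the control channel and GRE (IP protocol 47) for the tunnel itself.
New-NetFirewallRule -DisplayName 'VPN-PPTP-Control' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 1723
New-NetFirewallRule -DisplayName 'VPN-PPTP-GRE' -Direction Inbound `
    -Action Allow -Protocol 47

# 3. Terminal Server (TCP 3389) is reachable only from the VPN address pool.
New-NetFirewallRule -DisplayName 'TS-RDP-from-VPN-only' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $VpnPool

# 4. Check: list every enabled inbound allow rule that covers port 3389 and
#    show its remote-address scope. Any entry scoped to 'Any' (for example a
#    pre-existing built-in Remote Desktop rule) still exposes 3389 publicly,
#    because Windows Firewall allows traffic if any allow rule matches.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($scope -join ',')
        }
    }
```

Run it in an elevated PowerShell session on the server. The final query is the part worth keeping around: the post's guarantee that 3389 "will not show up" only holds while the single rule scoped to the VPN pool is the only allow rule for that port, and the listing makes that visible after any later rule change.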

-----Original Message-----
From: Peter Mueller [mailto:pmueller@sidestep.com]
Sent: Thursday, May 09, 2002 12:07 PM
To: 'Melameth, Daniel D.'; joemccray@hardestworkingmanonline.com;
security-basics@securityfocus.com
Subject: RE: Low budget VPN?????

> Windows 2000 Terminal Server supports 128-bit encrypted sessions
> "out-of-the-box"...

and

> Other then pushing a GUI over SSH (which I'm considering), what
> would be a low or no cost VPN solution for me to log into my home
> network (Windows based so I can connect to MS Terminal Server).

I would suggest an IPSEC
device, perhaps freeswan (http://www.freeswan.org) or kame
(http://www.kame.org). If these aren't options then perhaps L2TP/PPTP
tunneling or an SSH tunnel will do the trick.

good luck

Peter


