Please comment on this VPN/Router - Svr - Wireless Network setup


  • Please comment on this VPN/Router - Svr - Wireless Network setup

    I'm putting together a network for a small company and have thought of using the following models and design, but am unsure as to:
    • Whether the D-Link VPN would work through the SBS ISA WAN port to allow access to the network?
    • I haven't done the VPN or the wireless before.


    This is what I've come up with; any comments or discussion would be most welcome.

    INTERNET (ADSL2+)
    |
    ROUTER/VPN
    D-Link DSL-G804V
    |
    SERVER
    SBS2003
    (Running ISA & Exchange)
    2 NICs, one for LAN, one for WAN
    |
    SWITCH
    Netgear fs608 8 port switch
    |
    WIRELESS ACCESS POINT
    DAP-1353
    |
    COMPUTERS


    At present they are just running a basic router/modem --> SBS Server --> Switch. No VPN or wireless at this point.

    As a preference I'm wanting to have the server sit between the WAN & LAN so ISA can protect the network.

    Thanks very much.
    I've been using this online backup for all my photos, docs, spreadsheets, powerpoints & emails for years now & it works great.
    Go Here for their free 5GB: http://www.idrive.com/p=gavamm
    I upgraded to the Personal Plan for peace of mind for not much more than a cup of coffee.

  • #2
    Re: Please comment on this VPN/Router - Svr - Wireless Network setup

    Looks OK from here, using the ISA in SBS2003 to do your firewalling and filtering.

    I've reported this for a move to the SBS forum as you will get a better response there.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Please comment on this VPN/Router - Svr - Wireless Network setup

      OK, thanks, maybe SBS forum would be better.

      I'm not really sure what to do in ISA to allow network access once the router has established the VPN. Surely it would still have the same restrictions in place, given that any data travelling over the VPN would still be coming in through ISA's WAN network port?


      • #4
        Re: Please comment on this VPN/Router - Svr - Wireless Network setup

        We used to run ISA but found it a bit limited for our needs, so we swapped to a hosted web solution... anyway.

        ISA is ideal for small companies; it all depends how you set it up.
        I would personally split the ISA and Exchange onto two machines...

        ISA will just monitor the traffic you tell it to and authenticate against AD for web access and VPN... if I remember rightly, you set it up saying:

        Bill has web rights
        Bob has web rights
        Ed has no rights
        Fred has web rights

        You also tell it any VPN traffic is allowed through that port so VPN can successfully authenticate against AD...

        Been a while since I played with ISA though.

        ET



        • #5
          Re: Please comment on this VPN/Router - Svr - Wireless Network setup

          Note this is SBS2003 so separating roles would require a lot of additional licenses!

          Just curious, what limitations did you find with ISA?


          • #6
            Re: Please comment on this VPN/Router - Svr - Wireless Network setup

            Maybe limitations isn't the right word... we found it a bit faffy to do what we needed to do on it.
            We used it a while back; our MDs want usage reports and this, that and the other... the solution we use now is way easier to use, more powerful, and users can produce their own reports etc...

            Does that make sense?



            • #7
              Re: Please comment on this VPN/Router - Svr - Wireless Network setup

              With SBS 2003 Premium running ISA Server there's no need for a router/VPN device in-between the ADSL modem and the server. ISA is designed to be used as an edge firewall with SBS and would normally have a modem only with the external IP address on the external NIC of the ISA Server.

              ISA also sits on top of the Windows Routing and Remote Access service and can be used as a VPN endpoint. This has the advantage of remote users using their Windows logon and password for their VPN credentials. VPN traffic is treated as a separate network by ISA so it can be easily locked down or restricted as required.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog


              • #8
                Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                Just for reference, ISA is pointless on an SBS server unless the server is directly facing the internet, which is a horrible security practice. With only one NIC it can only serve as a proxy.


                • #9
                  Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                  Originally posted by scurlaruntings:
                  "Just for reference, ISA is pointless on an SBS server unless the server is directly facing the internet, which is a horrible security practice. With only one NIC it can only serve as a proxy."

                  Horrible security practice if you don't have ISA Server, I agree. With ISA Server installed it is a very secure setup.

                  Under normal circumstances a DC or Exchange Server would never be at the network perimeter, an ISA Server would be a dedicated server at the network edge. SBS Premium is different and does support being at the edge.


                  • #10
                    Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                    OK, so the 2 options I've got so far are:

                    1. ISA will monitor the traffic you tell it to and authenticate against AD for web access and VPN. (Though I'm guessing we would just authenticate VPN & no web?)
                    2. Set up a L2TP/IPSec VPN server with ISA/RRAS.
                    (I'm assuming I'd need to open ports on the modem/router as well for L2TP & IPSec.. UDP Ports to open: 500, 1701, 50, 4500?)

                    I don't know the steps to implement either; if anyone could help out I'd appreciate it.


                    • #11
                      Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                      I've found this link:

                      Title: How to setup VPN and NAT on Windows Server 2003 as a router
                      Link:
                      http://www.howtonetworking.com/VPN/2003vpn1.htm

                      Not sure how applicable this is for SBS though, nor how to set up ISA.


                      • #12
                        Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                        I've just discovered this in the remote web workplace:

                        Download Connection Manager
                        You can download Connection Manager and use it to remotely connect a computer to your company's network.


                        I think this might resolve the remote access issue; I'll try it on the weekend.


                        • #13
                          Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                          Originally posted by woodgrain:
                          "I've just discovered this in the remote web workplace:

                          Download Connection Manager
                          You can download Connection Manager and use it to remotely connect a computer to your company's network.

                          I think this might resolve the remote access issue; I'll try it on the weekend."

                          That's just the VPN client. You have to preconfigure it from server management and then ensure port 1723 is routable from the internet. The connection manager is just a preconfigured set of parameters that adds the relevant connection to your local PC. Providing you have set up the server to do this ("configure remote access" in server management) you should be fine. Additionally, you can create the connection yourself on the local machine to point to the server.
                          Last edited by scurlaruntings; 21st August 2009, 08:34.

                          Comment
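The forwarding requirements raised in posts #10 and #13, as an added example that is not part of the original thread: a small audit of router port-forward rules that separates TCP/UDP ports from IP protocol numbers (ESP is protocol 50 and GRE is protocol 47, neither is a port). It assumes the VPN server sits behind a NAT router as in the first post's diagram; the `Rule` format, the `192.168.16.2` address and the sample rules are constructed for illustration.

```python
# Added example: audit router port-forward rules for the VPN types in this thread.
# Rule format, addresses and sample rules are constructed for illustration.
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str    # "tcp" / "udp" (number = port) or "ip" (number = IP protocol)
    number: int
    target: str   # internal host the router forwards to

# Traffic that must reach a VPN server sitting behind a NAT router.
REQUIRED = {
    "pptp": {("tcp", 1723): "PPTP control channel",
             ("ip", 47): "GRE, carries the tunnelled data"},
    "l2tp-ipsec": {("udp", 500): "IKE key exchange",
                   ("udp", 4500): "IPsec NAT traversal (ESP inside UDP)"},
}
# ESP (50) and GRE (47) are IP protocol numbers, not TCP/UDP ports.
PROTOCOL_NUMBERS = {50: "ESP", 47: "GRE"}

def audit(rules, vpn, server):
    """Return (missing, warnings) for forwarding `vpn` traffic to `server`."""
    have = {(r.proto, r.number) for r in rules if r.target == server}
    missing = [f"{p}/{n} ({why})" for (p, n), why in REQUIRED[vpn].items()
               if (p, n) not in have]
    warnings = []
    for r in rules:
        if r.proto in ("tcp", "udp") and r.number in PROTOCOL_NUMBERS:
            warnings.append(f"{r.proto}/{r.number}: {PROTOCOL_NUMBERS[r.number]} "
                            f"is IP protocol {r.number}, not a port")
        elif vpn == "l2tp-ipsec" and (r.proto, r.number) == ("udp", 1701):
            warnings.append("udp/1701: L2TP is carried inside IPsec, so the "
                            "router needs no forward for it")
        elif (r.proto, r.number) in REQUIRED[vpn] and r.target != server:
            warnings.append(f"{r.proto}/{r.number} goes to {r.target}, not {server}")
    return missing, warnings

SERVER = "192.168.16.2"   # constructed internal address of the VPN server
# Constructed rule set mirroring the port list asked about in post #10.
SAMPLE = [Rule("udp", n, SERVER) for n in (500, 1701, 50, 4500)]

if __name__ == "__main__":
    for vpn in REQUIRED:
        missing, warnings = audit(SAMPLE, vpn, SERVER)
        print(vpn, "missing:", missing or "nothing")
        for w in warnings:
            print("  warning:", w)
```
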


                          • #14
                            Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                            Originally posted by cruachan:
                            "Horrible security practice if you don't have ISA Server, I agree. With ISA Server installed it is a very secure setup.

                            Under normal circumstances a DC or Exchange Server would never be at the network perimeter, an ISA Server would be a dedicated server at the network edge. SBS Premium is different and does support being at the edge."

                            MS do not support multihomed DCs in SBS 2008 because it's a bad practice to put your DC in the perimeter network, ISA or not. Hence why the premium edition no longer comes with ISA. It should always be firewalled in my opinion.



                            • #15
                              Re: Please comment on this VPN/Router - Svr - Wireless Network setup

                              I know Microsoft have changed their tune on that one, but SBS 2003 Premium breaks so many MS best practice recommendations. Exchange on a DC, ISA on a DC, File and Print on a DC, ISA and Exchange on the same server etc etc.

                              Anyhoo, back on topic, this article should help you set up ISA as a VPN server. isaserver.org is probably the definitive resource on configuring ISA Server and it's well worth having a read through the articles and tutorials there. Helped me out of a few ISA jams in the past.