W2k3 server with only one network card, VPN ok?

Anonymous
October 28, 2004 6:56:07 PM

Archived from groups: comp.dcom.vpn

Hi there,

I learnt from documents that to run VPN on a win2k/2k3 server, it needs two
network cards: one connected to the Internet, and one to the LAN. That's
fine, and I understand this. However, our 2k3 server has only one NIC, and
we configured the VPN, and it's working fine. Saying that, I'd still like to
know if there's any problem (mainly security issues I guess) with this
solution. Hope your Experts can explain to me. Thanks!

This is what we have. We have about 20 machines with one win2k3 server, all
networked. The server functions as the domain controller, terminal server,
file server, etc.. And we have an ADSL modem with built in router for the
broadband connection. I think this is a typical network structure in today's
small business company.

Now we have a new branch in a different suburb, and people there would like
to access the data and use the terminal service in the main branch. So we
configured the 2k3 server to add VPN services. We then modified the
modem/router configuration to open the VPN port (actually, this is the only
port opened). Everything is working fine to me. But back to my question
above, is there any security pitfall with this? Or, do you guys have any
other smarter ideas to achieve this?

Thanks!!

Lei
Anonymous
October 28, 2004 6:56:08 PM

Lei Hu wrote:
> Hi there,
>
> I learnt from documents that to run VPN on a win2k/2k3 server, it needs two
> network cards: one connected to the Internet, and one to the LAN. That's
> fine, and I understand this. However, our 2k3 server has only one NIC, and
> we configured the VPN, and it's working fine. Saying that, I'd still like to
> know if there's any problem (mainly security issues I guess) with this
> solution. Hope your Experts can explain to me. Thanks!
>
> This is what we have. We have about 20 machines with one win2k3 server, all
> networked. The server functions as the domain controller, terminal server,
> file server, etc.. And we have an ADSL modem with built in router for the
> broadband connection. I think this is a typical network structure in today's
> small business company.
>
> Now we have a new branch in a different suburb, and people there would like
> to access the data and use the terminal service in the main branch. So we
> configured the 2k3 server to add VPN services. We then modified the
> modem/router configuration to open the VPN port (actually, this is the only
> port opened). Everything is working fine to me. But back to my question
> above, is there any security pitfall with this? Or, do you guys have any
> other smarter ideas to achieve this?
>
> Thanks!!
>
> Lei

This setup is fine. You usually need 2 network cards if the server is
providing the internet access to the rest of the network (acting as the
router).



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
October 28, 2004 8:25:12 PM

Thanks Mike!! Because we've already had a router, and no need to use the
server as router. So, our one NIC solution is technically ok and safe, isn't
it?

"Mike Drechsler - SPAM PROTECTED EMAIL"
<mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote in message
news:cX%fd.3471298$ic1.354320@news.easynews.com...
> Lei Hu wrote:
>> Hi there,
>>
>> I learnt from documents that to run VPN on a win2k/2k3 server, it needs
>> two network cards: one connected to the Internet, and one to the LAN.
>> That's fine, and I understand this. However, our 2k3 server has only one
>> NIC, and we configured the VPN, and it's working fine. Saying that, I'd
>> still like to know if there's any problem (mainly security issues I
>> guess) with this solution. Hope your Experts can explain to me. Thanks!
>>
>> This is what we have. We have about 20 machines with one win2k3 server,
>> all networked. The server functions as the domain controller, terminal
>> server, file server, etc.. And we have an ADSL modem with built in router
>> for the broadband connection. I think this is a typical network structure
>> in today's small business company.
>>
>> Now we have a new branch in a different suburb, and people there would
>> like to access the data and use the terminal service in the main branch.
>> So we configured the 2k3 server to add VPN services. We then modified the
>> modem/router configuration to open the VPN port (actually, this is the
>> only port opened). Everything is working fine to me. But back to my
>> question above, is there any security pitfall with this? Or, do you guys
>> have any other smarter ideas to achieve this?
>>
>> Thanks!!
>>
>> Lei
>
> This setup is fine. You usually need 2 network cards if the server is
> providing the internet access to the rest of the network (acting as the
> router).
>
>
>
> --
> WARNING! Email address has been altered for spam resistance.
> Please remove the -deletethispart-. section before replying directly.
> Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
October 28, 2004 8:25:13 PM

Lei Hu wrote:
> Thanks Mike!! Because we've already had a router, and no need to use the
> server as router. So, our one NIC solution is technically ok and safe, isn't
> it?
>
> "Mike Drechsler - SPAM PROTECTED EMAIL"
> <mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote in message
> news:cX%fd.3471298$ic1.354320@news.easynews.com...
>
>>Lei Hu wrote:
>>
>>>Hi there,
>>>
>>>I learnt from documents that to run VPN on a win2k/2k3 server, it needs
>>>two network cards: one connected to the Internet, and one to the LAN.
>>>That's fine, and I understand this. However, our 2k3 server has only one
>>>NIC, and we configured the VPN, and it's working fine. Saying that, I'd
>>>still like to know if there's any problem (mainly security issues I
>>>guess) with this solution. Hope your Experts can explain to me. Thanks!
>>>
>>>This is what we have. We have about 20 machines with one win2k3 server,
>>>all networked. The server functions as the domain controller, terminal
>>>server, file server, etc.. And we have an ADSL modem with built in router
>>>for the broadband connection. I think this is a typical network structure
>>>in today's small business company.
>>>
>>>Now we have a new branch in a different suburb, and people there would
>>>like to access the data and use the terminal service in the main branch.
>>>So we configured the 2k3 server to add VPN services. We then modified the
>>>modem/router configuration to open the VPN port (actually, this is the
>>>only port opened). Everything is working fine to me. But back to my
>>>question above, is there any security pitfall with this? Or, do you guys
>>>have any other smarter ideas to achieve this?
>>>
>>>Thanks!!
>>>
>>>Lei
>>
>>This setup is fine. You usually need 2 network cards if the server is
>>providing the internet access to the rest of the network (acting as the
>>router).
>>
>>
>>
>>--
>>WARNING! Email address has been altered for spam resistance.
>>Please remove the -deletethispart-. section before replying directly.
>>Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

It's safe enough. You are still trusting that there is no vulnerability
in that protocol that a hacker could exploit but you would be doing that
in either configuration.

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
October 30, 2004 12:13:00 AM

Hello again, Mike and Others,

Now I've found another problem with my configuration stated in my original
post. I know this has something to do with the notorious browser.

With the configuration, the system is initially working fine. However, once
there's a user dial in via VPN, the server's name disappears from "My
Network Places" of other workstations. I need to reboot the server to let
its name back again. Even though a workstation cannot see the server's name
in "My Network Places", it can still ping the server using its name. It's
really strange. Is this because I use only one NIC? Any idea?

Thanks!

"Mike Drechsler - SPAM PROTECTED EMAIL"
<mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote in message
news:cX%fd.3471298$ic1.354320@news.easynews.com...
> Lei Hu wrote:
>> Hi there,
>>
>> I learnt from documents that to run VPN on a win2k/2k3 server, it needs
>> two network cards: one connected to the Internet, and one to the LAN.
>> That's fine, and I understand this. However, our 2k3 server has only one
>> NIC, and we configured the VPN, and it's working fine. Saying that, I'd
>> still like to know if there's any problem (mainly security issues I
>> guess) with this solution. Hope your Experts can explain to me. Thanks!
>>
>> This is what we have. We have about 20 machines with one win2k3 server,
>> all networked. The server functions as the domain controller, terminal
>> server, file server, etc.. And we have an ADSL modem with built in router
>> for the broadband connection. I think this is a typical network structure
>> in today's small business company.
>>
>> Now we have a new branch in a different suburb, and people there would
>> like to access the data and use the terminal service in the main branch.
>> So we configured the 2k3 server to add VPN services. We then modified the
>> modem/router configuration to open the VPN port (actually, this is the
>> only port opened). Everything is working fine to me. But back to my
>> question above, is there any security pitfall with this? Or, do you guys
>> have any other smarter ideas to achieve this?
>>
>> Thanks!!
>>
>> Lei
>
> This setup is fine. You usually need 2 network cards if the server is
> providing the internet access to the rest of the network (acting as the
> router).
>
>
>
> --
> WARNING! Email address has been altered for spam resistance.
> Please remove the -deletethispart-. section before replying directly.
> Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
October 30, 2004 12:13:01 AM

Lei Hu wrote:
> Hello again, Mike and Others,
>
> Now I've found another problem with my configuration stated in my original
> post. I know this has something to do with the notorious browser.
>
> With the configuration, the system is initially working fine. However, once
> there's a user dial in via VPN, the server's name disappears from "My
> Network Places" of other workstations. I need to reboot the server to let
> its name back again. Even though a workstation cannot see the server's name
> in "My Network Places", it can still ping the server using its name. It's
> really strange. Is this because I use only one NIC? Any idea?
>
> Thanks!
>
> "Mike Drechsler - SPAM PROTECTED EMAIL"
> <mike-newsgroup@-DELETETHISPART-.upcraft.com> wrote in message
> news:cX%fd.3471298$ic1.354320@news.easynews.com...
>
>>Lei Hu wrote:
>>
>>>Hi there,
>>>
>>>I learnt from documents that to run VPN on a win2k/2k3 server, it needs
>>>two network cards: one connected to the Internet, and one to the LAN.
>>>That's fine, and I understand this. However, our 2k3 server has only one
>>>NIC, and we configured the VPN, and it's working fine. Saying that, I'd
>>>still like to know if there's any problem (mainly security issues I
>>>guess) with this solution. Hope your Experts can explain to me. Thanks!
>>>
>>>This is what we have. We have about 20 machines with one win2k3 server,
>>>all networked. The server functions as the domain controller, terminal
>>>server, file server, etc.. And we have an ADSL modem with built in router
>>>for the broadband connection. I think this is a typical network structure
>>>in today's small business company.
>>>
>>>Now we have a new branch in a different suburb, and people there would
>>>like to access the data and use the terminal service in the main branch.
>>>So we configured the 2k3 server to add VPN services. We then modified the
>>>modem/router configuration to open the VPN port (actually, this is the
>>>only port opened). Everything is working fine to me. But back to my
>>>question above, is there any security pitfall with this? Or, do you guys
>>>have any other smarter ideas to achieve this?
>>>
>>>Thanks!!
>>>
>>>Lei
>>
>>This setup is fine. You usually need 2 network cards if the server is
>>providing the internet access to the rest of the network (acting as the
>>router).
>>
>>
>>
>>--
>>WARNING! Email address has been altered for spam resistance.
>>Please remove the -deletethispart-. section before replying directly.
>>Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)

Browsing Network Neighborhood is unreliable over a VPN connection. As
long as you can connect using the name things are fine.



--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
October 30, 2004 2:37:18 PM

Yes, I know it's not reliable over a VPN connection, but what I mean is that
once there's a VPN dialin and even it's disconnected, the workstations
inside the LAN (not the VPN client) cannot see the server in Network
Neighborhood.

> Browsing Network Neighborhood is unreliable over a VPN connection. As
> long as you can connect using the name things are fine.
>
Anonymous
October 30, 2004 2:37:19 PM

Lei Hu wrote:
> Yes, I know it's not reliable over a VPN connection, but what I mean is that
> once there's a VPN dialin and even it's disconnected, the workstations
> inside the LAN (not the VPN client) cannot see the server in Network
> Neighborhood.
>
>
>>Browsing Network Neighborhood is unreliable over a VPN connection. As
>>long as you can connect using the name things are fine.
>>
>
>
>
You may find the resources at this website useful:
http://unknownegg.org/tech/

--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Anonymous
November 5, 2004 12:35:21 PM

Hello All,

First I would like to say I have been messin with VPN configurations
for the past 4-5 weeks. I have tried every configuration in the
book. Well I think I have. First I want to start off with the HW.

--Server Windows 2003 Server Enterprise with 2 NIC cards.
--Linksys RV042 VPN router
--Cable Modem with a dynamic IP well it's pretty static.

So with all this HW I would like to setup a VPN server to accept
connections from the outside world to do work on the local network
and use local resources. The one problem that I face is I would want
the person who is connecting to the local network to use their
connection to get to the internet, but be able to access local
resources, meaning hard disks, etc. I hope you guys can point me in
the right direction. Like I said I have been at this forever, so if
you can let me know how to do this that would be great. Also I am on
a 192.168.100.x and a 192.168.200.x networks with 2 types of routers
if you needed to know that too.

C
*-----------------------*
Posted at:
www.GroupSrv.com
*-----------------------*
Anonymous
November 5, 2004 10:12:15 PM

On 5 Nov 2004 09:35:21 -0600, junk@cdw14-dot-com.no-spam.invalid
(cdw5510) wrote:

>Hello All,
>
>First I would like to say I have been messin with VPN configurations
>for the past 4-5 weeks. I have tried every configuration in the
>book. Well I think I have. First I want to start off with the HW.
>
>--Server Windows 2003 Server Enterprise with 2 NIC cards.
>--Linksys RV042 VPN router
>--Cable Modem with a dynamic IP well it's pretty static.
>
>So with all this HW I would like to setup a VPN server to accept
>connections from the outside world to do work on the local network
>and use local resources. The one problem that I face is I would want
>the person who is connecting to the local network to use their
>connection to get to the internet, but be able to access local
>resources, meaning hard disks, etc. I hope you guys can point me in
>the right direction. Like I said I have been at this forever, so if
>you can let me know how to do this that would be great. Also I am on
>a 192.168.100.x and a 192.168.200.x networks with 2 types of routers
>if you needed to know that too.
>
>C
>*-----------------------*
> Posted at:
> www.GroupSrv.com
>*-----------------------*

Split-Tunnelling

Question:
- Do you want to force the users to surf the internet via your
network / proxy , or surf the internet via their connection ?

Either way, Split-Tunnelling is how you do it; Be careful though,
if you setup a secure tunnel to your network and allow the remote
user access to the internet; You are potentially opening a hole.

David
Anonymous
November 12, 2004 8:39:50 AM

cdw5510 wrote:
> Hello All,
>
> First I would like to say I have been messin with VPN configurations
> for the past 4-5 weeks. I have tried every configuration in the
> book. Well I think I have. First I want to start off with the HW.
>
> --Server Windows 2003 Server Enterprise with 2 NIC cards.
> --Linksys RV042 VPN router
> --Cable Modem with a dynamic IP well it's pretty static.
>
> So with all this HW I would like to setup a VPN server to accept
> connections from the outside world to do work on the local network
> and use local resources. The one problem that I face is I would want
> the person who is connecting to the local network to use their
> connection to get to the internet, but be able to access local
> resources, meaning hard disks, etc. I hope you guys can point me in
> the right direction. Like I said I have been at this forever, so if
> you can let me know how to do this that would be great. Also I am on
> a 192.168.100.x and a 192.168.200.x networks with 2 types of routers
> if you needed to know that too.
>
> C
> *-----------------------*
> Posted at:
> www.GroupSrv.com
> *-----------------------*
I am not familiar with the hardware you are using, but somewhere you
have to configure the following:

1 Local hosts or networks that need to be accessed by the remote site
2 Local hosts or networks that can route traffic to the remote site

For example:
LOCAL CONFIG:
Local network 192.168.0.0/24 ----------> Remote network 192.168.1.0/24

REMOTE CONFIG:
Local network 192.168.1.0/24 -----------> Remote network 192.168.0.0/24

These must be the internal addresses and be EXACT mirror images.

When my VPN router sees I am sending data from a network address within
the 192.168.0.0/24 address space AND destined to an address in the
192.168.1.0/24 network it will send it over the VPN tunnel. If the
destination address is other than the remote network you have defined,
the traffic should be routed through your/their ISP. I think the bottom
line is that if you avoid using 0.0.0.0 for your local and remote
networks, you should get what you are after by default.
Anonymous
November 12, 2004 9:18:20 PM

cdw5510 wrote:
> Hello All,
>
> First I would like to say I have been messin with VPN configurations
> for the past 4-5 weeks. I have tried every configuration in the
> book. Well I think I have. First I want to start off with the HW.
>
> --Server Windows 2003 Server Enterprise with 2 NIC cards.
> --Linksys RV042 VPN router
> --Cable Modem with a dynamic IP well it's pretty static.
>
> So with all this HW I would like to setup a VPN server to accept
> connections from the outside world to do work on the local network
> and use local resources. The one problem that I face is I would want
> the person who is connecting to the local network to use their
> connection to get to the internet, but be able to access local
> resources, meaning hard disks, etc. I hope you guys can point me in
> the right direction. Like I said I have been at this forever, so if
> you can let me know how to do this that would be great. Also I am on
> a 192.168.100.x and a 192.168.200.x networks with 2 types of routers
> if you needed to know that too.
>
> C
> *-----------------------*
> Posted at:
> www.GroupSrv.com
> *-----------------------*

I am not familiar with the hardware you are using, but somewhere you
have to configure the following:

1 Local hosts or networks that need to be accessed by the remote site
2 Local hosts or networks that can route traffic to the remote site

For example:
LOCAL CONFIG:
Local network 192.168.0.0/24 ----------> Remote network 192.168.1.0/24

REMOTE CONFIG:
Local network 192.168.1.0/24 -----------> Remote network 192.168.0.0/24

These must be the internal addresses and be EXACT mirror images.

When my VPN router sees I am sending data from a network address within
the 192.168.0.0/24 address space AND destined to an address in the
192.168.1.0/24 network it will send it over the VPN tunnel. If the
destination address is other than the remote network you have defined,
the traffic should be routed through your/their ISP. I think the bottom
line is that if you avoid using 0.0.0.0 for your local and remote
networks, you should get what you are after by default.
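
The selector rule from the reply above (mirrored local/remote networks, no 0.0.0.0) as an added Python example; it is not part of the original thread and does not model any particular router's configuration. The function names and the 203.0.113.5 Internet address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelPolicy:
    """One site's selector pair: traffic from `local` to `remote` is tunnelled."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def policy(local: str, remote: str) -> TunnelPolicy:
    # ip_network() treats an address with no mask as a /32 host entry,
    # so "192.168.1.0" is NOT the same selector as "192.168.1.0/24".
    return TunnelPolicy(ipaddress.ip_network(local), ipaddress.ip_network(remote))


def check_pair(site_a: TunnelPolicy, site_b: TunnelPolicy) -> list[str]:
    """Return the problems found in a pair of site-to-site selectors."""
    problems = []
    if site_a.local != site_b.remote or site_a.remote != site_b.local:
        problems.append("selectors are not exact mirror images")
    for name, p in (("A", site_a), ("B", site_b)):
        catch_all = [role for role, net in (("local", p.local), ("remote", p.remote))
                     if net.prefixlen == 0]
        for role in catch_all:
            problems.append(f"site {name} {role} selector is 0.0.0.0/0: "
                            "Internet traffic is tunnelled too")
        if not catch_all and p.local.overlaps(p.remote):
            problems.append(f"site {name} local and remote networks overlap")
    return problems


def next_hop(p: TunnelPolicy, src: str, dst: str) -> str:
    """Where a packet goes: 'tunnel' if it matches the selector pair, else 'isp'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "tunnel" if s in p.local and d in p.remote else "isp"


# The two configurations from the post.
MAIN = policy("192.168.0.0/24", "192.168.1.0/24")
BRANCH = policy("192.168.1.0/24", "192.168.0.0/24")

# Constructed faulty variants: mask omitted, and a 0.0.0.0/0 remote selector.
BRANCH_NO_MASK = policy("192.168.1.0", "192.168.0.0/24")
BRANCH_CATCH_ALL = policy("192.168.1.0/24", "0.0.0.0/0")

if __name__ == "__main__":
    print(check_pair(MAIN, BRANCH))            # []
    print(check_pair(MAIN, BRANCH_NO_MASK))    # mirror mismatch
    print(check_pair(MAIN, BRANCH_CATCH_ALL))  # mirror mismatch + catch-all
    print(next_hop(MAIN, "192.168.0.10", "192.168.1.20"))  # tunnel
    print(next_hop(MAIN, "192.168.0.10", "203.0.113.5"))   # isp
```

With mirrored /24 selectors, only branch-to-branch traffic enters the tunnel and everything else leaves through the local ISP, which is the split-tunnel behaviour discussed earlier in the thread.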