Complex network and VPN quandary

Last response: in Networking
December 1, 2009 7:46:28 AM

Morning all, first post, so go easy on me :) 

I have a situation where I need to add a VPN server or device to our network to facilitate iPhone (and other handset) connectivity to Exchange. Unfortunately, it's not that straight forward as I have some caveats as well as security concerns over this.

Firstly, I want to have the VPN server on a separate internet connection to our main company one. The main connection has a complex Sonicwall Firewall and VPN device on it both of which are on managed service contracts and hence cannot be altered. The Sonicwall VPN device uses a proprietary protocol which (surprise surprise) does not work on the iPhone. As far as I can find there is no app to facilitate this either.

I thought it may be possible to implement a Linux box to act as the VPN server, using a separate internet connection we have, that is also connected to our main comms, just as a backdoor option. And I think this is my main question....

Can I set up a linux box (or other machine) with a different gateway address to that of our exchange server (and hence all other servers and machines in the company) and still get VPN connectivity through that to Exchange? I'm sure I read somewhere that this would not work as the server has a different gateway address.

Alternatively is there a different method? I have a plethora of spare machines, xp pro etc. and I'm happy to install a linux box.

Any help gratefully received, thank you all.
December 1, 2009 2:16:08 PM

Bizness said: [quotes the original post above in full]

I'm not sure what class of Sonicwall you have, but if you have an E-class, then I have provided some useful info for your Sonicwall service provider.
E-Class Series
  • What version of Exchange are you running and do you have an ISA server in the DMZ in front of it?
  • Can you not use OWA or activesync to meet your needs? Activesync Setup how-to
  • If your Sonicwall is under a Svc agreement, then the company handling your Sonicwall can and should do any configs you request.

I have included directions and the kb article from Sonicwall on the configs, and under that are a couple of Linux VPN solutions.

Let us know how it goes.


**************************************************************************************************
EX SSL-VPN: What Level Of Support Is Provided For iPod Touch, iPhone, and iPhone 3G?
Answer/Article

Article Applies To:

Affected SonicWALL Security Appliance Platforms:

E-Class Secure Remote Access (EX SSL-VPN): All hardware platforms

Affected Firmware versions: Version 8.9.0 and later.

Affected Services: Aventail Management Console, Web Access Service, WorkPlace

What level of support is provided for iPod Touch, iPhone, and iPhone 3G?

At this time, there is no Connect Mobile client available for iPod Touch, iPhone, and iPhone 3G. SonicWALL is investigating what level of support it can provide for this client in a future release. For now, however, Mobile WorkPlace support is available for these users, as described below.

Workaround

A browser profile maps a user-agent string to a specific device type. By creating a browser profile in AMC for your Apple device, you can provide iPod Touch and iPhone users translated Web access to resources through Mobile WorkPlace.

1. In AMC, click on Agent Configuration in the main navigation menu on the left.
2. In the Other Agents section, under Web browser profiles, click Edit.
3. Click New.
4. In the User-agent string column, enter *iPhone* (for an Apple phone) or *iPod* (for an iTouch).
5. Depending on the appliance version you have, for Device type select the following:
   1. 9.0.x and earlier: Smart Phone Advanced
   2. 10.0.x: Advanced mobile (Touch screen and JavaScript)
6. (Optional) For Description enter Apple iPhone or Apple iPod Touch, depending on your device.
7. Click OK, and then click Save.
8. Apply your changes in AMC.

iPhone users who log in to your appliance will now load Mobile WorkPlace, which will format WorkPlace to fit the iPhone's screen.
KBID 5364
Date Modified 2/13/2009
Date Created 10/2/2008

******************** Linux VPN **************

1.) You better have permission to do this or you might find yourself in hot water.
2.) Also realise that Open source means the source code is known and that you need to make sure that box is secure, and updated regularly!!! Failing to do so could result in a security breach!!!!
3.) If you're not the network admin, you need to have a chat with him or her.

You will need a public IP address for the WAN side of the Linux VPN box, and static IP info for the LAN side.

http://www.linux.org/docs/ldp/howto/Secure-BootCD-VPN-H...

or you could get Ubuntu or another Debian based distro and do this...

http://blog.rootshell.be/2008/11/07/iphone-linux-vpn/
December 1, 2009 3:05:22 PM

Thank you for the reply, I'll have a read and come back to you.

Exchange is 2003 version included with SBS server.
December 1, 2009 3:35:00 PM

Thank you again for your help NTAdmin101. As mentioned above, the server at this company is running SBS including the bundled Exchange. Hence although we've approximately 6 servers now running off that SBS DC, we have ISA or DMZ at present.


Existing Sonicwall Kit is...
Firewall - Sonicwall Pro 2040
VPN Device - Sonicwall SSL VPN 200

...so I think the Sonicwall KB article won't be relevant for our devices. :(  I have access to the VPN admin console of that VPN device and I've had a quick look in there for the AMC mentioned above, but can't find it.

Yes, I am the IT Manager here, so effectively can do what I like. The company directors want me to just open the ports of the managed firewall to facilitate this but I'm against doing that as I do know we're attacked regularly and considerably, so want to keep the security effectively in the ownership of the company the firewall's rented from. Any issues, problems, down time, their fault and they pay for it.

I've had a look at the article you posted regarding active sync, which is great but not much use until I can get the phone on the network. For example, I cover 3 - 4 different companies all of different sizes, number of users and hence technology complexity. For one of them, they have a simple Netgear router, with port 1723 open and forwarding, so I can easily logon to that network remotely via PPTP and have full iPhone functionality already. I know it's not wonderfully secure but in truth, they're a far smaller company with virtually no data and I'm less worried about the security side of that company. Unfortunately they're not really the ones with the handset syncing requirements.

Thanks for the Linux link too, I had something similar that I've already followed but I'll try this one tomorrow too. I think that's my best way forward, but still leaves me asking the same question... Can I get a Linux box working on what will be a different gateway (another SDSL router) to that of my Exchange server and still be able to access Exchange from the phone? My earlier attempts failed and I believe I'll need an additional NIC in the Exchange server, on a different subnet with the Linux box to facilitate. Slightly beyond my knowledge I fear.

I'll keep you posted.
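The routing question raised in this post (and in the original post above), worked as an added example that is not part of the thread: a longest-prefix-match model of the Exchange server's routing table, using constructed addresses (192.168.1.0/24 LAN, Sonicwall at .1, Linux VPN box at .50, client pool 10.8.0.0/24, all assumptions), showing why replies to VPN clients are lost when the Linux box is not the server's default gateway, and the two standard fixes: a static route on the Exchange server, or masquerading on the Linux box.

```python
import ipaddress

# Constructed example addressing (assumptions, not values from the thread):
LAN = ipaddress.ip_network("192.168.1.0/24")       # company LAN behind the Sonicwall
SONICWALL_GW = "192.168.1.1"                       # default gateway of the Exchange/SBS box
LINUX_VPN_LAN_IP = "192.168.1.50"                  # LAN-side NIC of the Linux VPN box
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")     # addresses handed out to VPN clients
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.

    A gateway of None means the destination is on-link and is delivered directly.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def exchange_routes(static_route=False):
    """Routing table of the Exchange server, optionally with a route to the VPN pool.

    The static route is what 'route -p add 10.8.0.0 mask 255.255.255.0 192.168.1.50'
    would add on Windows; no second NIC or separate subnet is needed for it.
    """
    routes = [(LAN, None), (DEFAULT, SONICWALL_GW)]
    if static_route:
        routes.append((VPN_POOL, LINUX_VPN_LAN_IP))
    return routes


def reply_path(client_ip, static_route=False, masquerade=False):
    """Where the Exchange server sends its reply to a VPN client.

    masquerade=True models 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1
    -j MASQUERADE' on the Linux box: Exchange then sees the box's LAN IP as the
    source and replies on-link, at the cost of losing per-client IPs in its logs.
    Returns ('ok', hop) when the reply reaches the Linux box, ('lost', hop) otherwise.
    """
    src_seen = LINUX_VPN_LAN_IP if masquerade else client_ip
    hop = next_hop(exchange_routes(static_route), src_seen)
    if hop is None:
        return ("ok", "direct")            # on-link delivery to the Linux box
    if hop == LINUX_VPN_LAN_IP:
        return ("ok", hop)                 # static route hands it to the Linux box
    return ("lost", hop)                   # default route: Sonicwall never routes it back
```

In either variant the Linux box itself must forward (net.ipv4.ip_forward=1); its own default gateway being the second SDSL router does not matter for LAN destinations, which are on-link for it.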
December 2, 2009 9:22:57 AM

Epic fail on the Linux instruction set linked here. Found a new documentation listing on poptop.sourceforge.net which I'm giving a go today.
December 4, 2009 7:31:57 PM

I don't mess with the iPhone at all and it's been years since my last job that put me into the Exchange world.

Any thought into using the web access feature of Exchange that would allow them to browse to the internet and log in that way? Granted, it wouldn't operate as a blackberry would and sync in that manner, but if the app loads on the phone you're good to go. On top of that, everyone could access their email while outside of the office if they're at home, etc. More security worries, but it may solve your problem for you.