Re: Establish external trust over a NAT device
- From: "Kurt" <lorentzenkurt@xxxxxxxxxxxxxxxxxx>
- Date: Sat, 19 Aug 2006 16:43:02 -0700
That's what I've been able to do in the past, which actually works very
well. I've never tried NAT (rather than ICS), but I'm sure the results would
be just as good. I suppose you could have a server on both ends and a client
on both ends and share both client connections. I have been known to grumble
when people answer the question, "How do I get ICS to work?" with, "Forget
it - buy a router." I don't want to sound like I'm doing the same thing by
suggesting hardware over Windows built-in functionality for a VPN solution.
But for a trust between sites (and the suggestion therefore of a relatively
continuous flow of traffic), I would still feel comfortable recommending a
pair of VPN capable routers. If you use identical hardware at both ends and
just accept the defaults there's really not much to configure except the
private network numbers and the shared secret. There's also the fact that
even a fairly cheap ($200) router will likely have much better throughput
which may or may not be an issue depending on available WAN bandwidth. I WILL
give the Windows PPTP thing a try as a bi-directional solution though.
Thanks,
....kurt
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:et683H%23wGHA.3392@xxxxxxxxxxxxxxxxxxxxxxx
"Kurt" <lorentzenkurt@xxxxxxxxxxxxxxxxxx> wrote in message
news:12eekm9499pbd98@xxxxxxxxxxxxxxxxxxxxx
Thanks Herb,
Of course you are right. I probably should have said "usually". Of course
the PPTP tunnel itself is capable of carrying any kind of traffic in either
or both directions, but most implementations I've seen pretty much spec a
server which allows multiple individual connections to be made. I have
successfully shared a PPTP client connection which allows the whole side
access, but I've not found where the Windows client can do this as a part
of its regular decorum (at least not from the usual "wizard"). There are
some brands of routers that support PPTP client and server modes, but
even they generally recommend IPSec for fully bi-directional
network-to-network. I would be really interested in how to set this up
using a Windows RRAS server and a Windows client if you have any links.
On workstations it is merely by sharing the PPTP with ICS.
On Server you can (optionally) use the RRAS to do almost
the same but with better control, by creating the PPTP or
L2TP and routing over it with or without NAT on that connection.
You could actually do this by enabling ROUTING manually but
few people even realize that a workstation can be a router.
The major difference between the 'workstation' version and the
Server RRAS capabilities is the idea of "demand dial routes"
which kick in ONLY when the connection is in place AND
can be used by the routing software to CAUSE the connection
to be enabled.
This last requires giving the "dial" (connecting) router the
username (with password) in its connection configuration that
match an INTERFACE NAME and Account on the ANSWERING
router.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks,
...kurt
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:uEey8m2wGHA.5056@xxxxxxxxxxxxxxxxxxxxxxx
"Kurt" <lorentzenkurt@xxxxxxxxxxxxxxxxxx> wrote in message
news:12ectmtfi3gip01@xxxxxxxxxxxxxxxxxxxxx
For a trust to work you'll need a lot more than just NetBIOS traffic. The
BEST way is to use NAT devices (also called routers) that will allow
you to set up an IPSec tunnel between networks, otherwise your trust
will be more or less useless because Windows PPTP VPNs connect hosts to
networks, not networks to networks.
While I agree with the first part about setting up a tunnel, the
latter part is wrong.
Both Windows PPTP and L2TP can be used to set up fully functioning
Router-Router connections which can be used to tunnel traffic.
IPSec tunnels are moderately HARDER to set up since this is not
covered in the RRAS Console and must be set up more or less
manually.
Of course the difficulty of setting up any kind of tunnel will vary on
a purpose-built router, but Windows (especially Server) can do this
quite well.
Doesn't change the recommendation probably, but the details were just
not correct.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
...kurt
"Leif P" <anon@xxxxxxxx> wrote in message
news:e$oLyyqwGHA.3964@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have seen several posts on the internet claiming that it is not
possible to create an external trust between 2 Windows Server 2003
domains over a NAT device.
I read this article: http://support.microsoft.com/kb/172227, which says it
should be possible if the NAT device also replaces the NetBIOS owner
IP address.
Is it possible to create an external trust over a NAT device if the
NAT device replaces the owner IP address in the NetBIOS packets?
Leif P
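The "owner IP address in the NetBIOS packets" that the question refers to is an address carried inside the NBNS payload (the NB_ADDRESS field of an RFC 1002 NB resource record), not in the IP header, so an ordinary NAT device that only rewrites headers leaves it untouched. The following is an added example, not code from anyone in this thread: it builds a constructed NBNS name query response, parses the embedded owner address back out, and reports any embedded address that disagrees with the packet's post-NAT source IP, which is exactly the mismatch a trust across an unaware NAT would show. The packet layout follows RFC 1002; the name, addresses and transaction id are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

NB_RR_TYPE = 0x0020  # RFC 1002 "NB" resource record type


def encode_nb_name(name: str, suffix: int = 0x20) -> bytes:
    """First-level encode a NetBIOS name: 15 chars space-padded plus suffix byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return bytes([len(enc)]) + enc + b"\x00"


def decode_nb_name(data: bytes, off: int):
    """Return (name, suffix, next_offset) for the encoded name at data[off]."""
    length = data[off]
    enc = data[off + 1:off + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + length + 1


def build_name_query_response(trn_id: int, name: str, owner_ip: str, ttl: int = 300000) -> bytes:
    """Constructed positive NBNS name query response carrying one owner address."""
    header = struct.pack("!HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)  # response, AA, RD, RA; 1 answer
    rdata = struct.pack("!H", 0x0000) + IPv4Address(owner_ip).packed  # NB_FLAGS + NB_ADDRESS
    rr = encode_nb_name(name) + struct.pack("!HHIH", NB_RR_TYPE, 1, ttl, len(rdata)) + rdata
    return header + rr


def parse_embedded_addresses(packet: bytes):
    """Return (name, [owner IPs]) found in the answer RDATA of an NBNS response."""
    name, _suffix, off = decode_nb_name(packet, 12)  # no question section, answer follows header
    rr_type, _rr_class, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    addrs = []
    if rr_type == NB_RR_TYPE:
        for entry in range(off, off + rdlen, 6):  # each entry: 2 bytes NB_FLAGS + 4 bytes NB_ADDRESS
            addrs.append(str(IPv4Address(packet[entry + 2:entry + 6])))
    return name, addrs


def unrewritten_addresses(packet: bytes, outer_src_ip: str):
    """Owner IPs inside the NetBIOS payload that differ from the (post-NAT) IP header source."""
    _name, addrs = parse_embedded_addresses(packet)
    return [a for a in addrs if a != outer_src_ip]
```

A mismatch list that is non-empty after the packet has crossed the NAT means the device rewrote only the header, and the far side will try to reach the private owner address directly.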