Re: SBS VPN Strengthening




"TimeTraveller" <TimeTraveller@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ObicCKzLGHA.1124@xxxxxxxxxxxxxxxxxxxxxxx
Hi All,

Have SBS 2003 along with Server 2003 at various sites, a question I am
getting asked more and more is:

Can we have IPSEC VPN possibly with Certificates for authentication
(thinking L2TP here).

So the Q is.

How straightforward and what needs to be done at both the server side and
the client side.

Particularly if the client PC never directly connects to the Server
network as they are miles from the install site.

How to get the certs to the clients etc.

Have a think along these lines and let's have a thorough HOW TO on this.

PPTP is just a dead duck now and far too hackable.

I don't want to implement 3rd party router solutions and would much rather
use the MS RRAS server etc.

Thanks for your thoughts

TT



I am not sure how you would do all this in SBS itself but going the route
you prefer to avoid in concert with your windows servers......

You could have your SBS server act as a certificate authority for a
number of external firewall/vpn devices. A Juniper Netscreen for instance.
You did not mention how your clients would be connecting. For remote offices
that are part of your business, you would install the Netscreens at each
location and they would establish the VPN between those offices. The
Netscreens would update their certificates using a URL that pointed to your
server acting as a certificate authority.

For remote users in the field you would use a software VPN client to perform
the same VPN functions as the Netscreen devices, but for single user
machines. Again Cert deployment would be performed using a URL to your
certificate server.

If you wanted an easier deployment you could even use a preshared key based
IPSEC VPN for each location that would not require certificates at all.

I am not sure about SBS's own VPN capabilities but in the configurations I
described, if you have one central location that numerous remote offices and
remote users need to connect to, only the central location would require a
static IP for its Internet access. If remote offices also connect to
remote offices you could use a hub and spoke method VPN or use static IPs at
each remote office and create multiple VPNs between offices.

Hopefully this gives you some ideas vs. creating confusion.

