Re: SBS 2003 R2 limited to 5 VPN connections although I have a 30



The problem is Leythos is correct, a port limited VPN is a great thing to do, but (almost) nobody does it. Even more advanced firewall systems generally default to 'wide open' VPN and 9 out of 10 SMB consultants (let alone DIYers) would probably be surprised to hear about the idea.

Another nail in the idea's coffin is that the port limited VPN is likely to open just those ports which intrusion mechanisms target (ie./eg. Windows file sharing).

Also, RWW _is_ more secure than any form of VPN. To accept this idea is simple, starting from a simple premise.

Argument:
An SBS is likely to have port 443 available publicly. This is due to the likelihood that the owner would like to offer _at least_ OWA for either direct access by people or Windows Mobile devices.
ANY increase in the 'attack surface' is considered a lowering of security. If you do not _need_ to open VPN (or any other) ports you are inherently more secure by not doing so.
The only additional port used by the 'Connect to' process (RDPProxy) is port 4125 and though this would be forwarded from the firewall device to SBS at all times the port is protected (closed) by the SBS firewall until an authenticated user requests it open, at which time it is opened only to traffic from the requesting IP.

You can make RWW's RDPProxy even more secure by doing 2 things:
1) Remove the options on the connect screen that allow connection of remote drives and printers. These default to on so you also need to modify the pages to turn them off. This of course limits functionality. You might think about leaving the options available but modifying the default to off.
2) Implement 2-factor authentication to RWW (the only one I'm aware of is Dana's).

"Charlie Russel - MVP" <charlie@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uU92DOCbJHA.4080@xxxxxxxxxxxxxxxxxxxxxxx
We'll have to agree to disagree. I wasn't questioning the security of the connection, nor the firewall itself. I still strongly prefer RWW with two factor authentication (AuthAnvil + RWWGuard). But I respect your position. Some day we should sit you and Dana down in the same room and get a full fledged debate going...

--
Charlie.
http://msmvps.com/blogs/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

"Leythos" <spam999free@xxxxxxxxxx> wrote in message news:MPG.23c5accc101f0049897c4@xxxxxxxxxxxxxxxxxxxxxxx
In article <u9ByNQ3aJHA.3952@xxxxxxxxxxxxxxxxxxxx>,
charlie@xxxxxxxxxxxxxxxxxxxxxxx says...
I would disagree. Not that the connection isn't secure - I think it is. But
you've now granted level 3 access to an essentially uncontrolled external
PC. If it's owned, your network is owned. I much prefer RWW, which keeps any
external machines from being a direct part of my network.


Wrong, you're still thinking unrestricted access and firewall, which are
not the same.

VPN TO firewall appliance, non-Domain user/password (first combination)

VPN Rule permits ONLY TCP3389 between VPN User IP and Terminal Server,
no other ports.

Remote user connects using Remote Desktop to Terminal Server (or
workstation if you set up a rule for that) and has to login with Windows
user/password (second combination, not same as first).

Only TCP 3389 traffic can pass, requires two different passwords,
limited to TCP 3389 only....

Seems to me that this is MORE secure than RWW.

Most people don't know how to configure a firewall, nor do they know
much about VPN security. In every case we set up VPN connections to only
allow the ports needed, and that means 3389 is about the only port we
allow via VPN sessions.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
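The difference between a 'wide open' VPN rule and the port-limited rule Leythos describes, as an added example that is not part of the thread. It models a first-match firewall over a constructed VPN pool, terminal server and file server (all addresses and services are assumed for illustration) and reports which LAN services a VPN client can actually reach under each rule set:

```python
# Added example, not from the thread: first-match firewall model comparing a
# wide-open VPN rule with a VPN limited to TCP 3389 on the terminal server.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the packet must come from
    dst: str              # CIDR (or single host) the packet must go to
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; anything unmatched is implicitly denied."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"

# Constructed network: VPN client pool, terminal server and a file server.
VPN_POOL = "10.8.0.0/24"
LAN = "192.168.16.0/24"
TERMINAL_SERVER = "192.168.16.10"
FILE_SERVER = "192.168.16.20"
SERVICES = {  # (host, proto, port) listeners on the LAN, constructed
    (TERMINAL_SERVER, "tcp", 3389), (TERMINAL_SERVER, "tcp", 445),
    (FILE_SERVER, "tcp", 445), (FILE_SERVER, "tcp", 139), (FILE_SERVER, "udp", 137),
}

WIDE_OPEN_VPN = [Rule(VPN_POOL, LAN, "any", None, "allow")]
PORT_LIMITED_VPN = [
    Rule(VPN_POOL, TERMINAL_SERVER, "tcp", 3389, "allow"),  # RDP to the TS only
    Rule(VPN_POOL, LAN, "any", None, "deny"),               # nothing else
]

def reachable_services(rules, client_ip, services=SERVICES):
    """Return the LAN services a VPN client at client_ip can reach under rules."""
    return {(host, proto, port) for host, proto, port in services
            if evaluate(rules, client_ip, host, proto, port) == "allow"}
```

Under the wide-open rule every listener (including SMB on the file server) is reachable from a VPN client; under the port-limited rule only TCP 3389 on the terminal server is, which is the attack-surface reduction the thread is arguing about.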




