VPN Help?

I'm a hardware guy before I'm a software guy, but I've been asked to look into some basic VPN functionality for a server at work. It's running Windows SBS 2003 (only has one NIC, but I've set up a loopback connection for the time being), and every client is Windows XP... There's also an old Windows Server 2000 box sitting here that I'll be decommissioning or re-purposing soon.

Anyway, the goal is to have a user log on to their company laptop at a remote location as if they were logging into our domain. Is this possible? I've got it set up such that a remote user can connect to the Windows VPN using the "Log on using dial-up connection" option at the log-in screen, but they can't access any of the domain's resources. I'm guessing I'm either missing something obvious, or the loopback connection is the problem (and I should just install a second NIC).

Any ideas? Suggestions? Or should I just invest in something like this?

Thanks!
 
I would definitely recommend a hardware VPN device. I am not familiar with the RV016 from Linksys, but I imagine it would do a good enough job. For a few hundred more you can get a Cisco ASA5505, which would be my personal recommendation since I'm a Cisco guy. :D

SBS2003 can only do PPTP VPN connections which are not nearly as secure as IPSec. At least that is my understanding anyway.
 
Have the users use RWW; that would be a better option in my opinion.

If they do want to use VPN, run the remote access role through server management, then enable dial-in on the user account, set up a VPN on their laptop, and map drives over.

You do not need their remote machines to be on a domain; just have them authenticate with the PPTP VPN and access files or Exchange server.

A better option would be RWW, and allow the user to log into the work machine.
 
AD profiles are cached on the machine.

So once a user logs onto a laptop for the first time (hooked into the network), the profile is cached on the computer. This way, when the user disconnects from the network, they can still log on using their AD credentials.

You could then set up a VPN, and place a shortcut to their startup script to do the drive mapping.

This way, they connect to the VPN, run the startup script, and voila, network shares and resources are available.
 
Well, for a proper VPN a second NIC is recommended.

You can set up IPSEC VPNs in Windows 2003, I'm sure! Mind you, I prefer to use PPTP if my only choice was Windows. Setting up RRAS is not very hard at all in Win2003; just make sure you get a second NIC.

Where I work now, we set up a Cisco-based VPN which allows clients to connect to a special VPN network containing a few terminal servers and a link to the intranet using a second NIC on our app server. I personally don't like the idea of accessing Windows file shares over WAN links; it's a much better user experience when a user just connects to a terminal server, as there is less bandwidth used and it allows a user to reconnect and disconnect a session.
 
> I would definitely recommend a hardware VPN device.

I plan to go with one eventually, but we're a not-for-profit, so budgeting can be... Interesting... At times.

> Have the users use RWW; that would be a better option in my opinion.
>
> If they do want to use VPN, run the remote access role through server management, then enable dial-in on the user account

Already did both of those, but I'm looking for something a little more seamless. Also, since I'm specifically setting this up for our laptops that will be used at remote locations, it might be tough for them to log in to their work computer remotely when they have it with them ;)

> This way, they connect to the VPN, run the startup script, and voila, network shares and resources are available.

Yup, but the problem is that the remote computers can't seem to find the network resources they're trying to map.

Anyway, I've made some progress! The VPN connection is working fine, and the loopback connection is sufficient for now, but it seems as though I can only map resources with local IP addresses (192.168.x.x) and not names as they appear on the network (e.g. "server", "printer", etc... No, those are not the real names we're using); is that normal?
 
> Anyway, I've made some progress! The VPN connection is working fine, and the loopback connection is sufficient for now, but it seems as though I can only map resources with local IP addresses (192.168.x.x) and not names as they appear on the network (e.g. "server", "printer", etc... No, those are not the real names we're using); is that normal?

Yes, unless the laptops are using your DNS servers.
 
> Yes, unless the laptops are using your DNS servers.

Thought so... I could've sworn I set the laptop I was testing with to do that, though... Then again, I've inherited a bit of a mess with the network setup here. Something to look into.

Thanks!
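
One way to check the DNS point raised above, as an added example that is not from any poster in the thread: it parses saved `ipconfig /all` output and reports which DNS servers the VPN adapter received and whether any falls in the internal 192.168.x.x range. The sample output, the adapter names, and the assumption that the VPN link appears under a "PPP adapter" heading with IPv4-only DNS entries are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output from a VPN-connected XP laptop (not from the thread).
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 10.0.0.23
        DNS Servers . . . . . . . . . . . : 10.0.0.1

PPP adapter Work VPN:

        IP Address. . . . . . . . . . . . : 192.168.16.50
        DNS Servers . . . . . . . . . . . : 192.168.16.2
                                            192.168.16.3
"""

FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*?)\s*$")  # "   Label . . . : value"

def parse_adapters(text):
    """Return {adapter heading: {label: [values]}} from `ipconfig /all` text."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # An unindented line ending in ':' opens an adapter section.
            is_heading = line.rstrip().endswith(":")
            current = adapters.setdefault(line.rstrip(": "), {}) if is_heading else None
            last = None
        elif current is not None and line.strip():
            match = FIELD.match(line)
            if match:
                last = current.setdefault(match.group(1), [])
                if match.group(2):
                    last.append(match.group(2))
            elif last is not None:
                last.append(line.strip())  # continuation line, e.g. a second DNS server
    return adapters

def vpn_dns_report(text, internal_net="192.168.0.0/16"):
    """Map each PPP (VPN) adapter to (DNS servers, True if any lies in internal_net)."""
    net = ipaddress.ip_network(internal_net)
    report = {}
    for name, fields in parse_adapters(text).items():
        if name.startswith("PPP adapter"):
            servers = fields.get("DNS Servers", [])
            report[name] = (servers, any(ipaddress.ip_address(s) in net for s in servers))
    return report
```

A result of `False` for the VPN adapter means the laptop is still resolving names through whatever DNS server its local network handed out, which matches the symptom of shares mapping by IP address but not by name.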
 