ISA or Hardware, VPN or PCAnywhere

TheMSsForum.com: The Microsoft Software Forum

Hi guys

I have a little setup question and I was wondering what was the general
feeling regarding different setups.

I have started to build a server for a customer who needs a new network. The
server is running SBS 2000 minus ISA at the moment using exactly the same
practices as when I build my SBS 2000 server. Both servers have a hardware
firewall currently attached, both using Nat, both using internal ip of range
10.0.0.1 - 255. I would like to be able to remotely configure their server
from my network saving a fair drive, for the day to day administrational
tasks. First thought was to use PCAnywhere - so I went about setting up both
firewalls to let though tcp port 5631 and udp port 5632 to their respective
10.0.0.x internal ip address. Now for some reason, I am having a lot of
bother with this, and whist on the phone to a Symantec engineer, it was
suggested that it would be easier to connect using VPN, then PCAnywhere
across the VPN using internal IP addresses.

Good idea I though, but I have spent a fair amount of time already 'trying'
different ways of connecting to my customers server, and I decided that its
time to see if anyone else has any ideas how to solve the dilemma with less
drama than I've seen already!

A couple of related questions:

1. Do you setup the VPN between to the two SBS servers (and will SBS allow
this), or is it ok to set it up from one client machine to the other server?
2. Does it matter that they are a) both using the same address range, and b)
using different AD domain names?
3. Should I be relying on the hardware firewall to accept incoming VPN
connections, or should I have junked it years ago and had faith in the ISA
for VPN connections as well as general security?

Any ideas, best practices, tips or words of caution gratefully received.

Many thanks
James
tgl
Top

Re: ISA or Hardware, VPN or PCAnywhere by John

John
Tue Aug 12 06:57:22 CDT 2003

See Inline for my views.
Cheers

John

On Tue, 12 Aug 2003 12:38:19 +0100, <james(at)graphics-line.co.uk>
wrote:

Hi guys

I have a little setup question and I was wondering what was the
general
feeling regarding different setups.

I have started to build a server for a customer who needs a new
network. The
server is running SBS 2000 minus ISA at the moment using exactly the
same
practices as when I build my SBS 2000 server. Both servers have a
hardware
firewall currently attached, both using Nat, both using internal ip of
range
10.0.0.1 - 255. I would like to be able to remotely configure their
server
from my network saving a fair drive, for the day to day
administrational
tasks. First thought was to use PCAnywhere - so I went about setting
up both
firewalls to let though tcp port 5631 and udp port 5632 to their
respective
10.0.0.x internal ip address. Now for some reason, I am having a lot
of
bother with this, and whist on the phone to a Symantec engineer, it
was
suggested that it would be easier to connect using VPN, then
PCAnywhere
across the VPN using internal IP addresses.

>>> Yes , just open the PPTP port for VPN and then use Terminal services in remote admin mode. Download the XP Remote Desktop client for easier use..pretty layout.



Good idea I though, but I have spent a fair amount of time already
'trying'
different ways of connecting to my customers server, and I decided
that its
time to see if anyone else has any ideas how to solve the dilemma with
less
drama than I've seen already!

A couple of related questions:

1. Do you setup the VPN between to the two SBS servers (and will SBS
allow
this), or is it ok to set it up from one client machine to the other
server?
>>> You will just VPN from one workstation to the other SBS server ideally. Hopefully your router/firewall will allow PPTP/VPN pass-thru to occur and then allow SBS to authentificate your connection.

2. Does it matter that they are a) both using the same address range,
and b)
using different AD domain names?
>>> Not for what you are doing. As the workstation will get an IP and it's new default g/w from the SBS you connect to.

3. Should I be relying on the hardware firewall to accept incoming VPN
connections, or should I have junked it years ago and had faith in the
ISA
for VPN connections as well as general security?
>>> ISA seems many times superior to the boxes running linux or cisco ios but it's all down to configuration.
>>> A cisco poorly setup isn't half the firewall a of D-link and a correctly setup ISA is one of the most complete firewalls available.
>>> Don't believe any other firewall can do Application inspection on MS rpc like the ISA.

Any ideas, best practices, tips or words of caution gratefully
received.
>>> Put the second NIC in the SBS's and kick in the ISA. You can still maintain the router/firewalls if they will allow pass-thru or forwarding of the PPTP traffic.


Many thanks
James
tgl


Top

Re: ISA or Hardware, VPN or PCAnywhere by Wolfgang

Wolfgang
Tue Aug 12 07:47:15 CDT 2003

John Bade wrote:


> >>> Yes , just open the PPTP port for VPN and then use Terminal services in remote admin mode. Download the XP Remote Desktop client for easier use..pretty layout.

PPTP is not considered safe anymore. There are numerous articles on the
web if you google.

I would suggest using a dedicated VPN from the XP machine to a VPN
endpoint and then tunnel the RDP through the VPN.

> 3. Should I be relying on the hardware firewall to accept incoming VPN
> connections, or should I have junked it years ago and had faith in the
> ISA
> for VPN connections as well as general security?
> >>> ISA seems many times superior to the boxes running linux or cisco ios but it's all down to configuration.

Right. It's easier to misconfigure ISA then the standard hardware
firewall box.

> >>> Don't believe any other firewall can do Application inspection on MS rpc like the ISA.

What do you mean by application inspection? Maybe I have missed that
part.

> Any ideas, best practices, tips or words of caution gratefully
> received.
> >>> Put the second NIC in the SBS's and kick in the ISA. You can still maintain the router/firewalls if they will allow pass-thru or forwarding of the PPTP traffic.

And that I would not do. Mostly firewalls are placed on dedicated
machines _in front_ of the machines to be protected. Layered defense.
That is IMO the major flaw in the ISA/SBS concept. You pack everything
into one machine. One little error and your whole server is compromised.

I like the idea of having a dedicated hardware firewall providing
interface services and being sized for the network. Behind that you have
your servers running and you can manipulate them and even replace them
if needed without completely cutting off your systems from the web.
Additionallly you distribute the load to several machines.

So, in James' case I would set up one small hardware appliance.
Configure it properly and use a VPN client for connection. Then I would
tunnel the XP RD through the tunnel and administer the server.

I've had very good experience with that. The additional advantage of
that is that he can alos administer it while traveling. I use a
Watchguard system with their MUVPN CLient. That is configured on the XP
machine. Wherever I dial it up (even with my mobile) I can connect to
the server and maintain it. Ok, I am using GPRS which is somethign like
30 kbit/sec via the mobile, but it works like a charm.

Regards

Wolfgang
Top