
Javier's SBS Wonderland

Take the red pill and see how far down the rabbit hole goes...

Site to Site VPN while keeping ISA in the Mix

If you have a remote office or a branch, it might be a good idea to have those users permanently connected to your primary office. You could even place an additional domain controller at the remote site, or have the users log in via a Terminal Server at your primary location. To connect the two locations together you have a couple of options:


  1. Connect each computer individually using PPTP VPN to the SBS box directly.
  2. Use a PPTP VPN-capable router on the remote site and establish the VPN directly to the SBS box.
  3. Use 2 VPN routers (IPSec) to establish a site to site VPN.

Option #3 is fairly common. However, this method presents a problem when you want to keep using ISA. You cannot put the router in front of ISA anymore, because the VPN tunnel would terminate there (outside ISA) and your users would not be able to access the resources in the LAN. So, what can you do? Well, there are a couple of ways to go around this problem… I will discuss one way:


You will need two VPN-capable routers (and know how to create a “normal” tunnel between them) and two public IPs on the site where ISA is located.


Your setup should look like this:


Basically, what you need is to give ISA and the VPN router in the main office two distinct public IPs and put them in parallel. Then turn off DHCP on the main-office VPN router, make sure it is on the same subnet as the internal LAN, and connect it to the same switch as the SBS internal NIC. Configure the VPN link between the two sites as you would in a "normal" situation, and make sure your VPN router is blocking all incoming traffic. As with any VPN, the remote LAN must be on a different subnet.


Now, the last step is to tell the local LAN how to find the remote one (since SBS is the default gateway, the computers will try to use it instead of the VPN router). To correct this we must create a static route on the server, so run the following command on the SBS box: "route add -p 10.0.0.0 mask 255.255.255.0 192.168.16.3" and you should be good to go.
</gre_replace>
<gr_insert after="51" cat="add_content" lang="python" orig="Now, the last step">
To sanity-check the plan above before typing the route, here is an added example (not from the original post) that validates the two subnet rules the post states, builds the persistent route command, and simulates which way the SBS box will forward a packet once the route exists. The remote LAN (10.0.0.0/24) and VPN router address (192.168.16.3) come from the post's own command; the internal LAN prefix 192.168.16.0/24 is an assumption made for the example.

```python
import ipaddress

# Constructed addresses: the post's own route command gives the remote LAN
# (10.0.0.0/24) and the VPN router's LAN address (192.168.16.3); the internal
# LAN prefix 192.168.16.0/24 is an assumption made here for the example.
INTERNAL_LAN = "192.168.16.0/24"
REMOTE_LAN = "10.0.0.0/24"
VPN_ROUTER = "192.168.16.3"


def check_site_to_site(internal_lan, remote_lan, vpn_router):
    """Return the list of problems with the plan (empty when it is consistent)."""
    internal = ipaddress.ip_network(internal_lan, strict=True)
    remote = ipaddress.ip_network(remote_lan, strict=True)
    router = ipaddress.ip_address(vpn_router)
    problems = []
    # The post requires the remote LAN to be a different subnet; an overlap
    # would let the static route shadow local hosts (or vice versa).
    if internal.overlaps(remote):
        problems.append(f"remote LAN {remote} overlaps internal LAN {internal}")
    # The VPN router hangs off the internal switch, so SBS can only use it as
    # a next hop if its address is on the internal subnet.
    if router not in internal:
        problems.append(f"VPN router {router} is not on internal LAN {internal}")
    return problems


def route_add_command(remote_lan, vpn_router):
    """Build the persistent Windows 'route add -p' line used in the post."""
    remote = ipaddress.ip_network(remote_lan, strict=True)
    return f"route add -p {remote.network_address} mask {remote.netmask} {vpn_router}"


def next_hop(destination, internal_lan, remote_lan, vpn_router):
    """Simulate the SBS forwarding decision once the static route is installed.

    Returns 'direct' for the connected internal LAN, the VPN router's address
    for the remote LAN, and 'default' (the ISA/external path) for anything else.
    """
    dst = ipaddress.ip_address(destination)
    if dst in ipaddress.ip_network(internal_lan, strict=True):
        return "direct"
    if dst in ipaddress.ip_network(remote_lan, strict=True):
        return vpn_router
    return "default"


if __name__ == "__main__":
    print(check_site_to_site(INTERNAL_LAN, REMOTE_LAN, VPN_ROUTER) or "plan is consistent")
    print(route_add_command(REMOTE_LAN, VPN_ROUTER))
    print(next_hop("10.0.0.25", INTERNAL_LAN, REMOTE_LAN, VPN_ROUTER))
```
<test>
assert check_site_to_site("192.168.16.0/24", "10.0.0.0/24", "192.168.16.3") == []
assert check_site_to_site("192.168.16.0/24", "192.168.16.0/25", "192.168.16.3") == ["remote LAN 192.168.16.0/25 overlaps internal LAN 192.168.16.0/24"]
assert check_site_to_site("192.168.16.0/24", "10.0.0.0/24", "192.168.17.3") == ["VPN router 192.168.17.3 is not on internal LAN 192.168.16.0/24"]
assert route_add_command("10.0.0.0/24", "192.168.16.3") == "route add -p 10.0.0.0 mask 255.255.255.0 192.168.16.3"
assert next_hop("10.0.0.25", "192.168.16.0/24", "10.0.0.0/24", "192.168.16.3") == "192.168.16.3"
assert next_hop("192.168.16.10", "192.168.16.0/24", "10.0.0.0/24", "192.168.16.3") == "direct"
assert next_hop("8.8.8.8", "192.168.16.0/24", "10.0.0.0/24", "192.168.16.3") == "default"
</test>
</gr_insert>
<gr_replace lines="53" cat="remove_boilerplate" orig=" ">

 

There could be other variations on this scheme, but if you understand the steps involved here, it's easy to modify it to do whatever you want.

Posted: Dec 08 2004, 10:04 PM by Javier | with 6 comment(s)

Comments

Javier said:

Hello Javier,

Good to see you blogging, and as I'm looking at this post while I'm setting up a portal page of SBS MVP RSS feeds, I felt I should offer my opinion that although your solution should work, I would not recommend it... simply because I feel it violates one of the cardinal rules of firewalling, that you should never permit alternative paths into the corporate LAN.

This and other alternate entry points like unsecured or improperly secured WAPs, travelling/guest laptops which connect directly into the network are variations on the "infection by floppy" problems of the 1980s. It's very costly to implement safeguards if you believe in the traditional "trusted zone" firewall principle but make a mistake allowing an exploit through in some way and VPNs can be a highway into the LAN.

On this subject, I'm also actually very negative about traditional VPNs in general. If anyone is interested in <why> VPNs are a major danger to your network, what the alternatives are and specifically what I believe is the best solution (the application gateway), you can view a presentation I gave earlier this year by either going to the winsug.org site and looking for my presentation or going to my website at www.su-networking.com and becoming a registered user (no fee) for this and other whitepapers I've written.

Yours,
Tony Su



December 10, 2004 5:14 PM

Javier said:

Hi Tony!

Good to hear from you, it's been a while since we "talked". I have to agree with most of your comments. However, I must point out that this, like any other solution, depends on how you configure it. In my routers I can block all inbound and outbound traffic (except for the VPN) and I control the remote and main LANs. I'm actually more worried (like you mentioned) about the VPN per se.

A much better (secure) approach would be to put the VPN endpoint in front of ISA and publish the necessary ports (i.e. Terminal Services) and don't forward them on the router. This way the VPN tunnel only has access to what they need instead of the whole LAN.

I will take a look at your site (sent you an email).
December 11, 2004 9:23 AM
