
New Install - Is a VPN router reqd/advisable to access SBS 2k3 (R2)??


lanrat (Technical User), Mar 14, 2007
Please can someone advise on a "best practice" in this case.

I know that SBS 2k3 (R2) Premium includes an ISA server and *can* be set up with 1 of the 2 NICs *directly* facing the broadband modem and then be set up to handle VPN connections without the need for an endpoint VPN router but...

Would it be more advisable to have the extra security of NAT and VPN via -
a) a broadband router that supports IPsec tunnels OR
b) a VPN (endpoint) router eg linksys vr4000

I really need the advice before I commit to additional purchases, thanks. Mark H.

 
I would go with A) and a single-NIC solution. There are those who disagree, but I will say that it's in line with Microsoft's more recent strategies for network security.

I've done both, and have found solution A to be easier to manage and troubleshoot. I've also found direct VPNs to the server more reliable than those terminating at a concentrator/firewall. At least on lower end equipment.

Reliability of appliance-terminating VPNs goes up with the cost of the appliance, but ease of configuration tends not to. When terminating the VPN on the server, you don't have to install any sort of special client on the workstation if you don't wish to.

ShackDaddy
Shackelford Consulting
 
Appreciate the advice ShackDaddy :^) I already had a 2nd NIC installed in the Dell PE840 I purchased though (based on the MS FAQs I had read).
So would you suggest I remove it before deployment?
Will the lack of a VPN client on workstations/laptops not impact the number of connections or restrict the method of connection? I'm a noobie to VPN & SBS so please pardon the basic Qs.

MH
 
You don't have to remove the NIC, just disable it in the Network Connections folder.

Every Win2000/XP/Vista OS has a built-in Microsoft VPN client. You set it up when you run the "Create a new Connection" wizard and choose to "Connect to the network at my workplace". It doesn't restrict anything. It's the simplest way to set up VPN.

By default an SBS server is set up to allow 5 concurrent VPN connections, but to raise that number is simple. You use the Routing and Remote Access Admin console in the Admin Tools, find the Ports folder and get properties. Choose to configure PPTP ports and raise the number of ports from 5 to however many you want. Just know that the RRAS system immediately allocates a DHCP address for each potential port, so if you have 10 ports, there will be 10 addresses in your lease pool that will say that they are owned by your server's RRAS system.

ShackDaddy
Shackelford Consulting
 
Duh! - I don't know why I didn't think of the WinXP "built-in VPN Client" - I've used it before to connect directly to a desktop PC, so that makes sense to me.

Re the single NIC though - does this config not produce a bottleneck in that we double the traffic through that 1 NIC during external connections, since both internal and external traffic have to be routed through it, as opposed to a 2-NIC system where one handles internal (LAN) traffic only and the 2nd external traffic?
 
You have at least a 100 Mb/s NIC. I doubt your external pipe is bigger than 3 Mb/s, if you are lucky. Think about it: you're not going to saturate your NIC. Only internal traffic has the remote potential to saturate, but I doubt you'd be able to generate that much traffic without trying very very hard and using special traffic-generating tools to do it.

Plus, if you're on the single NIC, you're not running ISA, and you aren't handling the internet-bound traffic from the clients, so there's even less traffic.

So on that, if you want to use ISA, make sure you are setting up with a dual-NIC configuration.

ShackDaddy
Shackelford Consulting
 
I thought I was the only one posting on a Sunday ;^)

When you put it like that I see what you mean (i.e. NOT running ISA) - however, I thought running ISA was part of the reason for not needing the endpoint VPN router and keeping both the server and LAN at large more secure?

Am I missing something?
 
Most broadband routers have integrated firewalls. If you only pass the HTTPS, RDP and VPN ports, you can have a fairly secure network with a single-NIC SBS server behind it. That server can handle inbound VPNs in the same way regardless of whether ISA is installed on it.

So...if you want to skip using a VPN concentrator, you can use the SBS VPN stuff. You can home VPNs on the server with or without ISA.

Let's just assume you are going to run ISA. You need to have both NICs enabled, and you don't need anything but a simple broadband router in front of it. You can lock down all but the minimum ports on that router if you don't care about seeing all the "hack attempts" in your ISA logs for all the dropped ports. And you can land VPN connections on the server through ISA. I believe that the basic wizards for ISA will set up everything you need for OWA, RWW and VPN.

ShackDaddy
Shackelford Consulting
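The post above boils the single-NIC design down to one rule: the broadband router forwards only the HTTPS, RDP and VPN ports to the server and drops everything else. What follows is an added example, not code from the thread or from either poster, that turns that advice into an audit of a router's forwarding table. The rule lines are constructed for illustration, the internal address 192.168.16.2 is an assumption, and the allowlist encodes the thread's three services with the port numbers they actually use. Two caveats a practitioner would want here: the Microsoft PPTP VPN that the RRAS "PPTP ports" terminate needs GRE (IP protocol 47) as well as TCP 1723, and many consumer routers handle GRE as a "PPTP passthrough" switch rather than a port-forward, so a rule list with only 1723 looks complete but the tunnel never comes up; and PPTP with MS-CHAPv2 authentication has since been shown to be crackable, so a modern deployment should prefer L2TP/IPsec or SSTP over the same topology.

```python
"""
Audit a broadband router's inbound forwarding rules against the minimal
exposure described in the thread: a single-NIC SBS 2003 server behind a
NAT router that passes only HTTPS, RDP and the VPN ports.

Added example, not part of the original thread. The rule text and the
server address are constructed / assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The thread's "https, rdp and VPN" list with concrete ports. PPTP needs
# both the TCP 1723 control channel and GRE (IP protocol 47) for the tunnel.
ALLOWED: Dict[Tuple[str, Optional[int]], str] = {
    ("tcp", 443):  "HTTPS (OWA / RWW)",
    ("tcp", 3389): "RDP",
    ("tcp", 1723): "PPTP control channel",
    ("gre", None): "PPTP tunnel (IP protocol 47)",
}


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "gre"
    port: Optional[int]   # None for protocols that have no port (GRE)
    target: str           # internal host the router forwards to


def parse_rules(text: str) -> List[Rule]:
    """Parse 'proto port target' lines; '-' as the port means protocol-only.
    '#' starts a comment, blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, port, target = line.split()
        rules.append(Rule(proto.lower(), None if port == "-" else int(port), target))
    return rules


def audit(rules: List[Rule], server_ip: str) -> Dict[str, List[str]]:
    """Compare the forwarding table with the allowlist.

    unexpected:   anything exposed that is not HTTPS, RDP or PPTP
    wrong_target: an allowed service forwarded somewhere other than the SBS box
    missing:      TCP 1723 forwarded without GRE, i.e. a VPN that cannot work
    """
    findings: Dict[str, List[str]] = {"unexpected": [], "wrong_target": [], "missing": []}
    seen = set()
    for r in rules:
        key = (r.proto, r.port)
        if key not in ALLOWED:
            findings["unexpected"].append(f"{r.proto}/{r.port if r.port is not None else '-'} -> {r.target}")
            continue
        seen.add(key)
        if r.target != server_ip:
            findings["wrong_target"].append(f"{ALLOWED[key]} forwarded to {r.target}, not {server_ip}")
    if ("tcp", 1723) in seen and ("gre", None) not in seen:
        findings["missing"].append("GRE (protocol 47) for PPTP: 1723 alone will not pass the tunnel")
    return findings


# Constructed sample forwarding table (not from a real router).
SAMPLE_RULES = """
# proto  port  internal target
tcp      443   192.168.16.2
tcp      3389  192.168.16.2
tcp      1723  192.168.16.2
tcp      25    192.168.16.2       # SMTP: not in the thread's minimal set, review it
udp      1900  192.168.16.50      # UPnP forward left pointing at a workstation
"""

if __name__ == "__main__":
    result = audit(parse_rules(SAMPLE_RULES), "192.168.16.2")
    for kind, items in result.items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run against the constructed table it reports the two extra exposures and the missing GRE rule, which is exactly the check to make before announcing the VPN "works": the forwarding table is what an attacker sees from outside, so it should contain nothing the thread's design does not require. Anything flagged as unexpected (SMTP for Exchange, for instance) is not automatically wrong, but it should be a deliberate decision rather than a leftover.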
 
Got it!! I really appreciate the detailed explanation -

I've only got as far as the "Task-List" with my 1st time "test" install (2 NICs for now) on a dummy network. So I have a fair way to go before I'll be ready to start with the VPN phase (test or otherwise), but I needed to clarify these issues during the planning/costing stage of the rest of the infrastructure so I'd have no additional last-minute hardware cost overruns. Thanks again for all the advice. Cheers :^)
 