
Recommendations Please


chvchk

I'm the administrator of a small-medium sized single site network. I have a computer on site that is currently a stand alone desktop used only for programming chips (we're an electronics manufacturer). This computer is supplied by and maintained by the customer. They've recently requested remote access to this single computer for software updates, etc.
What is the best solution to ensure this computer can be accessed without allowing access or visibility to the rest of the network?
I've been led towards VLAN, PPTP and a few other solutions but I don't want this to be more complicated than it has to be.
Our network configuration is:

Server 2003 Active Directory with DHCP
D-Link DI-804HV Router
2 3COM 3300 Switches
Dell PowerConnect 5324 Switch
Dell PowerConnect 2024 Switch

The client I wish to access is XP Pro. My initial thought is to allow remote desktop to this machine and set the static IP to 192.168.2.x. The rest of the network is 192.168.1.x. But I'm not sure how to make this work exactly as I've never attempted to do this before.

TIA
 
First, I would say that remote desktop is the way to go for the actual remote control software. That is the easy part.

There are a couple of issues that you will need to deal with. You need to allow access to this specific machine without exposing your entire network. This is further complicated because the machine you need to provide access to (probably rather broad access) is on your private network. When someone is using that computer with remote desktop, they will have a certain amount of access to your LAN.

You absolutely should place this machine on a separate subnet, but you do not have the proper router to do so. I am 99% certain that your router (most in that class - DLink, LinkSys, etc.) only supports two networks - a WAN connection and a single LAN connection. You do not have anything that would let you route traffic from the WAN to 2 separate LAN segments. Additional or replacement hardware for this purpose is going to be relatively expensive.

I am not a "Windows person", but I do believe you could add another network card with an IP on the new subnet to your Windows server and use it to accomplish this task. Your client would make a VPN connection to the Windows server, which you would configure to route all traffic coming over the VPN to the new subnet. Configuring the VPN server is fairly simple. Configuring the specific routing should not be too bad, but I'm not sure exactly how without a machine to play with. This scenario would be very easily managed with a Linux box :).

On a side note, I would not use a 192.168.2 address for the new subnet. I would also change the 192.168.1 to something else. When you start connecting networks (in this case over a VPN connection), routing is not possible unless the network addresses are different. Many people start with 192.168.1 and increment the third octet by one, so 192.168.1-5 are fairly common. Avoiding those may avoid future problems.
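
The addressing advice in the reply above, as an added example that is not part of the original post: a Python check that flags overlap between the site's subnets and a remote side's subnets (including overlap caused by different prefix lengths, which goes beyond the equal /24 case in the post) and picks a subnet that conflicts with neither. The remote networks, the `start` offset and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (IPv4 only): the thread's LAN and proposed subnet,
# plus an ASSUMED remote (customer) side that uses common home/office defaults.
SITE_LAN = "192.168.1.0/24"
PROPOSED_ISOLATED = "192.168.2.0/24"
ASSUMED_REMOTE = ["192.168.2.0/24", "192.168.0.0/22"]
# The post calls 192.168.1 through 192.168.5 "fairly common"; avoid them too.
COMMON = [f"192.168.{n}.0/24" for n in range(1, 6)]
AVOID = [SITE_LAN] + COMMON + ASSUMED_REMOTE


def overlaps(local_nets, remote_nets):
    """Return sorted (local, remote) pairs whose address ranges overlap.

    Overlap is not only equality: a remote /22 swallows four local /24s.
    """
    pairs = []
    for loc in map(ipaddress.ip_network, local_nets):
        for rem in map(ipaddress.ip_network, remote_nets):
            if loc.overlaps(rem):
                pairs.append((str(loc), str(rem)))
    return sorted(pairs)


def pick_subnet(avoid, pool="10.0.0.0/8", prefix=24, start=0):
    """Return the first /prefix subnet of pool, walking from index `start`
    (a hypothetical site-chosen offset), that overlaps nothing in `avoid`."""
    pool_net = ipaddress.ip_network(pool)
    avoid_nets = [ipaddress.ip_network(a) for a in avoid]
    count = 2 ** (prefix - pool_net.prefixlen)   # candidate subnets in pool
    step = 2 ** (32 - prefix)                    # addresses per candidate
    base = int(pool_net.network_address)
    for i in range(count):
        idx = (start + i) % count                # wrap around the pool
        addr = ipaddress.ip_address(base + idx * step)
        cand = ipaddress.ip_network(f"{addr}/{prefix}")
        if not any(cand.overlaps(a) for a in avoid_nets):
            return str(cand)
    return None                                  # pool exhausted


if __name__ == "__main__":
    for loc, rem in overlaps([SITE_LAN, PROPOSED_ISOLATED], ASSUMED_REMOTE):
        print(f"conflict: local {loc} overlaps remote {rem}")
    print("suggested isolated subnet:", pick_subnet(AVOID, start=23000))
```
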



 
I would recommend either Logmein or Hamachi, or a combination thereof. The former is a remote access program, the latter is a quick and easy VPN solution, and both are free. Definitely worth trying at the very least! Hamachi is most likely what you're looking for in this situation as it can be configured to only allow access to certain directories, etc.
 
I ended up utilizing a wireless router that was being used as an AP for company laptops.
I set up another network using the wireless router as a gateway and used port forwarding to reach this computer.
I found out later that the OS is XP home so it won't serve RDP requests. So we're using VNC as our remote access application.
I still need to configure VPN between the wireless router and our DC so company laptop users can get onto the network.
I think I'll work on that after the holiday and spend some time on the VPN and Server 2003 forums when I get ready to configure the VPN.

Thanks all for your help!
 