
VPN v Terminal Server SBS 2003 2

Status
Not open for further replies.

Pictman (IS-IT--Management), Aug 28, 2008, GB
I'm installing SBS 2003 R2. I want to provide remote access to an application running on the server. I had thought I could provide remote connection via VPN. Our software vendor tells me I must have Terminal Services on a separate server. They say that using VPN is hazardous and would only allow two simultaneous connections. Is this so?
 
NO. VPN and Terminal Services are different. They are recommending that you run your terminal server on a separate server from the application server. Which is probably a good idea. How many remote users will you have using the software?
 
If your server hardware is powerful enough, you could just buy an additional OS license and run the second server (terminal server) on Windows Virtual Server or VMWare Server. You would also have to buy Terminal Server CALs: I think they run about $75 each.

You'd need to tune the memory requirements for the VM to make sure that everything had enough memory to do its job well. Unfortunately SBS has a 4 GB cap for usable RAM, but it may be enough to do the trick in your environment: 1.5 GB for the VM and 2.5 GB left over for your SBS box to do its thing. You'd also want to throttle the SBS SQL usage...

Dave Shackelford
Shackelford Consulting
 
Dave has a good idea here. This scenario might be used a lot with the release of SBS 2k8 since it will be 64-bit and a lot of small business LOB applications are 32-bit. The determining factor is support. Will your software be supported in a virtual install? If it is, you could give this a try. If not, go with a second server. Either way, you're going to need a Windows Server license and TS CALs. A second server is probably a safer route to take though.

 
Thanks, both, for that. I'm trying everything a step at a time. My current problem is as follows: I've run the Setup Remote Connection wizard within SBS2K3 supplying my static IP Address. I can ping the address remotely; but can't gain access remotely. The server and workstations on the LAN have internet access OK. Furthermore, while running the CIEW wizard I ticked the boxes for VPN, RWW, FTP etc during firewall setup. If anyone has any ideas I would be most grateful for any input. Thanks.
 
Your router may need to be set to allow traffic to the ports needed for VPN. You'd need to configure it to allow TCP 1723 to allow PPTP connections (that's the simplest VPN tunnel protocol).

Dave Shackelford
Shackelford Consulting
 
Thanks for that. I'm using the SBS firewall and as I've said I setup the firewall via the wizard. How can I manually configure it to do as you suggest?
 
So is there a device between your server and the device that your ISP gave you? Does your server have a public internet address? If so, then you don't need to do anything besides run the Remote Access wizard.

Dave Shackelford
Shackelford Consulting
 
No my device does not have a public internet address. My server is connected to the ADSL line by a Linksys Gateway.
 
You will need to forward the ports for PPTP, L2TP and IPsec to your server. You may be able to do this by simply setting IPsec, PPTP & L2TP passthrough on your Linksys. In theory, it should just pass the request on through to your SBS server.
 
Thanks again for all that - still no success. I've even failed to connect with the firewall disabled. Does this provide a clue?
 
Ok, what DOES work? Are you able to get to OWA? And to do that, did you configure anything on your LinkSys? When you look at the LinkSys config, do you see any rules for HTTPS/SSL that the server autocreated there for you?

Also you should know that there is something called "GRE" or "VPN Passthrough" that needs to be enabled on a LinkSys device or VPN won't work. Go through the LinkSys interface and see if you can find an option like that. If you need any help, let us know the model of the device, and we can look through the docs too to verify for you.

Dave Shackelford
Shackelford Consulting
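The two posts above make a point that is easy to miss when staring at a gateway's "port forwarding" page: PPTP needs TCP 1723 for its control channel, but its data channel is GRE, which is an IP protocol (47), not a port, so a plain port-forward rule can never express it; that is what the "VPN Passthrough" option covers. The following is an added example, not code from the thread, from Tek-Tips or from any poster: a small Python checker that reads a forwarding table, reports what a given tunnel type still lacks, and lists anything forwarded to the server that the VPN does not explain so it can be reviewed. The `proto/port -> host` rule syntax, the internal address `192.168.16.2` and the sample rules are constructed for the example and do not come from any Linksys firmware.

```python
"""Added example: does a gateway's forwarding table expose what a VPN needs?

The rule syntax ("proto/port -> host", or "proto -> host" for port-less
IP protocols) and the address 192.168.16.2 are constructed for this
example; they are not taken from the thread or from any real device.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", or an IP protocol name such as "gre"/"esp"
    port: Optional[int]   # None for protocol-level rules: GRE and ESP carry no port
    target: str           # internal host the gateway forwards to

# What must reach the server through NAT for each tunnel type.
# GRE (IP protocol 47) is PPTP's data channel: forwarding TCP 1723 alone lets
# only the control channel connect, which is why "VPN passthrough" matters.
REQUIREMENTS = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "l2tp/ipsec": {("udp", 500), ("udp", 4500)},
}
# ESP (IP protocol 50) must also pass for L2TP/IPsec unless clients use
# NAT-T (UDP 4500 encapsulation), so it is treated as optional here.
OPTIONAL = {
    "pptp": set(),
    "l2tp/ipsec": {("esp", None)},
}
# Forwards explained by the rest of SBS remote access (OWA / RWW over HTTPS).
BASELINE = {("tcp", 443)}

# Constructed forwarding table, as an admin might transcribe it from a gateway.
SAMPLE_RULES = """
tcp/443  -> 192.168.16.2   # OWA / Remote Web Workplace over HTTPS
tcp/1723 -> 192.168.16.2   # PPTP control channel only
tcp/21   -> 192.168.16.2   # FTP, ticked in the connection wizard
"""

def parse_rules(text: str):
    """Parse rule lines in the constructed syntax; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, target = (part.strip() for part in line.split("->", 1))
        proto, _, port = lhs.partition("/")
        rules.append(Rule(proto.lower(), int(port) if port else None, target))
    return rules

def forwarded_to(rules, server: str):
    """Set of (proto, port) entries the gateway sends to `server`."""
    return {(r.proto, r.port) for r in rules if r.target == server}

def _ordered(entries):
    # Stable order for reporting; port-less protocols sort as port 0.
    return sorted(entries, key=lambda e: (e[0], e[1] or 0))

def missing_for(vpn: str, rules, server: str):
    """Required entries the table lacks before `vpn` can work through NAT."""
    return _ordered(REQUIREMENTS[vpn] - forwarded_to(rules, server))

def unexplained_forwards(vpn: str, rules, server: str):
    """Entries forwarded to the server that neither `vpn` nor the HTTPS
    baseline accounts for; each one is extra exposure worth a second look."""
    explained = REQUIREMENTS[vpn] | OPTIONAL[vpn] | BASELINE
    return _ordered(forwarded_to(rules, server) - explained)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for vpn in REQUIREMENTS:
        print(vpn, "missing:", missing_for(vpn, rules, "192.168.16.2"))
        print(vpn, "unexplained:", unexplained_forwards(vpn, rules, "192.168.16.2"))
```

Run against the constructed table, the PPTP check reports only GRE as missing, which matches the symptom in the thread (the control port is open but the tunnel never comes up), and the FTP forward shows up as exposure the VPN does not need.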
 
Hi again. The device I'm using is a Linksys AM200 Annexe A. I can't see anything you mentioned on the configuration pages. I have kept the firewall on this device disabled choosing to rely on the SBS 2k3 operating system. As I previously mentioned I can't get at the server from the internet even with all the firewalls disabled. Thanks for all the help you're giving.
 
So does your SBS Box have two interfaces, and one is public and one is private? Are you running ISA?

That LinkSys device is just a DSL Modem, not a router, so if you have the firewall turned off, you probably are using a public IP on your server. Is that right?

Dave Shackelford
Shackelford Consulting
 
Why don't you just use the Remote Web Workplace feature on SBS. This allows for secure remote access to any desktop and/or server that is part of the domain and running remote desktop or terminal services. All you need on the client side is a web browser, no VPN to fool with.
 
Yes the SBS box has two NICs - one public, one private. ISA is running. We don't have a public IP on the server our ISP only provides a fixed IPA.
 
So the addresses you got from your ISP aren't even public? They are static private IPs?

What I'm going to say next assumes that nothing inbound is working: you're not getting mail directly delivered (POP3 Connector may work), you can't connect to OWA, etc. And someone else may disagree, and that's fine.

In my opinion there is too much complexity here. I would not use ISA unless you actually have a public IP to use on the external interface. As it is, you have a layer of NAT before you even get to ISA and then another layer of NAT there.

I recommend removing ISA, disabling your external NIC and rerunning the Internet/Email Connection Wizard. Then you'd have your server communicating with both your local clients and the internet on a single interface. Then, once you've configured the firewall to pass the required ports to your internal server IP, some of this stuff will work.

Just a final qualifier: I don't like ISA and never use ISA because it adds a layer of complexity that's too close to the server. I always prefer firewall devices because it makes troubleshooting easier. Someone who knows and appreciates ISA better than I do may have different advice for you.

Dave Shackelford
Shackelford Consulting
 
I agree with Dave. Running ISA in a back-to-back configuration is very difficult to work with.

You should run one or the other. ISA is very secure; however, many people do not understand it and it can cause issues when working with 3rd party software support. They all think ISA is a proxy server. Which was the case in the early versions (ISA 2000) but not with ISA 2004 and 2006. You are also putting your server on the edge or perimeter of your network in this scenario. Not the best idea.

As Dave said, creating the separation makes the troubleshooting process easier.

If you really want to run in that type of configuration or even with a DMZ you should probably visit isaserver.org. Lots of good information on how to use ISA in this scenario.
 