[aklug] Re: OT(?): Remote Access VPN

From: Damien Hull <dhull@section9.us>
Date: Tue Oct 20 2015 - 13:40:42 AKDT

I'll jump in here and add my 2 cents. Which is about all I have left.

1. Don't use the Windows server as the VPN endpoint
2. In a small office situation you should use the gateway/firewall for
this.
3. You can authenticate through RADIUS which ties into AD. This is a role
in Server 2008
4. I would recommend an off-the-shelf solution rather than rolling your
own.

I'm in the middle of deploying Meraki MX80s. May not be the right solution
for you but they seem to be working well for us. Dropping in Firewall
number 2 this Friday. I'm deploying a total of 4. Might be adding number 5
if we get another office.

And I know someone will kill me in my sleep for recommending something
other than an open source solution. I do have open source solutions on my
network. Just not the firewall.

That's my 2 cents.

On Tue, Oct 20, 2015 at 11:18 AM, Christopher Howard <
christopher.howard.asi@gmail.com> wrote:

> Hey guys... so I took up a job at a small business which is basically a
> Windows shop (hey, gotta eat...) and I wanted to set up a simple Remote
> Access VPN so the boss could access the network files while abroad. They've
> got a WS2008 running their AD and DHCP on the intranet (but it isn't the
> gateway). So, my first thought was to see if it had built-in VPN
> functionality. It does, but I ran into some trouble -- apparently in WS2008
> the remote access VPN functionality is tied into the IP routing
> functionality (which we aren't using). So, when I activated the RRAS,
> there was some strange conflict with DHCP and it instantly disconnected
> everyone's access to the network storage shares! Fortunately, I was able to
> reverse things before causing too much pandemonium, but obviously now I'm a
> bit nervous...
>
> So, now I am trying to figure out if it is worth monkeying around with
> this some more to get it working, or if I should look at some other
> approach. Maybe just put a small Linux box on the network and run a FOSS
> VPN server from it? (I'm imagining complications down the road trying to
> get user authentication tied into the AD system if we eventually get
> multiple users.) I looked on our gateway router but didn't see any kind of
> VPN functionality.
>
> Any sage advice from the seasoned admins?

Received on Tue Oct 20 13:41:04 2015

This archive was generated by hypermail 2.1.8 : Tue Oct 20 2015 - 13:41:04 AKDT