RDP VPN combo
Everlife
Member Posts: 253 ■■■□□□□□□□
Hi guys,
I haven't had too much experience with VPNs as we've always used the Remote Web Workplace built into SBS. We recently came across a SonicWall Pro Series 4060 during a liquidation of a company.
What I'd like to do is set this up as a hardware firewall to create a DMZ between our DC running ISA2004. I would then like users to create a VPN connection to the SonicWall then access Remote Web Workplace from the DMZ.
The question I have is this... Is all traffic tunneled through the VPN, meaning the user wouldn't need access to port 3389 on their local network? So if the user is accessing port 3389 from the sonicwall to the DC, do they need access to that port on their end or is it all tunneled through the VPN ports once it leaves the SonicWall?
To make this a bit easier to understand, let me map it out.
Here is the topology I am thinking of creating...
Sonicwall
|
| DMZ
|
DC running ISA 2004
|
|
|
Client
Sonicwall: Hosts VPN connections
DC: Hosts ISA and Remote Web Workplace
Steps involved in process:
1) User creates VPN connection to Sonicwall
2) User accesses RWW website hosted on DC
3) User remotes into his/her computer
While this would also help beef up our security, I was also hoping this would help solve the problems of users encountering port 3389 being blocked on some of the hotel connections they are connecting through.
As you can see I'm horrible with VPNs, I just haven't had much time to play with them.
Thanks for the help!
I haven't had too much experience with VPNs as we've always used the Remote Web Workplace built into SBS. We recently came across a SonicWall Pro Series 4060 during a liquidation of a company.
What I'd like to do is set this up as a hardware firewall to create a DMZ between our DC running ISA2004. I would then like users to create a VPN connection to the SonicWall then access Remote Web Workplace from the DMZ.
The question I have is this... Is all traffic tunneled through the VPN, meaning the user wouldn't need access to port 3389 on their local network? So if the user is accessing port 3389 from the sonicwall to the DC, do they need access to that port on their end or is it all tunneled through the VPN ports once it leaves the SonicWall?
To make this a bit easier to understand, let me map it out.
Here is the topology I am thinking of creating...
Sonicwall
|
| DMZ
|
DC running ISA 2004
|
|
|
Client
Sonicwall: Hosts VPN connections
DC: Hosts ISA and Remote Web Workplace
Steps involved in process:
1) User creates VPN connection to Sonicwall
2) User accesses RWW website hosted on DC
3) User remotes into his/her computer
While this would also help beef up our security, I was also hoping this would help solve the problems of users encountering port 3389 being blocked on some of the hotel connections they are connecting through.
As you can see I'm horrible with VPNs, I just haven't had much time to play with them.
Thanks for the help!
Comments
-
slinuxuzer Member Posts: 665 ■■■■□□□□□□First let me say I have little to no experience with sbs, so I am not familiar with the RWW website of which you speak.
The optimal situation in my mind is once your clients connect to their vpn connections is to rdp directly to their XP machines. This of course would require them to be able to resolve the names of the machines they wish to remote into via dns or these machines have reservations; static address etc. When they make the vpn connection they should get a private ip address and it would be virtually the same as if they were switched into the office (might be slower).
For your rdp port problem, you can change the port that Rdp is served on easily in the windows registry (many websites can be found via google) and if you have to change this on multiple machines you could get familiar with exporting and reimporting registry keys.
When connecting to a Rdp port other than default 3389, in the Rdp client specify
192.168.0.1:4000 (4000 being the new port you setup) or server1:4000
As far as a Dmz, I don't think that that is need as a Dmz is usally where you would place Web, ftp, public dns, and other servers that need to be publically accessible, and then place a firewall or some other form of packet filter between the Dmz and your private network.
With the type of vpn your talking about your clients will be tunneled in and should be able to ping and of your private side address 192.168.0.0/24 or whatever.
Also with sonic walls if I remember there is a special piece of client software.
Also you may need to log into the sonic wall and see if there are Vpn license's there/needed/adequate amount.
I don't care for sonic wall very much. -
Everlife Member Posts: 253 ■■■□□□□□□□Thanks for the info slinuxuzer.
RWW is an IIS based site custom built for Small Business Server. It allows the user a simple interface in which to access their email through Outlook Web Access, as well as providing a listing of all computers available on the domain to be remoted into. As of now we have this site linked to a PTR record with our ISP allowing the users to access it by using a specific web address. Once they get to the page, they log in to an SSL based site using their domain logins.
If you've never dealt with SBS, count yourself lucky. It is an extremely poorly designed system and an absolute mess security wise (in the default configuration your SBS server is your DC, DHCP, DNS, Firewall, IIS server, Exchange Server, etc etc.) The SonicWall would create barrier between the SBS server and the outside world allowing me to host the RWW (IIS based website) to only those users who successfully establish a VPN connection.
As to the RDP problem, I want users to continue to use RWW as many of them enjoy the interface. Changing the ports of the RDP may create a problem as I'd have to do some work on the ASP web pages within the RWW site to figure out how I would change the interface to reflect the port change.
The reason I wanted the DMZ was because I have an FTP server on another IP I'd like to move behind the SonicWall and free up that IP address. I failed to mention it in the previous scenario.
I've checked the licensing on our Sonicwall and it was licensed for around 500 VPN users (we have about 40.) We should be set on that aspect, I'll have to check into the SonicWall specific VPN client.
Whatever the case, thanks for the info slinuxuzer. I'll take some time and think about eliminating the RWW and just doing the direct RDP. That might definitely be the way to go.
Thanks!