
Connecting To PC Using VPN


jpatto


I'm thinking of connecting a PC onto our domain which is outside of our building using VPN. Would you guys think this is recommended? If so, what are the best practices to follow and how should this be done?

Thanks

Link to comment
Share on other sites


So many ways...

If the router at work supports true VPN (not pass-through), you could create a VPN account on the router and dial into it from home using the 2000/XP built-in VPN client.

Or if your router at home has VPN as well, you could create a proper always-on tunnel connecting your router to work. Although, this could have serious implications with regard to security if you’re not properly safeguarded.

Or you could use the Windows server at work’s built-in VPN server capability. But then the router at work would need VPN pass-through I think. You could then dial into it or VPN it to your router at home.

Remember to make sure that your home network is set to a different IP range than the work network.

Link to comment
Share on other sites

The BEST practice would be to forward port 1723 to your Windows 2003 server. Enable VPN on the server. The reason I say this is the best way is because that way you can use your Active Directory authentication. Also, if your domain is set up the way mine is, the server has both an internal and external network, and the external is hooked to the router. Enabling VPN on our router would require me to reconfigure our server to allow services through our external LAN on the server, which I believe would open us up too much. Anyways, that's my suggestion.

Later

Link to comment
Share on other sites

Get a hold of the Connection Manager Administration Kit (CMAK) wizard. Then, simply run the CMAK wizard, answering the questions and providing the information about your custom elements. The CMAK wizard then builds a service profile, which is a set of files which you distribute to your users so that they can easily install and run your custom version of Connection Manager.

Burn it to a CD and give it to your remote users to install on their machines ... it does not get much easier.

The CMAK wizard offers many new features, including some that help you do the following:

• Provide routing table updates that apply only while clients are connected to your server ("split tunneling")

• Automatically configure Internet Explorer proxy settings for a client computer

• Enable clients to choose which virtual private network (VPN) server to use when they connect

• Include a pre-shared key for L2TP/IPSec authentication

• Encrypt a pre-shared key profile with a personal identification number (PIN) that the user must type in before the profile can be installed

Additionally, the CMAK wizard gives you greater customization and control when you build the service profile, including:

• More types of custom actions and full configuration of all custom actions from within the wizard

• An advanced customization pane in which you can edit .cms and .cmp files as the profile is built

• Improved interface and text throughout the wizard

Link to comment
Share on other sites

I don't get this.....so if someone has a VPN connection does it mean a VPN connection is just for someone from outside of a network connecting into a network or domain? What would happen if I connect to my server's VPN connection from outside of my network? What resources would I have if everything how could I test to see this?

Thanks

p.s. Sorry jpatto for asking a question and not giving an answer for your question (although I guess you do have the answer) but sorry for using your thread.......

Link to comment
Share on other sites

I don't get this.....so if someone has a VPN connection does it mean a VPN connection is just for someone from outside of a network connecting into a network or domain? What would happen if I connect to my server's VPN connection from outside of my network? What resources would I have if everything how could I test to see this?

Thanks

p.s. Sorry jpatto for asking a question and not giving an answer for your question (although I guess you do have the answer) but sorry for using your thread.......

With a VPN you can do everything you would if you were connected normally through your LAN. Although obviously you would be limited to the speed of the connection. For example, don’t expect to be able to open large files through the VPN because it would be really really slow. Same with printing - don’t go printing anything too large.

A VPN is used for connecting branch offices together. For example, I work at a training college and the main building has an Exchange Server, a central database running on a terminal server and an intranet. There are 5 other buildings within 30 miles which are connected to the main building using a VPN which gives them access to Exchange, terminal server and the intranet as if they were locally on the LAN. Occasionally they require the odd file that’s a bit big so we advise them to send via email or if it's too big for that then I FTP it for them.

Each network is in a different IP range. The main site is 192.168.0.0 and we also have 192.168.1.0, 192.168.2.0, 192.168.3.0, 192.168.4.0 and 192.168.5.0 (all guarded by a heavy duty firewall). I set my home network to 192.168.9.0 so I can access each LAN.

Most sites have Win2000 servers joined to the main domain. They replicate through the VPN. Users simply log into the domain.

A few sites are set up as workgroups because they don't have a server. Each user account is set up locally on their PC. They also have a matching account in the Active Directory so they can access Exchange, terminal server and everything else without even being on the domain.

Another use for a VPN is so you can access a remote network from home. For example, I can access all the college servers from home for administrative purposes. I can connect via terminal server and gain full use of the server as if I was sat in front of it. Sometimes when I’m on annual leave for example, I get a phone call from work and I can often fix problems from home.

If you wish to remotely use a PC which isn't running terminal services, you can install one of the many free VNC servers. I prefer TightVNC but you can also use RealVNC or UltraVNC.

Edited @ 05:33PM

Link to comment
Share on other sites
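The address-range advice in the replies above (keep the home network on a different IP range from the work networks), as an added example that is not part of the original thread: a Python check for overlap between a home LAN and the site ranges listed in the post. The /24 masks, the function names and the sample home ranges are assumptions; the thread gives only the network addresses.

```python
import ipaddress

# Site networks as listed in the thread; the /24 masks are an assumption.
SITE_NETWORKS = [f"192.168.{n}.0/24" for n in range(6)]


def find_conflicts(home_cidr, remote_cidrs=SITE_NETWORKS):
    """Return the remote networks whose address space overlaps the home LAN.

    Any overlap makes addresses ambiguous: the same address could be a
    local host or a remote one, and only one of them is reachable.
    """
    # strict=False accepts a host address with a mask, e.g. 192.168.1.77/24.
    home = ipaddress.ip_network(home_cidr, strict=False)
    return [r for r in remote_cidrs
            if home.overlaps(ipaddress.ip_network(r, strict=False))]


def suggest_home_network(remote_cidrs=SITE_NETWORKS,
                         pool="192.168.0.0/16", prefix=24):
    """Return the first subnet of `pool` that overlaps no remote network."""
    remotes = [ipaddress.ip_network(r, strict=False) for r in remote_cidrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(r) for r in remotes):
            return str(candidate)
    return None  # the whole pool is already taken by remote networks


if __name__ == "__main__":
    # Constructed sample home ranges: one clean, three that collide.
    samples = ("192.168.9.0/24", "192.168.1.0/24",
               "192.168.0.0/16", "192.168.1.77/24")
    for home in samples:
        conflicts = find_conflicts(home)
        status = "OK" if not conflicts else "conflicts with " + ", ".join(conflicts)
        print(f"{home:18} {status}")
    print("first free /24:", suggest_home_network())
```

A home router left on a wide mask such as /16 collides with every site at once, which is why the check compares whole networks rather than just the third octet.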

Thanks for that atomic. Just 2 more questions if I can please.

1. So you can't use an internet connection AND VPN at the same time, or can you? As when I did that I got locked out from my system whilst using RDP until I disabled Routing and Remote Access (this is what I used to create my VPN connection)

2.

If you wish to remotely use a PC which isn't running terminal services, you can install one of the many free VNC servers. I prefer TightVNC but you can also use RealVNC or UltraVNC.

I'm guessing this is the preferred way rather than paying MS for the extra Terminal Services license after the 60 or 120 day period - so these tools work exactly like TS but they're free??

Thanks again

Link to comment
Share on other sites

p.s. Sorry jpatto for asking a question and not giving an answer for your question (although I guess you do have the answer) but sorry for using your thread.......

WHAT!!!!!!!!!!! No way, I can't believe this - how could you...............ok ok I'm only joking, don't worry about it :w00t::w00t:;):P

Link to comment
Share on other sites

1. So you can't use an internet connection AND VPN at the same time, or can you? As when I did that I got locked out from my system whilst using RDP until I disabled Routing and Remote Access (this is what I used to create my VPN connection)

I don't have problems using both. If I'm at home, I access the internet with no problems through my local LAN. I can also have a VPN session open at the same time.

2. I'm guessing this is the preferred way rather than paying MS for the extra Terminal Services license after the 60 or 120 day period - so these tools work exactly like TS but they're free??

No, the VNC tools I specified and TS are completely different pieces of software for completely different purposes. It all depends what you wish to do.

VNC is a piece of software which allows you to operate a PC remotely. So if you remotely used somebody's PC, anybody sat in front of it would see what you are doing. You could also see what they are doing. VNC is for remote controlling a PC and that's it.

Terminal Server on the other hand is completely different. It allows any number of people to remotely log on to the TS computer. Each person would have their own remote session and use it like a normal PC. Also, somebody can operate the TS computer all at the same time. Each person will share the TS computer's resources so the CPU, RAM and network of the TS will determine how many people can access it. If the TS had Office XP and you had 10 people using it through TS, you would need 10 TS licenses plus 11 Office XP licences (one for the server itself) to be completely legal (unless you could prove that nobody accessed Office PC from the server?). TS licencing is so complicated I don't fully understand it myself.

My server at home has both VNC and TS installed so I have the choice of both depending on the situation.

VNC is cool because it's cross-platform compatible. You can remotely access a Windows PC from a Linux PC for example. Then again, there's an RDP client available for Mac, so Macs can access a Windows TS.

It's all pretty cool stuff

Link to comment
Share on other sites
