SBS2K8 VPN Setup

[gramb0t]

Well Hello there, Long time listener first time caller.

I have inherited a network that I fear was setup with the best intentions but not executed with the greatest of technical prowess.

Originally, the DMZ was set to point to the server, (SBS2K8 server with windows 7 workstations (and a smattering of XP machines for good measure). This was an effective way of letting the server handle the VPN requests but alas, i believe there is a more beautifull solution.

The router that we are using is a DIR-825, the server is setup to be the local domains DHCP server and thats working fine. What I need to know from you knowledgable folks is what settings are needed on the router to create a secure tunnel to the server?

tl;dr

SBS2K8 Server
(RAS has been setup on server)
DIR-825 Router
Static IP from ISP

Thanks in advance,

Gramb0t
(not a real bot, but a real boy!)

 

[thiggins]

Sorry, not following you. The DIR-825 does not have a VPN endpoint and can't originate or terminate a tunnel. It just has VPN passthrough.

 

[YeOldeStonecat]

Some questions first...
*What is the VPN for? Part time road warriors, or full time satellite offices?
*To access <what> kind of resources on the server?

"Server in the DMZ"? EEK!! Secure that server....how long has it been exposed like that?

 

[gramb0t]

YeOldeStonecat - The VPN will be for road warriors to access the network from hotel WIFI to access server shares, also to get into the intranet to access calendars and task lists that change daily.

Eventually I will be expanding to a satelite office at another location and will be looking at a solution to that problem, but for now I need remote desktop/server access.

Computers change around and for the most part, everyone works off the shares so Remote Desktop would only be used for a mapped network drive leading back to the file server.

To simplify further, they want access to a single server share wherever they are.

As far as I can tell, the DMZ has been like that for as long as their network has been running, Id say the better part of a year!

As for the router not having a VPN endpoint, can I not just port forward to the VPN solution provided by SBS2K8? I thought all I need is a PPTP tunnel.

Forgive me if I sound silly at all, I am teaching myself SBS2K8 and learning about RAS at the same time. This has been quite the project.

 

[YeOldeStonecat]

Trying to picture your setup more....

When you say "remote desktop to a mapped share on the server"....what are they remote desktop'ing into? You don't want them to remote desktop directly to the server. Eh eh.

If they're remote desktopping to their workstations at the office, you don't need a VPN for that, you have the Remote Web Workplace portal....all done via web browser.
https://remote.publicfqdn.com/remote where "publicfqdn" is whatever name and SSL cert you gave your server during the installation of the OS.
Done over port 443.

Also...Sharepoint is a fantastic way to hit the servers file shares for documents, also via web browser, and accessed via RWW. No VPN required.

Calendars and Task Lists...assuming they're done via Exchange/Outlook...just setup Outlook Anywhere....so their Outlook can securely hit the servers Exchange Server across the internet. That's how I'm accessing my office now..and I'm sitting on Amtrak Acela Express traveling to NYC. No VPN required.

The reason I'm trying to steer you away from the VPN for "road warriors"....sometimes, due to network equipment where your road warriors are currently at...will give them issues with VPNs. Lots of "routers" don't allow multiple VPN connections to pass through them, and if you go to a hotel..hit up the wireless...and launch your VPN, you may find it fails to connect or gives issues...if other users at the hotel are doing the same thing. To simply access simple Office document shares on the servers, workstations or terminal servers at the office, or Exchange Server...there are easier, faster, and slicker solutions...RWW, Sharepoint, OWA, Outlook Anywhere. All built into the many cool features of SBS.

 

[gramb0t]

RWW, this is intriguing.

In the office we are using this (for task lists and such) but I think I may have hit a little snag:

When installing, the FQDN was pointed to a domain that we OWN but DO NOT host on our servers. Can I still use the RWW, on a remotely hosted domain? What certificates/connections do I need from the other host (anything I need to do on that end will be done, we are in close contact).

EDIT: I can access remote.FQDN.com and get to the RWW portal, aswell as get into the internal website, But I am unable to access from external networks.

 

[YeOldeStonecat]

Is your active directory name ending in .com? Or .local? (hopefully)

Regardless, it's not a show stopper, you can get creative in whipping up a new DNS A-Record/CNames for your servers public IP address, just call it something else or give it a different suffix. Your website hosted somewhere else will be a www record pointing to the web hosts server. But you can create another record for "remote.mydomain.com" and point it to your networks public IP address. And then from home, https://remote.mydomain.com/remote brings you to the RWW portal, assuming you've opened/forwarded port 443. And you run the connect to the intenet wizard and snag an SSL cert for it (I usually name those the same as the creative name I gave the DNS name)

You can test from home without even doing a DNS name for it..just type in your networks public IP address, https://10.11.12.13/remote

 

[gramb0t]

Ok So,

I have called the host, they are pointing remote.mydomain.com to My static IP address.

My active directory is a .local ending (though this kind of messed me up as I need to add a mac((OS X)) to the network soon).

So all I need to do to get the SSL cert. is run the internet wizard on each workstation?

Your saving my life right now and I think Im going to have to name my kid yeoldestonecat, he's going to hate me for it, but it's worth it man.

Thanks for all your help!

UPDATE: I've opened port 443 on the router, i can now access the RWW portal through the static IP BUT, now the 987 (https://10.11.12.13:987) which is the internal webpage (akin to http://companyweb/default.aspx while connected to the LAN)

 

[YeOldeStonecat]

So all I need to do to get the SSL cert. is run the internet wizard on each workstation?

Should not have to do this....workstations would have access to the internet rather automatically when they were first setup on the domain. By default users added to SBS, and onto the workstation, would be allowed to remote access their workstation.

 

[gramb0t]

Remote access still remains a unicorn to me...

I have access to the RWW portal inside the building with no problem, I have my host forwarding my FQDN to my IP address but I am getting 404 errors when trying to access from an external network.

Frustrating...

I have the following ports openend on my router and pointing to the servers internal lan IP:

987 TCP
443 TCP

any clue as to what I am doing wrong?

 

[YeOldeStonecat]

What's connected to the WAN side of your router?
So you created an a-record for "remote.mydomain.com" which points to the static WAN IP you get from your ISP?
The ports are forwarded to the LAN IP of the server
So from the outside..in your browser..you type in "https://remote.mydomain.com/remote"
Don't forget the "S" after http.

If you didn't purchase a 3rd party certificate..you'll get a certificate error but just click on "Continue to this website anyways".

http://blogs.technet.com/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx

 

[Monkey]

There is an article on technet that gives you the port numbers:

http://technet.microsoft.com/en-us/library/sbs-2008-remote-access-management%28WS.10%29.aspx

You haven't mentioned that port 80 is being forwarded to the server, or 3398 if your are using the activex control for remote desktop.

 

[YeOldeStonecat]

There is an article on technet that gives you the port numbers:

http://technet.microsoft.com/en-us/library/sbs-2008-remote-access-management%28WS.10%29.aspx

You haven't mentioned that port 80 is being forwarded to the server, or 3398 if your are using the activex control for remote desktop.

Just 443 and 987 are needed to access RWW. You never...ever..want to open/forward port 80 to any active directory server...only to a very well locked down web server. Port 80 is hugely exploited on the internet..your server will fall. Port 3389 is not needed if you use RWW, only needed if you want to access Remote Desktop host directly from the internet with a Remote Desktop client. RWW will automatically proxy your RDP traffic for you. Scroll down on the above link you posted and see that they even added that to the end of that page.