
Thread: VPN and firewall setup

  1. #1
    Senior Member
    Join Date
    Jan 2004
    Posts
    124

    Question VPN and firewall setup

    I'm starting a thread for the first time, so don't expect much of it.

    I need advice on the following:

    I want to make a VPN connection from home (using dial-up) to a server at work (using a 256 kbps link).
    At work I have a w2k server with RRAS enabled (currently it is working as NAT for the rest of the private-range LAN), DHCP, no domain. The server is connected to the ISP with some kind of wireless link with a speed of 256 kbps. There is also a software firewall with stateful inspection installed (Visnetic Deerfield Firewall).
    At home I have w2k pro with a 56k modem and the same firewall.
    The firewall can support only PPTP.

    The question is: what ports (and for what address range) should I leave open on the server at work and on the computer at home?
    The goal is that when I connect from home I have access to shared folders, and maybe terminal services on the server so I can administer it from home.

    Someone might say that I should search for previous posts, but when I type VPN in the search box there are over 400 threads, and I have much time to read them all.

    Any kind of short advice, or reference to another post/thread or article, is appreciated.

    thank you
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  2. #2
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    If all you need is shared folders then I would set up remote desktop on one of the boxes.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  3. #3
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    You can:

    1) Take the poor man's route and tunnel VNC (or UltraVNC if you want a Norton Commander type file transfer) over SSH. If this is the case, open port 22 on the remote and you don't need to worry about outbound ports. If all you want is remote desktop, the newest release of RealVNC does encryption. This too is an easy implementation.

    2) Use Microsoft's built-in PPTP stuff. I don't really like this solution but some do. There is an open source version of course: http://www.poptop.org/

    There are three key parts to the PPTP protocol:

    - The control connection over TCP (destination port is 1723, source port can be any available port). THIS IS NOT AUTHENTICATED IN ANY WAY.
    - The IP tunnel used to transport GRE-encapsulated packets (protocol 47; note, this is not TCP or UDP PORT 47, but a specific, unique protocol).
    - The PPP packets that are encapsulated inside the GRE tunnel carried by IP. Note that only the DATA packets are encrypted. When encryption is actually used (which is left open to the implementer and not actually part of the PPTP RFC), only protocol numbers 0x21 through 0xFA (just the data, usually) are encrypted; this means all the other PPP traffic (for example LCP) is not encrypted.

    3) Buy two devices that can set up point-to-point tunnels. This can get expensive. Same goes for client/server VPN solutions.

    Anyway, based on your choice, I will provide the technical detail but if you want an excellent read on VPNs, I suggest this: http://www.sans.org/resources/malwarefaq/pptp-vpn.php

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
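    The post above lists the three PPTP components and the original question asks which ports and address ranges to open. The following is an added example, not code from the thread or from any of the products mentioned: a small Python checker that classifies packets into the PPTP control connection (TCP/1723) and the GRE tunnel (IP protocol 47), applies a minimal inbound policy for the work server, and reports whether a PPP protocol number falls in the 0x21..0xFA range that the post says is the only part encrypted. The server address, LAN range and sample packets are constructed placeholders.

```python
"""Added example (not from the thread): PPTP firewall-opening checker.

Assumptions (constructed for illustration):
  VPN_SERVER  - the RRAS server's public address
  LAN         - the private range behind the server
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VPN_SERVER = ip_address("192.0.2.10")      # constructed placeholder
LAN = ip_network("192.168.0.0/24")         # constructed private range

PPTP_CONTROL_PORT = 1723   # TCP control connection (unauthenticated, per the post)
GRE_PROTOCOL = 47          # IP protocol number, not a TCP/UDP port


@dataclass(frozen=True)
class Packet:
    """Just the header fields a stateful firewall rule would look at."""
    src: str
    dst: str
    ip_proto: int            # 6 = TCP, 17 = UDP, 47 = GRE
    dport: Optional[int] = None


def classify(pkt: Packet) -> str:
    """Name the PPTP component a packet belongs to, or 'other'."""
    if pkt.ip_proto == 6 and pkt.dport == PPTP_CONTROL_PORT:
        return "pptp-control"
    if pkt.ip_proto == GRE_PROTOCOL:
        return "gre-tunnel"
    return "other"


def allowed_inbound_to_server(pkt: Packet) -> bool:
    """Minimal inbound policy for the work server:
    - control connection and GRE addressed to the VPN server itself
    - anything that already originates inside the private LAN
    Everything else (e.g. SMB/445 straight from the Internet) is denied;
    file sharing rides inside the tunnel, so it needs no extra opening.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if dst == VPN_SERVER and classify(pkt) in ("pptp-control", "gre-tunnel"):
        return True
    return src in LAN


def ppp_payload_encrypted(ppp_protocol: int) -> bool:
    """Per the post: with MPPE only PPP protocol numbers 0x21..0xFA are
    encrypted; control protocols such as LCP (0xC021) travel in the clear."""
    return 0x21 <= ppp_protocol <= 0xFA


def evaluate(packets):
    """Return (classification, decision) for each packet, for a quick audit."""
    return [(classify(p), allowed_inbound_to_server(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic as seen by the work-side firewall.
    samples = [
        Packet("203.0.113.5", "192.0.2.10", 6, 1723),   # dial-up client opens control connection
        Packet("203.0.113.5", "192.0.2.10", 47),        # GRE tunnel from the same client
        Packet("203.0.113.5", "192.0.2.10", 6, 445),    # SMB from the Internet: deny
        Packet("192.168.0.7", "192.0.2.10", 6, 445),    # SMB from inside the LAN: allow
    ]
    for pkt, (kind, ok) in zip(samples, evaluate(samples)):
        print(f"{pkt.src:>13} -> {pkt.dst} proto={pkt.ip_proto:<2} {kind:<13} {'ALLOW' if ok else 'DENY'}")
    for proto in (0x0021, 0xC021, 0x80FD):
        print(f"PPP protocol 0x{proto:04X} encrypted: {ppp_payload_encrypted(proto)}")
```

    Because the control connection is unauthenticated, the policy above is the widest opening that still works for a dial-up client whose address changes each call; if the remote side ever gets a fixed address, narrowing the source of the TCP/1723 and GRE rules to that address is the obvious tightening.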

  4. #4
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    TH13:
    thanks for the advice, and the article about VPN is looking great.... I'll take some time to read it during this day...

    I know that PPTP is less secure than L2TP, but at this point it is a good solution for my needs.

    At this point I'll set up everything for PPTP and test it from home tonight.

    This is only phase one, that is why I want only to create access to shared folders (they are on another server in the LAN). If this phase of testing is OK, I'll try to run some network apps (SQL client - server). The bottom line is that I want to make myself able to admin servers from home, and to make my boss able to check sales reports in our app from home...

    Can anyone tell me if these two tasks could be performed over dial-up? Is 56k enough?

    I don't like using VNC on my servers, but if it is the only comfortable solution, I guess I could leave one of the workstations at work running over night.

    TH, consider that you have some antipoints from me for a great post, but the AO system is not letting me do it. I have to "spread" my antipoints more...
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  5. #5
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    OK,

    I have set up everything at work. RRAS is using PPTP. The firewall is set up to pass traffic on protocol #47, the port for PPTP is enabled, traffic for the private range is enabled.

    At home I did the same thing.

    I got a connection, but when I start browsing shared folders it opens just the shared folder, and when I try to open anything it hangs. I see traffic in my FW log but after approx. 1 min it just closes that window... When I try to reopen it, it pops up "network path is not available".

    I guess that 56k is too slow for this, so today I'm setting up VNC and terminal services.

    Any ideas how to optimize file browsing?

    thanks
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  6. #6
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    Hm, after testing this over the weekend I have discovered the following:
    No matter what I use, VNC, Terminal Service client or folder browsing, network traffic dies after approx. 1 min. After another 1 min the connection disconnects. When I connect again, I have the same thing: it works 1 min and then it just dies...

    I'm searching Microsoft MSDN and Google for tips on optimizing TCP/IP. Any ideas, someone?
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  7. #7
    zencoder (AO Senior Cow-beller, Moderator)
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    Re: VPN and firewall setup

    Originally posted here by ikalo
    Someone might say that I should search for previous posts, but when I type VPN in the search box there are over 400 threads, and I have much time to read them all.
    Hi ikalo! Welcome to AO. Looks like you've made some progress. Unfortunately, I'm not familiar with any of the items you've described, really, so I don't have any advice to offer on that front.

    I would suggest you start searching with many more keywords. At this site, if you search for VPN, you'll probably get a link to 50% or more of all threads ever created, at least in the Security section.

    Try searching for VPN RRAS Visnetic Deerfield etc. It might narrow down the results somewhat... and if you get too few, start removing terms.

    Best of luck.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    ikalo, even under very good conditions PPP is painfully slow, but if your computer has become infected with spyware/adware or your phone line is not that good it's impossible. Use Spybot S&D and Ad-Aware to scan your computer for malware. After that, if it still doesn't work and you insist on using PPP, invest in pcAnywhere from Symantec. If at all possible get a high speed connection for use with any of the above suggestions. The benefits you'll receive far outweigh the costs.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    Zencoder:
    Thanks for the advice on searching.

    Tedob1:
    pcAnywhere could be an option but it has some disadvantages. Like I said already in my post, I don't want to allow desktop access to the server. Also I want to make this usable for several persons. A high speed connection is currently not available at my home (ADSL is not implemented in my country yet and I don't have a good position for wireless).
    The idea is that I (or my boss) can check what is going on from home... speed is not important.

    I have already found some stuff about tweaking TCP/IP for operating over WAN, but that is still only in general... MSDN here I come.

    [edit]
    Spyware is not a problem because I keep my box clean. Also, spyware is not a problem because when the VPN connection is established it is the default gateway for all traffic. NAT on the server is not routing anything from VPN to the internet. And if it does, my firewall would log any traffic.
    [/edit]
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  10. #10
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well.... running apps over VPN... is not gonna work... from my experience anyway.

    VNC... will work to a remote desktop... then terminal server into the server to admin.

    PCAnywhere... has issues with rebooting machines and then needing someone to reset on the host... pain... I would never put it on a server!

    gotomypc... remote desktop app... then terminal server into the server to administrate.

    Or use the XP Pro remote desktop feature... again to a ws, then terminal server to admin the server.

    To run or administrate apps... I suggest using terminal server... which comes with 2000\2003 server (single seat)... and works very well.

    As for not wanting to remote desktop... why??

    Remote desktop to a ws... then terminal server into the server from inside your LAN... better than having the terminal server exposed to the internet... IMHO of course.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer
