Best way to connect remote windows 2003 server to main office

 
 
Ryan
      12-06-2007, 10:01 PM
Our main office runs ISA 2004 SP2 on Server 2003 Standard SP2 behind a Cisco
router.

We are leasing an offsite Windows Server 2003 Standard SP2 to replicate our
data for DR purposes. Under the current budget we can only afford a single
server and can not afford a device to run the VPN connection back to our main
office ISA server. My question is what is the most secure and reliable setup
with this configuration?

Would I enable RRAS on the remote server and set up a demand dial interface
with L2TP VPN back to our main office ISA server? The remote server has a
single NIC with 3 public IPs configured. If I enable RRAS I have to then
disable the Windows Firewall/ICS service, and I lose my software firewall.
What do I do to protect this server? In past setups I've only configured a
site to site connection to another ISA server or VPN appliance such as a
SonicWall or PIX.

My other thought was to keep the Windows Firewall in place and use the PPTP
client that I've set up for all remote users to connect the server. This seems
a little hokey, and also I'm not sure how I would keep a persistent
connection? Thanks in advance for your advice.

Ryan
 
Phillip Windell
      12-07-2007, 09:01 PM
Use RRAS to create a Remote Access Connection (not site-to-site). The dialup
interface in RRAS will let you specify it as "persistent".

The Windows Firewall is no big deal. The Firewall Protects by not letting
things be available that the OS is trying to make available,...but if the OS
isn't trying to make something available that should not be available then
there is nothing for the Firewall to protect in the first place. Moral of
the story,...don't have services running on the box that you don't want
people to connect to. In the Properties of the NIC uncheck (unbind) F&P
Sharing, Client for MS Networks, QoS, etc. Just leave TCP/IP enabled and
that is all.

Get RRAS to dial the persistent connection. Use either PPTP or L2TP,..do not
use IPSec. Make sure ISA has the Access Rules in place to handle the
traffic to/from that server. From ISA's perspective this is just a Remote
Access VPN User.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------

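An added example, not part of the original thread: with the Windows Firewall off, what the server exposes is exactly the set of sockets listening on non-loopback addresses, so the unbinding advice above can be checked by auditing `netstat -ano` output. The capture, the addresses (documentation ranges) and the function name `exposed_listeners` are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -ano` capture. 203.0.113.10 stands in for one of the
# server's public IPs, 198.51.100.7 for the main-office ISA server (PPTP, 1723).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1980
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:1061      198.51.100.7:1723      ESTABLISHED     560
  UDP    203.0.113.10:137       *:*                                    4
  UDP    127.0.0.1:123          *:*                                    912
"""

# Labels for ports commonly seen on a default Windows Server install.
KNOWN = {135: "RPC endpoint mapper", 137: "NetBIOS name",
         138: "NetBIOS datagram", 139: "NetBIOS session",
         445: "SMB", 3389: "Remote Desktop"}


def exposed_listeners(netstat_text, allowed=frozenset()):
    """Return sorted (proto, address, port, pid, service) tuples for sockets
    that accept traffic on a non-loopback address and are not in `allowed`."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign, pid = f[0], f[1], f[2], f[-1]
        if proto == "TCP" and f[3] != "LISTENING":
            continue  # an established session (e.g. the VPN dial-out), not a listener
        if proto == "UDP" and foreign != "*:*":
            continue  # UDP has no state column; "*:*" marks a bound socket
        host, _, port = local.rpartition(":")
        addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
        if addr.is_loopback or (proto, int(port)) in allowed:
            continue  # not reachable from off-box, or explicitly accepted
        found.add((proto, str(addr), int(port), int(pid),
                   KNOWN.get(int(port), "unknown")))
    return sorted(found)


if __name__ == "__main__":
    for proto, addr, port, pid, svc in exposed_listeners(SAMPLE):
        print(f"{proto} {addr}:{port} pid={pid} ({svc})")
```

Run it against a fresh capture after each binding or service change; an empty result means nothing on the box is answering on the public addresses.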
 
Ryan
      12-07-2007, 09:25 PM
Phillip,

Thank you for the response, your explanation puts my mind at ease when
disabling the firewall service to enable RRAS. I am unfamiliar with
utilizing/depending on the Windows Firewall, normally use an appliance or
ISA. One other question, after unbinding the services you listed below from
the NIC would it provide better security if I also set IP Filtering on for
TCP/IP to only accept traffic from the external interface of my ISA server?

Thanks,

Ryan

 
Ryan Hanisco
      12-09-2007, 06:15 AM
That would work. Just remember to test this before pushing it to a large
group of users.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


 
Phillip Windell
      12-10-2007, 03:17 PM
"Ryan" <(E-Mail Removed)> wrote in message
news:3BC21B7D-24A4-4018-BE48-(E-Mail Removed)...
> Thank you for the response, your explanation puts my mind at ease when
> disabling the firewall service to enable RRAS. I am unfamiliar with
> utilizing/depending on the Windows Firewall, normally use an appliance or
> ISA. One other question, after unbinding the services you listed below
> from
> the NIC would it provide better security if I also set IP Filtering on for
> TCP/IP to only accept traffic from the external interface of my ISA
> server?


You could but I would not bother with it. It is more likely you would just
screw up the VPN connection.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.