Couple of questions regarding RRAS routing

 
 
MikeDee
      07-01-2008, 03:01 PM
Now that I have RRAS working, there are a couple of things I'd like to
do. I think these may be related, but I can't figure out how to do
them.

1) It would be nice if our RRAS server (which has no other software on
it) could double as a backup repository. The machine has large disks
and we have scripts to back up our internal (behind the firewall/NAT)
and external servers (outside firewall/NAT). The scripts basically
mount a network drive (temporarily) and back up each server. From the
RRAS server, drives inside the LAN (192.168.1.x) can be mounted
without a problem. However, no drives outside the LAN can be
mounted. Note that our outside servers allow file sharing from just
our (external) subnet. I've tried setting up various inbound and
outbound filters, but have not been able to get this to work.

2) I want to allow VPN clients to access internet resources without
turning off the "use default gateway". We don't have that many dial-in
users and would prefer the increased security. I've added the NAT
to RRAS, and have experimented with adding "interfaces", but have been
unsuccessful at making it work.

Any help would be appreciated.

Thanks,
Mike
 
Bill Grant
07-01-2008, 11:28 PM
1. I think that would be a very bad idea. Use your router as a router. If it
has disks it doesn't need, move them somewhere else.

2. That is not impossible, just very hard. The problem is that there is
nothing you can do at the server end to make this happen, because the
routing decision is made at the client. If the client does not send the
traffic through the VPN connection, that's it!

Without the "use default gateway" switch, the client will only send
traffic through the tunnel which is in its own IP subnet. (See KB 254231).
You can't really add any extra routes. What would you use as the gateway
and interface addresses? These don't exist until the connection is made.

With RRAS you can use demand-dial interfaces for this, but the client
doesn't have them. You would need to have a script which ran after the
connection was established to plug the IP addresses into a route command.
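
What such a post-connect script could look like on a current Windows client, as an added example that is not part of the original post. The connection name `Office VPN` and the extra subnet `192.168.2.0/24` are assumed placeholders, and it assumes the tunnel interface alias equals the connection name.

```powershell
# Added example: run elevated on the VPN client once the tunnel is connected.
param(
    [string]$VpnName     = 'Office VPN',    # assumed connection name
    [string]$Destination = '192.168.2.0',   # assumed extra subnet behind the server
    [string]$Mask        = '255.255.255.0'
)

# The tunnel adapter and its address only exist while the connection is up,
# which is why the route cannot be configured ahead of time.
$addr = Get-NetIPAddress -InterfaceAlias $VpnName -AddressFamily IPv4 `
            -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $addr) {
    Write-Error "No IPv4 address on '$VpnName'; connect the VPN first."
    exit 1
}

# Use the client's own tunnel address as the gateway and pin the route to the
# tunnel interface. No -p switch: the address can differ on the next connection.
$routeArgs = @('add', $Destination, 'mask', $Mask, $addr.IPAddress,
               'if', $addr.InterfaceIndex)
& route.exe @routeArgs

# Confirm the route landed on the tunnel interface and not on the LAN adapter.
$route = Get-NetRoute -InterfaceIndex $addr.InterfaceIndex -AddressFamily IPv4 `
             -ErrorAction SilentlyContinue |
         Where-Object { $_.DestinationPrefix -like "$Destination/*" }
if (-not $route) {
    Write-Error "Route to $Destination was not added on interface $($addr.InterfaceIndex)."
    exit 1
}
$route | Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

Only the named subnet goes through the tunnel; all other traffic keeps using the client's local default gateway.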

 
MikeDee
07-02-2008, 03:34 AM
OK, regarding #1, it seems silly to have an entire server dedicated
just to VPN/routing, especially for a company our size. Can anyone
suggest a good hardware router - something small and relatively
inexpensive? It would need to be easy to configure and work well with
a Windows/Active Directory environment.

Regarding #2, perhaps a hardware router could address that too?

 
Bill Grant
07-03-2008, 06:28 AM
How would a hardware router change the situation if the routing problem
is at the client? If you mean using a third-party VPN solution, you will
probably find that they are even more restrictive than the Microsoft client.

 