Networking Forums

How do I connect a 2nd VPN Router with its own gateway to my Network?

 
 
Daniel Mazur
Guest
Posts: n/a

 
      04-07-2009, 08:05 PM
Here in Miami I have a Windows Server 2003 computer with Exchange 2003
installed and working on it. This is a member server that is connected to
another server in London. The LAN is connected by two Snapgear VPN Routers,
one here in Miami, the other in London. This is working fine. However, I
am now interested in having laptop users in Miami connect to the Miami
network by VPN as well. That is, not from the London office, but from
laptops in user homes, cafés, etc. So, I want a client software on their
laptops to VPN in with. However, I do not want to do this through the
existing Snapgear VPN Router. What I want is to install a Netgear FVS-338
into the Miami network for access. But how? We have a T1 here, with five
available WAN Static Addresses. One is set and used for the Snapgear
router, and I want to set another Static WAN for the Netgear FVS-338.
However, this creates two Gateways, and Netgear is telling me that unless
the Server's gateway is set to the FVS-338, Miami Laptop Clients will not be
able to communicate with local network computers. So, my question is, how
can I configure VPN access with this second Netgear VPN router without
disconnecting or interfering with the existing VPN router? The most
important service I want to use this with is logging into Exchange. That
means communicating with the Exchange Server. It appears I cannot use 1 LAN
card with Two Gateway addresses, or two LAN cards with different Gateway
addresses. Any ideas?

Thanks,

Dan


 
 
 
 
 
James McIllece [MS]
Guest
Posts: n/a

 
      04-07-2009, 11:25 PM
Hi Dan --

The WS03 server default gateway address does not need to be changed just
because you add another VPN server/router and connection to the Internet. I
believe this is the overall setup you want:


Remote Miami VPN clients <--Internet-->

Netgear FVS-338 Miami VPN server -->

Miami Windows Server 2003 LAN/Exchange server -->

Snapgear VPN Router Miami <-Internet-> Snapgear VPN Router London -->

London LAN and DC


So just view this as adding another subnet to your existing network.

The Netgear VPN server/router will have the static public IP address on the
public interface and an internal IP address for the LAN interface. The
connecting VPN clients can have their own subnet and can still connect to
Miami LAN resources as long as the Netgear router has the paths in its
routing tables. (It should automatically build those.)

But you will need an authentication solution, and that means using the
router with AD somehow (if you're using AD) or installing Internet
Authentication Service (IAS) and creating access policies there, which I
think is a better idea in case you ever want to add more VPN servers or
wireless access points.

Keep in mind that client computers, the Netgear VPN server, and the IAS
server must support the same authentication methods. In addition, the
Netgear router must support the RADIUS standard RFCs, and should support
EAP and 802.1X to provide you with the flexibility to deploy the
authentication methods that you want to deploy.

Also, assuming you're using AD, you'll need a DC in Miami if you don't have
one already in order to allow IAS to rapidly process authentication
requests. I believe this will work with a read-only DC, but you'll have to
double-check on that.

Depending on the hardware you're using and the number of users, plus a few
other factors, you might be able to just install IAS on your existing WS03
server. If it is already a DC that is a supported configuration.

HTH --

****************

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
Bill Grant
Guest
Posts: n/a

 
      04-07-2009, 11:35 PM
It is OK to have two gateways. You just cannot have two default gateways.

The router you use for dialup type VPN access will need to be the
default gateway for the LAN machines, because you do not know what IP
address the remote machine is using to connect.

The site to site connection is different. You know exactly what IP
addresses the London office uses. You can reroute that traffic to the
existing Snapgear router. You can add a static route to each machine on the
LAN, or you can simply add it to the gateway router to bounce the traffic to
the Snapgear. (This assumes that your connection to London is correctly
configured as a site-to-site connection).
 
Phillip Windell
Guest
Posts: n/a

 
      04-10-2009, 08:35 PM
Without burying myself in your setup (as I sometimes do)......

"Something" has to act as the central LAN Router for the particular
site,...and it will *not* be the firewall. Choose some kind of Routing
Device on the LAN (maybe one of the VPN Devices) as the LAN Router. The
device must be capable of having Static Routes added to it and must be able
to be the central "decision maker" and pass the traffic in whatever
direction it has to go. All hosts on the LAN then use *this* device as the
Default Gateway,...then *this* device uses the Firewall to the Internet as
its Default Gateway.

Then all Edge Devices (Firewalls, or whatever) have to have Static routes
point back at the LAN Router to cover other LAN IP Segments that they are
not directly sitting in. The Firewall must have the IP Ranges of all LAN IP
Segments added into its Local Address Table (meaning the LAT and the Local
Routing Table have to agree).

Then repeat the same design at all the Sites (they have to agree).

It is not as confusing as it sounds if you "envision" the network without
any PCs. You have to look at the network as a bunch of cables and network
equipment,...the PCs only "live" on the network,...they don't "make up" the
network,...and they are not supposed to make routing decisions for the
network.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Phillip Windell
Guest
Posts: n/a

 
      04-10-2009, 08:54 PM
"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Without burying myself in your setup (as I sometimes do)......
>
> "Something" has to act as the central LAN Router for the particular
> site,...and it will *not* be the firewall.


Actually there is a scenario where it can be the firewall,...but it depends
on what your Firewall is capable of in terms of "doubling" as a type of LAN
Router.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Daniel Mazur
Guest
Posts: n/a

 
      04-15-2009, 06:44 PM
Guys, thanks so much for the responses. However, they all appear to be over
my head. Can anyone point me to some documentation for help?

Thanks,

Dan
 
Bill Grant
Guest
Posts: n/a

 
      04-15-2009, 11:22 PM


"Daniel Mazur" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Guys, thanks so much for the responses. However, they all appear to be
> over my head. Can anyone point me to some documentation for help?
>
> Thanks,
>
> Dan
>
>
>
>

I doubt that you would find any documentation on that particular problem.
It is basically how IP routing works.

If you only have one gateway, you can set all machines to use it as the
default gateway and everything just works.

If you have two gateways, this fails. Only one can be the default
gateway. So you set your LAN machines to use your Internet router as their
default gateway. They can access the Internet and any machine connecting to
this router by dialup (RAS or VPN) can access the LAN machines.

A site to site VPN is a different matter. You do not need default
routing to use a site to site VPN. You know exactly what traffic has to go
across this link. It is only the IP subnet used by your remote site. This is
the only traffic that needs to use the second gateway.

There are basically two ways to make this happen. You can add a static
route to each machine in this LAN which needs a connection to the other
site. If you want all machines to have access to the other site it is
simpler to add the route to the Internet router instead. All traffic goes to
the default router, but the traffic for the "other" site is redirected to
the second gateway.

What the static route is depends on how your network is configured. If
the second site uses 192.168.91.0/24 addresses and your second gateway is
10.10.10.10, the static route would be

192.168.91.0 255.255.255.0 10.10.10.10

All other traffic goes out through the default router.
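
Added example (not part of the thread or any poster's code): a small longest-prefix-match model of the LAN host routing described in the post above, showing which sources get their replies sent out the wrong gateway before and after the static route is added. The 192.168.91.0/24 subnet and 10.10.10.10 gateway come from the post; the 10.10.10.1 default gateway and the 203.0.113.7 remote client are assumptions for illustration.

```python
import ipaddress


class RouteTable:
    """Host routing table: one default gateway plus static routes,
    resolved by longest-prefix match (on-link delivery is not modeled)."""

    def __init__(self, default_gateway):
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"),
                        ipaddress.ip_address(default_gateway))]

    def add_static(self, network, netmask, gateway):
        # Same three fields as the route in the post: network, mask, gateway.
        # ip_network() raises ValueError if host bits are set in `network`.
        net = ipaddress.ip_network(f"{network}/{netmask}")
        self.routes.append((net, ipaddress.ip_address(gateway)))

    def next_hop(self, destination):
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dst in r[0]]
        # The default route always matches, so `matches` is never empty.
        return str(max(matches, key=lambda r: r[0].prefixlen)[1])


def asymmetric_sources(table, arrivals):
    """Sources whose replies would leave via a different gateway than
    the one their traffic arrived through (the failure in the thread)."""
    return [src for src, via in arrivals if table.next_hop(src) != via]


# Constructed sample values. 192.168.91.0/24 and 10.10.10.10 are from the
# post; the 10.10.10.1 default gateway and 203.0.113.7 client are assumed.
DEFAULT_GW = "10.10.10.1"
ARRIVALS = [
    ("192.168.91.25", "10.10.10.10"),  # remote-site host, via second gateway
    ("203.0.113.7", DEFAULT_GW),       # dial-in VPN client, unknown address
]


def demo():
    table = RouteTable(DEFAULT_GW)
    before = asymmetric_sources(table, ARRIVALS)
    table.add_static("192.168.91.0", "255.255.255.0", "10.10.10.10")
    after = asymmetric_sources(table, ARRIVALS)
    return before, after, table.next_hop("192.168.91.25")


if __name__ == "__main__":
    print(demo())
```

The same table can be built for the gateway router instead of each host; the lookup logic is identical, only the place the static route lives changes.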

 