external VPN connect to w2k server behind Symantec Firewall/VPN 100 ?

 
 
Thomas Schäfer
      06-11-2004, 02:22 PM
Hello all,

I'm a total VPN newbie ...

But I have to connect some external laptop users through VPN
to our company w2k server (DC)

After reading a lot about the VPN stuff in several newsgroups
I'm finally so confused that I have no idea what could make sense to try ..


I already know that the Symantec Firewall/VPN 100 is not able to handle
Client-Server connections on its own ..
But my hope is that there is another scenario that might work .. e.g.:
Gateway-Gateway connection? or: setting up a virtual server on the firewall
that redirects to the DC?

BTW: I also read about the possibility to define a virtual "Radius Server"
on the firewall ???

But as said above: I do not know what could make sense to start with in our
setup ..

Any help would be appreciated a lot !!


Local domain setup:
-----------------------

Internet
|
(dynamic IP & dyndns)
Symantec Firewall VPN100
(Subnet A)
|
(Subnet A) = default gateway
W2K Server (2 NICs)
(Subnet B)
|
(Subnet B)
xx* Client PCs (Server NIC = default gateway)


What would you do/try ??

best regards from Germany
thomas


 
 
 
 
 
Doug Sherman [MVP]
      06-11-2004, 03:32 PM
In order to configure Gateway to Gateway VPN, your laptop users would have
to have their own Symantec Firewall/VPN 100. What you could do instead with
the 100 model is configure what Symantec calls a Virtual Server - check the
box for PPTP and enter the IP address of a Win2k Server running RRAS.

You will need to configure RRAS on the Win2k Server to allow PPTP VPN
connections, See:

http://www.microsoft.com/windows2000...pnoverview.asp

Clients simply use the Make new network connection wizard to make a VPN
connection to the IP address of the Symantec device.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
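
A way to confirm that the Virtual Server entry described above actually reaches RRAS, as an added example that is not part of the original post: it builds the PPTP Start-Control-Connection-Request and parses the reply. TCP port 1723 and the message layout come from RFC 2637, not from the thread; the `probe` helper, host name and vendor string are hypothetical, and the sample reply is constructed.

```python
import socket
import struct

PPTP_PORT = 1723           # PPTP control channel (RFC 2637)
MAGIC_COOKIE = 0x1A2B3C4D  # constant carried in every PPTP control message
HEADER = ">HHIHH"          # length, message type, cookie, control type, reserved0
REPLY_BODY = ">HBBIIHH64s64s"  # version, result, error, framing, bearer, channels, firmware, host, vendor
RESULTS = {1: "ok", 2: "general error", 3: "channel exists",
           4: "not authorized", 5: "bad protocol version"}


def build_start_request(hostname=b"probe"):
    """Start-Control-Connection-Request (control type 1), 156 bytes."""
    # version 1.0, reserved1, framing/bearer capability bitmasks, channels, firmware
    body = struct.pack(">HHIIHH64s64s", 0x0100, 0, 3, 3, 0, 0, hostname, b"")
    return struct.pack(HEADER, 12 + len(body), 1, MAGIC_COOKIE, 1, 0) + body


def parse_start_reply(data):
    """Validate a Start-Control-Connection-Reply and return its fields."""
    if len(data) < struct.calcsize(HEADER) + struct.calcsize(REPLY_BODY):
        raise ValueError("short reply: %d bytes" % len(data))
    _, msg_type, cookie, ctrl_type, _ = struct.unpack_from(HEADER, data)
    if cookie != MAGIC_COOKIE or msg_type != 1:
        raise ValueError("not a PPTP control message")
    if ctrl_type != 2:
        raise ValueError("unexpected control type %d" % ctrl_type)
    ver, result, error, _, _, _, _, host, vendor = struct.unpack_from(REPLY_BODY, data, 12)
    return {"version": "%d.%d" % (ver >> 8, ver & 0xFF),
            "result": RESULTS.get(result, "unknown (%d)" % result),
            "error": error,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def probe(host, timeout=5.0):
    """Hypothetical helper: run the exchange against the firewall's public address."""
    with socket.create_connection((host, PPTP_PORT), timeout=timeout) as sock:
        sock.sendall(build_start_request())
        data = b""
        while len(data) < 156:
            chunk = sock.recv(156 - len(data))
            if not chunk:
                break
            data += chunk
    return parse_start_reply(data)


# Constructed sample reply (not captured from a real server); names are made up.
SAMPLE_REPLY = struct.pack(HEADER, 156, 1, MAGIC_COOKIE, 2, 0) + struct.pack(
    REPLY_BODY, 0x0100, 1, 0, 3, 3, 0, 0, b"dc01.example.local", b"ExampleVendor")

if __name__ == "__main__":
    print(parse_start_reply(SAMPLE_REPLY))
```

A successful reply only shows that the TCP control channel is forwarded; the tunnel itself also needs GRE (IP protocol 47) to pass through the firewall.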

 
Thomas Schäfer
      06-11-2004, 10:05 PM
Thanks Dough,

that sounds simple enough for me to be able to set it up

One question on this solution:

I read somewhere else that a "simple" PPTP connection would be "unsafe" ...
Is this true ?
How heavy is the intrusion risk for the server in "real life" ??

cheers,
thomas



 
Thomas Schäfer
      06-11-2004, 10:12 PM
sorry )
Doug ...

it wasn't intended like this ..

 
Doug Sherman [MVP]
      06-12-2004, 02:17 AM
The short answer is that nothing is safe. PPTP is encrypted and reasonably
safe, but L2TP/IPSEC is better and Win2k Server is capable of providing
L2TP/IPSEC VPN and acting as the requisite Certificate of Authority. I
recommend you start with a PPTP server first (you can always add L2TP later)
because:

1. PPTP is easier to configure and tends to give slightly better
performance.

2. I know that the Symantec Firewall can pass PPTP packets, and a PPTP VPN
server running behind it should work fine. I am not sure about running an
L2TP/IPSEC server behind this device. There is an issue called NAT
Traversal when running IPSEC through a NAT provider - See:
http://www.microsoft.com/technet/com...uy/cg0802.mspx

Note that you can create an L2TP tunnel alone without IPSEC, but this is not
as good as PPTP.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

 
Thomas Schäfer
      06-12-2004, 03:27 PM
OK understood ...

I will try to do the setup on monday then ..

again, thanxx a lot for your help Doug!

best regards from Germany
thomas
