Networking Forums: Windows Networking: Routes

Buzz
Guest
Posts: n/a

 
      04-12-2007, 12:16 PM
Hi
I have a quick question about static routes. I have been asked to supply a
VPN solution to access 2 servers for support purposes using a Sonicwall
device which is not to impact any of the system as at present and to
terminate at the servers and no further into the LAN.
On the Site there is a Backup Dc, 2 Application servers, 60 Pc and routers.
The Dc, Servers and printers on the site have static IP addresses and the Pc
are Dhcp. The Sonicwall is to be used solely for a VPN connection in with no
outgoing traffic.
The Sonicwall internal IP address is 10.240.16.6
The Servers have 2 NIC one for the LAN and One for the Sonicwall.
Nic1 (LAN) = 10.240.16.12 Mask 255.255.255.0 Gateway 10.240.16.1
Nic 2 (Sonicwall) = 10.240.16.8 Mask 255.255.255.0
Like this I cannot VPN to the server, but if I add The Sonicwall address to
the gateway box in the Nic2 configuration I can VPN to the server and login
with the Local Admin Account. Unfortunately I cannot Login with my Domain
Account and neither can the users.
Is there a way to add the static route that gets over this problem? Something
like
“Route add 10.240.16.6 mask 255.255.255.255 10.240.16.12” or won't that work?
Thanks
John

 
Phillip Windell
Guest
Posts: n/a

 
      04-12-2007, 02:32 PM
"Buzz" <(E-Mail Removed)> wrote in message
news:974913C6-3331-4603-A1BE-(E-Mail Removed)...
> I have a quick question about static routes. I have been asked to supply a
> VPN solution to access 2 servers for support purposes using a Sonicwall
> device which is not to impact any of the system as at present and to
> terminate at the servers and no further into the LAN.


You can't. When you successfully connect the VPN and it works properly the
whole LAN is available. That has always been the "weak point" of all the
Hardware VPN Appliances.

It takes a product like ISA Server operating as a VPN Server to control this. It
will control access based on the user account. You can restrict as tightly as
"one particular user, ...to one particular host, ...using one particular
protocol, ...to one particular time of day on the clock."

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/e...epartners.mspx
-----------------------------------------------------


 
Robert L [MVP - Networking]
Guest
Posts: n/a

 
      04-12-2007, 02:42 PM
The LAN and Sonicwall NICs should be in different subnets, for example 10.240.16.0/24 and 10.241.16.0/24. This case study may help,

Troubleshooting ipconfig: Cannot use the 2nd NIC. Symptom: You have two computers and each one has two NICs. You are using the first NIC with 192.168.1.0/24 to connect the Internet ...
http://www.chicagotech.net/troubleshootingipconfig.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Bill Grant
Guest
Posts: n/a

 
      04-13-2007, 12:57 AM
And even when you put them in different IP subnets you will still have
problems with default gateway settings. A machine can only have one dg per
machine, not one per interface. The VPN will work if you set the dg to go
out through the Sonicwall, but the server will lose its normal Internet
connection through the LAN router. (Not to mention the name resolution
problems with multihomed servers).

Buzz
Guest
Posts: n/a

 
      04-13-2007, 08:34 AM


"Bill Grant" wrote:

> And even when you put them in different IP subnets you will still have
> problems with default gateway settings. A machine can only have one dg per
> machine, not one per interface. The VPN will work if you set the dg to go
> out through the Sonicwall, but the server will lose its normal Internet
> connection through the LAN router. (Not to mention the name resolution
> problems with multihomed servers).
>


The Application Servers are solely used to run an application and serve this
via terminal services to the users. They have no access to the internet
through these servers. The printers for the sessions are on the DC.

If I set the DG to the IP address of the sonicwall what impact will it have
on user verification and printing?

Sorry I've been dropped into this with little knowledge of infrastructures!

John
 
Bill Grant
Guest
Posts: n/a

 
      04-14-2007, 02:29 AM

"Buzz" <(E-Mail Removed)> wrote in message
news:3809FF9F-8B75-4320-9054-(E-Mail Removed)...
>
>
> "Bill Grant" wrote:
>
>> And even when you put them in different IP subnets you will still have
>> problems with default gateway settings. A machine can only have one dg per
>> machine, not one per interface. The VPN will work if you set the dg to go
>> out through the Sonicwall, but the server will lose its normal Internet
>> connection through the LAN router. (Not to mention the name resolution
>> problems with multihomed servers).
>>

>
> The Application Servers are solely used to run an application and serve this
> via terminal services to the users. They have no access to the internet
> through these servers. The printers for the sessions are on the DC.
>
> If I set the DG to the IP address of the sonicwall what impact will it have
> on user verification and printing?
>
> Sorry I've been dropped into this with little knowledge of infrastructures!
>
> John


The basic problem is that you are trying to use VPN to do a job that it
was not designed for. As Phillip pointed out, VPN is designed to make the
remote client perform as if it was actually on the private network. For that
reason it gets access to all the machines on the LAN.

If you put a second NIC in the server, it really should be in a
different IP subnet from the LAN NIC. This second NIC would need to be
connected to a different hub/switch from the LAN NIC. The second NIC in the
servers and the Sonicwall internal IP would then be in their own subnet on
their own network (with the Sonicwall as the default gateway for this LAN).
You would then make a VPN connection to the Sonicwall and would be able to
see the two servers only.

The big problem remaining is name resolution. As soon as you put two
NICs in a machine you have two IP addresses associated with its name. This
causes all sorts of problems (and is why Microsoft recommends that you do not
multihome DCs). It is workable if the LAN machines always use the LAN IP and
"external" users always the other IP. This isn't as easy as it might seem.
For instance, accessing printers on the LAN will be tricky because they
often rely on Netbios names and/or the browser service.

You could probably make it easier for yourself if you could set up the
VPN to the Sonicwall, then connect by Remote Desktop or TS client to the
servers over the VPN connection.


 
Buzz
Guest
Posts: n/a

 
      04-16-2007, 08:32 AM
>
> You could probably make it easier for yourself if you could set up the
> VPN to the Sonicwall, then connect by Remote Desktop or TS client to the
> servers over the VPN connection.
>

That is exactly what I want to do! But the only way I can get a TS client
to attach to the server is to have the Sonicwall's IP in the default gateway
in Nic2.

John
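
Why the TS client only connects once the Sonicwall is set as a gateway on Nic2, as an added example that is not part of any post in this thread: a small model of longest-prefix route selection on the server, looking at where its replies to a VPN client go. The VPN client address 192.168.50.20 and pool 192.168.50.0/24 are constructed, and the premise that VPN clients arrive with addresses outside 10.240.16.0/24 is an assumption the thread does not confirm.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: Optional[str]  # None means on-link (same segment)
    iface: str
    metric: int = 10

def r(cidr, gateway, iface, metric=10):
    return Route(ipaddress.ip_network(cidr), gateway, iface, metric)

def next_hop(table, dst):
    """Longest prefix wins, then lowest metric. Returns (next hop, interface)."""
    addr = ipaddress.ip_address(dst)
    matches = [rt for rt in table if addr in rt.dest]
    if not matches:
        return None
    best = max(matches, key=lambda rt: (rt.dest.prefixlen, -rt.metric))
    return (best.gateway or dst, best.iface)

def ambiguous_onlink(table):
    """Prefixes that are directly attached on more than one interface."""
    seen = {}
    for rt in table:
        if rt.gateway is None:
            seen.setdefault(str(rt.dest), set()).add(rt.iface)
    return sorted(p for p, ifaces in seen.items() if len(ifaces) > 1)

VPN_CLIENT = "192.168.50.20"   # constructed: address of a remote support PC
VPN_POOL = "192.168.50.0/24"   # assumed: range the Sonicwall hands to VPN clients

# Server as first posted: both NICs in 10.240.16.0/24, gateway on Nic1 only.
AS_POSTED = [
    r("10.240.16.0/24", None, "NIC1"),         # 10.240.16.12
    r("10.240.16.0/24", None, "NIC2"),         # 10.240.16.8
    r("0.0.0.0/0", "10.240.16.1", "NIC1"),     # LAN router
]

# The route asked about in the first post: a host route to the Sonicwall itself.
PROPOSED = AS_POSTED + [r("10.240.16.6/32", "10.240.16.12", "NIC1")]

# Alternative: route only the VPN pool via the Sonicwall, default gateway untouched.
# Windows form, with the assumed pool:
#   route -p add 192.168.50.0 mask 255.255.255.0 10.240.16.6
POOL_ROUTE = AS_POSTED + [r(VPN_POOL, "10.240.16.6", "NIC2")]

if __name__ == "__main__":
    for name, table in [("as posted", AS_POSTED),
                        ("proposed host route", PROPOSED),
                        ("pool route via Sonicwall", POOL_ROUTE)]:
        print(f"{name:26} reply to {VPN_CLIENT} -> {next_hop(table, VPN_CLIENT)}")
    print("same subnet on two NICs:", ambiguous_onlink(AS_POSTED))
```

In the first two tables the reply leaves through the LAN router at 10.240.16.1 instead of returning through the Sonicwall; only the pool route sends it back to 10.240.16.6 while everything else keeps using the existing default gateway.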
 
Phillip Windell
Guest
Posts: n/a

 
      04-16-2007, 02:04 PM
"Buzz" <(E-Mail Removed)> wrote in message
news32C25E1-A93E-4D87-979F-(E-Mail Removed)...
>> You could probably make it easier for yourself if you could set up the
>> VPN to the Sonicwall, then connect by Remote Desktop or TS client to the
>> servers over the VPN connection.
>>

> That is exactly what I want to do! But the only way I can get a TS client
> to attach to the server is to have the Sonicwall's IP in the default gateway
> in Nic2.


This is what you said:
---------------
I have a quick question about static routes. I have been asked to supply a
VPN solution to access 2 servers for support purposes using a Sonicwall
device which is not to impact any of the system as at present and to
terminate at the servers and no further into the LAN.
---------------

You said,..."No further into the LAN"

I said,.....
-------------------
You can't. When you successfully connect the VPN and it works properly the
whole LAN is available. That has always been the "weak point" of all the
Hardware VPN Appliances.
-------------------

So this is the situation,...unless you throw out the Sonicwall and use a better
product like ISA Server for the job,...it **will** go further into the LAN than
just the one machine you want to target.

So that leaves two questions:

1. Do you still want to do it anyway even though the access will be to the
entire LAN?

2. If the answer to #1 is yes,...then what is the LAN Topology designed like so
that the routing can be set up properly?


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------


 
Buzz
Guest
Posts: n/a

 
      04-16-2007, 03:40 PM
Hi Phillip,

I have been told that I have been set up to fail! The IT department of the
company involved are trying to get me to fail so they don't lose face.

I think that the best way forward is to forget what constraints they have
set and to give them a finished solution that will work!

OK, firstly I will get rid of NIC2 in both servers and work with a single in
both, and connect the Sonicwall to the LAN switch.

I will allow full network access to the VPN clients.

The Default Gateway on the network shall remain 10.24.16.1.

The Sonicwall shall remain 10.240.16.6 and the servers will stay
10.24.16.10/10.24.16.12/10.24.16.14. The PCs' addresses are via DHCP and are
there to run terminal sessions to 10.24.16.10 and 10.24.16.12. The PCs also
run Citrix sessions to their head office which allows them access to
Word/Excel, the internet and mail and routes their printing back up to their
local printers.

The Backup domain controller is 10.24.16.14 and this runs the printers and
DHCP server.

John

