RRAS configuration

 
 
perfimage

 
      12-18-2005, 04:39 PM
I have searched the net for a while and am wondering which is considered the
"best practice"...punching holes in my linux/shorewall firewall, DNATing
traffic intended for VPN connections to a Win2k3 RRAS server behind the
firewall or making the linux/shorewall box the VPN server and connecting to
it then the network behind it.

I have seen both scenarios documented, though there doesn't seem to be a
clearly defined opinion as to which scenario is preferred.

Thanks.
 
 
 
 
 
Bill Grant

 
      12-19-2005, 12:25 AM
There are lots of different opinions and it depends a bit on how your
network is configured.

My personal opinion is that if all your network is reachable from the
firewall device and this device is capable of acting as a VPN server, do
that. It is the simplest routing setup because the firewall is already the
default gateway for the LAN.

The only thing that would push me to favour the RRAS server on the LAN
would be if you want the remote clients to authenticate against your Windows
user database.

perfimage wrote:
> I have searched the net for a while and am wondering which is
> considered the "best practice"...punching holes in my linux/shorewall
> firewall, DNATing traffic intended for VPN connections to a Win2k3
> RRAS server behind the firewall or making the linux/shorewall box the
> VPN server and connecting to it then the network behind it.
>
> I have seen both scenarios documented, though there doesn't seem to
> be a clearly defined opinion as to which scenario is preferred.
>
> Thanks.



 
 
perfimage

 
      12-19-2005, 12:36 AM
Thanks.

That pretty much answers it, because I want to use my win2k3 DC (also the
RRAS) to handle authentication.

"Bill Grant" wrote:

> There are lots of different opinions and it depends a bit on how your
> network is configured.
>
> My personal opinion is that if all your network is reachable from the
> firewall device and this device is capable of acting as a VPN server, do
> that. It is the simplest routing setup because the firewall is already the
> default gateway for the LAN.
>
> The only thing that would push me to favour the RRAS server on the LAN
> would be if you want the remote clients to authenticate against your Windows
> user database.
>
> perfimage wrote:
> > I have searched the net for a while and am wondering which is
> > considered the "best practice"...punching holes in my linux/shorewall
> > firewall, DNATing traffic intended for VPN connections to a Win2k3
> > RRAS server behind the firewall or making the linux/shorewall box the
> > VPN server and connecting to it then the network behind it.
> >
> > I have seen both scenarios documented, though there doesn't seem to
> > be a clearly defined opinion as to which scenario is preferred.
> >
> > Thanks.


 
 
Bill Grant

 
      12-19-2005, 05:08 AM
Have a look at KB292822 and KB 830063 before you decide on using a DC as
a remote access server.

Is your firewall RADIUS compliant? If it is you could use IAS on the
Windows server for authentication but still run remote access on the
firewall.

perfimage wrote:
> Thanks.
>
> That pretty much answers it, because I want to use my win2k3 DC (also
> the RRAS) to handle authentication.
>
> "Bill Grant" wrote:
>
>> There are lots of different opinions and it depends a bit on how
>> your network is configured.
>>
>> My personal opinion is that if all your network is reachable
>> from the firewall device and this device is capable of acting as a
>> VPN server, do that. It is the simplest routing setup because the
>> firewall is already the default gateway for the LAN.
>>
>> The only thing that would push me to favour the RRAS server on
>> the LAN would be if you want the remote clients to authenticate
>> against your Windows user database.
>>
>> perfimage wrote:
>>> I have searched the net for a while and am wondering which is
>>> considered the "best practice"...punching holes in my
>>> linux/shorewall firewall, DNATing traffic intended for VPN
>>> connections to a Win2k3 RRAS server behind the firewall or making
>>> the linux/shorewall box the VPN server and connecting to it then
>>> the network behind it.
>>>
>>> I have seen both scenarios documented, though there doesn't seem to
>>> be a clearly defined opinion as to which scenario is preferred.
>>>
>>> Thanks.



 