On Apr 26, 9:59 pm, "Bill Grant" <not.available@online> wrote:
> "robr" <rrothb...@gmail.com> wrote in message
>
> news:(E-Mail Removed) oups.com...
>
> > Here's my scenario:
>
> > Internal Exchange Server 2003 NATted behind a ZyXel ZyWall 35. This
> > is also the PDC and AD Global Catalog server.
>
> > I just installed a new machine internally with Exchange Server 2007.
> > I then moved this server outside the firewall.
> > Of course it can no longer communicate with the internal server, so I
> > followed various technet articles and NAT forwarded the 7 or 8
> > documented ports as well as edited the registry on both machines to
> > change the RPC and GC ports to be a fixed port. None of this worked,
> > so I decided the best way to do this is to set up a VPN between
> > the two boxes.
>
> > The internal server has 2 NICs, 192.168.10.200 and 192.168.11.200
> > (different subnets, netmask is 255.255.255.0)
>
> > On the internal server I added the role of Remote Access/VPN server.
> > I wasn't sure at this point whether to set it up as "Remote access" or
> > "Secure connection between two private networks", since all I need is
> > to have one server talk to the other, with no routing beyond that.
> > Since the 2nd Exchange server is on a public network and not a private
> > one, I went with the "Remote access" option. I then selected VPN (no
> > dialup), selected the NIC connected to the internet (NIC1 -
> > 192.168.10.200) and unchecked the enable security checkbox, then
> > assigned NIC2 for VPN clients, then set up a DHCP pool
> > (192.168.11.100-.110), and finally chose to use RRAS to authenticate. I'm then
> > told I must set up the DHCP relay agent. My normal DHCP server is the
> > router, but that's not going to hand out addresses on the 192.168.11.*
> > subnet, so I'm not sure what it's looking for here. Do I now need to
> > set up DHCP on this server? I had sort of thought that when I
> > selected a DHCP pool, it was setting up a mini DHCP server just for
> > VPN, otherwise why bother to ask me at all? Just for giggles, I set
> > up a DHCP server on the router DMZ (see more info re: DMZ below) that
> > matched what I entered above and pointed the DHCP relay agent at it.
>
> > On the router side, since there is no way to set up multiple internal
> > subnets, I set up one port as a DMZ port, then assigned 192.168.11.1
> > as the router DMZ IP address and plugged PDC NIC2 into that port.
> > From my PC here in the office and the PDC, I can ping both
> > 192.168.10.200 and 11.200 and 192.168.11.1.
>
> > Ok, so let's keep going. I then connect to the server outside the
> > firewall and set up a VPN connection with the network wizard. I point
> > it to the external IP address of the router. I go into AD and on the
> > Administrator account I change Remote Access Permission to Allow
> > access.
>
> > From the outside server I then attempt to connect (username
> > Administrator) and on the networking tab I set the type of VPN to PPTP
> > VPN. I then dial and almost immediately am told Error 678: The remote
> > computer did not respond. I'm trying to figure out why, but there is
> > nothing in the event log on either machine, so I wonder if I'm making
> > it through the ZyXel. I'm not sure what to look at next to
> > troubleshoot.
>
> > The firewall feature of the ZyXel is disabled and I can't see any
> > reason it would block port 1723. Actually now that I think about it,
> > typically you would use a public IP address on the DMZ, since I am
> > not, I need to have a way of telling the router that anything coming
> > in over 1723 needs to go to the DMZ, rather than through the NAT to
> > the LAN. NAT rules only apply to the LAN interface. OK, so I
> > created Policy route, anything that's IP Protocol GRE (47) coming in
> > over the WAN is now routed to 192.168.11.200. Same issue. I'm going
> > to go confirm with the ZyXel people that this will work, but does
> > anyone see anything else I'm doing wrong?
>
> > Thanks!
>
> There are a number of problems with this. Here are a few of them.
>
> 1. It is not a good idea to configure a DC as a remote access server. As
> soon as a remote user connects, you have a multihomed DC which causes all
> sorts of problems with browsing and name resolution. See KB 292822.
> 2. You do not need two NICs in the RRAS server. Two NICs are only required
> if this server is directly connected to the Internet. You are behind a
> router/firewall. The VPN connection will be made to the firewall's public
> IP. You extend that to the server on the LAN by forwarding the VPN traffic
> to the server's LAN IP. The VPN endpoint is an internal interface in the
> RRAS server, not a NIC.
> 3. You do not need DHCP and you do not need DHCP relay. If your LAN is not
> running a DHCP server, use the static pool option in RRAS. Give RRAS a pool
> of addresses in the same IP subnet as your LAN machines.
> 4. After you configure remote access on your server with one NIC, check
> that you can make a VPN connection to it from a LAN machine using its LAN
> name or IP. This will allow you to check that the remote access setup is
> correct. If you can't connect locally you will never connect from the public
> side.
> 5. When this works, forward tcp port 1723 from the firewall to the RRAS
> server's LAN IP. Try to connect from the DMZ using the firewall's DMZ IP.
Thanks for the hints Bill. I'll have to play with this down the road;
I found that removing the 2nd box with Exchange Server 2007 from the
local network disrupted our incoming and outgoing mail for some reason
(even though I never migrated any mailboxes or changed any Exchange
configs). I'll need to wait until I have some time over a weekend to
play with getting the two boxes to connect through a firewall.
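Bill's steps 4 and 5 amount to "prove the PPTP control channel works from the LAN first, then prove it works through the 1723 forward". The script below is an added example written for this thread, not code from either poster or from Microsoft: it opens TCP 1723, sends a PPTP Start-Control-Connection-Request and parses the Start-Control-Connection-Reply (message layouts from RFC 2637), so that a failure can be attributed to the TCP forward rather than to GRE. It deliberately does not exercise GRE (IP protocol 47), the other half of PPTP, so a clean result here with the client still reporting error 678 points at the GRE policy route. The function names, the `sample-rras` hostname and the vendor string are constructed for the example.

```python
"""Added example: PPTP control-channel reachability check (RFC 2637 SCCRQ/SCCRP).

Run it once from a LAN machine against the RRAS server's LAN IP (Bill's
step 4), then from outside against the firewall's public IP (step 5).
Only the TCP 1723 half of PPTP is tested; GRE is out of scope here.
"""
import socket
import struct
import sys

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP message type: control message
SCCRQ = 1                   # Start-Control-Connection-Request
SCCRP = 2                   # Start-Control-Connection-Reply
PROTOCOL_VERSION = 0x0100   # PPTP version 1.0

# Common 12-byte header: length, message type, magic cookie, control type, reserved0
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved1, framing caps, bearer caps, max channels,
#             firmware revision, hostname[64], vendor[64]
BODY_RQ = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, framing caps, bearer caps,
#             max channels, firmware revision, hostname[64], vendor[64]
BODY_RP = struct.Struct("!HBBIIHH64s64s")
SCCRP_LEN = HEADER.size + BODY_RP.size   # 156 bytes on the wire


def build_sccrq(hostname=b"pptp-check", vendor=b"example"):
    """Build a minimal SCCRQ advertising async+sync framing and analog+digital bearers."""
    body = BODY_RQ.pack(PROTOCOL_VERSION, 0, 0x3, 0x3, 1, 0,
                        hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))
    return HEADER.pack(HEADER.size + len(body), CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def parse_sccrp(data):
    """Validate the header and decode the SCCRP; raise ValueError on anything unexpected."""
    if len(data) < SCCRP_LEN:
        raise ValueError("short read: %d bytes, expected %d" % (len(data), SCCRP_LEN))
    length, msg_type, cookie, ctrl_type, _reserved = HEADER.unpack_from(data)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not a PPTP control message")
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("unexpected control message type %d" % ctrl_type)
    version, result, error, _framing, _bearer, max_ch, _fw, host, vendor = \
        BODY_RP.unpack_from(data, HEADER.size)
    return {
        "version": version,
        "result_code": result,          # 1 = channel established (RFC 2637)
        "error_code": error,
        "max_channels": max_ch,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
        "accepted": result == 1,
    }


def check_pptp_endpoint(host, port=PPTP_PORT, timeout=5.0):
    """Return {'tcp': bool, 'sccrp': dict|None, 'error': str|None} for one endpoint."""
    report = {"tcp": False, "sccrp": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            report["tcp"] = True
            sock.sendall(build_sccrq())
            data = b""
            while len(data) < SCCRP_LEN:          # loop: TCP may deliver the reply in pieces
                chunk = sock.recv(SCCRP_LEN - len(data))
                if not chunk:
                    break
                data += chunk
            report["sccrp"] = parse_sccrp(data)
    except (OSError, ValueError) as exc:
        report["error"] = str(exc)
    return report


def diagnose(report):
    """Turn a report into the next thing to check, in the order Bill suggests."""
    if not report["tcp"]:
        return "TCP 1723 unreachable: fix the 1723 forward / policy route before looking at GRE"
    if report["sccrp"] is None:
        return "TCP 1723 open but no valid SCCRP: something other than RRAS answered (%s)" % report["error"]
    if not report["sccrp"]["accepted"]:
        return "RRAS refused the control connection (result %d, error %d)" % (
            report["sccrp"]["result_code"], report["sccrp"]["error_code"])
    return "control channel OK; if the client still gets error 678, GRE (protocol 47) is the remaining suspect"


def sample_sccrp():
    """Constructed SCCRP as a healthy RRAS server would send it (test data, not a capture)."""
    body = BODY_RP.pack(PROTOCOL_VERSION, 1, 0, 0x3, 0x3, 100, 0,
                        b"sample-rras".ljust(64, b"\0"), b"constructed".ljust(64, b"\0"))
    return HEADER.pack(HEADER.size + len(body), CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.200"   # LAN IP from the thread
    print(diagnose(check_pptp_endpoint(target)))
```

Run it with the RRAS server's LAN address first; only once that prints "control channel OK" is it worth running against the firewall's public address. The SCCRP's result code is what distinguishes "port forwarded to the wrong host" (no reply or a non-PPTP reply) from "RRAS reachable but not accepting connections".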