#1

Hey all,

I was reading up on some VPN solutions for Windows 2003 server. A lot of them recommend having 2-3 servers just to VPN. Is this really necessary? Couldn't I just turn VPN on on the single server and have that? Then just have the router point to the right place, or am I missing something?

Is this method unsecure?

Thanks for the info

radink

#2

Site-to-Site VPN requires 2 servers, one at each end.
Remote Access VPN requires one server. Nothing requires 3 servers.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
The views expressed are my own (as annoying as they are), and not those of my employer or anyone else associated with me.
-----------------------------------------------------

"radink" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> Hey all,
>
> I was reading up on some VPN solutions for Windows 2003 server. A lot of
> them recommend having 2-3 servers just to VPN. Is this really
> necessary? Couldn't I just turn VPN on on the single server and have
> that? Then just have the router point to the right place, or am I
> missing something?
>
> Is this method unsecure?
>
> Thanks for the info

#3

On Jan 27, 8:35 am, "radink" <radi...@gmail.com> wrote:
> Hey all,
>
> I was reading up on some VPN solutions for Windows 2003 server. A lot of
> them recommend having 2-3 servers just to VPN. Is this really
> necessary? Couldn't I just turn VPN on on the single server and have
> that? Then just have the router point to the right place, or am I
> missing something?
>
> Is this method unsecure?
>
> Thanks for the info

The servers that handle the Remote Access (VPN, RAS or RADIUS) should be in a different domain from the DCs that people want to access on, with an appropriate kind of domain trust for security.

#4

That is a bit of an over-statement. You can have the remote users connecting to a member server in the same domain, or even to a standalone (non-member) server. But it is important to not make a DC a remote access server.

"NZSchoolTech" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> On Jan 27, 8:35 am, "radink" <radi...@gmail.com> wrote:
>> Hey all,
>>
>> I was reading up on some VPN solutions for Windows 2003 server. A lot of
>> them recommend having 2-3 servers just to VPN. Is this really
>> necessary? Couldn't I just turn VPN on on the single server and have
>> that? Then just have the router point to the right place, or am I
>> missing something?
>>
>> Is this method unsecure?
>>
>> Thanks for the info
>
> The servers that handle the Remote Access (VPN, RAS or RADIUS) should
> be in a different domain from the DCs that people want to access on,
> with an appropriate kind of domain trust for security.

#5

So would a VPN router and a Windows 2003 server be enough? The Windows server would be the same one as our normal file server.

On Jan 26, 6:39 pm, "Bill Grant" <not.available@online> wrote:
> That is a bit of an over-statement. You can have the remote users
> connecting to a member server in the same domain, or even to a standalone
> (non-member) server. But it is important to not make a DC a remote access
> server.
>
> "NZSchoolTech" <kiwichrist...@xtra.co.nz> wrote in message news:(E-Mail Removed) ooglegroups.com...
>
> > On Jan 27, 8:35 am, "radink" <radi...@gmail.com> wrote:
> >> Hey all,
> >>
> >> I was reading up on some VPN solutions for Windows 2003 server. A lot of
> >> them recommend having 2-3 servers just to VPN. Is this really
> >> necessary? Couldn't I just turn VPN on on the single server and have
> >> that? Then just have the router point to the right place, or am I
> >> missing something?
> >>
> >> Is this method unsecure?
> >>
> >> Thanks for the info
> >
> > The servers that handle the Remote Access (VPN, RAS or RADIUS) should
> > be in a different domain from the DCs that people want to access on,
> > with an appropriate kind of domain trust for security.

#6

I should think that would work well (unless you are running a huge enterprise).

The main reason to avoid running a DC as any sort of router is multihoming. If a DC has more than one NIC, you get odd problems because you can get the name of the server resolving to the "wrong" IP address. You get the same problem with a DC VPN server because the server has a second IP for the internal (VPN endpoint) interface.

If you want to use accounts in AD to authorise VPN connections it is best to make the VPN server a member server of the domain. You can then use Windows authorisation for remote access.

"radink" <(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> So would a VPN router and a Windows 2003 server be enough? The Windows
> server would be the same one as our normal file server.
>
> On Jan 26, 6:39 pm, "Bill Grant" <not.available@online> wrote:
>> That is a bit of an over-statement. You can have the remote users
>> connecting to a member server in the same domain, or even to a standalone
>> (non-member) server. But it is important to not make a DC a remote access
>> server.
>>
>> "NZSchoolTech" <kiwichrist...@xtra.co.nz> wrote in
>> message news:(E-Mail Removed) ooglegroups.com...
>>
>> > On Jan 27, 8:35 am, "radink" <radi...@gmail.com> wrote:
>> >> Hey all,
>> >>
>> >> I was reading up on some VPN solutions for Windows 2003 server. A lot of
>> >> them recommend having 2-3 servers just to VPN. Is this really
>> >> necessary? Couldn't I just turn VPN on on the single server and have
>> >> that? Then just have the router point to the right place, or am I
>> >> missing something?
>> >>
>> >> Is this method unsecure?
>> >>
>> >> Thanks for the info
>> >
>> > The servers that handle the Remote Access (VPN, RAS or RADIUS) should
>> > be in a different domain from the DCs that people want to access on,
>> > with an appropriate kind of domain trust for security.
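
Added example, not part of the thread: the multihoming problem described in post #6 shows up as extra addresses when the server's name is looked up. This Python code parses `nslookup` output and reports every address other than the one LAN address clients are meant to use; the host name, addresses and sample output are constructed for illustration.

```python
import ipaddress

# Constructed nslookup output for a DC that also runs the VPN service.
# The host name and both addresses are made up for this example.
SAMPLE_NSLOOKUP = """\
Server:  dc1.example.local
Address:  192.168.1.10

Name:    dc1.example.local
Addresses:  192.168.1.10
          192.168.1.201
"""

def _ips(text):
    """Extract valid IP addresses from a comma- or space-separated string."""
    out = []
    for tok in text.replace(",", " ").split():
        try:
            out.append(ipaddress.ip_address(tok))
        except ValueError:
            pass  # not an address (e.g. an alias name); ignore it
    return out

def parse_answer(nslookup_text):
    """Return (name, [addresses]) from the answer section of nslookup output.

    The leading Server/Address block describes the resolver, not the answer,
    so only address lines that follow a "Name:" line are collected.
    """
    name, addrs, in_answer, collecting = None, [], False, False
    for line in nslookup_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            name = stripped.split(":", 1)[1].strip()
            in_answer, collecting = True, False
        elif in_answer and stripped.startswith(("Address:", "Addresses:")):
            addrs += _ips(stripped.split(":", 1)[1])
            collecting = True
        elif collecting and stripped:
            addrs += _ips(stripped)  # continuation line with more addresses
        else:
            collecting = False
    return name, addrs

def unexpected_addresses(nslookup_text, expected_ip):
    """Return (name, addresses other than the LAN address clients should get)."""
    name, addrs = parse_answer(nslookup_text)
    expected = ipaddress.ip_address(expected_ip)
    return name, [str(a) for a in addrs if a != expected]
```

An empty list means the name resolves only to the intended LAN address; any entry in the list is an address some clients may be handed instead.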