VPN setup w/ Win 2003 server (conn 2 offices AND home users)

Yes, and thanks for all of the information - but if there
are *already* routers to the Internet for each respective
LAN, and the VPN appliances (Win2K3 server end-point
routers (NOT DC's)) are using this same connection to the
internet (to provide VPN connectivity), how does a user
workstation determine which router to use?
I was told that the user workstation should be able to use
the router on thier respective LAN to access the Internet,
and use the end-point router when needing to access the
other network resource(s). Is there a suggested
configuration?




>-----Original Message-----
>"clay" <(E-Mail Removed)> wrote in
message
>news:1586601c415c6$169a10c0$(E-Mail Removed)...
>> the server platform. I was told (by my ISP) that in
order
>> to make this work, I'd need to create a Win2K3 policy
for
>> each office to point specific traffic either to the end-
>> point router (for VPN traffic) or the default gateway
(for
>> regular internet traffic). Can anyone point me to info
on
>> how to accomplish this? PLEASE do not send me to the
>
>It is not a "policy", it is simply a normal Default
Gateway setting. Since
>the "VPN Server" is probably already the "route" out to
the Internet, then
>it is probably already the Default Gateway of the Clients
as it is. The VPN
>Routers will already know where the other remote network
is since it would
>be a "directly connected network" once the VPN is active.
>
>Routing typically is never the problem, the problem
is "naming" and "network
>browsing" and the fact that it will be two different
Domains that don't have
>a "Trust" setup between them. The more you expect it to
do and the more you
>want to do with it, the more increasingly difficult it
will become. If you
>*don't* go into it expecting normal LAN 10/100mbps
behavior then you are
>much better off.
>
>Home users are no problem, RRAS will accept incomming
connections from them
>just as well as it does from the other RRAS on the other
end. You just have
>to add enough Virtual Adapters to cover everyone, but
don't go too far
>beyond that because it will eat up too many IP#s
needlessly.
>
>--
>
>Phillip Windell [MCP, MVP, CCNA]
>www.wandtv.com
>
>
>.
>



>-----Original Message-----
> If your RRAS routers are the default gateways for
each LAN, the
>routing between sites is handled without any fuss. Each
RRAS router has a
>route to the "other" site's subnet through the VPN link,
so routing between
>sites works as if they were connected by a simple IP
router (only much
>slower!)
>
> As Phillip pointed out, the routing is usually pretty
straight forward.
>It is all the problems which arise when you connect two
subnets and two
>domains that are important to think about before you
actually do it. Things
>like name resolution (DNS and/or WINS), browsing, domain
trusts etc. This is
>even more critical if you are considering making the DCs
the RRAS routers.
>That opens up quite a can of worms.
>
>"clay" <(E-Mail Removed)> wrote in
message
>news:1586601c415c6$169a10c0$(E-Mail Removed)...
>> Hello all,
>> I am trying to set up a VPN to connect two offices each
>> with it's own Win2K3 network & DC. Each office's PDC
>> points all traffic that is not for the local network to
>> their default gateway (the router that facilitates
>> Internet access). Keeping this in mind, I would like to
>> use the suggestions (basically creating end-point
routers
>> with Win2K computers) at
>>
>> http://msdn.microsoft.com/library/default.asp?
>> url=/library/en-us/dnw2kmag00/html/VPN.asp
>>
>> to set up the VPN and I would like to know if there is
>> anything I need to be concerened with if I use Win2K3 as
>> the server platform. I was told (by my ISP) that in
order
>> to make this work, I'd need to create a Win2K3 policy
for
>> each office to point specific traffic either to the end-
>> point router (for VPN traffic) or the default gateway
(for
>> regular internet traffic). Can anyone point me to info
on
>> how to accomplish this? PLEASE do not send me to the
>> general MS VPN site as the info provided is too general
>> and does not answer my questions (my ISP could not offer
>> documentation as company policy forbids it).
>>
>> Additionally, I would like to know if I can create
>> additional VPN connections (user's home to their
>> respective office) with this setup.
>>
>> Thanks in advance.

this may help. quoted form http://www.ChicagoTech.net
Routing order

If you have two NICs in the same subnet on one w2k/xp computer, you wonder
which NIC is been used as primary NIC to access the Internet. In most cases,
when adding the second NIC on a w2k/xp computer, the first one is the
primary NIC. You may change the order by going to Advanced menu of the
Network Connection>Advanced Settings>Adapter and Bindings. If the settings
doesn't work (by default, the faster NIC will be chooses as primary NIC) or
if you want to override the settings, you can assign metric # manually by
going to the Properties of the Network Connection>the Properties of the
Network Connection>Advanced.


--
For more and other information, go to http://www.ChicagoTech.net

Don't send e-mail or reply to me except you need consulting services.
Posting on MS newsgroup will benefit all readers and you may get more help.

Robert Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN, Anti-Virus, Tips & Troubleshooting on
http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.

"clay" <(E-Mail Removed)> wrote in message
news:1a8e501c41e58$27963fd0$(E-Mail Removed)...
> Yes, and thanks for all of the information - but if there
> are *already* routers to the Internet for each respective
> LAN, and the VPN appliances (Win2K3 server end-point
> routers (NOT DC's)) are using this same connection to the
> internet (to provide VPN connectivity), how does a user
> workstation determine which router to use?
> I was told that the user workstation should be able to use
> the router on thier respective LAN to access the Internet,
> and use the end-point router when needing to access the
> other network resource(s). Is there a suggested
> configuration?
>
>
>
>
>>-----Original Message-----
>>"clay" <(E-Mail Removed)> wrote in
> message
>>news:1586601c415c6$169a10c0$(E-Mail Removed).. .
>>> the server platform. I was told (by my ISP) that in
> order
>>> to make this work, I'd need to create a Win2K3 policy
> for
>>> each office to point specific traffic either to the end-
>>> point router (for VPN traffic) or the default gateway
> (for
>>> regular internet traffic). Can anyone point me to info
> on
>>> how to accomplish this? PLEASE do not send me to the
>>
>>It is not a "policy", it is simply a normal Default
> Gateway setting. Since
>>the "VPN Server" is probably already the "route" out to
> the Internet, then
>>it is probably already the Default Gateway of the Clients
> as it is. The VPN
>>Routers will already know where the other remote network
> is since it would
>>be a "directly connected network" once the VPN is active.
>>
>>Routing typically is never the problem, the problem
> is "naming" and "network
>>browsing" and the fact that it will be two different
> Domains that don't have
>>a "Trust" setup between them. The more you expect it to
> do and the more you
>>want to do with it, the more increasingly difficult it
> will become. If you
>>*don't* go into it expecting normal LAN 10/100mbps
> behavior then you are
>>much better off.
>>
>>Home users are no problem, RRAS will accept incomming
> connections from them
>>just as well as it does from the other RRAS on the other
> end. You just have
>>to add enough Virtual Adapters to cover everyone, but
> don't go too far
>>beyond that because it will eat up too many IP#s
> needlessly.
>>
>>--
>>
>>Phillip Windell [MCP, MVP, CCNA]
>>www.wandtv.com
>>
>>
>>.
>>
>
>
>
>>-----Original Message-----
>> If your RRAS routers are the default gateways for
> each LAN, the
>>routing between sites is handled without any fuss. Each
> RRAS router has a
>>route to the "other" site's subnet through the VPN link,
> so routing between
>>sites works as if they were connected by a simple IP
> router (only much
>>slower!)
>>
>> As Phillip pointed out, the routing is usually pretty
> straight forward.
>>It is all the problems which arise when you connect two
> subnets and two
>>domains that are important to think about before you
> actually do it. Things
>>like name resolution (DNS and/or WINS), browsing, domain
> trusts etc. This is
>>even more critical if you are considering making the DCs
> the RRAS routers.
>>That opens up quite a can of worms.
>>
>>"clay" <(E-Mail Removed)> wrote in
> message
>>news:1586601c415c6$169a10c0$(E-Mail Removed).. .
>>> Hello all,
>>> I am trying to set up a VPN to connect two offices each
>>> with it's own Win2K3 network & DC. Each office's PDC
>>> points all traffic that is not for the local network to
>>> their default gateway (the router that facilitates
>>> Internet access). Keeping this in mind, I would like to
>>> use the suggestions (basically creating end-point
> routers
>>> with Win2K computers) at
>>>
>>> http://msdn.microsoft.com/library/default.asp?
>>> url=/library/en-us/dnw2kmag00/html/VPN.asp
>>>
>>> to set up the VPN and I would like to know if there is
>>> anything I need to be concerened with if I use Win2K3 as
>>> the server platform. I was told (by my ISP) that in
> order
>>> to make this work, I'd need to create a Win2K3 policy
> for
>>> each office to point specific traffic either to the end-
>>> point router (for VPN traffic) or the default gateway
> (for
>>> regular internet traffic). Can anyone point me to info
> on
>>> how to accomplish this? PLEASE do not send me to the
>>> general MS VPN site as the info provided is too general
>>> and does not answer my questions (my ISP could not offer
>>> documentation as company policy forbids it).
>>>
>>> Additionally, I would like to know if I can create
>>> additional VPN connections (user's home to their
>>> respective office) with this setup.
>>>
>>> Thanks in advance.

Yes, thank you - I am looking at the ChicagoTech site, but
I am not using dual NICs. I wish to create 2 end-point VPN
appliances/routers out of 2 cheap computers with Win2K3
Server on it. This was suggested and the purchase has been
made. It was suggested to me that this is the most
straight-forward method (except that Win2K Server was
suggested).

OK - Now that I have my two networks which point to their
respective cable router (default gateway) to access the
Internet and I've created these end-point routers (to
access the other network), how do I tell the workstations
of each network that in order to see the other network,
that the new end-point router is to be used instead of the
cable router (that is set up as the default gateway)? How
do I configure the networks to use their OWN cable router
when accessing Internet resources and the new end-point
VPN appliances/routers when they wish to access the other
network (assuming that the end-point routers use the cable
routers as that is the only access to the Internet)?




>-----Original Message-----
>this may help. quoted form http://www.ChicagoTech.net
>Routing order
>
>If you have two NICs in the same subnet on one w2k/xp
computer, you wonder
>which NIC is been used as primary NIC to access the
Internet. In most cases,
>when adding the second NIC on a w2k/xp computer, the
first one is the
>primary NIC. You may change the order by going to
Advanced menu of the
>Network Connection>Advanced Settings>Adapter and
Bindings. If the settings
>doesn't work (by default, the faster NIC will be chooses
as primary NIC) or
>if you want to override the settings, you can assign
metric # manually by
>going to the Properties of the Network Connection>the
Properties of the
>Network Connection>Advanced.
>
>
>--
>For more and other information, go to
http://www.ChicagoTech.net
>
>Don't send e-mail or reply to me except you need
consulting services.
>Posting on MS newsgroup will benefit all readers and you
may get more help.
>
>Robert Lin, MS-MVP, MCSE & CNE
>Networking, Internet, Routing, VPN, Anti-Virus, Tips &
Troubleshooting on
>http://www.ChicagoTech.net
>This posting is provided "AS IS" with no warranties.
>
>"clay" <(E-Mail Removed)> wrote in
message
>news:1a8e501c41e58$27963fd0$(E-Mail Removed)...
>> Yes, and thanks for all of the information - but if
there
>> are *already* routers to the Internet for each
respective
>> LAN, and the VPN appliances (Win2K3 server end-point
>> routers (NOT DC's)) are using this same connection to
the
>> internet (to provide VPN connectivity), how does a user
>> workstation determine which router to use?
>> I was told that the user workstation should be able to
use
>> the router on thier respective LAN to access the
Internet,
>> and use the end-point router when needing to access the
>> other network resource(s). Is there a suggested
>> configuration?
>>
>>
>>
>>
>>>-----Original Message-----
>>>"clay" <(E-Mail Removed)> wrote in
>> message
>>>news:1586601c415c6$169a10c0$(E-Mail Removed). ..
>>>> the server platform. I was told (by my ISP) that in
>> order
>>>> to make this work, I'd need to create a Win2K3 policy
>> for
>>>> each office to point specific traffic either to the
end-
>>>> point router (for VPN traffic) or the default gateway
>> (for
>>>> regular internet traffic). Can anyone point me to info
>> on
>>>> how to accomplish this? PLEASE do not send me to the
>>>
>>>It is not a "policy", it is simply a normal Default
>> Gateway setting. Since
>>>the "VPN Server" is probably already the "route" out to
>> the Internet, then
>>>it is probably already the Default Gateway of the
Clients
>> as it is. The VPN
>>>Routers will already know where the other remote network
>> is since it would
>>>be a "directly connected network" once the VPN is
active.
>>>
>>>Routing typically is never the problem, the problem
>> is "naming" and "network
>>>browsing" and the fact that it will be two different
>> Domains that don't have
>>>a "Trust" setup between them. The more you expect it to
>> do and the more you
>>>want to do with it, the more increasingly difficult it
>> will become. If you
>>>*don't* go into it expecting normal LAN 10/100mbps
>> behavior then you are
>>>much better off.
>>>
>>>Home users are no problem, RRAS will accept incomming
>> connections from them
>>>just as well as it does from the other RRAS on the other
>> end. You just have
>>>to add enough Virtual Adapters to cover everyone, but
>> don't go too far
>>>beyond that because it will eat up too many IP#s
>> needlessly.
>>>
>>>--
>>>
>>>Phillip Windell [MCP, MVP, CCNA]
>>>www.wandtv.com
>>>
>>>
>>>.
>>>
>>
>>
>>
>>>-----Original Message-----
>>> If your RRAS routers are the default gateways for
>> each LAN, the
>>>routing between sites is handled without any fuss. Each
>> RRAS router has a
>>>route to the "other" site's subnet through the VPN link,
>> so routing between
>>>sites works as if they were connected by a simple IP
>> router (only much
>>>slower!)
>>>
>>> As Phillip pointed out, the routing is usually
pretty
>> straight forward.
>>>It is all the problems which arise when you connect two
>> subnets and two
>>>domains that are important to think about before you
>> actually do it. Things
>>>like name resolution (DNS and/or WINS), browsing, domain
>> trusts etc. This is
>>>even more critical if you are considering making the DCs
>> the RRAS routers.
>>>That opens up quite a can of worms.
>>>
>>>"clay" <(E-Mail Removed)> wrote in
>> message
>>>news:1586601c415c6$169a10c0$(E-Mail Removed). ..
>>>> Hello all,
>>>> I am trying to set up a VPN to connect two offices
each
>>>> with it's own Win2K3 network & DC. Each office's PDC
>>>> points all traffic that is not for the local network
to
>>>> their default gateway (the router that facilitates
>>>> Internet access). Keeping this in mind, I would like
to
>>>> use the suggestions (basically creating end-point
>> routers
>>>> with Win2K computers) at
>>>>
>>>> http://msdn.microsoft.com/library/default.asp?
>>>> url=/library/en-us/dnw2kmag00/html/VPN.asp
>>>>
>>>> to set up the VPN and I would like to know if there is
>>>> anything I need to be concerened with if I use Win2K3
as
>>>> the server platform. I was told (by my ISP) that in
>> order
>>>> to make this work, I'd need to create a Win2K3 policy
>> for
>>>> each office to point specific traffic either to the
end-
>>>> point router (for VPN traffic) or the default gateway
>> (for
>>>> regular internet traffic). Can anyone point me to info
>> on
>>>> how to accomplish this? PLEASE do not send me to the
>>>> general MS VPN site as the info provided is too
general
>>>> and does not answer my questions (my ISP could not
offer
>>>> documentation as company policy forbids it).
>>>>
>>>> Additionally, I would like to know if I can create
>>>> additional VPN connections (user's home to their
>>>> respective office) with this setup.
>>>>
>>>> Thanks in advance.
>
>
>.
>