Hi all
I'm not sure if this is the correct sub-forum for my post - if not I apologize in advance
I need some advice on how to set up our work network for secure VPN access.
Our setup is currently configured as follows :-
we have a router (Thomson TG582n) that the outside world is connected to. We plug one of the LAN outputs from that into a switch. The switch is patched into all of the LAN sockets in the skirting board around the office. We also have a Windows Server 2008 R2 box, which is the domain controller + dns, and a NAS box connected to the switch.
The router is also the DHCP server and we have some static IP assignments (to the servers, and some printers).
Access to some of our internal servers (Subversion, Mantis bug tracking) is done through port-forwarding on the router. When we started there wasn't much to keep secure, but now that we have grown a bit I'm concerned that this really isn't very secure, and so I'd like to set up a VPN (using SSL).
I did a quick test by installing RRAS on the windows server and enabled PPTP which kind of 'just worked' with some port forwarding on the router, and I was able to access machines on the network via their domain/machine name. But then I read that PPTP is not really secure, and that SSL (or at the very least ipsec) is a better option. I've also read that installing the VPN role on the DC is also not secure (but I'm not sure why)
Since we're all running windows for development work, SSTP (which is windows only) would also be ok I suppose
So now I'm not sure what to do. As far as I can see I have the following options :-
1. Create another Win Server box and install the VPN server role on it, with 2 NICs etc...
but I need some clarification on a few things. The tutorial I read has the router-facing NIC IP set to 192.168.1.x and the DC-facing NIC set to 10.0.0.x
So with the DC on the 10.0.0.x network how do other machines on the LAN see it? Or should the DC also have 2 NICs (the other on 192.1.1.x) so that LAN machines can see it?
2. Buy some kind of dedicated VPN box that does SSL, in which case does _all_ traffic (in and out) go through this box? If this is the way to do it, what would be a suitable box?
3. something else that anyone might suggest?
Thanks for reading my ramble
Rob
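As an added example (this is not part of Rob's post and not something he did), here is the check a practitioner would run once SSTP replaces PPTP: confirm from outside the office that the router forwards only TCP/443 and no longer TCP/1723, and create the Windows client profile pinned to SSTP so a laptop cannot silently negotiate PPTP. The host name vpn.example.com is a placeholder; the cmdlets used (Test-NetConnection, Add-VpnConnection, Get-VpnConnection) exist on Windows 8.1 / Server 2012 R2 and later, not on 2008 R2.

```powershell
# Added example, not from the original post.
# Assumption: vpn.example.com is a placeholder for the office's public name,
# and that name matches the subject/SAN of the certificate bound to SSTP.

$pub = 'vpn.example.com'

# --- 1. External check of the router's port forwards (run from outside, e.g. a phone hotspot) ---
$pptp = Test-NetConnection -ComputerName $pub -Port 1723 -WarningAction SilentlyContinue
$sstp = Test-NetConnection -ComputerName $pub -Port 443  -WarningAction SilentlyContinue

if ($pptp.TcpTestSucceeded) {
    Write-Warning "TCP/1723 is still forwarded: PPTP remains reachable from the internet."
}
if (-not $sstp.TcpTestSucceeded) {
    Write-Warning "TCP/443 is not reachable: the SSTP forward to the RRAS box is missing."
}

# --- 2. Client profile that can only use SSTP (no 'Automatic' fallback to PPTP) ---
Add-VpnConnection -Name 'Office' -ServerAddress $pub `
    -TunnelType Sstp `
    -EncryptionLevel Required `
    -AuthenticationMethod MSChapv2 `
    -RememberCredential:$false `
    -Force

# --- 3. Verify what was actually stored rather than trusting the dialog ---
$conn = Get-VpnConnection -Name 'Office'
if ($conn.TunnelType -ne 'Sstp') {
    throw "VPN profile 'Office' is not pinned to SSTP (got $($conn.TunnelType))."
}
$conn | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, AuthenticationMethod
```

Two points this makes visible: the router forward for 1723 has to be removed on the router itself, because disabling PPTP in RRAS does nothing about the hole in the perimeter; and the client's ServerAddress must match the SSTP certificate's name, otherwise the TLS handshake fails before any credentials are sent.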