RAS as a member server

John

All, here is my question. I want to install RAS on a Win2k3 box as a member
server. This RAS server will only handle remote authentication. Of course
this machine will have two NICs, one to the ISP and the second to my DC. I
just want to know if this is even possible?

Then from the DC, I will be handling DHCP, DNS and Exchange 2003. If it
were up to my boss, he wouldn't even want AD on the network (I work for a
bunch of developers).

Let me know what you think or if there are any security issues here. Any
thoughts are welcome.
 
Kurt

John said:
All, here is my question. I want to install RAS on a Win2k3 box as a member
server.


This RAS server will only handle remote authentication.

A RAS server as a domain member server can handle authentication only
for itself. If you need remote users to have access to domain
resources, you'll need to set up the member server to use domain
authentication.

Of course this machine will have two NICs, one to the ISP and the second
to my DC. I just want to know if this is even possible?

Completely possible, but not the way I'd do it. You can accept remote
connections and have a LAN connection with just one NIC. You just need
to open/forward the appropriate ports in your router.
Then from the DC, I will be handling DHCP, DNS and Exchange 2003. If it
were up to my boss, he wouldn't even want AD on the network (I work for a
bunch of developers).

Can't have Exchange without AD. If you're already buying a Server OS and
have more than just a few accounts, AD is the way to go.
Let me know what you think or if there are any security issues here. Any
thoughts are welcome.

There are always security issues if you intend to expose a server
directly to the Internet. Keep it behind your NAT router/firewall.

....kurt
 
John

Kurt, thanks for answering my questions so quickly. I have a few more questions;
please see my comments below. And thanks again for your assistance.


Kurt said:
This RAS server will only handle remote authentication.

A RAS server as a domain member server can handle authentication only for
itself. If you need remote users to have access to domain resources,
you'll need to set up the member server to use domain authentication.

They want to only have RAS so that they can access the resources behind the
firewall, meaning RAS will act as the firewall so that they can access their
PCs through Remote Desktop. Currently their PCs are not part of the domain;
again, I work for a bunch of developers who only care about getting into the
LAN. Dumb, I know...
Completely possible, but not the way I'd do it. You can accept remote
connections and have a LAN connection with just one NIC. You just need to
open/forward the appropriate ports in your router.

They do not want to spend money on a router, they just want RAS to act as
the router and only open certain ports so they can access email and remote
to their workgroup desktop computers.
Can't have Exchange without AD. If you're already buying a Server OS and
have more than just a few accounts, AD is the way to go.
Totally agree. They just want to have Exchange so that it handles POP3, so they
can download to their PCs and use a redirector to forward it onto their local
Blackberry devices. Even with E2K3 or E2K7 you still need AD in order to
run it???
There are always security issues if you intend to expose a server directly
to the Internet. Keep it behind your NAT router/firewall.

This is why I am thinking of setting up a RAS server as a stand-alone. I
know I will have to create accounts there locally through Computer Management to
handle RAS authentication and then go over to AD and create another account
so that it has mail.

John, Thanks Kurt....
 
Kurt

They want to only have RAS so that they can access the resources behind the
firewall, meaning RAS will act as the firewall so that they can access their
PCs through Remote Desktop. Currently their PCs are not part of the domain;
again, I work for a bunch of developers who only care about getting into the
LAN. Dumb, I know...

RAS, in and of itself, provides no firewall other than authentication.
You need something between the RAS server and the Internet.

They do not want to spend money on a router, they just want RAS to act as
the router and only open certain ports so they can access email and remote
to their workgroup desktop computers.

How do they get to the Internet now if they don't have a router? Does
everybody have a public IP address?

Totally agree. They just want to have Exchange so that it handles POP3, so they
can download to their PCs and use a redirector to forward it onto their local
Blackberry devices. Even with E2K3 or E2K7 you still need AD in order to
run it???

Yep. Exchange is tied to AD. There are many alternatives if you just
want POP3. Check out Zimbra (Free if you can use the web interface - and
it's a very nice interface). Also check out Scalix, another Free server
that with an Outlook connector (Outlook 2000 - 2003, but not Outlook
2007 yet) that is free up to 25 users (plus an unlimited number of
non-Outlook users). Not as nice as Zimbra, but if Outlook is a must, it
does the job. Either will do just dandy as a pop3/smtp server. Priced
Exchange lately? Waaayyy too much (price, overhead, administration) for
a handful of users.
This is why I am thinking of setting up a RAS server as a stand-alone. I
know I will have to create accounts there locally through Computer Management to
handle RAS authentication and then go over to AD and create another account
so that it has mail.

Having the RAS server (I assume you are talking about VPNs, right?)
exposed to the Internet directly is less secure than having it behind a
firewall.

If you just want Remote Desktop, you don't need a RAS server. You just
need to forward the ports from your Internet Router to the workstations.
The default port for RDP is 3389, but you can change it in the registry
(the internal users have to have XP Pro, or Vista Business/Ultimate -
Home won't do it). So assign ports (3390, 3391, or whatever you like) to
the workstations and forward those ports from the Internet Router to
their private IP addresses. Google "Change terminal services port". Then
they can connect remotely from any Internet-connected computer with an
RDP client (including XP Home and such). Use strong passwords, rename
the administrator account if you want. Set a lockout policy for failed
attempts, and you can't get much more secure. Plus, you won't have to
move files across a slow Internet link.

....kurt
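As an added example (not part of the thread), a PowerShell script that audits the two settings Kurt's advice depends on: the RDP listener port in the registry and the local account-lockout policy. It assumes it is run as an administrator on the workstation being checked; the registry path and the `net accounts` output labels are the standard Windows ones.

```powershell
# Added example, not from the thread: check the RDP listener port and the
# local lockout policy before forwarding any port to this workstation.
# Assumes: run elevated on the target workstation.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerPort {
    # PortNumber is the value the "Change terminal services port" advice edits.
    (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
}

function Set-RdpListenerPort {
    param([Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$Port)
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $Port -Type DWord
    # The Terminal Services listener reads PortNumber at start-up only.
    Write-Host "RDP port set to $Port; restart the machine (or TermService) to apply."
}

function Get-LockoutPolicy {
    # 'net accounts' prints the effective local policy; parse the lockout lines.
    $out = net accounts
    $pick = { param($label) ($out | Select-String $label).ToString().Split(':')[1].Trim() }
    [pscustomobject]@{
        Threshold   = & $pick 'Lockout threshold'
        DurationMin = & $pick 'Lockout duration'
        WindowMin   = & $pick 'Lockout observation window'
    }
}

$port = Get-RdpListenerPort
$lock = Get-LockoutPolicy

# A non-default port only reduces noise from scanners; it is not a control.
if ($port -eq 3389) {
    Write-Host "RDP listener on default port 3389 (Kurt suggests a per-workstation port)."
} else {
    Write-Host "RDP listener on port $port."
}

# The lockout policy is the control that actually limits password guessing.
if ($lock.Threshold -eq 'Never') {
    Write-Warning "No lockout threshold: failed logons are unlimited. Example fix: net accounts /lockoutthreshold:5"
} else {
    Write-Host "Lockout after $($lock.Threshold) failed attempts for $($lock.DurationMin) min (window $($lock.WindowMin) min)."
}
```

Run the audit on each workstation you intend to expose; only call `Set-RdpListenerPort` on the ones whose port you are changing, and update the router's forwarding rule to match.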
 
