Best way to setup remote access for my network

yo.natan

Hi

First let me describe the current network setup. I have an ADSL modem
connected to a D-Link DI604 router. A server running Windows 2003 Server R2
and two Windows XP Professional SP3 workstations are all directly connected
to the DI604 router. This is a workgroup network!

At the moment I access all three machines remotely using Remote Desktop
Connection. The router forwards port 3389 to the server, 3390 and 3391 for
each workstation, respectively.

I don't believe that this is the most secure setup for remote access and I
am looking for advice on how to improve.

My first idea is to change the setup, so that I would remotely access the
server using RDP and once on the server I would use RDP on the server to
access each workstation when necessary. This way I figure I need to open only
one port on the router and this will be more secure.

Now some questions:

- Which is more secure, to run RDP over SSL or RDP over VPN?

- IF RDP over SSL is chosen, then I guess only solution is to install an SSL
server on the server?

- If RDP over VPN is chosen above, is it better to get a new router to
replace the DI604 which has VPN capabilities or to install a software VPN
server on the server?

- If it is better with a VPN router which of the following is a good choice
(money not the deciding factor):

1. CISCO RVS4000 4-PORT GIGABIT SECURITY ROUTER

2. D-LINK DFL-200 FIREWALL

3. D-LINK DFL-210 FIREWALL

4. LINKSYS BEFVP41 4-PORT SWITCH VPN

If any hardware not mentioned is better please let me know!!

Ok that should be all my questions for now. By the way the remote computer
accessing the corporate network is not important as it can use either VPN or
SSL and will use software not hardware in case of VPN solution.

Thanks for any advice and help!
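An added check, not part of the original thread: the exposure described above (3389, 3390 and 3391 forwarded from the router to three Windows hosts) can be verified from outside with nothing more than an X.224 Connection Request, the first message of an RDP session (MS-RDPBCGR). The reply tells you whether the port really is an RDP listener and which security layer the server will negotiate: legacy RDP security, TLS, or CredSSP/NLA. That negotiation is also what "RDP over SSL" amounts to: from Windows Server 2003 SP1 on, the TLS security layer is a setting in Terminal Services Configuration (RDP-Tcp properties, Security layer) backed by a certificate, not a separate SSL server. The script is example code, not from the thread or any vendor; the loopback listener, `serve_once` and `build_connection_confirm` are constructed stand-ins so it runs offline, and the hosts and ports you would actually point it at are assumptions.

```python
"""Probe TCP ports for an RDP listener and report the negotiated security
layer. Added example, not thread code. Sends only the X.224 Connection
Request (MS-RDPBCGR 2.2.1.1) and reads the Connection Confirm; it never
authenticates or opens a session."""
import socket
import struct
import threading

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000        # legacy "RDP security layer"
PROTOCOL_SSL = 0x00000001        # TLS, i.e. "RDP over SSL"
PROTOCOL_HYBRID = 0x00000002     # CredSSP / Network Level Authentication
PROTOCOL_HYBRID_EX = 0x00000008
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # LI=14, CR code 0xE0, DST-REF, SRC-REF, class 0, then 8-byte neg request
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify the server's reply to the Connection Request."""
    if len(data) < 11 or data[0] != 3:
        return {"rdp": False, "reason": "not a TPKT/X.224 reply"}
    if data[5] != 0xD0:                      # X.224 Connection Confirm code
        return {"rdp": False, "reason": "no X.224 Connection Confirm"}
    if len(data) < 19:
        # Bare 11-byte CC: server does no protocol negotiation at all, so
        # only the legacy RDP security layer is on offer.
        return {"rdp": True, "negotiated": False, "selected": PROTOCOL_RDP}
    neg_type, _flags, _length = struct.unpack_from("<BBH", data, 11)
    value, = struct.unpack_from("<I", data, 15)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"rdp": True, "negotiated": True, "selected": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"rdp": True, "negotiated": True,
                "failure": FAILURE_CODES.get(value, hex(value))}
    return {"rdp": True, "negotiated": False, "reason": "unknown neg type"}


def probe_rdp(host, port, requested=PROTOCOL_SSL | PROTOCOL_HYBRID, timeout=3.0):
    """Connect, send the CR, return the parsed reply plus reachability."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_connection_request(requested))
            data = s.recv(64)
    except OSError as e:
        return {"reachable": False, "error": str(e)}
    result = parse_connection_confirm(data)
    result["reachable"] = True
    return result


def classify(result):
    """One-line verdict for a probe result."""
    if not result["reachable"]:
        return "closed"
    if not result["rdp"]:
        return "open, not RDP"
    if "failure" in result:
        return "RDP, server refused: " + result["failure"]
    sel = result["selected"]
    if sel & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "RDP with NLA (CredSSP)"
    if sel & PROTOCOL_SSL:
        return "RDP over TLS"
    return "RDP, legacy security layer only"


# --- constructed stand-ins so the example runs offline; not real hosts ---
def build_connection_confirm(neg_type=None, value=0):
    """Fake reply: bare CC, or CC + RDP_NEG_RSP / RDP_NEG_FAILURE."""
    x224 = bytes([0xD0, 0, 0, 0x12, 0x34, 0])
    if neg_type is not None:
        x224 += struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = bytes([len(x224)]) + x224          # prepend LI
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def serve_once(response):
    """Listen on 127.0.0.1, answer one connection with `response`, return port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(response)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # For a real check, replace with your public IP and 3389-3391, run from
    # outside the LAN, and expect "closed" once the forwards are gone.
    targets = [("no negotiation", serve_once(build_connection_confirm())),
               ("TLS offered", serve_once(build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_SSL))),
               ("NLA required", serve_once(build_connection_confirm(TYPE_RDP_NEG_FAILURE, 5)))]
    for label, port in targets:
        print(f"{label:16s} 127.0.0.1:{port} -> {classify(probe_rdp('127.0.0.1', port))}")
```

Run it from a host outside the LAN against the router's public address: every forwarded port should come back as some flavour of "RDP" today and as "closed" once the forwards are removed and access goes through the VPN. Run it from inside against the server after enabling the TLS security layer and the verdict should change from "legacy security layer only" to "RDP over TLS". Each probe opens one TCP connection and sends 19 bytes, so it is safe to run against your own hosts, but it is still a connection attempt and will appear in the server's logs.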
 
Phillip Windell

Replace your firewall device with one that can act as a VPN Server.

Your main players to check into are:

Cisco (not Linksys)
Sonicwall
Watchguard

Anything worth buying in this class is going to be between $300 and $500
(last time I checked). I have no model numbers to suggest. Go to someplace
such as www.cdw.com. That site gives you the ability to do side-by-side
comparisons. The last company I helped with this "in person" chose to go
with the Watchguard because it had fewer hidden charges for extra features
you had to "subscribe" to get. But they all want to "stick it to you" for
every extra feature you want, some just aren't as bad as others.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
 
yo.natan

Thanks for your reply Phillip! I'll have a look at the ones you mentioned!
Can someone please address my other questions! Thanks
 
Phillip Windell

yo.natan said:
Thanks for your reply Phillip! I'll have a look at the ones you mentioned!
Can someone please address my other questions! Thanks

It's a pretty simple answer,...use the VPN,...run the RDP over that after
you put all the RDP ports back to the normal ports.

Your VPN is going to be PPTP or L2TP. The most secure choice is L2TP,...but
PPTP is the easiest to deal with.

IPSec is not even part of the conversation as far as I am concerned unless
the Device you buy will only work with IPSec.


yo.natan

Thanks again Phillip for your speedy reply! Much appreciated!

Ok, so VPN it is! Now I just need to decide on what hardware will replace
the D-Link DI604 which is currently in use!

I've done some searching and going on your hardware manufacturer
recommendations...I've found the following Cisco RVS4000 4-port Gigabit
Security Router (roughly $200). Please see the link to the product specs:

http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9928/data_sheet_c78-496735.pdf

I don't know if it is a good device, but it doesn't seem to be overkill for
my situation. It has 4 ports which is what my current D-Link router has and
allows me to connect my server, two workstations and printer. Apart from
that I have no experience with Cisco products although they seem very widely
used for much larger networks. Regarding the VPN capabilities of the product,
it seems that it has a VPN server with IPsec, PPTP and L2TP.

Not sure if this is a good product and with the VPN capabilities I need?

P.S. An advantage with the product is that my network will go from 100 Mbps
to 1000 Mbps which I guess will increase the performance of the network even
though we only deal with documents and accounting software (some of which
runs from the server).

What do you think? Should I look for something else?
 
Phillip Windell

yo.natan said:
I've done some searching and going on your hardware manufacturer
recommendations...I've found the following Cisco RVS4000 4-port Gigabit
Security Router (roughly $200). Please see the link to the product specs:

http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9928/data_sheet_c78-496735.pdf

It will probably do what you need. But one thing to watch out for with Cisco
(and maybe some others) is that the Remote Access VPN won't work with the
built-in abilities of Windows, which requires you to install a special dialup
client and you can't establish a VPN link without it. Some people don't
mind that, but I can't stand that,...I guess it is a personal choice.

I don't use Cisco products of this nature so I don't know all the little
details about them. the only VPN application I am involved in is a
commercial application and we use MS ISA Server as the Firewall & VPN
Server. It requires no special VPN Client to be able to function. But ISA
is way overkill and way too $$$$ for your situation.


yo.natan

Not sure what you mean! Would I have to install software on the server and
workstations in order to connect to them remotely? I thought I connect to the
Cisco router using a vpn client on my remote machine and then just use RDC?
 
Phillip Windell

yo.natan said:
Not sure what you mean! Would I have to install software on the server and
workstations in order to connect to them remotely?

The Server has nothing to do with it. On the workstation,..yes,..you have
to install a piece of software called the Cisco VPN Client,...that is not
something I like,...and I don't know if all the Cisco products capable of
VPN force that on you or not.
I thought I connect to the
Cisco router using a vpn client on my remote machine and then just use
RDC?

That is the way I prefer to do it too. I just am doubtful with Cisco
products that it will be like that. I'm just saying that is something you
have to keep in mind when you choose a product.

yo.natan

Ok I think I'm starting to understand the whole VPN setup. I found the manual
for the Cisco product which I named earlier.

http://www.cisco.com/en/US/docs/routers/csbr/rvs4000/administration/guide/RVS4000_V10_UG_B_web.pdf

I've had a look through, but I would like some clarification and you are
definitely more knowledgeable about VPNs than I am. Pages 49-54 covers
configuring IPsec. If I understand it correctly, you set up the Cisco router,
then each computer connected to the router on the local LAN needs to be
configured using secpol.msc to set up the IPsec rules as stated on these
pages. If I am correct then no software needs to be installed on the server
or the workstations and the IPsec rules make sure that once a VPN connection
has been established to the router, the IPsec rules come into play and route
traffic to the computers.

Is this correct? Can you perhaps clarify what I've said?

Thanks for your patience! ;)
 
Phillip Windell

yo.natan said:
Ok I think I'm starting to understand the whole VPN setup. I found the
manual for the Cisco product which I named earlier.

http://www.cisco.com/en/US/docs/routers/csbr/rvs4000/administration/guide/RVS4000_V10_UG_B_web.pdf
definitely more knowledgeable about VPNs than I am. Pages 49-54 covers
configuring IPsec. If I understand it correctly, you setup the Cisco
router
<shortened for space>
Is this correct? Can you perhaps clarify what I've said?

No.

You want Appendix B: Quick VPN for Windows

You have to install "Quick VPN Client" on the machines that want to "dial
in" to the LAN from outside.

The Appendix C for IPSec makes no sense to me at all and I have no idea what
they are trying to accomplish with that.

Appendix D is the one for Site-to-Site VPN,...which is *not* what you are
doing but I wanted you to know what that one was for anyway.

There is no way I would buy that.

You want something that will accept incoming Remote Access VPN using either
PPTP or L2TP without having to install any software on the workstation that
is trying to do the connecting.

Phillip Windell

Look at Chapter 3, Page 5 (based on the PDF pages)
http://www.cisco.com/en/US/docs/rou...nistration/guide/RVS4000_V10_UG_B_web.pdf

This part of their docs is very clear. There are two types of VPN in this
context:

1. Router-to-Router VPN (aka Site-to-Site VPN)

2. Computer to VPN Router (aka User Initiated, Remote Access VPN)

The second one is what I interpret you are trying to do. Notice that it
says it requires the "Linksys VPN client software" installed on the user
machine to function. In Appendix B it calls it "QuickVPN for Windows". In
any case it means you have to install "stuff" on the workstation to be able
to use the VPN. That is what I am generally opposed to doing. But it is up
to you of course.
 
yo.natan

I read this on page 4:

"If you choose not to run the VPN client software, any computer with the
built-in IPSec Security Manager
(Microsoft 2000 and XP) allows the VPN Router to create a VPN tunnel using
IPSec (refer to “Appendix C: Configuring IPSec between a Windows 2000 or XP
PC and the Router”).
Other versions of Microsoft operating systems require additional,
third-party VPN client software applications that support IPSec to be
installed."

So, I guess the section about IPsec is necessary to configure the computers
behind the router if you don't want to use the supplied software.

Thanks for spending the time to look into this! If we look at other hardware
options from the online vendor who I buy all my computer hardware, what would
you choose if you were in my shoes?

The link is to the vendor (site is available in English by clicking flag in
top header - middle)

http://www.dustin.se/lp_5009_3035.aspx

The link takes you directly to the Firewalls section.

I know I'm asking a lot, but if you are willing to endure a little longer I
am most grateful!
 
yo.natan

There must be some problem with the forum because I have posted a reply
several times and one minute it is there and the next it is gone! What's
going on?!
 
yo.natan

Trying to post again!

Thanks for looking at this in depth! I wrote a long reply yesterday, but for
some reason it has not been posted. I'll rewrite!

I had a look at the manual again and found the following on p. 4-5, which says

"If you choose not to run the VPN client software, any computer with the
built-in IPSec Security Manager (Microsoft 2000 and XP) allows the VPN Router
to create a VPN tunnel using IPSec (refer to “Appendix C: Configuring IPSec
between a Windows 2000 or XP PC and the Router”)."

I guess that explains the section on IPsec.

Ok, I know I'm asking a lot, but if you are willing to endure a little
longer and help me find a good solution can you please take a look at the
online vendor where I purchase all my computer equipment and suggest which
hardware solution you would pick if you were in my shoes?

http://www.dustin.se/productlist.aspx?lgroup=5009&dgroup=3035

The website address takes you straight to the Firewall section (the site is
Swedish, but there is a flag at the top that enables the English version).

Thank you very much for your continued help!
 
Phillip Windell

I see this one.

Although it fouled up all the formatting of my post. I can correct it below.

Stop using the "web interface" and start using a real NewsReader. I use
Outlook express and do just fine with it.

yo.natan said:
There must be some problem with the forum because I have posted a reply
several times and one minute it is there and the next it is gone! What's
going on?!

This part of their docs is very clear. There are two types of VPN in this
context:

1. Router-to-Router VPN (aka Site-to-Site VPN)

2. Computer to VPN Router (aka User Initiated, Remote Access VPN)

The second one is what I interpret you are trying to do. Notice that it says
it requires the "Linksys VPN client software" installed on the user machine
to function. In Appendix B it calls it "QuickVPN for Windows". In any
case it means you have to install "stuff" on the workstation to be able to
use the VPN. That is what I am generally opposed to doing. But it is up to
you of course.

Phillip Windell

yo.natan said:
I sent you an email since my post is still not showing! I contacted my
online
hardware vendor and they recommended the following product: PROSAFE® VPN
FIREWALL WITH 8-PORT 10/100 SWITCH
FVS338
(http://netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS338.aspx).
Netgear has a sample interface of the device to play with here
(http://tools.netgear.com/landing/gui/security/fvs338/simulators/fvs338/wan1_setup.htm).

As long as it worked with the regular Windows DUN without installing
anything on the workstation/laptop then I would be satisfied. I cannot
verify that from those links. You may have to call them and just ask them
straight-up.

In the end it is up to you,...you can still use the ones that require a
special "client" be installed if you wish,...I'm only saying that I would
not like that, it is just my personal preference.

yo.natan

I'll go for this one! I've done extensive research and it does not require
any special software just proper configuration!

Thank you very much for all your help Phillip!!
 
