PPTP Authentication

J

Jennie

Hi,

I am a Network Administrator for a number of different
companies within a division. I have just implemented an
MPLS infrastructure so all the companies are on a WAN.

I am installing a VPN Concentrator as our current
solution is v.expensive but until this point i have a
need to offer VPN access to a further 150 users. I don't
currently use Microsoft but i am thinking of using PPTP
to authenticate as an interim solution.

The problem is i want the PPTP server to sit in the DMZ
of our firewall. I want it to authenticate users then
allow the traffic through to our network. As the server
will be authenticating users from a number of different
domains i don't want to join it to a current domain. The
PPTP server has to be in a domain though because of AD.

How can i get all my users to authenticate to this server
and then allow the traffic through once authenticated?
Do i use security groups and trusts or is the fact that
the PPTP server is on its own domain irrelevant as it
will only be authenticating and passing traffic through?

Any help is appreciated.

Thanks in advance!

Regards,

Jennie
 
B

Bill Grant

The VPN server doesn't have to be in a domain. You can authenticate
against its local SAM database if it is a standalone, and use a local remote
access policy.

If it is in a domain, you can authenticate against AD. The RRAS server
doesn't have to be a domain controller. As long as it is a member of the IAS
and RAS server group in AD, it will offload the authentication to a DC in
AD.

I guess you already know that the username/password used for VPN
connection is used solely for that purpose. It does not log you on to the
domain and this username/password combination is not used for file access
credentials. It is only used to validate your permission to establish a
remote connection.
 
J

Jennie

Hi Bill,

I am in the process of testing this now. Thanks for your
feedback.

Do i just filter the packets back onto my network once
they have authenticated?

Regards,

Jennie
 
B

Bill Grant

That's where putting the VPN server in a DMZ gets tricky. The first
thing is to get the traffic to the private LAN. What IP addresses are you
going to give to the remote clients?

The best bet is probably to put the VPN clients in their own IP
subnet, and route that subnet through the RRAS server to the private
network. Then you need to get the name resolution working before you can
look at the filtering.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Remote authentication from PPTP clients 4
PPTP Pass through for VPN not on RRAS 3
VPN Routing Problems...Cannot route from server side to client sid 3
PPTP Ports Missing 1
Can't ping VPN clients from LAN 1
RRAS output filters do not seem to have any effect 1
How to use NETSH to delete PPTP/L2TP ports? 0
Unable to login to PPTP server 4

Top