Stand Alone Web Server VPN Configuration

Scott Nichols

I am new to creating a VPN.

I have a web server that is hosted outside of our company. I want to
create a VPN to this server. The server has 2 NICs. Both NICs face
the Internet.

I think I almost have the configuration, but just wanted to check a
few things...

1. Do I HAVE to use both NICs when creating a VPN? My current thinking
is 1 NIC is the VPN access to the box, the other NIC is for public
services like web.

2. Do I need to have the IP address on the second NIC on a different
subnet? My current thinking here is yes different subnets, but I'm not
sure - this is currently where I'm stuck. (It doesn't work on the same
subnet...)

Thanks,

Scott
 
Marc Reynolds [MSFT]

1. Do I HAVE to use both NICs when creating a VPN? My current thinking
is 1 NIC is the VPN access to the box, the other NIC is for public
services like web.

This would work fine.

2. Do I need to have the IP address on the second NIC on a different
subnet? My current thinking here is yes different subnets, but I'm not
sure - this is currently where I'm stuck. (It doesn't work on the same
subnet...)

Yes, it would be best to put each NIC on separate subnets.

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
 
Scott Nichols

Hi Marc,

Thanks for the reply - separate subnets is kinda what I figured. But
my hosting company is dragging their feet on getting me the different
subnets.

So, if I wanted to know if I put the NICs on the same subnet, is it
just a routing issue? If so, I'm confused as to how to proceed. Here's
my current setup:

                  NIC1 (Public)     NIC2 (VPN)
ip address:       x.x.x.x           x.x.x.y
subnet:           255.255.255.0     255.255.255.0
default gateway:  not defined       not defined

STATIC ROUTES
Interface NIC1
Destination: 0.0.0.0
net mask: 0.0.0.0
gateway: 65.95.140.1

This allows my NIC1 interface to be reachable from the Internet, I
then try and add the same static route for NIC2 but it is not
accessible. What am I missing?

-Scott
 
Bill Grant

To establish a VPN across the Internet, you have to be able to reach the
server from the Internet using a registered IP address or FQDN. If your
server is directly connected to the Internet or to a public-addressed DMZ,
this isn't a problem.

If your server is in a privately-addressed network, you need some other
approach. If your LAN connects to the Internet via a router, you can forward
the VPN traffic (tcp port 1723 for PPTP) from the router to the VPN server.
The server itself has only one NIC. The router acts as the Internet
interface. The actual endpoint of the VPN connection is an internal
interface of the server. But the client makes the initial connection to the
router's public IP or FQDN.

Do not configure two NICs in the same subnet on a RRAS server. This
causes all sorts of problems with RRAS.

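A check for the same-subnet condition discussed in this thread, as an added example that is not part of any post above: it flags NIC pairs whose connected subnets overlap and reports when the default gateway is directly reachable from more than one NIC, which leaves the outbound interface for the default route ambiguous. The addresses are constructed documentation-range values (not the thread's), and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample configurations (documentation ranges), not values from the thread.
SAME_SUBNET = {
    "NIC1 (Public)": ("192.0.2.10", "255.255.255.0"),
    "NIC2 (VPN)": ("192.0.2.11", "255.255.255.0"),
}
SEPARATE_SUBNETS = {
    "NIC1 (Public)": ("192.0.2.10", "255.255.255.0"),
    "NIC2 (VPN)": ("198.51.100.10", "255.255.255.0"),
}
GATEWAY = "192.0.2.1"  # constructed default gateway


def connected_networks(nics):
    """Map each NIC name to the subnet implied by its address and mask."""
    return {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, (ip, mask) in nics.items()}


def overlapping_nics(nics):
    """Return pairs of NIC names whose connected subnets overlap."""
    nets = connected_networks(nics)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def gateway_reachable_from(nics, gateway):
    """Return the NICs whose connected subnet contains the gateway."""
    gw = ipaddress.ip_address(gateway)
    return sorted(n for n, net in connected_networks(nics).items() if gw in net)


def audit(nics, gateway):
    """Collect human-readable findings; an empty list means no issue found."""
    findings = [f"{a} and {b} are on the same subnet"
                for a, b in overlapping_nics(nics)]
    via = gateway_reachable_from(nics, gateway)
    if len(via) > 1:
        findings.append(f"gateway {gateway} is on-link from {', '.join(via)}")
    elif not via:
        findings.append(f"gateway {gateway} is not on any connected subnet")
    return findings


if __name__ == "__main__":
    for label, cfg in (("same subnet", SAME_SUBNET),
                       ("separate subnets", SEPARATE_SUBNETS)):
        print(label, "->", audit(cfg, GATEWAY) or "ok")
```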
 
