Welcome to ISAserver.org
VPN outside of dmz
VPN outside of dmz - 21.Dec.2001 11:26:00 PM   
logan ramirez


Posts: 64
Joined: 18.Dec.2001
From: san antonio, tx, usa
Status: offline
We have a VPN which allows our sales reps to dial in and connect to our network.

We are mounting a back to back DMZ and my question is how can we allow our reps to still VPN onto our network? Should we make the outside DMZ the VPN server or leave the VPN server we have and mount it outside of the external server and allow ONLY certain clients in. It just seems so shaky from a security standpoint.

Any help will be extremely beneficial.
Thanks.

------------------
Logan

Post #: 1
RE: VPN outside of dmz - 23.Dec.2001 7:41:00 AM   
tshinder


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Logan,

This is a very problematic configuration, from what I've read. The problem is if you terminate the VPN at the external server, you will only be able to access resources on the DMZ segment, except for those resources that you publish on the internal ISA Server. The reason for this is that you can't publish the VPN server because publishing rules don't work for GRE. Now, you could use a public address DMZ, but there is a problem with the packet filtering mechanism that appears to break passing GRE packets through to the external interface of the internal ISA Server. You *should* be able to do this, but people report to me that they have a hard time making this work. I haven't tested this out yet, but will in the near future for the 2nd edition of our book.

One solution that I think should work is to tunnel a PPTP connection inside another PPTP connection. For example, you establish a PPTP connection to the external interface of the external ISA/VPN server. Then after establishing this connection, establish a PPTP tunnel inside of the one that you already created so that you can connect to the ISA/VPN server on the inside of the DMZ. This should work, and I hope to demonstrate that soon.

I don't even want to think about how to make this work with L2TP/IPSec. However, if I did think about it, the same tunnel inside a tunnel approach should work. You may be able to use packet filters, but you wouldn't be able to publish the internal L2TP/IPSec VPN server because the IP Protocols could not be published.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/
(in reply to logan ramirez)
Post #: 2
RE: VPN outside of dmz - 24.Dec.2001 5:33:00 PM   
logan ramirez


Posts: 64
Joined: 18.Dec.2001
From: san antonio, tx, usa
Status: offline
Thanks, Tom. Indeed, I knew there would be some issues and it is going to take a great deal more planning.

So PPTP connections from client to external firewall and from external to internal firewall would allow the access. Does this mean configuring both ISAs to serve as a VPN and then have a client to site and site to site PPTP? Sure is going to be tough to lock down.

Thank you again for your continued support and insight.

Hope this helps all who are reading it.

------------------
Logan


(in reply to logan ramirez)
Post #: 3
RE: VPN outside of dmz - 24.Dec.2001 10:32:00 PM   
tshinder


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Logan,

What I'm thinking of that will work best is that when you create the back to back ISA Server DMZ, you are going to need to use public addresses on the DMZ segment if you want users to be able to access the internal network.

Both of the ISA Servers will be configured as VPN servers. The callers will first establish a PPTP connection with the external ISA Server. After the link to the external ISA Server is complete, the users will establish a second VPN connection, this time to the internal ISA Server. When the users configure the VPN connectoid on their computers, the dial-up interface through which the VPN connection to the internal ISA Server will be made will be through the VPN link for the external ISA Server.

Make sense? Should work. I'll test this in the coming weeks because I think it's an important subject.

Also, if you use private addresses on the DMZ, there *might* be problems, but it still might work since we're tunneling inside of a tunnel. I'll try it both ways.

I'll be sure to include this information in the second edition of the book (due in May).

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/
(in reply to logan ramirez)
Post #: 4
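Tom's two replies above explain why the internal VPN server can't be published through the external ISA (GRE has no port for a publishing rule to match) and how the PPTP-inside-PPTP arrangement gets around it. The Python model below is an added illustration, not code from the thread or from ISA Server; the addresses and the `Packet`, `publish`, `pptp_wrap` and `vpn_terminate` names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

GRE, TCP = 47, 6  # IP protocol numbers: PPTP data rides on GRE, control on TCP/1723

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int]           # TCP/UDP destination port; GRE has no port
    payload: Union["Packet", str]  # a tunnelled packet, or application data

def publish(rules: dict, pkt: Packet) -> Optional[str]:
    """ISA publishing rules match on (protocol, port); a GRE packet has no port,
    so no publishing rule can describe it. Returns the published host or None."""
    if pkt.dport is None:
        return None
    return rules.get((pkt.proto, pkt.dport))

def pptp_wrap(client_ip: str, vpn_server_ip: str, inner: Union[Packet, str]) -> Packet:
    """Encapsulate a packet in the GRE data channel of a PPTP tunnel to vpn_server_ip."""
    return Packet(client_ip, vpn_server_ip, GRE, None, inner)

def vpn_terminate(server_ip: str, pkt: Packet) -> Optional[Packet]:
    """A VPN server decapsulates only GRE addressed to its own interface."""
    if pkt.dst != server_ip or pkt.proto != GRE or not isinstance(pkt.payload, Packet):
        return None
    return pkt.payload

# Constructed addresses for the back-to-back layout (hypothetical, not from the thread).
CLIENT, EXT_ISA = "203.0.113.10", "198.51.100.1"           # road warrior and external ISA
DMZ_CLIENT, INT_ISA_DMZ = "192.168.10.50", "192.168.10.1"  # external ISA's pool address, internal ISA DMZ side
LAN_CLIENT, FILE_SERVER = "10.0.0.200", "10.0.0.5"         # internal ISA's pool address, LAN host

def single_tunnel_published() -> Optional[str]:
    """One tunnel plus a publishing rule for the internal VPN server: TCP/1723
    control traffic can be published, but the GRE data channel cannot."""
    rules = {(TCP, 1723): INT_ISA_DMZ}
    gre = pptp_wrap(CLIENT, EXT_ISA, Packet(CLIENT, INT_ISA_DMZ, TCP, 0, "x"))
    return publish(rules, gre)

def nested_tunnel_delivery() -> Optional[Packet]:
    """Tunnel inside a tunnel: every GRE hop is addressed to a server that terminates it."""
    lan_pkt = Packet(LAN_CLIENT, FILE_SERVER, TCP, 445, "SMB request")
    inner = pptp_wrap(DMZ_CLIENT, INT_ISA_DMZ, lan_pkt)  # second VPN, dialled over the first
    outer = pptp_wrap(CLIENT, EXT_ISA, inner)            # first VPN from the Internet
    on_dmz = vpn_terminate(EXT_ISA, outer)               # external ISA strips outer header
    return None if on_dmz is None else vpn_terminate(INT_ISA_DMZ, on_dmz)
```

`single_tunnel_published()` returns `None` because the GRE data channel never matches a port-based rule, while `nested_tunnel_delivery()` returns the LAN packet because each tunnel ends at the server it is addressed to rather than being forwarded through it.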
RE: VPN outside of dmz - 25.Dec.2001 7:34:00 PM   
tshinder


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Logan,

I just tested this out, and it works fine! So you can tunnel inside of another tunnel. This is how you get your VPN to terminate at the external ISA Server, encrypt traffic through the DMZ segment, and access the internal network resources, all safe and sound via a VPN.

This is how I spend my Christmas Day.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/
(in reply to logan ramirez)
Post #: 5
RE: VPN outside of dmz - 26.Dec.2001 4:08:00 PM   
logan ramirez


Posts: 64
Joined: 18.Dec.2001
From: san antonio, tx, usa
Status: offline

That is how you spend your Christmas day, eh? Good stuff...funny, funny....

Great to hear it works! Did you try it with a private and public DMZ? We are pretty set on using private addresses, but if there are overbearing problems, we would use public.

Any particular issues I should pay attention to during setup which you encountered?

Thank you once again. I can't wait to get the 2nd edition in May!

Hope this finds you well,

------------------
Logan


(in reply to logan ramirez)
Post #: 6
RE: VPN outside of dmz - 28.Dec.2001 7:05:00 PM   
tshinder


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Logan,

I only tried it with the private address DMZ. From what I've read about problems with the packet filter driver, you won't be able to make it work with a public address DMZ until SP1 comes out.

Let us know how it works for you!

Thanks!

Tom

------------------
http://www.isaserver.org/shinder/
(in reply to logan ramirez)
Post #: 7
RE: VPN outside of dmz - 28.Dec.2001 7:12:00 PM   
logan ramirez


Posts: 64
Joined: 18.Dec.2001
From: san antonio, tx, usa
Status: offline
Whew! SO glad to hear it works with PRIVATE right now and not the other way around...

I will definitely let you know how it works out for us and any problems/notes/comments I have. The phases span over the next month, so VPN will fall a couple of weeks down the road.

Thank you, once again, for your support.

------------------
Logan


(in reply to logan ramirez)
Post #: 8