SBS 2003 Software VPN

Can someone remind me of what VPN functionallity is built into SBS2003?

For a number of years we have been using Hardware VPNs (which have been very
reliable) that terminate at the Router and also RWW to allow access to
individual workstations from anywhere on the Internet. We now have need to
give a number of others access to shared drives on the network via VPN.
This will be usually from known trusted laptops but it might also be good to
provide occassional VPN access from a public machine if that is possible.

Thanks,
Nick

Thanks Brian,

So if I have understood this correctly SBS 2003 built-in VPN will allow any
laptop to connect over the Internet, it doesn't need to be part of the
domain then. Is there any limit on the number of concurrent connections?

If that is the case is there any advantage to having a hardware SSL VPN?

Nick


"Brian Cryer" <not.here@localhost> wrote in message
news:...
> "Nick" <> wrote in message
> news:...
>> Can someone remind me of what VPN functionallity is built into SBS2003?
>
> Probably very similar to your hardware VPN, with the added advantage that
> access to VPN is tied to user accounts so you can allow/deny VPN on a per
> user basis. Your hardware VPN solution probably gives you the ability to
> restrict by IP address, mac key etc, which the 2003 solution doesn't
> provide.
>
>> For a number of years we have been using Hardware VPNs (which have been
>> very reliable) that terminate at the Router and also RWW to allow access
>> to individual workstations from anywhere on the Internet. We now have
>> need to give a number of others access to shared drives on the network
>> via VPN. This will be usually from known trusted laptops but it might
>> also be good to provide occassional VPN access from a public machine if
>> that is possible.
>
> Like I've implied above, I don't think the 2003 VPN solution has the
> concept of a "trusted laptop", but otherwise all of what you refer to
> should be achievable using the VPN in SBS 2003.
>
> I appreciate that this answer is a bit superficial, but I hope it answers
> your initial question.
>
>> Thanks,
>> Nick
> --
> Brian Cryer
> http://www.cryer.co.uk/brian
>

On 25/08/10 15:22, Brian Cryer wrote:
> "Nick" <> wrote in message
> news:...
>> Can someone remind me of what VPN functionallity is built into SBS2003?

Basically, PPTP, IPSec and L2TP, the latter two being difficult to get
running with devices which do not carry the public IP address of the
network, hence their usual use on edge devices such as routers. The
endpoint IP addresses are part of the security.

>
> Probably very similar to your hardware VPN, with the added advantage
> that access to VPN is tied to user accounts so you can allow/deny VPN on
> a per user basis. Your hardware VPN solution probably gives you the
> ability to restrict by IP address, mac key etc, which the 2003 solution
> doesn't provide.
>
You might be surprised by what can be done. Have a poke around in RRAS
management, in particular, Remote Access Policies. But IP connection
restrictions are best applied at the Internet router, if possible.

>> For a number of years we have been using Hardware VPNs (which have
>> been very reliable) that terminate at the Router and also RWW to allow
>> access to individual workstations from anywhere on the Internet. We
>> now have need to give a number of others access to shared drives on
>> the network via VPN. This will be usually from known trusted laptops
>> but it might also be good to provide occassional VPN access from a
>> public machine if that is possible.
>
This would be a public machine which is guaranteed free of keyloggers
and other malware? A 3G dongle on a (reasonably) trusted portable is
likely to be the best means of mobile access. There are many free WiFi
locations, but they tend to be limited to basic http web surfing, and
even that is almost always unencrypted over the air.

--
Joe

On 25/08/10 18:09, Nick wrote:
> Thanks Brian,
>
> So if I have understood this correctly SBS 2003 built-in VPN will allow any
> laptop to connect over the Internet, it doesn't need to be part of the
> domain then.

No, it doesn't even need to be a Windows machine. But my experience of
network browsing and share visibility with non-domain clients is that of
severe intermittency. Only the SBS web-based services can be pretty much
guaranteed to work reliably.

Human VPN users do need to be domain members, and if you are considering
offering some kind of network access to non-members, then you need to be
looking at a solution which is completely independent of the SBS and its
means of authentication.

> Is there any limit on the number of concurrent connections?
>
By default, five PPTP and five L2TP connections are allocated, this can
be adjusted in RRAS management. I don't know what the absolute limit is,
but I suspect the server will die of overwork long before getting
anywhere near it.

Note that only one VPN tunnel will normally work between any pair of
public IP addresses, so multiple users in one location will need the
hardware site-to-site VPN. That's not an SBS limitation, but is
dependent on the Internet routers involved being able to manage multiple
protocol 47 or 50 tunnels between the same endpoints i.e. they typically
can't.

> If that is the case is there any advantage to having a hardware SSL VPN?
>
You're not adding extra load to the organisation's only server, VPN is
quite CPU-intensive. Users of an SBS VPN might well notice if another
user does a heavy bit of SQL work, or the backup starts running. And in
general, the more functions a device carries out, the less well does any
particular one work. And I have a preference for minimising the number
of eggs in any one basket...

--
Joe