Routes

Hi
I have a quick question about static routes. I have been asked to supply a
VPN solution to access 2 servers for support purposes using a Sonicwall
device which is not to impact any of the system as at present and to
terminate at the servers and no further into the LAN.
On the Site there is a Backup Dc, 2 Application servers, 60 Pc and routers.
The Dc, Servers and printers on the site have static IP addresses and the Pc
are Dhcp. The Sonicwall it to be used solely for a VPN connection in with no
outgoing traffic.
The Sonicwall internal IP address is 10.240.16.6
The Servers have 2 NIC one for the LAN and One for the Sonicwall.
Nic1 (LAN) = 10.240.16.12 Mask 255.255.255.0 Gateway 10.240.16.1
Nic 2 (Sonicwall) = 10.240.16.8 Mask 255.255.255.0
Like this I cannot VPN to the server, but if I add The Sonicwall address to
the gateway box in the Nic2 configuration I can VPN to the server and login
with the Local Admin Account. Unfortunately I cannot Login with my Domain
Account and neither can the users.
Is there a way to add the static route that gets over his problem? Something
like
“Route add 10.240.16.6 mask 255.255.255.255 10.240.16.12†or won't that work?
Thanks
John

 

You can't. when you successfullt connect the VPN and it works properly the
whole LAN is available. That has always been the "weak point" of all the
Hardware VPN Appliances.

It takes a product like ISA Server operating as a VPN Server to control this. It
will control access based on the user account. You can restrict as tightly as
"one particular user, ...to one particular host, ...using one particular
protocol, ...to one particular time of day on the clock.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

 

And even when you put them in different IP subnets you will still have
problems with default gateway settings. A machine can only have on dg per
machine, not one per interface. The VPN will work if you set the dg to go
out through the Sonicwall, but the server will lose its normal Internet
connection through the LAN router. (Not to mention the name resolution
problems with multihomed servers).

The LAN and Sonicwall NICs should be in different subnet, for example
10.240.16.0/24 and 10.241.16.0/24. This case study may help,

Troubleshooting ipconfigCannot use the 2nd NIC. Symptom: You have two
computers and each one has two NICs. You are using the first NIC with
192.168.1.0/24 to connect the Internet ...
http://www.chicagotech.net/troubleshootingipconfig.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
Hi
I have a quick question about static routes. I have been asked to supply a
VPN solution to access 2 servers for support purposes using a Sonicwall
device which is not to impact any of the system as at present and to
terminate at the servers and no further into the LAN.
On the Site there is a Backup Dc, 2 Application servers, 60 Pc and
routers.
The Dc, Servers and printers on the site have static IP addresses and the
Pc
are Dhcp. The Sonicwall it to be used solely for a VPN connection in with
no
outgoing traffic.
The Sonicwall internal IP address is 10.240.16.6
The Servers have 2 NIC one for the LAN and One for the Sonicwall.
Nic1 (LAN) = 10.240.16.12 Mask 255.255.255.0 Gateway 10.240.16.1
Nic 2 (Sonicwall) = 10.240.16.8 Mask 255.255.255.0
Like this I cannot VPN to the server, but if I add The Sonicwall address
to
the gateway box in the Nic2 configuration I can VPN to the server and
login
with the Local Admin Account. Unfortunately I cannot Login with my Domain
Account and neither can the users.
Is there a way to add the static route that gets over his problem?
Something
like
"Route add 10.240.16.6 mask 255.255.255.255 10.240.16.12" or won't that
work?
Thanks
John

 

The Application Servers are solely used to run an application and serve this
via terminal services to the users, They have no access to the internet
through these servers. The printers for the sessions are on the DC.

If I set the DG to the IP address of the sonicwall what impact will it have
on user verification and printing?

Sorry I've been dropped into this with little knowledge if infrastructures!

John

 

The basic problem is that you are trying to use VPN to do a job that it
was not designed for. As Phillip pointed out, VPN is designed to make the
remote client perform as if it was actually on the private network. For that
reason it gets access to all the machines on the LAN.

If you put a second NIC in the server, it really should be in a
different IP subnet from the LAN NIC. This second NIC would need to be
connected to a different hub/switch from the LAN NIC. The second NIC in the
servers and the Sonicwall internal IP would then be in their own subnet on
their own network (with the Sonicwall as the default gateway for this LAN).
You would then make a VPN connection to the Sonicwall and would be able to
see the two servers only.

The big problem remaining is name resolution. As soon as you put two
NICs in a machine you have two IP addresses associated with its name. This
causes all sorts of problems (and is why Microsft recommends that you do not
multihome DCs). It is workable if the LAN machines always use the LAN IP and
"external" users always the other IP. This isn't as easy as it might seem.
For instance, accessing printers on the LAN will be tricky because they
often rely on Netbios names and/or the browser service.

You could probably make it easier for yourself if you could set up the
VPN to the Sonicwall, then connect by Remote Desktop or TS client to the
servers over the VPN connection.

 

That is exactly what i want to do! but the only way I can get a Ts client
to attach to the server is to have the Sonicwalls IP in the Default gateway
in Nic2.

John

 

This is what you said:
---------------
I have a quick question about static routes. I have been asked to supply a
VPN solution to access 2 servers for support purposes using a Sonicwall
device which is not to impact any of the system as at present and to
terminate at the servers and no further into the LAN.
---------------

You said,..."No futher into the LAN"

I said,.....
-------------------
You can't. When you successfully connect the VPN and it works properly the
whole LAN is available. That has always been the "weak point" of all the
Hardware VPN Appliances.
-------------------

So this is the situation,...unless you throw out the Sonicwall and use a better
product like ISA Server for the job,...it **will** go further into the LAN than
just the one machine you want to target.

So that leaves two questions:

1. Do you still want to do it anyway even though the access will be to the
entire LAN?

2. If the answer to #1 is yes,...then what is the LAN Topology designed like so
that the routing can be set up propterly.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

 

Hi Phillip,

I have been told that I have been set up to fail! The IT departmant of the
company involved are trying to get me to fail so they don't loose face.

I think that the best way forward is to forget what constraints they have
set and to give them a finished solution that will work!

Ok, Firstly I will get rid of NIC2 in both servers and work with a single in
both. and connect the Sonicwall to the LAN Switch.

I will allow full network access to the VPN clients.

The Default Gateway on the network shall remain 10.24.16.1.

The Sonicwall shall remain 10.240.16.6 and the servers will stay
10.24.16.10/10.24.16.12/10.24.16.14. The Pcs addresses are via DHCP and are
there to run terminal Sessions to 10.24.16.10 and 10.24.16.12. The Pc's also
run citrix sessions to there head office which allows them access to
Word/Excel, the internet and mail and routes there printing back up to there
local printers

The Backup domain controller is 10.24.16.14 and this runs the printers and
DHCP server.

John

 

Hi Phillip,

I have been told that I have been set up to fail! The IT departmant of the
company involved are trying to get me to fail so they don't loose face.

I think that the best way forward is to forget what constraints they have
set and to give them a finished solution that will work!

Ok, Firstly I will get rid of NIC2 in both servers and work with a single in
both. and connect the Sonicwall to the LAN Switch.

I will allow full network access to the VPN clients.

The Default Gateway on the network shall remain 10.24.16.1.

The Sonicwall shall remain 10.240.16.6 and the servers will stay
10.24.16.10/10.24.16.12/10.24.16.14. The Pcs addresses are via DHCP and are
there to run terminal Sessions to 10.24.16.10 and 10.24.16.12. The Pc's also
run citrix sessions to there head office which allows them access to
Word/Excel, the internet and mail and routes there printing back up to there
local printers

The Backup domain controller is 10.24.16.14 and this runs the printers and
DHCP server.

John

 

You can do that. It sounds pretty much correct. You would only partially
succeed with the original requirements because it won't limit LAN access to the
VPN Client

Or you could buy/learn/understand ISA server,...succeed completely in the
requirements and make the other IT guys look like idiots.

However,..remember!,...according to one of your ealier posts, you are dealing
with Terminal Services here,...that is important!!! Even if you restrict
access to only the Terminal Server by using something like ISA,...once the user
connects to the Terminal Server they have complete total access to the LAN via
the Terminal Server itself,...they can see and get to anything the Terminal
Server is capable of seeing or getting to.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or
anyone else associated with me, including my cats.
-----------------------------------------------------

 

Thanks Phillip!

I will not be able to get back into there site till monday next week. Once
there I will see if i can get it to work and post an update.

I've ordered an ISA book so i will get some reading done after this is
finished.

Thanks Again.

John

 

Thanks for all your help over this,

I got it sorted by attaching the Sonicwall to the directly to the Lan and
setting it so that it could only attach to the IP addresses of the servers
that I wanted to use.

John