Routes

Discussion in 'Server Networking' started by Buzz, Apr 12, 2007.

  1. Buzz

    Buzz Guest

    Hi
    I have a quick question about static routes. I have been asked to supply a
    VPN solution to access 2 servers for support purposes using a Sonicwall
    device, which is not to impact any of the systems as at present and is to
    terminate at the servers and go no further into the LAN.
    On the site there is a backup DC, 2 application servers, 60 PCs and routers.
    The DC, servers and printers on the site have static IP addresses and the PCs
    are DHCP. The Sonicwall is to be used solely for a VPN connection in, with no
    outgoing traffic.
    The Sonicwall internal IP address is 10.240.16.6.
    The servers have 2 NICs, one for the LAN and one for the Sonicwall.
    NIC1 (LAN) = 10.240.16.12 Mask 255.255.255.0 Gateway 10.240.16.1
    NIC2 (Sonicwall) = 10.240.16.8 Mask 255.255.255.0
    Like this I cannot VPN to the server, but if I add the Sonicwall address to
    the gateway box in the NIC2 configuration I can VPN to the server and log in
    with the local Admin account. Unfortunately I cannot log in with my domain
    account and neither can the users.
    Is there a way to add a static route that gets over this problem? Something
    like
    "Route add 10.240.16.6 mask 255.255.255.255 10.240.16.12" or won't that work?
    Thanks
    John
     
    Buzz, Apr 12, 2007
    #1

  2. You can't. When you successfully connect the VPN and it works properly the
    whole LAN is available. That has always been the "weak point" of all the
    Hardware VPN Appliances.

    It takes a product like ISA Server operating as a VPN Server to control this. It
    will control access based on the user account. You can restrict as tightly as
    "one particular user, ...to one particular host, ...using one particular
    protocol, ...to one particular time of day on the clock."

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
    Phillip Windell, Apr 12, 2007
    #2

  3. Bill Grant

    Bill Grant Guest

    And even when you put them in different IP subnets you will still have
    problems with default gateway settings. A machine can only have one dg per
    machine, not one per interface. The VPN will work if you set the dg to go
    out through the Sonicwall, but the server will lose its normal Internet
    connection through the LAN router. (Not to mention the name resolution
    problems with multihomed servers.)

    The LAN and Sonicwall NICs should be in different subnets, for example
    10.240.16.0/24 and 10.241.16.0/24. This case study may help:

    Troubleshooting ipconfig: Cannot use the 2nd NIC. Symptom: You have two
    computers and each one has two NICs. You are using the first NIC with
    192.168.1.0/24 to connect the Internet ...
    http://www.chicagotech.net/troubleshootingipconfig.htm


    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Bill Grant, Apr 13, 2007
    #3
  4. Buzz

    Buzz Guest

    The Application Servers are solely used to run an application and serve this
    via terminal services to the users, They have no access to the internet
    through these servers. The printers for the sessions are on the DC.

    If I set the DG to the IP address of the sonicwall what impact will it have
    on user verification and printing?

    Sorry, I've been dropped into this with little knowledge of infrastructures!

    John
     
    Buzz, Apr 13, 2007
    #4
  5. Bill Grant

    Bill Grant Guest

    The basic problem is that you are trying to use VPN to do a job that it
    was not designed for. As Phillip pointed out, VPN is designed to make the
    remote client perform as if it was actually on the private network. For that
    reason it gets access to all the machines on the LAN.

    If you put a second NIC in the server, it really should be in a
    different IP subnet from the LAN NIC. This second NIC would need to be
    connected to a different hub/switch from the LAN NIC. The second NIC in the
    servers and the Sonicwall internal IP would then be in their own subnet on
    their own network (with the Sonicwall as the default gateway for this LAN).
    You would then make a VPN connection to the Sonicwall and would be able to
    see the two servers only.

    The big problem remaining is name resolution. As soon as you put two
    NICs in a machine you have two IP addresses associated with its name. This
    causes all sorts of problems (and is why Microsoft recommends that you do not
    multihome DCs). It is workable if the LAN machines always use the LAN IP and
    "external" users always use the other IP. This isn't as easy as it might seem.
    For instance, accessing printers on the LAN will be tricky because they
    often rely on NetBIOS names and/or the browser service.

    You could probably make it easier for yourself if you could set up the
    VPN to the Sonicwall, then connect by Remote Desktop or TS client to the
    servers over the VPN connection.
     
    Bill Grant, Apr 14, 2007
    #5
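    The following is an added example, not code from the thread or from any of the posters. It simulates how a host picks a route (longest prefix first, then lowest metric) for each of the layouts discussed above: John's original two-NIC setup, his proposed host route, his "gateway box" workaround, a route for the VPN client pool only, and Bill's separate-subnet layout. The LAN, router, Sonicwall and NIC addresses are the ones given in the posts; the VPN client pool 192.0.2.0/24, the Internet host 198.51.100.1, the route metrics, and the Sonicwall's address in Bill's 10.241.16.0/24 subnet are assumptions, and the example further assumes Windows treats a gateway equal to the interface's own address as an on-link route.

```python
import ipaddress

# Added example, not code from the thread. Addresses below come from the
# posts: LAN 10.240.16.0/24, LAN router 10.240.16.1, Sonicwall 10.240.16.6,
# server NIC1 10.240.16.12 and NIC2 10.240.16.8; Bill's separate subnet
# 10.241.16.0/24. Everything else is an assumption and marked as such.

LAN_ROUTER = "10.240.16.1"
SONICWALL = "10.240.16.6"
NIC1_ADDR = "10.240.16.12"
NIC2_ADDR = "10.240.16.8"
VPN_POOL = "192.0.2.0/24"        # assumption: pool the Sonicwall gives VPN clients
VPN_CLIENT = "192.0.2.10"        # constructed: one client from that pool
INTERNET_HOST = "198.51.100.1"   # constructed: some host out on the Internet


def make_route(net, gateway, iface, metric=1):
    """One routing-table entry; gateway=None means the prefix is on-link."""
    return {
        "net": ipaddress.ip_network(net),
        "gw": ipaddress.ip_address(gateway) if gateway else None,
        "iface": iface,
        "metric": metric,
    }


def lookup(table, dst):
    """Route selection as an IP stack does it: the most specific prefix wins,
    and among equally specific prefixes the lowest metric wins. Returns
    (next_hop, interface), or None when no route matches."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    next_hop = best["gw"] if best["gw"] is not None else dst
    return (str(next_hop), best["iface"])


def reply_paths(table):
    """Where a reply to a VPN client and a packet to the Internet would leave."""
    return {
        "to_vpn_client": lookup(table, VPN_CLIENT),
        "to_internet": lookup(table, INTERNET_HOST),
    }


# 1. As posted: both NICs in 10.240.16.0/24, default gateway on NIC1 only.
#    Replies to VPN clients go to the LAN router, which knows nothing about them.
AS_POSTED = [
    make_route("10.240.16.0/24", None, "NIC1"),
    make_route("10.240.16.0/24", None, "NIC2"),
    make_route("0.0.0.0/0", LAN_ROUTER, "NIC1"),
]

# 2. John's proposed "route add 10.240.16.6 mask 255.255.255.255 10.240.16.12".
#    The gateway is NIC1's own address, which Windows treats as on-link, so this
#    is just a host route to the Sonicwall itself. It does not touch the path
#    that matters: replies to the VPN clients' addresses.
WITH_HOST_ROUTE = AS_POSTED + [make_route("10.240.16.6/32", None, "NIC1")]

# 3. John's workaround: a default gateway on NIC2 as well. A host uses one
#    default route at a time; the metrics here are constructed so the Sonicwall
#    wins. VPN replies now work, but Internet traffic also leaves via the
#    Sonicwall, which John says allows no outgoing traffic (Bill's point).
TWO_DEFAULT_GATEWAYS = [
    make_route("10.240.16.0/24", None, "NIC1"),
    make_route("10.240.16.0/24", None, "NIC2"),
    make_route("0.0.0.0/0", LAN_ROUTER, "NIC1", metric=20),
    make_route("0.0.0.0/0", SONICWALL, "NIC2", metric=10),
]

# 4. A route for the VPN client pool only, via the Sonicwall (assumes the pool
#    is known). The default gateway is untouched, so Internet traffic still
#    uses the LAN router.
WITH_POOL_ROUTE = AS_POSTED + [make_route(VPN_POOL, SONICWALL, "NIC2")]

# 5. Bill's layout: NIC2 and the Sonicwall on their own subnet 10.241.16.0/24
#    (the Sonicwall's address in that subnet is an assumption). The server
#    still needs the pool route; the separate subnet removes the ambiguity of
#    two NICs sharing one prefix.
SEPARATE_SUBNET = [
    make_route("10.240.16.0/24", None, "NIC1"),
    make_route("10.241.16.0/24", None, "NIC2"),
    make_route("0.0.0.0/0", LAN_ROUTER, "NIC1"),
    make_route(VPN_POOL, "10.241.16.6", "NIC2"),
]

if __name__ == "__main__":
    for name, table in [("as posted", AS_POSTED), ("host route", WITH_HOST_ROUTE),
                        ("two default gateways", TWO_DEFAULT_GATEWAYS),
                        ("pool route", WITH_POOL_ROUTE),
                        ("separate subnet", SEPARATE_SUBNET)]:
        print(f"{name:22} {reply_paths(table)}")
```

    The point the simulation makes is that the route John needs is for the addresses the VPN clients arrive from, not for the Sonicwall's own address, and that a second default gateway only "works" by sending every non-local packet, Internet traffic included, to the Sonicwall.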
  6. Buzz

    Buzz Guest

    That is exactly what I want to do! But the only way I can get a TS client
    to attach to the server is to have the Sonicwall's IP in the Default Gateway
    in NIC2.

    John
     
    Buzz, Apr 16, 2007
    #6
  7. This is what you said:
    ---------------
    I have a quick question about static routes. I have been asked to supply a
    VPN solution to access 2 servers for support purposes using a Sonicwall
    device which is not to impact any of the system as at present and to
    terminate at the servers and no further into the LAN.
    ---------------

    You said,..."No further into the LAN"

    I said,.....
    -------------------
    You can't. When you successfully connect the VPN and it works properly the
    whole LAN is available. That has always been the "weak point" of all the
    Hardware VPN Appliances.
    -------------------

    So this is the situation,...unless you throw out the Sonicwall and use a better
    product like ISA Server for the job,...it **will** go further into the LAN than
    just the one machine you want to target.

    So that leaves two questions:

    1. Do you still want to do it anyway even though the access will be to the
    entire LAN?

    2. If the answer to #1 is yes,...then what is the LAN Topology designed like so
    that the routing can be set up properly?


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Apr 16, 2007
    #7
  8. Buzz

    Buzz Guest

    Hi Phillip,

    I have been told that I have been set up to fail! The IT department of the
    company involved are trying to get me to fail so they don't lose face.

    I think that the best way forward is to forget what constraints they have
    set and to give them a finished solution that will work!

    Ok, firstly I will get rid of NIC2 in both servers and work with a single NIC in
    both, and connect the Sonicwall to the LAN switch.

    I will allow full network access to the VPN clients.

    The Default Gateway on the network shall remain 10.24.16.1.

    The Sonicwall shall remain 10.240.16.6 and the servers will stay
    10.24.16.10/10.24.16.12/10.24.16.14. The PCs' addresses are via DHCP and are
    there to run terminal sessions to 10.24.16.10 and 10.24.16.12. The PCs also
    run Citrix sessions to their head office, which allows them access to
    Word/Excel, the internet and mail, and routes their printing back up to their
    local printers.

    The Backup domain controller is 10.24.16.14 and this runs the printers and
    DHCP server.

    John
     
    Buzz, Apr 16, 2007
    #8
  10. You can do that. It sounds pretty much correct. You would only partially
    succeed with the original requirements because it won't limit LAN access to the
    VPN Client

    Or you could buy/learn/understand ISA server,...succeed completely in the
    requirements and make the other IT guys look like idiots.

    However,..remember!,...according to one of your earlier posts, you are dealing
    with Terminal Services here,...that is important!!! Even if you restrict
    access to only the Terminal Server by using something like ISA,...once the user
    connects to the Terminal Server they have complete total access to the LAN via
    the Terminal Server itself,...they can see and get to anything the Terminal
    Server is capable of seeing or getting to.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft, or
    anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Apr 17, 2007
    #10
  11. Buzz

    Buzz Guest

    Thanks Phillip!

    I will not be able to get back into their site till Monday next week. Once
    there I will see if I can get it to work and post an update.

    I've ordered an ISA book so I will get some reading done after this is
    finished.

    Thanks Again.

    John
     
    Buzz, Apr 17, 2007
    #11
  12. Buzz

    Buzz Guest

    Thanks for all your help over this,

    I got it sorted by attaching the Sonicwall directly to the LAN and
    setting it so that it could only attach to the IP addresses of the servers
    that I wanted to use.

    John
     
    Buzz, Apr 25, 2007
    #12