Firewall Wizards mailing list archives

RE: Looking for a PVN-only server to put behind the firewll


From: Ben Nagy <bnagy () cpms com au>
Date: Wed, 6 Oct 1999 10:09:21 +0930

At first glance, I thought this reply was Just Dumb (tm). After all, IIS
doesn't have any VPN functionality - it's just a webserver (of questionable
merit).

I'll get back to the second glance in a while.

Your biggest problem is likely to be your NAT. I've actually played with the
little NetGear boxes before and the NAT implementation isn't very good - try
to get MS network browsing to work via (their) NAT for example. 

Firstly, since you're using dynamic NAT, that will blow any VPN that uses IP
transports other than TCP (there goes PPTP, IPSec etc). Static NAT, or at
least a combination of static and dynamic is required for those, since
dynamic NAT (as someone succinctly pointed out last time this was kicked
around) uses TCP ports to multiplex the connections. Cisco can do it. With
your hardware - well, YMMV.

Someone posted to one of these lists a while ago looking for a TCP-based VPN
solution - that might work. Maybe. Grep the archives and you might have some
luck.

Now back to IIS. If your main aim is to access files etc, you probably
_could_ set up something with IIS. IIS will let your users authenticate
using your NT domain stuff, and you could use SSL for encryption. There's
even a web connector for Exchange, if that's your email platform. All in
all, at the second glance, it didn't sound so dumb. You could at least look
into it, I agree.

BIG DISCLAIMER: However, I am _not_ recommending IIS, especially not in a
public forum where the main focus is security. Then again, I wouldn't call a
NetGear router a firewall, either.

Cheers,

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520 

-----Original Message-----
From: Myles_Keough () corpsoft com [mailto:Myles_Keough () corpsoft com]
Sent: Tuesday, 5 October 1999 11:37 PM
To: Steven W. Engle
Cc: firewall-wizards () nfr net; sengle () dhtinc com
Subject: Re: Looking for a PVN-only server to put behind the firewll


Have you looked into MS IIS?  It sounds like you're a MS shop and if that's the
case IIS would be a great fit.



Looking for recommendations for a private virtual network "server"
(95/98/NT software or "network appliance") to place on the internal
network side of a firewall.

Objective is to have external/Internet users, via software on their
Win 95/98/NT laptop / PC and their standard connection to the
Internet, to be able to mount shares being made available by the
corporate NT server on the internal network. The firewall would allow
external connections to tunnel through it to the internal VPN server.
The VPN server would handle authentication, data encryption /
decryption, addressing / routing, etc.

The way I see it, the remote user's PC/Laptop would appear as a node
on the internal network and would have access to all devices on the
internal network.

So far all the solutions I have found are associated with full-blown
firewalls - this is not an option due to cost and skill constraints
on part of the end user organization. All that is needed is a
PVN-only solution with maintenance limited to adding/deleting users and
delivering software to remote end users.

BTW: The "firewall" is a NetGear RH348 ISDN Router with Dynamic NAT
turned on. It supports tunneling one external IP address (the
router's) to an internal network IP address.

Thanx!
--
Steven W. Engle                          Voice: (281) 333-9085
Diversified High Technologies, Inc.        Fax: (281) 333-9087
1350 NASA Road One, Suite 105           http://www.dhtinc.com/
Houston, TX  77058                    mailto:sengle () dhtinc com
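
Added example, not part of the original e-mails: a simplified Python model of the port-multiplexing behaviour the reply attributes to dynamic NAT, showing why GRE (the PPTP data channel, IP protocol 47) and ESP (IPSec, IP protocol 50) only pass where a static mapping exists. The class, its fields and all addresses are constructed for illustration and do not describe the NetGear implementation.

```python
from dataclasses import dataclass, field

TCP, UDP, GRE, ESP = 6, 17, 47, 50      # IANA IP protocol numbers
PORT_BASED = {TCP, UDP}                 # protocols that carry a port field

@dataclass
class DynamicNat:
    """Toy many-to-one NAT (assumed model, not any vendor's code)."""
    public_ip: str
    static_hosts: dict = field(default_factory=dict)  # proto -> internal IP
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (proto, ip, port) -> public port
    in_map: dict = field(default_factory=dict)   # (proto, public port) -> (ip, port)

    def outbound(self, proto, src_ip, src_port=None):
        """Return the translated (ip, port), or None if the packet is dropped."""
        if proto in PORT_BASED:
            key = (proto, src_ip, src_port)
            if key not in self.out_map:
                # Each internal flow gets its own public port: the multiplexer.
                self.out_map[key] = self.next_port
                self.in_map[(proto, self.next_port)] = (src_ip, src_port)
                self.next_port += 1
            return (self.public_ip, self.out_map[key])
        # GRE/ESP have no port field, so there is nothing to multiplex on.
        # Only a host with a static mapping for that protocol gets through.
        if self.static_hosts.get(proto) == src_ip:
            return (self.public_ip, None)
        return None

    def inbound(self, proto, dst_port=None):
        """Return the internal (ip, port) a reply is delivered to, or None."""
        if proto in PORT_BASED:
            return self.in_map.get((proto, dst_port))
        host = self.static_hosts.get(proto)
        return (host, None) if host else None

def demo():
    nat = DynamicNat("203.0.113.1")                   # constructed addresses
    a = nat.outbound(TCP, "192.168.0.10", 1025)       # two hosts, same source port
    b = nat.outbound(TCP, "192.168.0.11", 1025)
    gre = nat.outbound(GRE, "192.168.0.10")           # PPTP data channel
    mixed = DynamicNat("203.0.113.1",
                       static_hosts={GRE: "192.168.0.5", ESP: "192.168.0.5"})
    return a, b, gre, nat.inbound(GRE), mixed.inbound(GRE), mixed.inbound(ESP)

if __name__ == "__main__":
    print(demo())
```
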






