[itdiscuss] PPTP VPN

Kevin Brunson kevinb at highergroundtech.com
Wed Nov 4 13:40:13 EST 2009


Bill,
I would install IAS on your LAN (this can go on your AD server without any real security concerns) and then use RADIUS auth for your VPN clients.  That way you don't have to make the VPN server a domain member and you will only have to open the RADIUS ports for authentication from the VPN server to your DC.
Most firewalls allow routing between the DMZ and LAN, so you could just let the VPN clients route between firewall ports, with firewall rules allowing or disallowing traffic flow.
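As an added illustration of the two designs discussed in this thread (not code from any of the posters), the following Python models the DMZ-to-LAN firewall policy for a domain-joined VPN server and for the RADIUS-only design, then reports which domain-controller services a compromised VPN server could still reach. The addresses, the rule format and the port lists are constructed assumptions.

```python
"""Audit DMZ->LAN firewall rules for a PPTP VPN server (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # source host address, or "any"
    dst: str    # destination host address, or "any"
    proto: str  # "tcp" or "udp"
    port: int

# Assumption: default Windows ports for a domain controller; the dynamic RPC
# range a domain member also needs is omitted for brevity.
AD_SERVICES = {
    ("tcp", 88): "Kerberos", ("udp", 88): "Kerberos",
    ("tcp", 135): "RPC endpoint mapper", ("tcp", 389): "LDAP",
    ("tcp", 445): "SMB", ("tcp", 3268): "Global Catalog",
}
# Standard RADIUS ports (RFC 2865/2866); the legacy 1645/1646 pair is also common.
RADIUS_SERVICES = {("udp", 1812): "RADIUS auth", ("udp", 1813): "RADIUS acct"}

VPN_SERVER = "192.0.2.10"  # constructed: PPTP endpoint in the DMZ
DC = "192.0.2.130"         # constructed: domain controller running IAS on the LAN

# Design 1: VPN server joined to the domain, so every AD protocol is opened to the DC.
DOMAIN_MEMBER_POLICY = [Rule(VPN_SERVER, DC, p, port) for (p, port) in AD_SERVICES]
# Design 2 (Kevin's suggestion): workgroup VPN server, RADIUS to the DC only.
RADIUS_ONLY_POLICY = [Rule(VPN_SERVER, DC, p, port) for (p, port) in RADIUS_SERVICES]

def reachable_services(policy, src, dst):
    """Map (proto, port) -> service name for everything `src` may reach on `dst`."""
    known = {**AD_SERVICES, **RADIUS_SERVICES}
    return {
        (r.proto, r.port): known.get((r.proto, r.port), f"{r.proto}/{r.port}")
        for r in policy
        if r.src in (src, "any") and r.dst in (dst, "any")
    }

def exposed_ad_services(policy, src, dst):
    """AD services a compromised `src` could reach on `dst` through the firewall."""
    reach = reachable_services(policy, src, dst)
    return sorted({name for key, name in reach.items() if key in AD_SERVICES})

def overly_broad_rules(policy):
    """Rules that use 'any' on either side instead of pinning VPN server and DC."""
    return [r for r in policy if "any" in (r.src, r.dst)]

if __name__ == "__main__":
    for label, policy in (("domain member", DOMAIN_MEMBER_POLICY), ("RADIUS only", RADIUS_ONLY_POLICY)):
        print(f"{label}: AD services exposed DMZ -> DC: {exposed_ad_services(policy, VPN_SERVER, DC) or 'none'}")
```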


From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com
Sent: Wednesday, November 04, 2009 12:20 PM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] PPTP VPN

So you would open up the AD IP ports from the DMZ to the LAN so that the VPN client can authenticate?  How do you get the client to tunnel from the DMZ to the LAN so that the client can gain access to LAN services?  Usually you set up RRAS in Windows for PPTP, so would you use the RRAS server as a router as well, with two NICs?  Finally, if you set it up as a virtual machine, where would that machine "actually" reside in your ESX farm?



Bill Lloyd
IT Manager

2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604 Ext.: 250
Fax:     770-417-1747
Cell:     404-379-6963

blloyd at buskercom.com
From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Bobby Stewart
Sent: Wednesday, November 04, 2009 12:17 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] PPTP VPN

We use Kevin's method of having a separate server (except for the DMZ part) and the PPTP endpoint server is a virtual machine so there wasn't any additional hardware outlay.

Bobby Stewart
Network Analyst
Brentwood Baptist Church
Brentwood, TN
WWW.BrentwoodBaptist.com
(615) 324-6149 office
(615) 830-0012 cell

From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of Kevin Brunson
Sent: Wednesday, November 04, 2009 8:36 AM
To: 'IT Discussion Forum'
Subject: Re: [itdiscuss] PPTP VPN

Any port you have forwarded from your firewall to a domain controller is a direct attack vector into your domain controller, and thus into AD.  If you have it going to an independent server (either member server or workgroup), at least you have another step in the process.  They have to take significantly more control of a server to use it as a jumping off point to the rest of your network than they do to gain some piece of data residing directly on the server.
Even better, stick it in a DMZ, and then only open the ports users will really need between the DMZ and the LAN.

From: discuss-bounces at itdiscuss.org [mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com
Sent: Wednesday, November 04, 2009 7:06 AM
To: discuss at itdiscuss.org
Subject: [itdiscuss] PPTP VPN

Just wondering, if I set up a PPTP VPN server on a domain controller, do you think that is any more insecure than setting it up on an independent server?


Bill Lloyd
IT Manager

2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604 Ext.: 250
Fax:     770-417-1747
Cell:     404-379-6963

blloyd at buskercom.com