[itdiscuss] PPTP VPN

Bobby Stewart bStewart at brentwoodbaptist.com
Wed Nov 4 15:56:41 EST 2009


At present we are still using Virtual Server 2005 and our virtualization
is pretty limited. We've got three non-domain-controller AD member
servers operating on the host. The host is providing no services other
than providing the VM platform but is also a member server, principally
for administrative authentication.

 

The VPN endpoint server also serves as a SMTP smart host forwarding mail
to our exchange server. PPTP is facilitated by passing port 1723 traffic
from our outside firewall interface routing it to our endpoint server's
primary interface running RRAS. RRAS in turn routes clients through a
DHCP assigned address on the same NIC as the primary interface of the
server and passes DHCP information from our AD Domain controller (which
also provides DNS as all domain controllers do) to the clients for their
own address once the VPN is set up.

 

It's all quite painless and, frankly, one of the most stable things I've
been able to accomplish on a Windows server.

 

In the past I didn't have the luxury of a second server, virtual or not.
In that case, even back to Windows Server 4 and 2000, I've terminated
PPTP traffic on the domain controller. I agree, maybe not the best
practice but, it is effective and, of all the attack vectors I've had
exposed over the years, the profile on this one seems extremely small.

 

Bobby Stewart
Network Analyst
Brentwood Baptist Church
Brentwood, TN
WWW.BrentwoodBaptist.com
(615) 324-6149 office

(615) 830-0012 cell
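The thread turns on where the PPTP listener lives (domain controller versus member server or DMZ host) and what else shares that box. The following PowerShell check is an added example, not something from any of the posters: run locally on a Windows VPN endpoint, it reports the host's domain role, whether RRAS is running, and whether the PPTP (TCP 1723) and SMTP (TCP 25) listeners the setup above describes are present. It assumes a Windows host with PowerShell 3.0 or later and rights to query WMI and netstat.

```powershell
# Added example (not from the thread): inventory what a Windows VPN endpoint
# exposes and whether it is also a domain controller.
function Get-VpnEndpointExposure {
    # Win32_ComputerSystem.DomainRole: 3 = member server, 4/5 = domain controller
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4

    # "RemoteAccess" is the service name of Routing and Remote Access (RRAS)
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasRunning = ($null -ne $rras) -and ($rras.Status -eq 'Running')

    # Listening TCP ports the setup in the thread puts on one box:
    # 1723 = PPTP control channel, 25 = SMTP smart host
    $netstat = netstat -ano
    $listening = @{}
    foreach ($port in 1723, 25) {
        $pattern = ":$port\s+\S+\s+LISTENING"
        $listening[$port] = [bool]($netstat | Select-String -Pattern $pattern)
    }

    # Kevin's point in the thread: an inbound port on a DC is a direct path to AD
    if ($isDc -and $listening[1723]) {
        $finding = 'PPTP terminates on a domain controller; move RRAS to a member server or DMZ host'
    } elseif ($listening[1723]) {
        $finding = 'PPTP terminates on a member server; limit DMZ-to-LAN ports to what clients need'
    } else {
        $finding = 'No PPTP listener found on this host'
    }

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        DomainRole         = $role
        IsDomainController = $isDc
        RrasRunning        = $rrasRunning
        PptpListening      = $listening[1723]
        SmtpListening      = $listening[25]
        Finding            = $finding
    }
}

Get-VpnEndpointExposure | Format-List
```

The PPTP data channel (GRE, IP protocol 47) does not show up in netstat's TCP listing, so the firewall rules for it need to be reviewed separately.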

 

 

From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com
Sent: Wednesday, November 04, 2009 12:20 PM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] PPTP VPN

 

So you would open up the AD IP ports from the DMZ to the LAN so that the
VPN client can authenticate?  How do you get the client to tunnel from
the DMZ to the LAN so that the client can gain access to LAN services?
Usually you set up RRAS in Windows for PPTP, so would you use the RRAS
server as a router as well, with two NICs?  Finally, if you set it up as
a virtual machine, where would that machine "actually" reside in your
ESX farm?

 

 

Bill Lloyd 
IT Manager

 

2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604 Ext.: 250
Fax:     770-417-1747
Cell:     404-379-6963

blloyd at buskercom.com

This email and any accompanying attachments may contain confidential and
proprietary information. If you are not the intended recipient, you are
requested to delete this entire communication immediately. Emails cannot
be guaranteed to be secure or free of errors or viruses. The sender does
not accept any liability or responsibility for any problems that may
result from emails you receive.

From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Bobby Stewart
Sent: Wednesday, November 04, 2009 12:17 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] PPTP VPN

 

We use Kevin's method of having a separate server (except for the DMZ
part) and the PPTP endpoint server is a virtual machine so there wasn't
any additional hardware outlay.

 

Bobby Stewart
Network Analyst
Brentwood Baptist Church
Brentwood, TN
WWW.BrentwoodBaptist.com
(615) 324-6149 office

(615) 830-0012 cell

 

From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Kevin Brunson
Sent: Wednesday, November 04, 2009 8:36 AM
To: 'IT Discussion Forum'
Subject: Re: [itdiscuss] PPTP VPN

 

Any port you have forwarded from your firewall to a domain controller is
a direct attack vector into your domain controller, and thus into AD.
If you have it going to an independent server (either member server or
workgroup), at least you have another step in the process.  They have to
take significantly more control of a server to use it as a jumping off
point to the rest of your network than they do to gain some piece of
data residing directly on the server.  

Even better, stick it in a DMZ, and then only open the ports users will
really need between the DMZ and the LAN.     

 

From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of blloyd at buskercom.com
Sent: Wednesday, November 04, 2009 7:06 AM
To: discuss at itdiscuss.org
Subject: [itdiscuss] PPTP VPN

 

Just wondering, if I set up a PPTP VPN server on a domain controller, do
you think that is any more insecure than setting it up on an independent
server?

 

Bill Lloyd 
IT Manager



2567 Athens Hwy.
Gainesville, GA 30507
Phone: 770-417-1604 Ext.: 250
Fax:     770-417-1747
Cell:     404-379-6963

blloyd at buskercom.com

