This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Setting a Microsoft VPN server in the DMZ: how?

I wish to know if anyone has tried such configuration before.
A VPN server in the DMZ (reasonably a MS machine) connected to another VPN server (definitely a MS one) through Internet.

The documentation I found at the MS site (http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dnsbj_ips_schx.asp) states:” you need to open port 500 (ISAKMP) and 4500 (ISAKMP over NAT-T) but also enable protocols 50 (ESP) and 51 (AH)”.

The first two are easy to do, but: what about the latter ones (ESP and AH)?

They are surely enabled by default if we are going to use the VPN service included with ASL, but what is the situation if the server is a third box placed in the DMZ?

Any idea is warmly welcome!

friscom

This thread was automatically locked due to age.

Parents

0 omega over 21 years ago

Maybe going to definitions->Services and define an Service with ah and esp as protocol with default spi-entries is what you want to use for a later packet rule ?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 omega over 21 years ago

Maybe going to definitions->Services and define an Service with ah and esp as protocol with default spi-entries is what you want to use for a later packet rule ?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 friscom over 21 years ago in reply to omega

I wish you were right!

I give a try but would it be possible that also Astaro people have a look at my message and clarify this matter?

friscom
Cancel
Vote Up 0 Vote Down

Cancel
0 omega over 21 years ago in reply to friscom

[ QUOTE ]
I wish you were right!

I give a try but would it be possible that also Astaro people have a look at my message and clarify this matter?

friscom

[/ QUOTE ]

You really should try. And if it does not work, tell why it does not work, by posting packetfilter.log etc.
Cancel
Vote Up 0 Vote Down

Cancel
0 friscom over 21 years ago in reply to omega

Well,
Here I am after I deployed the suggested changs in the FW configuration in order to accommodate the VPN server in the DMZ.

The ports opened were as per the specified ones in my initial post, then AH and ESP protocols were included in a group service in order to create the appropriate rule.
Interestingly, the VPN server, that can also act as an initiator, needs to have a DNAT rule to accomplish the purpose of a bi-directional connection.
I mean: opening the incoming connection with a DNAT rule is not enough; it must be done also the reverse.

In my specific situation, the server has a "public" address" that had to be aliased on the external interface. Because of that a simple masquerading is not possible whilst a DNAT for the server in the DMZ to the aliased interface is.

I have been suggested to apply a routing instead, using a spare public address and apply a subnet in order to have a subnet address in the DMZ compatible with the original server address.
This sounded new to me and I wish to share somebody's opinion (and experience) to understand how that can be managed.

If the configuration is not clear, just let me know and I'll try with a sketch.

BTW, does anybody know some general purpose router mailing list where such topics can be shared?

Thanks in advance,
friscom

PS: a note for VelvetFog: the VPN server in the DMZ is justified by the needing to manage a remote VPN concentrator for some tens of VPNs installations, possibly supported (on the other sides) with networks protected by FW that are not necessarily ASL ones...
Cancel
Vote Up 0 Vote Down

Cancel