Network GURUS.. Is this possible with VPN?

mboy

Diamond Member
Jul 29, 2001
Ok, kind of along the lines of last post. Hopefully someone can help with this one. This is what I am trying to accomplish, not sure if possible.

Equipment:
Frame relay T1 -- Netopia 5300 router, SonicWall Pro 200 firewall --- switches (5 x 24-port 10/100 unmanaged) --- LAN

Using the SonicWall VPN client, would it be possible to connect a remote computer to the actual domain itself? Say, for example, the owner of the company has a 5mb connection (OOL cable) at home and wants to log into the domain with his work laptop at home.
Is this possible? NO webserver or anything. Basically log into the network like he was dialing up to the RAS server to access the network, but use broadband through the internet in an encrypted tunnel instead of just dialing up with a 19kb connection.

If this is even possible, would the firewall be the actual endpoint?
Any advice on trying to get it going? I have a few public IPs free that I can route.

Spidey07, Jack, Tallgheese, Garion, SML, Scottmac, any of you network masters?

Thanks.

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
I believe that is a workable setup. If anything, the timing of when the computer tries to actually log into the domain can be a problem.

You boot the computer and at some point it wants the user to log in (to the domain); this usually happens before the VPN connection, so you get an error resembling "Unable to find the Domain Controller"... "Unable to Authenticate"... something like that.

There is a workable sequence and setup, I just don't know what it is (I use a VPN, but don't use Domain authentication). I'm also not familiar with the SonicWall firewall or VPN client.

I'm pretty sure you have a good setup; this is the kind of thing that VPNs were designed to do. I don't think the Domain login thing is even that big of a deal, but I wanted to bring it out because I know some folks have seen it happen. It may even be addressed in a FAQ on the SonicWall site....

Good Luck

Scott



spidey07

No Lifer
Aug 4, 2000
Sure it's possible. When you complete your VPN connection there should be some sort of "log on to domain" setting. Check the setup and documentation of your VPN client.

Woodie

Platinum Member
Mar 27, 2001
Yes. Setup of the VPN client is key:

MS has designed W2K/XP to use the Dial-Up Networking setup to enable Domain Logons while the client is not connected. So, set up the VPN connection as a DUN connection.

Then, when the user wants to dial in, have them do a domain logon, and check the "logon using DUN" box. It should then prompt the user to select the DUN connection they want to use, and go ahead and initiate the connection, and follow it with a domain logon, which will trigger both User and Machine GPOs, etc....

mboy

Diamond Member
Jul 29, 2001
I am actually testing it on my Win2k rig at home which is NOT set to log into the domain. I am just trying to get the Phase 1 and 2 handshakes to work. I am so close; they at least see each other, but I cannot get Phase 1 completed. Well, I am going to bring home my domain laptop tonight and try it out over the weekend.
Thanks for the help fellas.

Keep throwing ideas out at me; if I can't get it to work, I will post my logs to see what's up. I think I can pull this off :)

Santa

Golden Member
Oct 11, 1999
I am learning how to do it right now on Checkpoint's Secure Remote VPN client. There is an option there for what they call SDL or Secure Domain Login which triggers a Domain Authentication after VPN authentication.

I have not successfully made it work yet, but one workaround that I have been able to do for Windows 2000 OS machines is to get them connected to the domain first (bring in the machine and add it to the domain).

Then, when they are at home, have them log into the machine using cached credentials, so when authenticated to the VPN they will pass the login they logged into their system with through to the domain.

So basically, because Windows 2000 has this cached credentials capability, you will be logging into the disconnected domain just to pass those authenticated credentials along when accessing a resource on your network via the VPN.

I would keep looking into the documentation for that client though, to see if there is a way to do a secure authentication with the VPN client, since the workaround I suggested will only work if the domain password does not change.

Tallgeese

Diamond Member
Feb 26, 2001
Cisco's VPN client supports Domain Auth on Win NT/2000/XP, using an option in the client software called "Start before logon".

Basically, it allows a user to initiate a VPN connection BEFORE they log in to the local machine.
Then, after the VPN connection is established, the credentials are sent to a domain controller for login. (paraphrasing from the Cisco help files, heh)

Other VPN client software may support a similar feature.

Another option: a SOHO router that supports VPN endpoint at the owner's house. Instead of client software on the laptop, the router itself would be the endpoint, and would open the tunnel automagically. Domain login is a snap then. SMC's SMC7004FW supports this feature as do many others.

*** NOTE: Best to check with vendors about interoperability before buying anything.

Garion

Platinum Member
Apr 23, 2001
A lot of it depends on your client PC. Windows 95/98/ME have the ability to initiate a domain login AFTER the VPN connects. NT/2K/XP can't, since you've already logged in.

Most of my experience has been with the Nortel Contivity VPN client. With an NT/2K/XP machine, it has the option of "running as a service". In this mode, you log in to your machine locally, connect to the VPN, then it immediately logs you out of the machine while the VPN is still connected. It takes you back to the login prompt, where you can log in to the domain just like you're at your desk PC. Works like a champ. Just make very sure your login script and GPOs aren't going to be too much bandwidth for a VPN connection.

That being said.. What does he want to do? Even if a machine isn't logged into a domain, you can still do most of the essentials. Map drives, open up Exchange, etc.

From the sounds of things, none of us have used the SonicWall VPN client. Check their site and read up on it, to figure out how to make it tick.

Edit: I think TG has, by far, the best idea. Convince them to go out and get another little SonicWall box, like their Tele3, for his house. It's about $420, and would make it a piece of cake for this guy to connect to the network. Sit down, plug in, turn on, and you're there. There are other solutions that might be slightly cheaper, but it's ALWAYS best to stick with one vendor.

- G

Tallgeese

Diamond Member
Feb 26, 2001
Originally posted by: Garion
There are other solutions that might be slightly cheaper, but it's ALWAYS best to stick with one vendor.
Amen and AMEN to that, brother, when talking about VPN equipment.

mboy

Diamond Member
Jul 29, 2001
You are dead on about getting a hardware solution for the remote endpoint of the VPN. The story is, my company could care less about the VPN, or anything even related to the matter, or spending any money on computing equipment.
Before I got there 11 months ago (this is my 1st IT gig), their place was/is a mess: P100 workstations, 10mb unswitched network (3 *nix based (SCO Unix and UnixWare, lol) and 5 NT servers) with 50 PCs or so.
I have since upgraded everything from the main file server, HR server, 10/100 switched network etc. and finally convinced them to drop the $$$ on a hardware firewall. They are completely happy dialing in to a RAS server and getting 19200 k/s. I, on the other hand, am convinced on bringing them into the 21st century, and the VPN thing is more for myself to learn how to implement it etc. So, I have no financial backing in it and have to make do with what I have. I have been reading a lot on the SonicWall stuff on their site and should hopefully have it completed by the weekend on my TEST laptop from work.
Thanks for all the help.
Wish I had the budgets some of you guys have (not to mention the knowledge). I can't help with the $$$, but I sure can do whatever I can to learn :)

I am close to making it work right now; I am having a problem with the initial handshake for some reason. All the settings appear to be ok on the surface, but something ain't right.

Santa

Golden Member
Oct 11, 1999
One thing you may want to be aware of is how your machine is getting resolution information.

Exchange works based on WINS resolution or NetBIOS resolution a lot, and if you can't get the name to IP then you're pretty much sunk.

One way to fix this is to place an entry in the Host table.. my preferred method for ease of administration is to have them point to your internal company WINS. VPN endpoints may or may not allow you to pass this information to your client at the other end, but just keep that in mind.

WINS traffic can sometimes get burdensome, but most times I don't see much of a performance hit at all.

Cisco does this automatically with their VPN client, but if you do an endpoint then again it's dependent on the type of box and the DHCP built into that box.
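The static name-resolution fallback Santa describes above (an entry in the host table when the VPN client cannot reach the company WINS server), as an added example that is not part of the original thread and not any vendor's software: a small Python parser and checker for entries in LMHOSTS format, the file Windows NT/2000 uses for static NetBIOS names alongside HOSTS. The sample file content, the host names DC1, FILESRV and ERPBOX, the addresses and the domain name CORP are constructed assumptions. The point it makes is that the domain controller line needs both #PRE and #DOM: the name has to be in the cache before logon, when no WINS query over the tunnel can be answered yet, and a typo in the address silently leaves the laptop without a DC.

```python
# Added example (not from the original thread): a checker for static NetBIOS
# name entries in LMHOSTS format, the "entry in the Host table" workaround
# for a VPN client that cannot reach the company WINS server. Whether a given
# VPN endpoint pushes WINS settings to the remote end is outside what this
# script can tell you; it only validates the static fallback file.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample LMHOSTS content. Addresses, host names and the domain
# name CORP are assumptions for this example, not values from the thread.
SAMPLE_LMHOSTS = """\
# LMHOSTS for the VPN laptop: static names so domain logon works without WINS
192.168.10.5     DC1        #PRE   #DOM:CORP   # domain controller
192.168.10.20    FILESRV    #PRE               # main file server
192.168.10.30    ERPBOX                        # resolved on demand, not preloaded
999.1.1.1        BADHOST    #PRE               # invalid address, must be rejected
"""

NETBIOS_MAX_NAME = 15  # NetBIOS host names are at most 15 characters
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class LmHostsEntry:
    ip: str
    name: str
    preload: bool = False          # #PRE: loaded into the name cache at boot
    domain: Optional[str] = None   # #DOM:<domain>: marks a domain controller


def valid_ipv4(addr: str) -> bool:
    m = IPV4.match(addr)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def parse_lmhosts(text: str) -> Tuple[List[LmHostsEntry], List[str]]:
    """Parse LMHOSTS text into (entries, errors).

    Format: '<ip> <name> [#PRE] [#DOM:<domain>] [# comment]'. The keywords
    #PRE and #DOM: are directives; any other token starting with '#' begins
    a comment that runs to the end of the line.
    """
    entries: List[LmHostsEntry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            errors.append(f"line {lineno}: expected '<ip> <name>'")
            continue
        ip, name = parts[0], parts[1].upper()
        if not valid_ipv4(ip):
            errors.append(f"line {lineno}: invalid IPv4 address {ip!r}")
            continue
        if len(name) > NETBIOS_MAX_NAME:
            errors.append(f"line {lineno}: NetBIOS name {name!r} longer than 15 chars")
            continue
        entry = LmHostsEntry(ip=ip, name=name)
        for tok in parts[2:]:
            upper = tok.upper()
            if upper == "#PRE":
                entry.preload = True
            elif upper.startswith("#DOM:") and len(upper) > 5:
                entry.domain = upper[5:]
            elif tok.startswith("#"):
                break  # trailing comment, ignore the rest of the line
        entries.append(entry)
    return entries, errors


def resolve(entries: List[LmHostsEntry], name: str) -> Optional[str]:
    """Static name-to-IP lookup, the step WINS would normally perform."""
    wanted = name.upper()
    for entry in entries:
        if entry.name == wanted:
            return entry.ip
    return None


def domain_logon_ready(entries: List[LmHostsEntry], domain: str) -> bool:
    """True if at least one DC for the domain is marked #DOM and preloaded,
    so the name is available before any WINS query over the tunnel could succeed."""
    wanted = domain.upper()
    return any(e.domain == wanted and e.preload for e in entries)


if __name__ == "__main__":
    entries, errors = parse_lmhosts(SAMPLE_LMHOSTS)
    for err in errors:
        print("rejected:", err)
    print("FILESRV ->", resolve(entries, "filesrv"))
    print("CORP logon ready:", domain_logon_ready(entries, "CORP"))
```

Run it as-is and the bad address is reported while the three valid names resolve; swap the sample text for a real LMHOSTS file to check a laptop's static entries before it leaves the office. Pointing the client at the internal WINS server over the tunnel, as the post prefers, makes this file a fallback rather than the primary mechanism.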

mboy

Diamond Member
Jul 29, 2001
MS Exchange, are you crazy :). My company is too damn cheap to even upgrade the 486 machine that one of our finance girls uses as her workstation :) They won't even give me $$ to build a basic MDaemon mail server; we have it hosted by our ISP.

All I really need it to do is get it to be able to view folders on our main file server, or log into our cryptic SCO/Unix (P150MHz piece of sh!t) that they manage their ENTIRE business on (ERP system).

Man, if the IT market was better, lol.... Anyone hiring in the Northern NJ/NYC area :)

Well, it's not bad for a first IT job; at least I can learn and figure stuff out even though the tech isn't very high tech at all here.

Tallgeese

Diamond Member
Feb 26, 2001
Originally posted by: mboy
Well, it's not bad for a first IT job; at least I can learn and figure stuff out even though the tech isn't very high tech at all here.
I think you'll get a better foundation in disciplined spending and true problem-solving, rather than just trying to throw money at every problem, which WAY too many folks in this line of work think is the only answer (fueled largely by ignorant or lazy developers and tech support, quite frankly).

Important lesson, no matter if you move to bigger environments or stick with smaller setups.

mboy

Diamond Member
Jul 29, 2001
Agreed. They won't spend money on any problem, though, until whatever system completely fails and they have no other option. Antivirus, for example. They wouldn't pay to upgrade their antivirus after the license ran out 6 months prior. Then they had 3-4 machines and 1 server infected. I was able to contain it within a couple of hours, but you better believe the next day they coughed up $3k for an up-to-date global antivirus solution. I try to spend my time fixing whatever I can there and spend my free time learning new tech where I can, without asking them to spend money, which they won't.

I think you can agree that it is very silly to be running a $15mm company on 486 and P100 (Win 98/95) machines with 32 and 64mb RAM in this day and age. They won't upgrade their software until it flat out won't run anymore.

We manufacture plastics. Their QA programs still run in DOS. Their ERP system, which is responsible for their invoices, sales orders, material orders, etc., is run on a P150 in a PC with the cover off the case that is based on SCO Unix. The company which they purchased the software from (developed in 1992) has not supported the version we have for 2 years now. That means I get NO SUPPORT from the vendor at all. If this server fails (which it will for certain), they are without invoices, inventory, etc. for at LEAST a month until newer hardware can be ordered and this vendor or a competitor comes in, installs their product and converts the databases. In addition, none of the modern vendors' software will run on our current workstations, so 30 or so need to be upgraded before that can even happen.
See where I am coming from?

At least by setting up this VPN, I get to see how the theory of VPN works and how it is implemented. Even if I am forced to do it half A$$ed!

Tallgeese

Diamond Member
Feb 26, 2001
Originally posted by: mboy
They won't spend money on any problem, though, until whatever system completely fails and they have no other option. See where I am coming from?
Not only do I see, I've been there. My previous employer was TERRIBLE in that regard (unless it involved laptops for the corporate executives..then NO EXPENSE was spared, of course). This was just one of the many reasons I no longer work there.

I've worked for a company for nearly 5 years that used to approach technology the exact same way. Luckily for me, they had decided to change their approach just after I came aboard (thanks to some important groundwork laid by the previous admin). We've worked very hard to maximize return on every technology investment.

Much to their surprise, the less miserly they have been when it's really needed, the more cost-effective the entire operation has been. Our budget has been running well under industry norms for our type of business, and they have been extremely supportive of our initiatives, seeing those kind of budgetary results.

Unfortunately, changing attitudes is a LOT harder than changing equipment, and my experience is that such attitudes rarely (if ever) change.

mboy

Diamond Member
Jul 29, 2001
WOW, you hit the laptop thing right on the head. Only the owner and his sons have new equipment (laptops less than 1 yr old). If I didn't know the last admin myself, I would have thought you worked at my company before me. I see you do understand. Well, I have upgraded where I have been able to (new servers using RAID 5 etc.), switches, new router. I guess I will wait it out until they do spend on stuff to upgrade. In the meantime, I am doing what I can to keep myself somewhat competitive in the job field and learn where I can. Including this VPN stuff, building my own Linux server with Apache, Samba, BIND, etc. at home. In addition, since we use NT 4 at work, setting up my own 2k Advanced Server and reconfiguring my LAN at home to log into it and use AD and learn that.

HypNoTic

Member
Mar 23, 2001
If you have a Windows box at both ends, why don't you simply run Terminal Services? For your boss, with his 5Mbps connection, it will be almost as fast as if he was directly connected in his office. In case you need a little more decent security, you can send your TS through an encrypted VPN or simply add IPSec to your TS connection. If you are much more crazy, set your VPN to authenticate on the firewall via Radius/Tacacs+, then create an SSH 2 tunnel to the server through a gateway and finally open an IPsec secured session; it's a real mess but it works. Just don't forget it remains a Windows box...

Just my $.02


-Hyp