Networking and VPN quandary

NickBizzle
Morning all

I have a situation where I need to add a VPN server or device to our network to facilitate iPhone (and other handset) connectivity to Exchange. Unfortunately, it's not that straightforward, as I have some caveats as well as security concerns over this.

I want to have the VPN server on a separate internet connection to our main company one. The main connection has a complex Sonicwall Firewall and VPN device on it both of which are on managed service contracts and hence cannot be altered. The Sonicwall VPN device uses a proprietary protocol which (surprise surprise) does not work on the iPhone. As far as I can find there is no app to facilitate this either.

I thought it may be possible to implement a Linux box to act as the VPN server, using a spare separate internet connection we have, that is also connected to our main comms, just as a backdoor option. And I think this is my main question...

Can I set up a Linux box (or other machine) with a different gateway address (a firewall that I do have scope to change) to that of our Exchange server (and hence all other servers and machines in the company) and still get VPN connectivity through that to Exchange? I'm sure I read somewhere that this would not work as the server has a different gateway address.

Alternatively, is there a different method? I have a plethora of spare machines, XP Pro etc., and I'm happy to install a Linux box.

Any help gratefully received, thank you all.
Dedlbug

I'm just curious, why is the VPN necessary for the iPhone / Exchange sync? I just am not seeing the need for the VPN here simply for iPhones. Maybe there is a security need or something, but using SSL on the Exchange server and making it available on the internet will allow all the iPhones to connect "hassle free"*. Do you know why the VPN is a requirement? Or rather, what does the managed service provider suggest for the iPhones?

*hassle free does not apply in 100% of the cases.

NickBizzle

We're attacked regularly and considerably on a daily basis.

The managed service provider is not being of particular help with the phones, other than suggesting additional equipment.

christianshiflet

I would suggest using SSL logins for your mobile devices as well as requiring a digital certificate to be locally installed on all mobile devices accessing your Exchange server. That way your security is not entirely dependent on passwords. This would remove your requirement for the VPN and ensure more than adequate security. You could even use a self-signed certificate if you have good control over client devices and a small enough user base.

As for the SonicWall, it (most likely) can be modified to not require their own VPN client, which would allow the iPhone to VPN into the device, but I really don't think that is a good solution (for any mobile device, not just the iPhone).

Let me know if this helps or you have further questions.

NickBizzle

Removal of the existing VPN is not really an option though, due to a multitude of existing VPN users and machines, plus site-to-site connectivity in place.

I just need a freebie phone solution that's still reasonably secure. If I open 1723 on the firewall and set up a PPTP VPN on the server I would have no problems, for example, but I just worry about opening that port.

christianshiflet

You don't have to remove the existing VPN. Do you have Outlook Web Access enabled through your firewall? If so, you would set up the phones to use the same address as OWA. If not, you open up the appropriate SSL port (on your firewall) to your Exchange server and let it handle authentication (both user and certificate validation). Your existing site-to-site and client remote access VPNs should be unaffected.

My comment about changing the existing VPN specifically refers to SonicWall devices, which can be set up to require their own GlobalVPN software to access the VPN. That requirement can be removed, which allows you to configure the VPN however you want.

Let me know if that makes sense or you have questions. Thanks.

NickBizzle

I think that's my way forward, or something similar.

OWA is enabled and is a shortcut once you log in to the VPN URL, so that's already in place. Phones can browse there already without a problem, but I'm focusing more on the syncing side.

I think your idea of opening that port is the likely resolution; similarly I was wondering about opening the PPTP port and having the server act as a VPN server too, purely for the phones, so the existing setup remains unaffected.

SSL's an option too, but I know less about it. What sort of certificate do I need, where from and how much? Our webserver has one; can that be used?

christianshiflet

Your web server's certificate probably won't work, as it should be specific enough to that machine not to authenticate other servers, but not knowing the specifics about the certificate I couldn't answer that. As for what kind of certificate and from where, that depends. The certificate itself could be obtained from a third party such as Thawte or VeriSign for a price. Since you are running Exchange you must have Windows Server installed. I know on Server 2003 and later you can install Certificate Authority services and generate your own self-signed certificates. Essentially you create the certificate, enable the certificate for your Exchange server, then install the certificate on any mobile devices that you want to allow access to your server.

The benefit of creating your own certificate is cost (obviously) and a bit more control over the specific syntax and such. The downside is that it won't be automatically trusted (hence why it must be installed manually on each device). As for instructions on doing all of this, Google is your friend. Just make sure to find instructions pertaining to your own Server, Exchange, and IIS versions and you should be fine.

I hope this helps. Let me know if you have questions.
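One way to check that the ActiveSync exposure ends up the way christianshiflet describes (HTTPS only, a client certificate required, and no PPTP listener facing the internet). This is an added example, not code from the thread; it assumes an Exchange version that ships the Exchange Management Shell (2007 or later, since Exchange 2003 has none), a Windows host with Test-NetConnection, and mail.example.com as a placeholder for the name the handsets connect to.

```powershell
# Added audit script (not from the thread). Assumptions: Exchange Management Shell
# (Exchange 2007 or later) for Get-ActiveSyncVirtualDirectory and
# Get-ExchangeCertificate; Test-NetConnection (Windows 8 / Server 2012 or later).
$ExternalHost = 'mail.example.com'   # placeholder: the external name the handsets use
$findings = @()

# 1. ActiveSync virtual directory: client certificate must be Required and the
#    external URL must be HTTPS, otherwise security rests on passwords alone.
foreach ($vd in Get-ActiveSyncVirtualDirectory) {
    if ($vd.ClientCertAuth -ne 'Required') {
        $findings += "$($vd.Identity): ClientCertAuth is '$($vd.ClientCertAuth)', expected 'Required'"
    }
    if ($vd.ExternalUrl -and $vd.ExternalUrl.Scheme -ne 'https') {
        $findings += "$($vd.Identity): ExternalUrl $($vd.ExternalUrl) is not https"
    }
}

# 2. The certificate bound to IIS: not about to expire. A self-signed one is
#    acceptable only if it has been installed on every handset, as discussed above.
foreach ($cert in Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }) {
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "IIS certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
    }
    if ($cert.IsSelfSigned) {
        $findings += "IIS certificate $($cert.Thumbprint) is self-signed; confirm it is trusted on each handset"
    }
}

# 3. Reachability from outside: 443 should answer, 1723 (PPTP) should not.
#    Run this section from a host on the internet, not from the LAN.
$https = Test-NetConnection -ComputerName $ExternalHost -Port 443 -WarningAction SilentlyContinue
if (-not $https.TcpTestSucceeded) { $findings += "TCP 443 on $ExternalHost is not reachable" }
$pptp = Test-NetConnection -ComputerName $ExternalHost -Port 1723 -WarningAction SilentlyContinue
if ($pptp.TcpTestSucceeded) { $findings += "TCP 1723 (PPTP) on $ExternalHost is open to the internet" }

if ($findings.Count -eq 0) {
    Write-Host "ActiveSync exposure for $ExternalHost matches the intended configuration"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

If the first check reports anything other than Required, Set-ActiveSyncVirtualDirectory with -ClientCertAuth Required is the setting to change, after the per-device certificates from the internal CA have actually been installed on the handsets.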

NickBizzle

You've been a great help.

Regards
Nick
