RADIUS authentication and VPN

By Blackcurrant ·
Hi

I am trying to set up remote access using a VPN connection. It is for staff who need to work from home using Win98SE, WinME, Win2k and WinXP Pro. They will be connecting to our network which comprises a single site Win2k/SBS server running AD. A Vigor 2600 ADSL router is set up at work for Internet access. Users will be connecting from home using broadband modems.

I am experimenting with this from my home machine first. So far, I can connect to the router and can see the shares on any machine. In order to do this I had to type \\ipaddress\sharename in I.E. Then I edited the LMHOSTS file and mapped ipaddress to hostname to make navigation easier. However, although I can access some of the shares, I receive Access Denied messages for those with restricted access, because I am not logged on to the domain.

My first question is: would setting up a RADIUS server on the domain controller be sufficient to provide authentication for users who dial in to the network, and indeed, is RADIUS the best way to go about it? The router has an option where a RADIUS address can be specified, so presumably I would tell it to go to the DC. Access is necessary for less than 20 users so the workload should be minimal. Also, only file data will be transferred through the VPN - all applications will be installed locally. Does anyone have any thoughts about this?

My second question regards email. We use Pegasus Mail at work, whereas nearly all the home users use Outlook Express on their home machines. I was thinking about setting up Pegasus Mail on their home machines and configuring it to use the VPN to access the mail. Alternatively, and I think the users would be happier with this, I could set up the master Pegasus Mail account to forward work mail to their personal accounts as soon as it is received so they can read their mail with Outlook. Is this a good thing to do?

All Comments

by Blackcurrant In reply to RADIUS authentication and ...

I am learning this as I go along (it's taken me ages just to see the shares on the remote network), so any comments about this will be gratefully received. Also, is there anything else which I need to take into consideration when implementing the VPN?

I look forward to reading some excellent answers and comments...

by CG IT In reply to RADIUS authentication and ...

You could use RADIUS if you want. Depends upon how much administration you want to do. If you're running SBS 2000 I assume you have ISA 2000 running as it comes with SBS 2000. Since ISA will handle authentication for remote inbound users through VPN, using Active Directory, RADIUS is overkill imo.

If you have SBS 2000, again, you've got Exchange 2000 as part of SBS 2000 [like ISA server, Exchange is part of the SBS package]. I would just use Exchange 2000.

by Blackcurrant In reply to

Hi CG IT, many thanks for your answer. I have reluctantly rejected your answer because although I know that your answer is essentially correct, setting up IAS on my DC has made no difference.

Presumably, I need to forward information from the router to the IAS server? I can find no information about this.

Does anyone know how this may be done, or even if this is the right thing to do??

I am at my wits' end trying to get this to work.

Thanks again.

by CG IT In reply to RADIUS authentication and ...

ISA or IAS?

ISA 2000 requires a couple of different things in configuration. If you're going to have internal services made available to external users you "publish" that service in ISA 2000 [run the publishing wizard]. Further, you need to create site and content rules and protocol rules [these 2 rules are required for access regardless if traffic is outbound or inbound]. For VPN on ISA you have to determine what VPN role ISA server will operate as: End Point [e.g. point to point between ISA and another VPN server], Accept VPN client connections [e.g. ISA acts as RRAS], etc.

The thing about ISA server is that to allow internal services to be accessible to external users, you have to publish that service. ISA then accepts those inbound requests on behalf of the internal service, retrieves the requested information, then provides it to the requestor. The inbound never actually connects to the service inside the LAN, therefore, as I said, you publish whatever service by running the publishing wizard so that ISA can accept connections for that service. Then you create site and content rules and protocol rules [site and content means who, what, where, when, with who determined by AD or whatever authentication you want, what is the service, when is the hours and days]. Protocol rules mean how [e.g. http, ftp, RPC, etc.].

That's why I say RADIUS is overkill with SBS2000, because ISA server 2000 is a part of SBS 2000 as is Exchange 2000. Both work with AD on the SBS2000 box.

by Blackcurrant In reply to

Thanks for answering. Please see my last two comments.

by CG IT In reply to RADIUS authentication and ...

I'll go on to say about forwarding info from router to ISA server: whatever service you want external users to access, you have to forward that service to the external interface on ISA server, e.g. port forwarding 80 for HTTP, port forwarding 21/20 for FTP, port 53 for DNS, port 1723 and 47 for PPTP, etc. You have to have a static IP address for the external interface on ISA server 2000 to map to forwarding.

by CG IT In reply to

Hmm, one suggestion didn't seem to post....

by Blackcurrant In reply to

Thanks for answering. Please see my last two comments.

by curlergirl In reply to RADIUS authentication and ...

OK - a comment and then I'm going to suggest maybe you want to go in a different direction.

Comment - I think you and CGIT are talking at cross-purposes. ISA and IAS are two entirely different things. CGIT is definitely talking about ISA server, not IAS. You need to figure out if you are talking about two entirely different things, or you are just dyslexic.

Now, my suggestion for a different direction would be to use your SBS server as a VPN server, rather than using the router as your VPN server. This would allow you to use Windows authentication rather than a more complicated setup like RADIUS. However, it does require that your users log on with domain accounts, so if that's not what you want, then you should continue with what you're doing. And I can't help you with RADIUS because I've never used it - hope someone else has.

Hope this helps!

by Blackcurrant In reply to

Thanks for answering. Please see my last two comments.
