VPN solution for a small business

[CanonCam]

I have the possibility of taking a new job with a smaller company as their Network Administrator. I'm used to having HUGE IT budgets and using high-end corporate hardware.

They are looking to implement a VPN for their sales reps, who travel throughout the country. Basically, they would like to see the reps be able to access thier customer database and intranet from whatever hotel or WiFi spot they happen to be in. They have about 60 computers at their home office and 8 total servers. They already have a firewall and router in place on their T1. I don't know what models of hardware they have, but they are not able to VPN with it, as far as they know. What would you put in place to facilitate VPN access to the sales reps?

 

[JRock]

http://openvpn.net/ ?

 

[Genx87]

Windows 2003 has a VPN server that seems to work fine for me.

 

[CanonCam]

Originally posted by: Genx87
Windows 2003 has a VPN server that seems to work fine for me.

Will it allow VPN to other parts of the network? Their Exchange Server is running Windows 2003, so that is a possibility.

 

[Genx87]

Originally posted by: CanonCam

Originally posted by: Genx87
Windows 2003 has a VPN server that seems to work fine for me.

Will it allow VPN to other parts of the network? Their Exchange Server is running Windows 2003, so that is a possibility.

Guess it depends on what you mean by networks. I setup AD and all of the machines are part of the same subnet. You can specify a default router for the clients when they connect that should be able to route you to other subnets.

It is pretty simple to setup and windows users can easily setup and get onto the network.

 

[CanonCam]

Well, it's a really basic network. There are less than 100 network devices, so they are all on the same network. I would just need the 2003 server to be able to allow remote users to access the client info DB.

 

[blemoine]

Will it allow VPN to other parts of the network?

it will be like they were plugged into the local network. so anything they could access on the lan they can access on the vpn. How many clients would you have connecting through the vpn? you may not want to burden your exchange server with that role. also if your exchange server goes down (updates or repairs or a viruss) then your remote users are not connecting. you can use a seperate vpn server like ipcop or clarkconnect. both are free and run on old equipment. Openvpn is another alternative.

Server 2003 vpn works great but be careful with downtime. microsoft products seem to go down when you least expect it. good luck

 

[Genx87]

Originally posted by: CanonCam
Well, it's a really basic network. There are less than 100 network devices, so they are all on the same network. I would just need the 2003 server to be able to allow remote users to access the client info DB.

Like blemoine said, anything that can be seen on your LAN will be seen from the VPN client. I also would take his suggestion about not using your exchange server as the VPN server.

 

[SagaLore]

Just for kicks, I was successfully able to configure a Linksys VPN Router and another laptop with IPSEC rules that connected to that. It worked great - for the most part the vpn was rather transparent, basically any traffic that needed to access that subnet would route through the tunnel rather than to my default gateway.

 

[CanonCam]

Originally posted by: Genx87

Originally posted by: CanonCam
Well, it's a really basic network. There are less than 100 network devices, so they are all on the same network. I would just need the 2003 server to be able to allow remote users to access the client info DB.

Like blemoine said, anything that can be seen on your LAN will be seen from the VPN client. I also would take his suggestion about not using your exchange server as the VPN server.

Yeah, I was thinking that, too. The Exchange server works hard enough, it doesn't need another element thrown in the mix to cause downtime.

I'm considering setting up a FreeBSD or RedHat box and running that as a VPN server. I know they have a few old machines laying around that could run that with possibly just a memory boost.

 

[blemoine]

going with something free like linux and available old machines you can configure several boxes the same way and then you have a hot spare. talk about make everyones life alot easier.

 

[spidey07]

Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

 

[CanonCam]

Originally posted by: spidey07
Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

That's definitely an option. Like I said, though, I'm not sure what they have in place, and since they are looking for a VPN solution, I would hope that they knew what their router and firewall are already capable of. The current guy, who's leaving the first week of Nov, does know his stuff, so I guess I'm assuming that their router doesn't have VPN support.

 

[spidey07]

Most all routers and firewalls offer VPNs. Its almost required functionality these days.

 

[CanonCam]

Thanks, I'll see what they have and then figure out what's holding them up from running it.

 

[cmetz]

CanonCam, get a PIX 506E if the users are running Windows. The Cisco VPN client is the best I've seen. You want sales guys in the field to have stuff that is as idiot proof as you can, because they ARE, well, sales guys.

 

[p0lar]

Originally posted by: cmetz

<snip>

The Cisco VPN client is the best I've seen.

<snip>

:shocked::shocked::shocked:

 

[Brazen]

Originally posted by: spidey07
Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

Unless its a SonicWall.

 

[spidey07]

Originally posted by: Brazen

Originally posted by: spidey07
Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

Unless its a SonicWall.

I remember they were very popular in the early 2000s. I really liked them.

The they have a penchant for flaking out? Haven't heard of much from them.

 

[n0cmonkey]

Originally posted by: spidey07
Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

So do high quality PCs. Especially when you get seamless high availability failovers. :evil:

 

[spidey07]

Originally posted by: n0cmonkey

Originally posted by: spidey07
Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

So do high quality PCs. Especially when you get seamless high availability failovers. :evil:

Yeah, but I can't stick a terminal to it and assign an IP address.

Therefor it isn't a real network device.

 

[n0cmonkey]

Originally posted by: spidey07

Originally posted by: n0cmonkey

Originally posted by: spidey07
Use the VPN on the router or firewall?

Depending on the model it should perform well.

Plus it doesn't have the hassles of a PC based system, it will always work.

So do high quality PCs. Especially when you get seamless high availability failovers. :evil:

Yeah, but I can't stick a terminal to it and assign an IP address.

Therefor it isn't a real network device.

Assign an ip address to the terminal, or just to the machine? If it's just the machine, sure you can. Attaching a laptop or something through a serial cable is increadibly easy.

 

[spidey07]

You're not getting me Noc.

14 years of attaching a serial cable and typing a few things has me spoiled.

 

[n0cmonkey]

Originally posted by: spidey07
You're not getting me Noc.

14 years of attaching a serial cable and typing a few things has me spoiled.

By all means, continue using what works for you. But there is some select (typically the server stuff) i386 hardware out there that allows you to connect a serial cable and access everything. Including the BIOS. The main problems are this hardware is typically harder to find and it often has CPUs as underpowered as the ones Cisco puts in their stuff.

Of course, there is also firmware based machines (from Sun, Apple :Q, and HP). I haven't tried doing this with my dual athlon machine yet, although I plan to sometime in the future.

 

[cmetz]

n0cmonkey, exactly which PC server hardware has a completely, non-kluge, and non-buggy serial console function? I'd really like to buy a few racks full of those.