Small Business Server Support Forum    
Subject: Need to set up site to site VPN without ISA, any insights before I start?
Sol Rodriguez
United States
Member since
7/21/2006

Silver Membership
Posts: 12

6/16/2008 08:22 PM  
Hello,
 
After doing extensive research, it seems that our network configuration which has a small Linksys router at the network edge (as recommended for SBS by many including ISA guru Tom Shinder) will not work when trying to set up a Site to Site VPN for the network on the internal NIC side of SBS. It also seems that my only two options (if I don't want my ISA at the network edge) are to bring in a second dedicated internet connection/line (which is not recommended by some: Tony Su) or to use a hardware firewall and remove ISA.
 
I'm leaning toward using a hardware firewall and removing ISA, but I'm concerned about how SBS and all the services on SBS like RWW, Sharepoint, Exchange will react. 
 
Any thoughts, insights, guides, etc?
 
Thanks in advance.
 
Sol
Eriq Neale
Texas, USA
Member since
5/3/2005

Microsoft MVP
Posts: 2071

6/17/2008 02:26 PM  
Sol -

This all really depends on what you're using on the remote end to initiate the VPN connection. If you're trying to do a hardware point-to-point, then yes, you're going to have issues with ISA. When ISA is in the mix, it must be the endpoint for a VPN tunnel, as it's the gatekeeper of what passes from the external NIC to the internal NIC.

That being said, I have set up a rather complex network with 4 sites and the client wanted everything to route through ISA for Internet connectivity. We did set up a separate dedicated Internet connection in parallel with ISA and set up a hardware device on that connection that acted as the VPN endpoint for the other three sites. We configured that device so it ONLY allowed VPN traffic in and out on its connection, and all other traffic routed through ISA. It works very well for the client, but we also went through and did a lot of work to ensure that the traffic was limited as expected. This operation is subject to HIPAA regulations, and we were still able to put it in place successfully. The real beauty of the solution is that when he is ready to bring in additional remote sites, we don't have to reinvent the wheel at the host site. We simply tie another VPN endpoint to the second line at the main site and make adjustments to a couple of routing tables and none of the existing connections are affected.

A couple of other comments:
1. A small Linksys router is fine in front of ISA, but I would certainly not count on that to protect my network if you did choose to remove ISA from the network.
2. Reconfiguring SBS 2003 to use a single NIC instead of ISA is not that difficult, and will not adversely impact RWW, sharepoint, Exchange, etc.
3. If you are wanting to bring in a business-class hardware firewall to sit at the edge of your network and act as the VPN endpoint, you will have to change your SBS server to be a single-NIC solution in addition to removing ISA. In all actuality, ISA isn't really the limiting factor here, it's using the SBS box as a firewall in general, ISA or not.

HTH...

-Eriq

Eriq Neale - Small Business Specialist, SBS MVP, Mac Guru
EON Consulting LLC www.eonconsulting.net
Author of Microsoft Small Business Server 2003 Unleashed
Listen to eOnCall at AIRtunZ or visit www.eoncall.com.

Sol Rodriguez
United States
Member since
7/21/2006

Silver Membership
Posts: 12

6/18/2008 06:19 PM  
Thanks Eriq.  It looks like we'll be looking at a hardware appliance at the network edge and removing ISA.
Sol Rodriguez
United States
Member since
7/21/2006

Silver Membership
Posts: 12

7/23/2008 02:16 AM  
We've decided to make the network edge firewall a standalone ISA 2004 box since I have experience with ISA. Are there any guides/articles on using ISA 2004 and SBS 2003 in this manner? I've found articles on setting up ISA 2004 in a domain that doesn't use SBS, but I haven't found any about setting up ISA 2004 in an SBS domain where ISA was in a standalone box.

I heard SBS 2008 will be required to be set up as a single NIC box with a standalone/hardware firewall. Are there any articles on best practices or concerns? What about any insights or comments from some of you here at SmallBizserver.net?

Thanks in advance.
Marina Roos
The Netherlands
Member since
3/24/2005

Forum Admins
Posts: 12181

8/31/2008 02:54 AM  
Hi Sol,
 
Have you tried isaserver.org for clues?

Marina Roos - Smallbizserver.Net Administrator