
We need a VPN for our office so people can connect and access files, etc. Currently we have a Netgear router with VPN capability but Netgear's ProShare VPN client (as far as I can tell) doesn't support Win7.

So instead I suggested we use our Win SBS 2K8 server that already provides remote desktop access (Terminal Services Gateway) to also be a VPN end point using Routing and Remote Access. My manager said he previously tried setting that up and it seriously mucked up the network; desktops lost connectivity, couldn't access shared files, etc. He believes that the SBS server can't be the RRAS at the same time our Netgear router is the main router and gateway for our subnet. This doesn't really make sense to me and I'm guessing there was some other problem in the setup (DHCP, DNS, default routes, etc.) that was causing the problem.

Can we have our SBS server be a VPN endpoint while also using the Netgear router as our public gateway, firewall and router for our subnet?

Thanks
Dan

  • Any reason you are not wanting to use RWW? Trying to avoid getting an SSL cert? http://blogs.technet.com/b/sbs/archive/2009/06/25/sbs-2008-introduction-to-remote-web-workplace.aspx – Malnizzle Jun 29 '10 at 13:56
  • We are using RWW, we already have an SSL cert, we do use remote desktop where appropriate, but in this case we actually do _need_ VPN access. – Dan Jun 29 '10 at 18:05

2 Answers


Why don't you just use RDP to connect the users to the server or their workstations and avoid trying to pull files over the VPN connection?

joeqwerty
  • Or VPN then RDP. With just RDP you are punching a bunch of custom RDP ports in, unless you have a jumpbox, which seems excessive. – Malnizzle Jun 29 '10 at 13:55
  • A bunch of custom RDP ports? How so? SBS has the RWW, which should make this very easy. – joeqwerty Jun 29 '10 at 14:06
  • Agreed on RWW, but your answer didn't make any mention of RWW, and if you did RDP ports without RWW, you'd have custom RDP ports. I think we are in agreement though that the answer should be RWW if it's possible. – Malnizzle Jun 29 '10 at 14:27
  • @Malnizzle: True enough. I assumed the OP was aware of RWW and would know what I meant. Thanks for clarifying. – joeqwerty Jun 29 '10 at 14:32
  • Wow, you guys are really in love with everything other than VPNs. Thanks for the suggestions, but we do use RDP and can copy files using the TS client, but we also have the need for a VPN and have direct access to files and other resources by remote computers. – Dan Jun 29 '10 at 18:11

The main problems with putting RRAS on an SBS installation come from the inherent fact that you're turning the SBS machine into a multihomed host. This isn't a "supported" configuration for SBS 2008 (and has, historically, been a pain in all prior versions of SBS).

Multihomed domain controllers are a pain, because the RRAS address gets registered in DNS (which can be prevented), and clients end up trying to reach the RRAS adapter's address. While this should work, in theory, it usually causes problems. (Multihomed DC's aren't "supported" by Microsoft either, if I recall properly.)

You're going to have the best time if you can terminate your VPN on some machine other than the SBS Server. If you don't mind using something like OpenVPN you could easily host the VPN on another machine running Windows (a Server version, if you want more than 10 incoming client connections and to be "license-legal"-- but, at that point, why not just use RRAS?) or Linux.

A WINNER IS YOU!

Congratulations on being my 1337th question answered. Your question was, indeed, 1337.

Evan Anderson
  • Thank you Evan for answering the question. After a little research I found another post with more details. http://forums.techarena.in/active-directory/1231884.htm – Dan Jun 30 '10 at 14:22
  • You know, I didn't make the point of mentioning that this was my 1337th question answered. I'd been meaning to in the lead-up to 1337 but completely forgot. I guess I'll drop on an edit. – Evan Anderson Jun 30 '10 at 19:02
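
The symptom described in the answer above (the RRAS adapter's address getting registered in DNS under the server's name, so clients try to reach it) can be checked for by comparing the A records for the server against the addresses it is supposed to have. This is an added example, not part of the original thread; the host names, addresses and the `extra_records` helper are constructed for illustration.

```python
import ipaddress
import socket
from collections import defaultdict

# Constructed sample data: hypothetical server "sbs01.example.local" whose LAN
# adapter is 192.168.1.10; 192.168.50.1 stands in for an RRAS adapter address.
SAMPLE_RECORDS = [
    ("sbs01.example.local", "192.168.1.10"),
    ("sbs01.example.local", "192.168.50.1"),
    ("example.local", "192.168.1.10"),   # A record for the AD domain name itself
    ("example.local", "192.168.50.1"),
    ("ws07.example.local", "192.168.1.57"),
]
EXPECTED = {
    "sbs01.example.local": {"192.168.1.10"},
    "example.local": {"192.168.1.10"},
}


def resolve_a_records(hostname):
    """Live lookup: IPv4 addresses the local resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def extra_records(records, expected):
    """Return {name: [addresses]} for A records not in the expected set.

    records  -- iterable of (name, address) pairs, e.g. from a zone export
    expected -- {name: set of addresses the name is supposed to resolve to}
    """
    found = defaultdict(set)
    for name, addr in records:
        found[name.lower()].add(ipaddress.ip_address(addr))
    report = {}
    for name, addrs in expected.items():
        want = {ipaddress.ip_address(a) for a in addrs}
        extra = sorted(found[name.lower()] - want)
        if extra:
            report[name] = [str(a) for a in extra]
    return report


if __name__ == "__main__":
    for name, addrs in extra_records(SAMPLE_RECORDS, EXPECTED).items():
        print(f"{name}: unexpected A record(s) {', '.join(addrs)}")
    # On a real network, feed live answers instead of the sample:
    #   live = [(n, a) for n in EXPECTED for a in resolve_a_records(n)]
```

An empty result means every checked name resolves only to its expected LAN address.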