Internet through VPN


Guest Thomas Raasch
Posted

Hi,

I have an SBS2003 at location A. RRAS is activated there and fully functional. With VPN I can connect to location A from a location B with a Windows XP client. Everything works fine - too fine for me... My problem is that the XP-Client at location B also has access to the Internet connection of location A!

Because of my bad English I will explain it clearly with IPs:

At location B the XP-Client has the IP 192.168.0.10
There is a router with IP 192.168.0.1
The router is the gateway for that XP-Client

The SBS at location A has the IP 10.0.0.2
There is also a router with IP 10.0.0.1
The router is the gateway for this network

When I run a

tracert www.google.com

on the XP-Client, the first IP reached is the local router (192.168.0.1) - so far so good -

When I now connect from location B through VPN to location A, then the XP-Client at B, of course, gets a 2nd network connection named "VPN-Test". With this connection XP changes its default gateway to the 10.0.0-Subnet! When I now run a

tracert www.google.com

then the first IP reached is the router of location A!

So every XP-Client uses the Internet connection of location A as long as it is connected through VPN! They do not use their own local router!

I know I can easily change the checkbox "Use default gateway on remote network" on every XP-Client to solve this problem. But that's not enough security! It is still possible to have access to the Internet from an XP-Client through the VPN. So it is still possible that a user on one XP-Client changes this option back to its default and so uses the Internet connection of my SBS2003. And further - I don't have access to every XP-Client, so I cannot be sure that every client has this option set well.

So now finally my question: what do I have to set up on my SBS2003 so that the VPN-Clients are not allowed to use the Internet connection of my SBS2003?

The VPN-Clients get their IPs from the SBS's own DHCP and also use the SBS's own DNS...

The VPN-Clients need access to the SBS2003 server as well as to the rest of the network at location A! The XP-Clients from location B need access to some clients in the network of location A! Otherwise it would be possible to deactivate the routing option of the RRAS - but not in my case.

Thanks for your help

Thomas
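What the two tracert results in the post above correspond to in the client's routing table, as an added example that is not part of the original post: the script parses `route print` output and reports whether Internet-bound traffic leaves through the VPN interface. The sample tables and the VPN-assigned address 10.0.0.205 are constructed, and 10.0.0.0/24 is assumed for the location A subnet.

```python
import ipaddress

# Constructed sample: "route print" excerpt from the XP client at location B,
# VPN up with "Use default gateway on remote network" ticked.
# 10.0.0.205 is an assumed VPN-assigned address, not a value from the thread.
VPN_UP = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10       21
          0.0.0.0          0.0.0.0       10.0.0.205      10.0.0.205        1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10       20
"""
# Constructed sample: same client with the checkbox cleared (split tunnel).
SPLIT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.10       20
         10.0.0.0        255.0.0.0       10.0.0.205      10.0.0.205        1
      192.168.0.0    255.255.255.0     192.168.0.10    192.168.0.10       20
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # section title or column header
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            gw, iface = (ipaddress.ip_address(p) for p in parts[2:4])
            routes.append((net, gw, iface, int(parts[4])))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes

def egress_interface(routes, dest):
    """Interface of the winning route: longest prefix, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[0]]
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))[2]

def internet_uses_vpn(route_print_text, vpn_net="10.0.0.0/24"):
    """True if traffic to a public address leaves via the VPN interface."""
    iface = egress_interface(parse_routes(route_print_text), "8.8.8.8")
    return iface in ipaddress.ip_network(vpn_net)

if __name__ == "__main__":
    print(internet_uses_vpn(VPN_UP), internet_uses_vpn(SPLIT))
```

The check only describes the client's current setting; since a user can change the checkbox back, it does not replace filtering on the server side.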

Guest Anthony [MVP]
Posted

Re: Internet through VPN

 

Thomas,

I don't know what firewall you are using, but you could block outbound connections from the IP addresses assigned by the RRAS connection.

Anthony,

http://www.airdesk.com


Guest Thomas Raasch
Posted

Re: Internet through VPN

 

 

"Anthony [MVP]" <anthony@no-reply.com> schrieb im Newsbeitrag

news:uBz1eRZ$IHA.1016@TK2MSFTNGP03.phx.gbl...

> Thomas,

> I don't know what firewall you are using, but you could block outbound

> connections from the IP addresses assigned by the RRAS connection,

> Anthony,

> http://www.airdesk.com

 

Hi,

Till now I don't use any special firewall. I thought that the Windows-integrated firewall on the SBS was active - but it's not... When I try to configure the firewall it says that "ipnat.sys" is in use :(

The Windows Firewall service is deactivated.

The router also has an internal firewall, but there is no option to configure this firewall - you can only activate or deactivate it.

Maybe I should install a "good" software firewall on the SBS?! Do you have any suggestions?

Greetings


Guest Bill Grant
Posted

Re: Internet through VPN


Thomas,

You really should post your question in an SBS newsgroup. SBS does not behave like a standard Windows server and must be configured in its own way. Try

microsoft.public.windows.server.sbs

The problem with the firewall settings is a standard RRAS message though. You cannot configure the internal firewall if you are running RRAS as a NAT router (ipnat.sys).


Guest Thomas Raasch
Posted

Re: Internet through VPN

 

 

"Bill Grant" <not.available@online> schrieb im Newsbeitrag

news:eUZOhIe$IHA.4816@TK2MSFTNGP06.phx.gbl...

>

> You really should post your question in an SBS newsgroup. SBS does not

> behave like a standard Windows server and must be configured in its own way.

> Try

>

> microsoft.public.windows.server.sbs

 

 

OK, I put the same post in that group.

Thanks

Guest Anthony [MVP]
Posted

Re: Internet through VPN

 

Thomas,

I would install a good hardware firewall between the SBS and the Internet (unless you have SBS Premium with ISA, but I think you would have said if you have).

Anthony,

http://www.airdesk.com

