Guest Thomas Raasch
Posted August 13, 2008

Hi,

I have an SBS2003 at location A.
There is RRAS activated and fully functional.
With VPN I can connect to location A from location B with a Windows XP client.
Everything works fine - too fine for me...
My problem is that the XP client at location B also has access to the Internet connection of location A!

Because of my bad English I will explain it clearly with IPs:

At location B the XP client has the IP 192.168.0.10
There is a router with IP 192.168.0.1
The router is the gateway for that XP client

The SBS at location A has the IP 10.0.0.2
There is also a router with IP 10.0.0.1
The router is the gateway for this network

When I run
tracert http://www.google.com
on the XP client, the first IP reached is the local router (192.168.0.1)
- so far so good -

When I now connect from location B through VPN to location A, the XP client at B, of course, gets a 2nd network connection named "VPN-Test".
With this connection XP changes its default gateway to the 10.0.0 subnet!
When I now run
tracert http://www.google.com
the first IP reached is the router of location A!

So every XP client uses the Internet connection of location A as long as it is connected through VPN! They do not use their own local router!
I know I can easily change the checkbox "Use default gateway on remote network" on every XP client to solve this problem. But that's not enough security! It is still possible to have access to the Internet from an XP client through the VPN. So it is still possible that a user on one XP client changes this option back to its default and so uses the Internet connection of my SBS2003. And further - I don't have access to every XP client, so I cannot be sure that every client has this option set correctly.

So now finally my question:
What do I have to set up on my SBS2003 so that the VPN clients are not allowed to use the Internet connection of my SBS2003?

The VPN clients get their IPs from the SBS's own DHCP and also use the SBS's own DNS...
The VPN clients need access to the SBS2003 server as well as to the rest of the network at location A! The XP clients from location B need access to some clients in the network of location A! Otherwise it would be possible to deactivate the routing option of RRAS - but not in my case.

Thanks for your help
Thomas

Guest Anthony [MVP]
Posted August 13, 2008

Re: Internet through VPN

Thomas,
I don't know what firewall you are using, but you could block outbound connections from the IP addresses assigned by the RRAS connection.
Anthony,
http://www.airdesk.com

"Thomas Raasch" <nospam@nospam.com> wrote in message news:#i87mgV$IHA.1180@TK2MSFTNGP04.phx.gbl...
> Hi,
>
> I have an SBS2003 at location A.
> There is RRAS activated and fully functional.
> With VPN I can connect to location A from location B with a Windows XP
> client.
> Everything works fine - too fine for me...
> My problem is that the XP client at location B also has access to the
> Internet connection of location A!
>
> Because of my bad English I will explain it clearly with IPs:
>
> At location B the XP client has the IP 192.168.0.10
> There is a router with IP 192.168.0.1
> The router is the gateway for that XP client
>
> The SBS at location A has the IP 10.0.0.2
> There is also a router with IP 10.0.0.1
> The router is the gateway for this network
>
> When I run
> tracert http://www.google.com
> on the XP client, the first IP reached is the local router (192.168.0.1)
> - so far so good -
>
> When I now connect from location B through VPN to location A, the
> XP client at B, of course, gets a 2nd network connection named "VPN-Test".
> With this connection XP changes its default gateway to the 10.0.0 subnet!
> When I now run
> tracert http://www.google.com
> the first IP reached is the router of location A!
>
> So every XP client uses the Internet connection of location A as long as
> it is connected through VPN! They do not use their own local router!
> I know I can easily change the checkbox "Use default gateway on remote
> network" on every XP client to solve this problem. But that's not enough
> security! It is still possible to have access to the Internet from an
> XP client through the VPN. So it is still possible that a user on one
> XP client changes this option back to its default and so uses the
> Internet connection of my SBS2003. And further - I don't have access to
> every XP client, so I cannot be sure that every client has this option
> set correctly.
>
> So now finally my question:
> What do I have to set up on my SBS2003 so that the VPN clients are not
> allowed to use the Internet connection of my SBS2003?
>
> The VPN clients get their IPs from the SBS's own DHCP and also use the
> SBS's own DNS...
> The VPN clients need access to the SBS2003 server as well as to the rest
> of the network at location A! The XP clients from location B need access
> to some clients in the network of location A! Otherwise it would be possible to
> deactivate the routing option of RRAS - but not in my case.
>
> Thanks for your help
> Thomas

Guest Thomas Raasch
Posted August 14, 2008

Re: Internet through VPN

"Anthony [MVP]" <anthony@no-reply.com> wrote in message news:uBz1eRZ$IHA.1016@TK2MSFTNGP03.phx.gbl...
> Thomas,
> I don't know what firewall you are using, but you could block outbound
> connections from the IP addresses assigned by the RRAS connection.
> Anthony,
> http://www.airdesk.com

Hi,

Until now I haven't used any special firewall.
I thought that the Windows-integrated firewall on the SBS was active - but it's not... When I try to configure the firewall it says that "ipnat.sys" is in use :(
The Windows Firewall service is deactivated.

The router also has an internal firewall, but there is no option to configure this firewall - you can only activate or deactivate it.

Maybe I should install a "good" software firewall on the SBS?!
Do you have any suggestions?

Greetings

Guest Bill Grant
Posted August 14, 2008

Re: Internet through VPN

"Thomas Raasch" <nospam@nospam.com> wrote in message news:OIZKL8d$IHA.5004@TK2MSFTNGP05.phx.gbl...
>
> "Anthony [MVP]" <anthony@no-reply.com> wrote in message
> news:uBz1eRZ$IHA.1016@TK2MSFTNGP03.phx.gbl...
>> Thomas,
>> I don't know what firewall you are using, but you could block outbound
>> connections from the IP addresses assigned by the RRAS connection.
>> Anthony,
>> http://www.airdesk.com
>
> Hi,
>
> Until now I haven't used any special firewall.
> I thought that the Windows-integrated firewall on the SBS was active - but
> it's not... When I try to configure the firewall it says that "ipnat.sys"
> is in use :(
> The Windows Firewall service is deactivated.
>
> The router also has an internal firewall, but there is no option to
> configure this firewall - you can only activate or deactivate it.
>
> Maybe I should install a "good" software firewall on the SBS?!
> Do you have any suggestions?
>
> Greetings

Thomas,

You really should post your question in an SBS newsgroup. SBS does not behave like standard Windows Server and must be configured in its own way. Try

microsoft.public.windows.server.sbs

The problem with the firewall settings is a standard RRAS message though. You cannot configure the internal firewall if you are running RRAS as a NAT router (ipnat.sys).

Guest Thomas Raasch
Posted August 14, 2008

Re: Internet through VPN

"Bill Grant" <not.available@online> wrote in message news:eUZOhIe$IHA.4816@TK2MSFTNGP06.phx.gbl...
>
> You really should post your question in an SBS newsgroup. SBS does not
> behave like standard Windows Server and must be configured in its own way.
> Try
>
> microsoft.public.windows.server.sbs

OK, I set the same post in that group.
Thanks

Guest Anthony [MVP]
Posted August 14, 2008

Re: Internet through VPN

Thomas,
I would install a good hardware firewall between the SBS and the Internet (unless you have SBS Premium with ISA, but I think you would have said if you have).
Anthony,
http://www.airdesk.com

"Thomas Raasch" <nospam@nospam.com> wrote in message news:OIZKL8d$IHA.5004@TK2MSFTNGP05.phx.gbl...
>
> "Anthony [MVP]" <anthony@no-reply.com> wrote in message
> news:uBz1eRZ$IHA.1016@TK2MSFTNGP03.phx.gbl...
>> Thomas,
>> I don't know what firewall you are using, but you could block outbound
>> connections from the IP addresses assigned by the RRAS connection.
>> Anthony,
>> http://www.airdesk.com
>
> Hi,
>
> Until now I haven't used any special firewall.
> I thought that the Windows-integrated firewall on the SBS was active - but
> it's not... When I try to configure the firewall it says that "ipnat.sys"
> is in use :(
> The Windows Firewall service is deactivated.
>
> The router also has an internal firewall, but there is no option to
> configure this firewall - you can only activate or deactivate it.
>
> Maybe I should install a "good" software firewall on the SBS?!
> Do you have any suggestions?
>
> Greetings
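
Added example, not part of the original thread or any poster's configuration: a Python model of the server-side policy suggested above (block outbound connections from the RRAS-assigned addresses while keeping LAN access), evaluated first-match at a filtering point that still sees the client's VPN address as the source. The 10.0.0.192/27 static RRAS pool, the LAN host list and the 203.0.113.10 destination are constructed assumptions; since the clients in the thread take addresses from the LAN's own DHCP range, the model also checks that the pool is a range no ordinary LAN host uses, and that rule order does not hide the LAN rule.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.0.0.0/24")         # location A subnet (from the thread)
VPN_POOL = ipaddress.ip_network("10.0.0.192/27")  # assumed static RRAS pool (constructed)

# Ordered rules, first match wins: (name, source net, destination net, action)
RULES = [
    ("vpn-to-lan", VPN_POOL, LAN, "allow"),      # VPN clients may reach the SBS and LAN hosts
    ("vpn-to-internet", VPN_POOL, ANY, "deny"),  # ...but nothing beyond the LAN
    ("default", ANY, ANY, "allow"),              # ordinary LAN hosts are unaffected
]

def decide(src, dst, rules=RULES):
    """Return (rule name, action) for one flow, independent of any client-side setting."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return name, action
    return "implicit", "deny"

def pool_is_distinguishable(pool, lan_hosts):
    """A source-address rule only works if no ordinary LAN host sits inside the VPN pool."""
    return not any(ipaddress.ip_address(h) in pool for h in lan_hosts)

def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule covers them completely."""
    hidden = []
    for i, (name, src_net, dst_net, _) in enumerate(rules):
        for _, e_src, e_dst, _ in rules[:i]:
            if src_net.subnet_of(e_src) and dst_net.subnet_of(e_dst):
                hidden.append(name)
                break
    return hidden

if __name__ == "__main__":
    lan_hosts = ["10.0.0.2", "10.0.0.50"]  # constructed: the SBS and one LAN client
    print(decide("10.0.0.200", "10.0.0.2"))       # VPN client to the SBS
    print(decide("10.0.0.200", "203.0.113.10"))   # VPN client to an Internet host
    print(decide("10.0.0.50", "203.0.113.10"))    # LAN client to an Internet host
    print(pool_is_distinguishable(VPN_POOL, lan_hosts), pool_is_distinguishable(LAN, lan_hosts))
    print(shadowed_rules(RULES), shadowed_rules([RULES[1], RULES[0], RULES[2]]))
```
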