Guest Tom M Posted August 26, 2008

I have been asked to setup a VPN on one of my servers. I have a dual NIC on my DC with one port assigned to the LAN and the other port assigned to a public IP. I setup the VPN on the public port and turned on the static filtering. It works fine but I have serious concerns about an unfirewalled NIC with a public address on my DC. Can anyone comment on the security problems with this and recommend a firewall that works well for them?

--
Tom M
Guest Phillip Windell Posted August 26, 2008

Re: VPN With Public IP on a Domain Controller

"Tom M" <TomM@discussions.microsoft.com> wrote in message news:94C1C323-9ACC-4F70-9080-58103988D3F0@microsoft.com...
> I have been asked to setup a vpn on one of my servers. I have a dual nic on my dc with one port assigned to the lan and the other port assigned to a public ip. I setup the vpn on the public port and turned on the static filtering. It works fine but I have serious concerns about an unfirewalled nic with a public address on my dc.

Find another Server to use.
Running RRAS for VPN makes the machine multi-homed.
Never ever ever ever ever multi-home a Domain Controller.

272294 - Active Directory Communication Fails on Multihomed Domain Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Guest Tom M Posted August 26, 2008

Re: VPN With Public IP on a Domain Controller

I was not aware of that. Thanks for the reply.

--
Tom M

"Phillip Windell" wrote:
> Find another Server to use.
> Running RRAS for VPN makes the machine multi-homed.
> Never ever ever ever ever multi-home a Domain Controller.
Guest Phillip Windell Posted August 26, 2008

Re: VPN With Public IP on a Domain Controller

No problem.
A lot of people are not aware; I see posts written here of people trying to multi-home a DC almost every other day.

There is one exception... Small Business Server... but it has been specially tailored to operate that way. Also those articles I listed, if I remember correctly, do describe how to work around the problem for those who insist on doing it anyway, but I don't recommend it.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Tom M" <TomM@discussions.microsoft.com> wrote in message news:14744973-04F6-4D92-BE3A-2642798D395F@microsoft.com...
> I was not aware of that. Thanks for the reply.
Guest Bill Grant Posted August 27, 2008

Re: VPN With Public IP on a Domain Controller

In addition, even if the DC only has one NIC, making it a remote access server makes it multihomed as soon as the first remote user connects (and the server acquires an IP for its internal "RAS" interface). And there is another KB about that. KB292822.

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:OqVL5i6BJHA.4384@TK2MSFTNGP04.phx.gbl...
> No problem.
> A lot of people are not aware, I see posts written here of people trying to multi-home a DC almost every other day.
>
> There is one exception,...Small Business Server,...but it has been specially taylored to operate that way. Also those article I listed, if I remember correctly, do describe how to work around the problem for those who insist on doing it anyway,..but I don't recommend it.
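A read-only audit for the condition Phillip and Bill describe (a DC that has quietly become multihomed, and what it has registered in DNS as a result). This is an added example for this thread, not code from either poster or from Microsoft. It assumes a Windows Server 2012-or-later domain controller, since the NetTCPIP and DnsClient cmdlets it uses did not exist on the 2008-era servers under discussion; the RFC 1918 test and the "Internal|RAS" interface-alias match are this example's own heuristics, and the registry names in step 4 are the standard Netlogon and DNS Server values, not a quotation from the KB articles above.

```powershell
<#
  Multihomed-DC audit (added example; not from any poster or from Microsoft).
  Read-only: it changes nothing. Run elevated on the domain controller itself.
  Assumes Windows Server 2012+ with the NetTCPIP and DnsClient modules.
#>

function Test-PrivateIPv4 {
    # RFC 1918 ranges. Anything else on a DC interface is treated as public here.
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$domain = $fqdn.Substring($fqdn.IndexOf('.') + 1)

# 1. RRAS state. With RemoteAccess running, the box becomes multihomed at the
#    first client connection even with one NIC (it gets an address on its
#    internal RAS interface), so "only one NIC" is not a safe answer.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
$rrasState = if ($rras) { $rras.Status } else { 'not installed' }
"RemoteAccess (RRAS) service: $rrasState"

# 2. Every IPv4 address the host owns right now, joined to the per-interface
#    "Register this connection's addresses in DNS" setting.
$registers = @{}
Get-DnsClient | ForEach-Object { $registers[$_.InterfaceIndex] = $_.RegisterThisConnectionsAddress }

$addrs = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' })

"`nInterfaces:"
foreach ($a in $addrs) {
    $flags = @()
    if (-not (Test-PrivateIPv4 $a.IPAddress))    { $flags += 'PUBLIC' }
    if ($a.InterfaceAlias -match 'Internal|RAS') { $flags += 'RAS internal (heuristic)' }
    if ($registers[$a.InterfaceIndex])           { $flags += 'registers in DNS' }
    "  {0,-30} {1,-16} {2}" -f $a.InterfaceAlias, $a.IPAddress, ($flags -join ', ')
}
if ($addrs.Count -gt 1) {
    Write-Warning "$($addrs.Count) IPv4 addresses: this DC is multihomed."
}

# 3. What DNS actually holds for the DC's own name and for the domain name.
#    A public or RAS address on either record is what sends clients to the
#    wrong side of the box for AD traffic.
$lanAddrs = $addrs | Where-Object { Test-PrivateIPv4 $_.IPAddress } |
    Select-Object -ExpandProperty IPAddress
"`nDNS A records:"
foreach ($name in @($fqdn, $domain)) {
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    foreach ($r in $records) {
        $note = if (-not (Test-PrivateIPv4 $r.IPAddress)) { 'CHECK: public address published' }
                elseif ($name -eq $fqdn -and $r.IPAddress -notin $lanAddrs) { 'CHECK: not a LAN address of this host' }
                else { 'ok' }
        "  {0,-40} {1,-16} {2}" -f $name, $r.IPAddress, $note
    }
}

# 4. The knobs a multihomed-DC workaround turns: which records Netlogon skips
#    and which addresses the DNS Server service publishes and binds.
#    Empty output means the defaults (register and publish everything) are in force.
$nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
$dns = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'      -ErrorAction SilentlyContinue
"`nNetlogon DnsAvoidRegisterRecords : $($nl.DnsAvoidRegisterRecords -join ' ')"
"DNS PublishAddresses             : $($dns.PublishAddresses)"
"DNS ListenAddresses              : $($dns.ListenAddresses)"
```

Any CHECK line or multihomed warning is the thread's answer in concrete form: the fix is to move RRAS off the DC, not to tune the registry values in step 4, which only mask which address gets published while the public-facing interface stays on the DC.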
Guest Phillip Windell Posted August 27, 2008

Re: VPN With Public IP on a Domain Controller

I'll have to add that to my list :-)

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Bill Grant" <not.available@online> wrote in message news:OZFiMj9BJHA.3348@TK2MSFTNGP04.phx.gbl...
> In addition, even if the DC only has one NIC, making it a remote access server makes it mutlihomed as soon as the first remote user connects (and the server acquires an IP for its internal "RAS" interface). And there is another KB about that. KB292822.
Guest Phillip Windell Posted August 27, 2008

Re: VPN With Public IP on a Domain Controller

"Bill Grant" <not.available@online> wrote in message news:OZFiMj9BJHA.3348@TK2MSFTNGP04.phx.gbl...
> In addition, even if the DC only has one NIC, making it a remote access server makes it mutlihomed as soon as the first remote user connects (and the server acquires an IP for its internal "RAS" interface). And there is another KB about that. KB292822.

Ok, I added that to my list. It looks like a really ugly solution. Seems you have to hack the crap out of the registry. Maybe that is what the SBS Wizards do to SBS to make it work.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------