Internet through VPN

Thomas Raasch

Hi,

I have an SBS2003 at location A.
RRAS is activated and fully functional.
With VPN I can connect to location A from location B with a Windows XP
client.
Everything works fine - too fine for me...
My problem is that the XP client at location B also has access to the
Internet connection of location A!


Because of my bad English I will explain it clearly with IPs:


At location B the XP client has the IP 192.168.0.10
There is a router with IP 192.168.0.1
The router is the gateway for that XP client

The SBS at location A has the IP 10.0.0.2
There is also a router with IP 10.0.0.1
The router is the gateway for this network

When I run
tracert www.google.com
on the XP client, the first IP reached is the local router (192.168.0.1)
- so far so good -

When I now connect from location B through VPN to location A, the
XP client at B, of course, gets a second network connection named "VPN-Test".
With this connection XP changes its default gateway to the 10.0.0 subnet!
When I now run
tracert www.google.com
the first IP reached is the router of location A!

So every XP client uses the Internet connection of location A as long as it
is connected through VPN! They do not use their own local router!
I know I can easily change the checkbox "Use default gateway on remote
network" on every XP client to solve this problem. But that's not enough
security! It is still possible to have access to the Internet from an
XP client through the VPN. So it is still possible that a user on one
XP client changes this option back to its default and so uses the
Internet connection of my SBS2003. And further - I don't have access to every
XP client, so I cannot be sure that every client has this option set correctly.


So now, finally, my question:
What do I have to set up on my SBS2003 so that the VPN clients are not allowed
to use the Internet connection of my SBS2003?

The VPN clients get their IPs from the SBS's own DHCP and also use the SBS's own
DNS...
The VPN clients need access to the SBS2003 server as well as to the rest of
the network at location A! The XP clients from location B need access to
some clients in the network of location A! Otherwise it would be possible to
deactivate the routing option of RRAS - but not in my case.


Thanks for your help
Thomas
 
Re: Internet through VPN

Thomas,
I don't know what firewall you are using, but you could block outbound
connections from the IP addresses assigned by the RRAS connection,
Anthony,
http://www.airdesk.com
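Added example, not written by any poster in this thread: a simplified Python model of the XP client's route selection (why the first tracert hop changes) together with a server-side egress rule of the kind suggested in the reply above. The VPN address pool, the route metrics and the Internet test address 203.0.113.10 are constructed assumptions; the other addresses are the ones given in the thread.

```python
import ipaddress as ip

SITE_A_LAN = ip.ip_network("10.0.0.0/24")   # location A, from the thread
VPN_POOL = ip.ip_network("10.0.0.192/28")   # assumption: constructed RRAS pool
LOCAL_GW, VPN_IF = "192.168.0.1", "VPN-Test"


def client_routes(vpn_up, use_remote_gateway):
    """Simplified route table of the XP client: (network, next hop, metric)."""
    routes = [
        (ip.ip_network("0.0.0.0/0"), LOCAL_GW, 20),        # local default route
        (ip.ip_network("192.168.0.0/24"), "on-link", 20),  # location B LAN
    ]
    if vpn_up:
        # Class-based route for the address assigned over the VPN.
        routes.append((ip.ip_network("10.0.0.0/8"), VPN_IF, 1))
        if use_remote_gateway:
            # "Use default gateway on remote network": a second default
            # route with a better metric than the local one.
            routes.append((ip.ip_network("0.0.0.0/0"), VPN_IF, 1))
    return routes


def next_hop(routes, dst):
    """Longest prefix wins; ties are broken by the lowest metric."""
    dst = ip.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def server_egress_allowed(src, dst):
    """Server-side rule: VPN pool addresses may reach site A's LAN only."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src in VPN_POOL:
        return dst in SITE_A_LAN
    return True  # other LAN hosts are not restricted by this rule


if __name__ == "__main__":
    internet = "203.0.113.10"  # constructed documentation address
    for checkbox in (True, False):
        hop = next_hop(client_routes(True, checkbox), internet)
        print(f"checkbox={checkbox}: Internet traffic leaves via {hop}")
    # The client setting only changes the client's route choice; the
    # server-side rule holds whatever the client is set to.
    print("VPN client -> Internet via A:",
          server_egress_allowed("10.0.0.195", internet))
    print("VPN client -> SBS (10.0.0.2):",
          server_egress_allowed("10.0.0.195", "10.0.0.2"))
```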
 
Re: Internet through VPN


"Anthony [MVP]" <anthony@no-reply.com> wrote in message
news:uBz1eRZ$IHA.1016@TK2MSFTNGP03.phx.gbl...
> Thomas,
> I don't know what firewall you are using, but you could block outbound
> connections from the IP addresses assigned by the RRAS connection,
> Anthony,
> http://www.airdesk.com


Hi,

Until now I don't use any special firewall.
I thought that the Windows-integrated firewall on the SBS was active - but
it's not... When I try to configure the firewall it says that "ipnat.sys" is
in use :(
The Windows Firewall service is deactivated.

The router also has an internal firewall, but there is no option to configure
this firewall - you can only activate or deactivate it.

Maybe I should install a "good" software firewall on the SBS?!
Do you have any suggestions?


Greetings
 
Re: Internet through VPN

Thomas,

You really should post your question in an SBS newsgroup. SBS does not
behave like standard Windows server and must be configured in its own way.
Try

microsoft.public.windows.server.sbs

The problem with the firewall settings is a standard RRAS message though.
You cannot configure the internal firewall if you are running RRAS as a NAT
router (ipnat.sys).
 
Re: Internet through VPN


"Bill Grant" <not.available@online> wrote in message
news:eUZOhIe$IHA.4816@TK2MSFTNGP06.phx.gbl...
>
> You really should post your question in an SBS newsgroup. SBS does not
> behave like standard Windows server and must be configured in its own way.
> Try
>
> microsoft.public.windows.server.sbs



OK, I put the same post in that group.
Thanks
 
Re: Internet through VPN

Thomas,
I would install a good hardware firewall between the SBS and the Internet
(unless you have SBS premium with ISA, but I think you would have said if
you have).
Anthony,
http://www.airdesk.com
 