VPN With Public IP on a Domain Controller

Thread starter: Tom M
I have been asked to set up a VPN on one of my servers. I have a dual NIC on
my DC with one port assigned to the LAN and the other port assigned to a
public IP. I set up the VPN on the public port and turned on the static
filtering. It works fine, but I have serious concerns about an unfirewalled
NIC with a public address on my DC. Can anyone comment on the security
problems with this and recommend a firewall that works well for them?
--
Tom M
 
Re: VPN With Public IP on a Domain Controller

"Tom M" <TomM@discussions.microsoft.com> wrote in message
news:94C1C323-9ACC-4F70-9080-58103988D3F0@microsoft.com...
> I have been asked to set up a VPN on one of my servers. I have a dual NIC on
> my DC with one port assigned to the LAN and the other port assigned to a
> public IP. I set up the VPN on the public port and turned on the static
> filtering. It works fine, but I have serious concerns about an unfirewalled
> NIC with a public address on my DC. Can anyone comment on the security
> problems with this and recommend a firewall that works well for them?


Find another Server to use.
Running RRAS for VPN makes the machine multi-homed.
Never ever ever ever ever multi-home a Domain Controller.

272294 - Active Directory Communication Fails on Multihomed Domain
Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;272294

191611 - Symptoms of Multihomed Browsers
http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Re: VPN With Public IP on a Domain Controller

I was not aware of that. Thanks for the reply.
--
Tom M


"Phillip Windell" wrote:

>
> Find another Server to use.
> Running RRAS for VPN makes the machine multi-homed.
> Never ever ever ever ever multi-home a Domain Controller.
>
> 272294 - Active Directory Communication Fails on Multihomed Domain
> Controllers
> http://support.microsoft.com/default.aspx?scid=kb;en-us;272294
>
> 191611 - Symptoms of Multihomed Browsers
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;191611
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
 
Re: VPN With Public IP on a Domain Controller

No problem.
A lot of people are not aware; I see posts written here of people trying to
multi-home a DC almost every other day.

There is one exception, Small Business Server, but it has been specially
tailored to operate that way. Also, those articles I listed, if I remember
correctly, do describe how to work around the problem for those who insist
on doing it anyway, but I don't recommend it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Tom M" <TomM@discussions.microsoft.com> wrote in message
news:14744973-04F6-4D92-BE3A-2642798D395F@microsoft.com...
>I was not aware of that. Thanks for the reply.
> --
> Tom M
 
Re: VPN With Public IP on a Domain Controller

In addition, even if the DC only has one NIC, making it a remote access
server makes it multihomed as soon as the first remote user connects (and
the server acquires an IP for its internal "RAS" interface). And there is
another KB about that: KB292822.

"Phillip Windell" <philwindell@hotmail.com> wrote in message
news:OqVL5i6BJHA.4384@TK2MSFTNGP04.phx.gbl...
> No problem.
> A lot of people are not aware, I see posts written here of people trying
> to multi-home a DC almost every other day.
>
> There is one exception, Small Business Server, but it has been
> specially tailored to operate that way. Also, those articles I listed, if I
> remember correctly, do describe how to work around the problem for those
> who insist on doing it anyway, but I don't recommend it.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
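A defender-side audit for the two conditions the replies above describe (a second NIC with a public address, and the RRAS internal interface that appears once a client connects), added here as an example and not part of the thread. It assumes Windows Server 2012 or later with the NetTCPIP and DnsClient modules, run in an elevated session on the DC itself; matching the RRAS interface alias on "RAS" is an assumption.

```powershell
# Added example (not from the thread): audit a DC for the multihoming conditions
# described above. Assumes Windows Server 2012+ (NetTCPIP and DnsClient modules),
# run in an elevated PowerShell session on the DC itself.
function Test-PrivateIPv4 {
    param([string]$Address)   # RFC 1918 plus APIPA; anything else bound on a DC is public
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or ($b[0] -eq 169 -and $b[1] -eq 254)
}

# 1. Every IPv4 address bound on the box. The RRAS internal dial-in interface shows up
#    here once a client connects (matching its alias on "RAS" is an assumption).
$addrs = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' })
$addrs | Select-Object InterfaceAlias, IPAddress, PrefixOrigin | Format-Table -AutoSize
if ($addrs.Count -gt 1) {
    Write-Warning "More than one IPv4 address is bound: this DC is multihomed (KB272294)."
}
foreach ($a in $addrs) {
    if (-not (Test-PrivateIPv4 $a.IPAddress)) {
        Write-Warning "Public address $($a.IPAddress) is bound on '$($a.InterfaceAlias)'."
    }
    if ($a.InterfaceAlias -like '*RAS*') {
        Write-Warning "RRAS internal interface '$($a.InterfaceAlias)' is active (KB292822)."
    }
}

# 2. Routing and Remote Access itself: if it runs here, the DC becomes multihomed on the
#    first remote connection even with a single NIC.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') {
    Write-Warning "The Routing and Remote Access service is running on this DC."
}

# 3. Which adapters register in DNS. A public or RAS adapter that registers means clients
#    and replication partners can resolve the DC to an address they cannot reach.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress | Format-Table -AutoSize

# 4. What DNS actually returns for this DC's own name right now.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$records = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' })
if ($records.Count -gt 1) {
    Write-Warning "$fqdn resolves to $($records.Count) addresses; AD clients may pick the wrong one."
}
foreach ($r in $records) {
    if (-not (Test-PrivateIPv4 $r.IPAddress)) {
        Write-Warning "A record for $fqdn points at non-private address $($r.IPAddress)."
    }
}
```

Any warning from steps 1 to 4 is the symptom the KB articles describe; the fix the replies recommend is to move RRAS off the DC rather than tune registration on it.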
 
Re: VPN With Public IP on a Domain Controller

I'll have to add that to my list :-)


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Bill Grant" <not.available@online> wrote in message
news:OZFiMj9BJHA.3348@TK2MSFTNGP04.phx.gbl...
> In addition, even if the DC only has one NIC, making it a remote access
> server makes it multihomed as soon as the first remote user connects (and
> the server acquires an IP for its internal "RAS" interface). And there is
> another KB about that: KB292822.
 
Re: VPN With Public IP on a Domain Controller

"Bill Grant" <not.available@online> wrote in message
news:OZFiMj9BJHA.3348@TK2MSFTNGP04.phx.gbl...
> In addition, even if the DC only has one NIC, making it a remote access
> server makes it multihomed as soon as the first remote user connects (and
> the server acquires an IP for its internal "RAS" interface). And there is
> another KB about that: KB292822.



OK, I added that to my list.
It looks like a really ugly solution. Seems you have to hack the crap out of
the registry. Maybe that is what the SBS wizards do to SBS to make it work.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 