Active Directory and VPN on single server setup


Solution 1

Can't recommend running a DC as a VPN server... you'll spend loads of time trying to solve problems this will cause. It's not worth the effort you'll spend on it.

If it's SBS then it comes with a wizard to do this for you. If not, and it's for home use, then just use the Remote Desktop Gateway, which comes with 2008, to connect to an internal machine. It works like a dream.

Failing that, if you really want a VPN then just splash out on a small SonicWall or similar. They have some excellent SSL VPN firewalls which will do the job for you. The next level up (still small SOHO firewalls) supports an installable IPsec VPN client.

Go with one of the other routes - you'll save yourself a lot of grief in the long term.

Solution 2

Here is a pretty straightforward article on setting it up: http://www.thomasmaurer.ch/2010/10/how-to-install-vpn-on-windows-server-2008-r2/

I wouldn't suggest doing this for a business, but if it's just for your home, well then it's a risk you have to be OK with.

As mentioned before, multi-homed configurations are less than ideal, but this article lays out some changes you can make to prevent most of the issues caused by this: http://support.microsoft.com/kb/272294

However, since you're looking into a new config, one thing you could do is use Hyper-V. Run one VM as your DC (which you're licensed to do) and then set up another VM running a Linux VPN server like pfSense or IPCop. This way you keep everything separate and a little more secure.
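If you do go the multi-homed route anyway, the practical problem the thread keeps coming back to is the DC registering DNS records for an address on the VPN side that LAN clients cannot reach. The PowerShell below is an added example, not from this answer, the linked article or the Microsoft KB; it targets Windows Server 2008 R2 (PowerShell 2.0, WMI, dnscmd and nltest, all of which ship in the box). The LAN IP, the RRAS static pool range and the zone name are made-up assumptions, so change them to match your network before running it on a DC.

```powershell
# Added example (not from the original post). Keep a multi-homed 2008 R2 DC that
# also runs RRAS from publishing DNS records that point into the VPN pool.
# Assumptions: LAN IP, VPN pool range and zone name below are invented for the example.
param(
    [string]$LanIp        = '192.168.0.10',
    [string]$VpnPoolStart = '192.168.0.200',
    [string]$VpnPoolEnd   = '192.168.0.220',
    [string]$Zone         = 'corp.example.local',
    [switch]$RemoveStaleRecords      # actually delete offending A records, not just report them
)

function ConvertTo-UInt32Address([string]$Ip) {
    # IPv4 dotted quad -> integer so a range check is a plain comparison.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InVpnPool([string]$Ip) {
    $n = ConvertTo-UInt32Address $Ip
    ($n -ge (ConvertTo-UInt32Address $VpnPoolStart)) -and
    ($n -le (ConvertTo-UInt32Address $VpnPoolEnd))
}

# 1. Only the LAN adapter may register its addresses in DNS. Every other IP-enabled
#    adapter gets dynamic registration switched off (same effect as clearing
#    "Register this connection's addresses in DNS" in Advanced TCP/IP Settings).
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($cfg in $configs) {
    $isLan = $cfg.IPAddress -contains $LanIp
    $rc = $cfg.SetDynamicDNSRegistration($isLan, $isLan).ReturnValue
    Write-Host ("{0,-45} register-in-DNS={1} rc={2}" -f $cfg.Description, $isLan, $rc)
    # The DC resolves against its own LAN address only, never a VPN-side address.
    [void]$cfg.SetDNSServerSearchOrder(@($LanIp))
}

# 2. The DNS Server service listens on the LAN address only, so it never answers
#    (or registers itself) from an address on the VPN side.
& dnscmd /ResetListenAddresses $LanIp | Out-Null

# 3. Force Netlogon to re-register the DC's records, then look for A records at the
#    zone apex and for this host that still point into the VPN pool.
& nltest /dsregdns | Out-Null
foreach ($node in @('@', $env:COMPUTERNAME)) {
    $out = & dnscmd /EnumRecords $Zone $node /Type A
    $ips = $out | Select-String -Pattern '\b(\d{1,3}\.){3}\d{1,3}\b' -AllMatches |
           ForEach-Object { $_.Matches } | ForEach-Object { $_.Value }
    foreach ($ip in $ips) {
        if (Test-InVpnPool $ip) {
            Write-Warning "A record '$node' in $Zone points at VPN pool address $ip"
            if ($RemoveStaleRecords) {
                & dnscmd /RecordDelete $Zone $node A $ip /f
            }
        }
    }
}
```

Run it first without `-RemoveStaleRecords` to see what the DC has registered; the A records it flags are exactly the ones a LAN client would pick up and then fail to reach. Re-run it after any RRAS or adapter change, because Netlogon re-registers records on its own schedule and a freshly added interface will register again unless step 1 has been applied to it.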



Author: Neo

Updated on September 18, 2022

Comments

  • Neo
    Neo almost 2 years

    I've attempted this several times now and never got it exactly correct. I am looking to set up my ML5 server as a VPN server, domain server, DHCP server and file server. However, every time I have attempted this I've read different ways of doing it, all of which never work and always miss something out.

    The network has a single Virgin Media modem, all features turned off so it is just a modem, with a TP-Link router hooked up to that. The server has two different network cards installed, both directly connected to the router. Then there are several wireless devices, a 360 and a PC, all of which require access to the files being shared on the server drives.

    I think that about covers it; if you need any more info to point me in the right direction, just ask.

    OS: Server 2008 R2 or SBS 2011, not sure on SBS 2011 just yet.

    • Zoredache
      Zoredache over 12 years
      Trying to run a VPN from a domain controller seems like a bad idea. Bad things can happen when multi-homing a DC.
    • Neo
      Neo over 12 years
      Hi Zoredache, that may be so, but for the number of machines it will be connecting with it shouldn't be an issue, as it's not a full-blown business network.
    • Zoredache
      Zoredache over 12 years
      It really has nothing to do with the number of machines, and has more to do with the DC publishing DNS/WINS records with IPs from the VPN network, which will be unreachable by machines on the LAN.
    • Neo
      Neo over 12 years
      ZZZOOOMMM over my head on that one, Zoredache. The only reason I've chosen a VPN is to make the system more secure, so I don't have to forward ports for Remote Desktop when I'm not at home.
    • Zoredache
      Zoredache over 12 years
      If this is for home use, why not just install an SSH daemon and use an SSH client to tunnel ports?
    • Neo
      Neo over 12 years
      Never heard of tunnelling over SSH for this, Zoredache, any links?
    • Zoredache
      Zoredache over 12 years
      It is so extremely common that a simple search for "ssh port forward" will return lots of good results.
  • Neo
    Neo over 12 years
    Eric, why wouldn't you recommend setting up a VPN for business?
  • Eric C. Singer
    Eric C. Singer over 12 years
    No, it's not that I'm not recommending a VPN, I'm recommending that you don't make your DC your VPN server.
  • Eric C. Singer
    Eric C. Singer over 12 years
    The RDP gateway is another great idea; completely forgot about that. I also like the idea of a dedicated VPN/firewall device as well.