From: David Carl on 1 Mar 2010 14:06

I have been using sbs2003 with 2-nic / ISA configuration. I am now upgrading to new server and sbs2008. I realize I need to get a router. We have 14 workstations on the LAN and 6 more people work from home full time currently using XP VPN. Just about everyone uses OWA and/or RWW from time to time when not in the office.

My question is this. I am looking at Cisco RV042, because I want 2 WAN ports to add a second DSL and balance remote users, but there are VPN tunnel limits. Am I going to just open ports on my router firewall and SBS takes care of the rest, or do I need to be concerned about the router's max tunnel limit? I asked these questions of the Cisco TS and they started pointing me to a series 1941 that sells for $1500, and I think that's a bit pricey for what I am trying to do. I know this is really not an SBS question, but would appreciate any guidance. Thank you.
From: Cliff Galiher - MVP on 1 Mar 2010 14:15

In your current configuration, ISA is also providing full security, so when you move to SBS 2008, you need to consider that as well. The RV042 is a simple router and provides no security features whatsoever. You'd want to deploy an additional firewall appliance between the router and your network, which adds quite a bit of complexity. Or alternatively, you can purchase a good firewall appliance that also does routing (most SMB firewalls do) that also has the features you need, like dual WAN ports.

As far as keeping your current features, OWA and RWW are HTTPS traffic which no router should be interfering with. VPN support gets a bit more sticky as you haven't indicated the type of VPN you use. PPTP VPNs can have an endpoint behind a NAT router as long as the router knows how to handle GRE packets. In this case, any restrictions on VPN tunnels that the router has *usually* (but not always) applies to how many tunnels it is the end-point for. Since SBS is the end-point in this configuration, the VPN limits would not apply.

L2TP/IPSec tunnels cannot operate behind a NAT, however, so you'd be moving your end-point from SBS to the router and, as above, that is usually the deciding factor on how VPN restrictions are applied. In this scenario, you'd want to make sure your device has the capacity for the number of concurrent VPN tunnels you usually have open.

-Cliff
From: Joe on 1 Mar 2010 15:23

Cliff Galiher - MVP wrote:
> VPN you use. PPTP VPNs can have an endpoint behind a NAT router as long as the router knows how to handle GRE packets. In this case, any restrictions on VPN tunnels that the router has *usually* (but not always) applies to how many tunnels it is the end-point for. Since SBS is the end-point in this configuration, the VPN limits would not apply.

I'd go a bit further and say that there must be a router limit on PPTP passthrough, because in addition to forwarding the two protocols involved, it must associate them. The router must know that it has to accept unsolicited protocol 47 packets from an external IP address which currently maintains a TCP/1723 session. It needs to maintain a lookup table containing these entries, and there will be a limit to the number of table entries. There are a number of protocols which need such lookup tables, FTP being another.

That does not mean there is necessarily a low limit on VPN tunnels, as with some loss of speed, these entries can be shared in the NAT table, which will have quite a large maximum size. But if the router specification explicitly states a limit on PPTP passthrough connections, you should believe it, as the implementation will have optimised the table structures for speed, and there will be a fixed number of entries in each of a number of different small tables.

-- Joe
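The passthrough behaviour Cliff and Joe describe, as an added illustration that is not part of the thread and not any vendor's code: a toy model of a NAT router's PPTP helper that forwards unsolicited GRE (IP protocol 47) from an external address only while that address holds a TCP/1723 control session, with a fixed-size association table standing in for the "PPTP passthrough connections" limit. The addresses, the table size and the packet sequence are constructed for the example.

```python
from dataclasses import dataclass, field

PPTP_CTRL = 1723  # TCP port of the PPTP control connection; data travels as GRE (IP proto 47)

@dataclass
class Packet:
    src: str           # external (remote user) IP address, constructed for the example
    proto: str         # "tcp" or "gre"
    dport: int = 0     # TCP destination port; unused for GRE
    fin: bool = False  # TCP session teardown

@dataclass
class PptpPassthrough:
    """Toy NAT helper: GRE is forwarded only for hosts with a live TCP/1723
    control session, and the association table has a fixed number of entries."""
    max_entries: int
    sessions: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        if pkt.proto == "tcp" and pkt.dport == PPTP_CTRL:
            if pkt.fin:
                self.sessions.discard(pkt.src)  # teardown frees the table entry
                return "forward"
            if pkt.src in self.sessions:
                return "forward"
            if len(self.sessions) >= self.max_entries:
                return "drop:table-full"  # the passthrough limit Joe describes
            self.sessions.add(pkt.src)
            return "forward"
        if pkt.proto == "gre":
            # unsolicited GRE is accepted only when the sender has a control session
            return "forward" if pkt.src in self.sessions else "drop:no-control-session"
        return "drop:no-rule"

def run_trace(max_entries: int = 2) -> list:
    """Constructed sequence: two remote users set up tunnels, a third is refused by
    the full table, a stray GRE packet is dropped, a teardown frees room for the third."""
    nat = PptpPassthrough(max_entries)
    trace = [
        Packet("203.0.113.10", "tcp", PPTP_CTRL),
        Packet("203.0.113.10", "gre"),
        Packet("203.0.113.20", "tcp", PPTP_CTRL),
        Packet("203.0.113.30", "tcp", PPTP_CTRL),  # third tunnel: over the limit
        Packet("198.51.100.5", "gre"),             # GRE with no control session
        Packet("203.0.113.10", "tcp", PPTP_CTRL, fin=True),
        Packet("203.0.113.30", "tcp", PPTP_CTRL),  # now fits
        Packet("203.0.113.30", "gre"),
    ]
    return [nat.handle(p) for p in trace]
```

The model also shows why Cliff's point about L2TP/IPsec matters: with no cleartext control session to key the table on, a NAT device has nothing to associate the tunnel packets with, which is why the router itself has to become the endpoint in that case.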
From: David Carl on 1 Mar 2010 15:33

In reading the documentation of the RV042, it seems to have a firewall that blocks everything and allows for 50 access rules, which would be more than enough as we currently are only using 16 on our ISA. What "security features" does this simple router not have that I should be concerned about?

What Cisco product (or other vendor) would you recommend for a small SBS2008 environment that I described in my first post. Thanks.
From: Cliff Galiher - MVP on 1 Mar 2010 15:47

Access rules are easy, as they just bolt on top of the routing engine. After all, the routing engine already has to look at IP and port (if NAT is involved) so adding a simple layer to block IPs or ports is trivial. But a good business firewall does several other things. They can monitor the state of a connection to prevent certain attacks (sometimes called stateful packet inspection.) Many are application aware, so they can inspect certain types of traffic for abuses, such as buffer-overflow attempts in HTTP headers or SMTP violations, or even the ability to inspect attachments in SMTP or binary downloads (HTTP, FTP, etc) for intentionally malicious acts (there are several attack vectors in these protocols.) And the very best can even authenticate connections via AD, perform HTTPS inspection (via SSL Bridging) and a few other fancy tricks. ISA, in fact, falls in this last category. You may look at the rules and think "20 rules, easy" but it is *what* those rules do that suddenly becomes very impressive.

For me, I'm still a big ISA/TMG fan. I prefer to buy an ISA "appliance" (what is an appliance but a headless server with a preconfigured OS), but Sonicwall and Watchguard also make good devices.

Also, don't forget that ISA provided quite a bit of network reporting that, although not security related, you may have gotten accustomed to. ISA could do this because SBS sat at the network edge. With 2008, the change in topology means that SBS isn't there to monitor all traffic, so many people are surprised to find they can't generate detailed network usage reports anymore in SBS. If you used that functionality, you'll want to make sure your edge device can step in and provide those types of reports so you can make the transition.

-Cliff