L2TP/IPSec VPN Configuration
  #1  
Old 05-02-2008
Al
 
Posts: n/a
L2TP/IPSec VPN Configuration

Can successfully configure the VPN as a PPTP connection, but after trying to
set up as a L2TP/IPSec with a pre-shared key the connection fails.
Is this possible with SBS2003R2 and can anyone provide a basic walk-through
of the steps?
Thanks

  #2  
Old 05-02-2008
Charlie Russel - MVP
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

It is possible, but extremely fussy. If you do everything exactly right it
works, but one misstep and it doesn't.

This is covered extensively in chapter 15 of our SBS R2 book, but the basic
steps are:
1.) Install IAS
2.) Open the IAS console and disable MS-CHAP, and set the encryption to use
128-bit only.
3.) Install Certificate Services (the self signed cert that SBS creates
isn't the right one for L2TP.)
4.) Create an enterprise root CA.
5.) Create local computer and current user Certs
6.) Create a server cert for the SBS server
7.) Deploy the certs in steps 5 and 6 to the VPN client(s) and the SBS
server respectively.
8.) Modify the SBS Remote Access Policy to allow authentication via
certificates (this is in the IAS console)
9.) Set the EAP method to Smart Card or other Cert and use the SBS server
cert you created in 6.
10.) Open the ports required in the RRAS console (IKE, IKE NAT Traversal,
and L2TP/IPSec)
11.) Enable EAP in RRAS
12.) Add L2TP ports in RRAS.

There are thirteen pages on this in chapter 15. And another batch in chapter
16 if you're using ISA 2k4. It's not trivial, but is possible if you follow
the steps exactly. Unfortunately, all the steps are actually required.

--
Charlie Russel
Author: Microsoft Windows Small Business Server 2003 R2 Administrator's
Companion (MS Press)
http://www.amazon.com/Microsoft-Busi...767969?ie=UTF8


--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

  #3  
Old 05-02-2008
Al
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Thanks Charlie - I've got your book (!!) so will read up those chapters. Am
I right in thinking that by using L2TP/IPSec I increase security on the vpn
in particular that the client has to have the certificate? Is it
alternatively possible to use the "shared key" rather than a certificate?
Thanks

  #4  
Old 06-02-2008
Jon-Alfred Smith
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

On Tue, 5 Feb 2008 07:31:15 -0800, "Charlie Russel - MVP"
<charlie@mvKILLALLSPAMMERSps.org> wrote:

>It is possible, but extremely fussy. If you do everything exactly right it
>works, but one misstep and it doesn't.


>This is covered extensively in chapter 15 of our SBS R2 book, but the basic
>steps are:


[SNIP]

>There are thirteen pages on this in chapter 15. And another batch in chapter
>16 if you're using ISA 2k4. It's not trivial, but is possible if you follow
>the steps exactly. Unfortunately, all the steps are actually required.


>Charlie Russel
>Author: Microsoft Windows Small Business Server 2003 R2 Administrator's
>Companion (MS Press)
>http://www.amazon.com/Microsoft-Busi...767969?ie=UTF8


The book details all steps in an excellent way. However, I still
wonder about IPSec from a client behind a NAT to a server behind a
different NAT.

MS has at least two KB articles on this subject, and MS says: IPSec
NAT-T is not recommended for Windows Server 2003 computers that are
behind network address translators
http://support.microsoft.com/kb/885348

The default behavior of IPSec NAT traversal (NAT-T) is changed in
Windows XP Service Pack 2
http://support.microsoft.com/kb/885407/

It should not be too uncommon that clients and SBS servers are located
behind different NATs. Does this really mean that best practice is to
use PPTP / MPPE instead?

jas
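
A troubleshooting sketch for the ports in step 10 of the walk-through (IKE on UDP 500, IKE NAT traversal on UDP 4500, L2TP on UDP 1701) and for the NAT question in the post above. It is an added example, not part of any poster's message or of the book; the log format, the addresses and the verdict names are constructed for illustration.

```python
import re
from collections import defaultdict, namedtuple

# Constructed perimeter-firewall log in a hypothetical format, using
# documentation addresses; 198.51.100.5 stands in for the VPN server.
SAMPLE_LOG = """\
2008-02-06T09:00:01 ALLOW UDP 203.0.113.10:61500 -> 198.51.100.5:500
2008-02-06T09:00:01 ALLOW UDP 198.51.100.5:500 -> 203.0.113.10:61500
2008-02-06T09:00:02 ALLOW UDP 203.0.113.10:61501 -> 198.51.100.5:4500
2008-02-06T09:00:02 ALLOW UDP 198.51.100.5:4500 -> 203.0.113.10:61501
2008-02-06T09:05:10 ALLOW UDP 203.0.113.77:61600 -> 198.51.100.5:500
2008-02-06T09:05:10 ALLOW UDP 198.51.100.5:500 -> 203.0.113.77:61600
2008-02-06T09:05:11 DROP UDP 203.0.113.77:61601 -> 198.51.100.5:4500
2008-02-06T09:10:00 ALLOW UDP 203.0.113.88:1701 -> 198.51.100.5:1701
2008-02-06T09:12:00 ALLOW UDP 203.0.113.99:500 -> 198.51.100.5:500
2008-02-06T09:12:00 ALLOW UDP 198.51.100.5:500 -> 203.0.113.99:500
2008-02-06T09:12:01 ALLOW ESP 203.0.113.99 -> 198.51.100.5
2008-02-06T09:12:01 ALLOW ESP 198.51.100.5 -> 203.0.113.99
"""

Flow = namedtuple("Flow", "action proto src sport dst dport")
LINE = re.compile(r"^\S+ (ALLOW|DROP) (UDP|ESP) (\S+) -> (\S+)$")

# Server-side UDP ports for the three services named in step 10.
SERVICES = {500: "ike", 4500: "nat-t", 1701: "l2tp"}


def _endpoint(text, proto):
    """Split 'ip:port' for UDP; ESP (IP protocol 50) has no ports."""
    if proto == "UDP":
        host, _, port = text.rpartition(":")
        return host, int(port)
    return text, None


def parse(log):
    """Yield a Flow for every well-formed record, skipping anything else."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        action, proto, src, dst = m.groups()
        try:
            shost, sport = _endpoint(src, proto)
            dhost, dport = _endpoint(dst, proto)
        except ValueError:
            continue  # UDP record without a numeric port
        yield Flow(action, proto, shost, sport, dhost, dport)


def both_ways(events, svc):
    """True when svc was allowed inbound and outbound for this client."""
    return {(svc, "in", "ALLOW"), (svc, "out", "ALLOW")} <= events


def diagnose(log, server):
    """Map each client IP to the stage its L2TP/IPSec attempt reached."""
    seen = defaultdict(set)
    for f in parse(log):
        if server not in (f.src, f.dst):
            continue
        inbound = f.dst == server
        client = f.src if inbound else f.dst
        if f.proto == "ESP":
            svc = "esp"
        else:
            # NAT rewrites the client's port, so key on the server's port.
            svc = SERVICES.get(f.dport if inbound else f.sport)
        if svc:
            seen[client].add((svc, "in" if inbound else "out", f.action))

    verdicts = {}
    for client, ev in seen.items():
        if any(e[0] == "l2tp" for e in ev):
            # L2TP should only ever appear inside ESP, never bare on 1701.
            verdicts[client] = "CLEAR_L2TP"
        elif ("ike", "in", "ALLOW") not in ev:
            verdicts[client] = "NO_IKE"
        elif ("ike", "out", "ALLOW") not in ev:
            verdicts[client] = "IKE_NO_REPLY"
        elif both_ways(ev, "nat-t"):
            verdicts[client] = "NAT_T_FLOWING"   # ESP carried in UDP 4500
        elif both_ways(ev, "esp"):
            verdicts[client] = "ESP_FLOWING"     # no NAT detected in path
        elif ("nat-t", "in", "DROP") in ev:
            verdicts[client] = "NAT_T_BLOCKED"
        else:
            verdicts[client] = "NO_DATA_PATH"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(diagnose(SAMPLE_LOG, "198.51.100.5").items()):
        print(client, verdict)
```

The verdicts describe which flows the firewall passed, not whether authentication succeeded. CLEAR_L2TP is the one to treat as a security finding rather than a connectivity fault, because it means L2TP reached the perimeter without being wrapped in ESP.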
  #5  
Old 06-02-2008
Al
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration - Charlie reply please!

Jon - hopefully Charlie can give input on that as I would assume that most
SBS's would be behind a NAT router, although I have set mine to forward the
appropriate protocols/ports. Having read the sections in Charlie's book
(have to confess I use it as a reference bible for SBS as I am not a
techie), it seems that although complicated the L2TP/IPSec vpn is far more
secure than PPTP & if I am right (?) it is not just the encryption but
rather than there is a certificate given to the legitimate client pc's
thereby making it more difficult for hackers?, so hopefully it does still
work!
Charlie - input please

  #6  
Old 06-02-2008
Charlie Russel - MVP
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration - Charlie reply please!

Yes, it can work. Honestly, however, I am moving away from VPN at all. I use
RWW for everything, and don't allow anyone to VPN on to the networks I
support. The reason is simple - once you VPN in, you have exposed your
network to whatever is on that client PC, and you really don't have the same
level of control of a remote PC as you do one in your office. In the Windows
2008/SBS_Next time frame, we have Network Access Protection and System
Health checks that allow segregating VPN clients until they pass system
health checks for AV, etc.

--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

  #7  
Old 06-02-2008
Charlie Russel - MVP
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Oh, and just for a point of reference. On the only SBS network I support
that allows VPN, my own personal one where I know every single machine that
might ever connect via VPN, and know its health, I stopped using L2TP for
VPN after about 3 months and switched back to PPTP. The L2TP was just too
fragile. I still use Remote Web Workplace, securing that with RWWGuard and
AuthAnvil (www.scorpionsoft.com), and I don't think I've used VPN in the
last 5 months. RWW with a good two factor authentication solution is a
better bet all the way round.

--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

  #8  
Old 06-02-2008
Jon-Alfred Smith
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

On Tue, 5 Feb 2008 15:17:34 -0800, "Charlie Russel - MVP"
<charlie@mvKILLALLSPAMMERSps.org> wrote:

>Oh, and just for a point of reference. On the only SBS network I support
>that allows VPN, my own personal one where I know every single machine that
>might ever connect via VPN, and know its health, I stopped using L2TP for
>VPN after about 3 months and switched back to PPTP. The L2TP was just too
>fragile. I still use Remote Web Workplace, securing that with RWWGuard and
>AuthAnvil (www.scorpionsoft.com), and I don't think I've used VPN in the
>last 5 months. RWW with a good two factor authentication solution is a
>better bet all the way round.


Thanks a lot for clarifying answers. And we are also looking into
products from Scorpion Software for customers and ourselves.

jas
  #9  
Old 06-02-2008
Al
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Thanks Charlie - I had actually looked into the RWWGuard & AuthAnvil but had
3 concerns:
1. they are not supported in the UK so would be relying on support from
Canada!
2. I found that if we were using only fixed IP's we could restrict the RWW
to those only, which created a degree of additional authentication and
3. Cost - I know I will be told that the cost of a breach of security is
high, but for a very small office, although we could have justified the
initial cost, even for a 5 user set up the ongoing cost was going to be $500
per year which we felt was disproportionate to the cost of SBS itself! Had
there not been these ongoing "licence" costs, that's the route we would have
taken.

  #10  
Old 06-02-2008
Charlie Russel - MVP
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Well, a disclaimer here - the author of AuthAnvil and RWWGuard is a friend
and a fellow MVP. But, that being said, I wouldn't recommend it if I didn't
think his product was exceptional.

1.) Not really an issue. In this modern world, location is less important
than the quality of the support person answering the question, IME. On that
basis, I can't fault them.

2.) Do none of your users ever have to travel? Connect while at a
conference? Etc. If not, then I'd say a reasonable solution. While certainly
possible to spoof an IP address as the source, it would take someone
specifically targeting you.

3.) The solution is actually quite a bit cheaper, even ongoing, than
anything else out there doing similar things. And is very much designed
around SBS. But your needs and cost structures are up to you to evaluate, I
wouldn't presume to tell you.

--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

  #11  
Old 07-02-2008
Al
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Charlie - thanks, actually the very fact that it was a fellow MVP of yours
that wrote the program was a positive factor in my evaluation as I greatly
value the opinions of MVP's & your own book has been a huge help in a
non-techie like me learning to run & manage my firm's SBS!
Just a shame the ongoing costs were not so high, or they would have had
another sale! - perhaps you could flag up to the author that there is
actually an "ultra-lite" market that slips below his/her business model eg
myself with only 3 users requiring such access, so the RWW Guard licence is
then $85pa per user effective, whereas if you have 25 users it is $10 per
user effective & means the total cost gets disproportionate for the 3 user
outfit (who may later grow to require additional units). Maybe for the sub-5
user market they will come up with a package eg 3 tokens @ $75 each+
RWWGuard at a reduced capital cost for restricted numbers of licences, then
licencing at normal $50pa per user + RWW Guard at a reduced rate, & suddenly
the economics work for the very small business!
Thanks for all the input - I am going to try the L2TP/IPSec approach (while
retaining PPTP to begin with), as vpn would provide a good secured fallback
should anyone be unable to use RWW from their fixed IP - the only pc's
involved are under the firm's control although I note your point about that
issue with VPN

Regards

  #12  
Old 07-02-2008
Charlie Russel - MVP
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Dana and I have talked about the really small market (after all, I'm a 2
user shop!), and he knows the issues. But from his perspective it's also a
cost issue as well, and at some point the cost of getting the business
exceeds the return from it, and he had to make a business decision. I
respect that, though I might not agree. When you consider that everyone else
doing the same thing starts out with 25 tokens as their minimum, he's
definitely come a long way closer to the SBS market. (And, I might add, he
runs his business on SBS.)

Thanks again for your kind words on the book.

--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel

  #13  
Old 09-02-2008
Al
 
Posts: n/a
Re: L2TP/IPSec VPN Configuration

Nice to know I'm not the only one thinking about the sub-small market! Oh
well, back to trying to understand L2TP/IPSec as at least it will give some
added security (from what I can work out each pc will have to get a
"certificate" on it & also the user), so that goes a long way to what I want
to achieve.
I have installed IAS & Certificate Services per "the Book" (Enterprise Root
CA), created a Console from a Local PC (logged on as the domain admin) with
local computer & user certificates & stored in network share - all seemed
well, have managed to Request a Certificate for the SBS server, however on
Client PC's although I can create User Certificates, when trying to create
Computer certificates the wizard always terminates with a message that "The
certificate request failed. The RPC server is unavailable". I suspect there
may be a filter required (although the error is present regardless of
whether setting up on main network or via existing PPTP VPN connection)
Going to have to re-read Charlie's instructions!!




"Charlie Russel - MVP" <charlie@mvKILLALLSPAMMERSps.org> wrote in message
news:24ADFE2B-5762-4DA0-9EAF-333C7E5E4D87@microsoft.com...
> Dana and I have talked about the really small market (after all, I'm a 2
> user shop!), and he knows the issues. But from his perspective it's also a
> cost issue as well, and at some point the cost of getting the business
> exceeds the return from it, and he had to make a business decision. I
> respect that, though I might not agree. When you consider that everyone
> else doing the same thing starts out with 25 tokens as their minimum, he's
> definitely come a long way closer to the SBS market. (And, I might add, he
> runs his business on SBS.)
>
> Thanks again for your kind words on the book.
>
> --
> Charlie.
> http://msmvps.com/xperts64
> http://mvp.support.microsoft.com/profile/charlie.russel
>
>
> "Al" <nospamplease@nospamplease.co.uk> wrote in message
> news:fod012$1rrt$1@energise.enta.net...
>> Charlie - thanks, actually the very fact that it was a fellow MVP of
>> yours that wrote the program was a positive factor in my evaluation as I
>> greatly value the opinions of MVP's & your own book has been a huge help
>> in a non-techie like me learning to run & manage my firms SBS!
>> Just a shame the ongoing costs were not so high, or they would have had
>> another sale! - perhaps you could flag up to the author that there is
>> actually an "ultra-lite" market that slips below his/her business model
>> eg myself with only 3 users requiring such access, so the RWW Guard
>> licence is then $85pa per user effective, whereas if you have 25 users it
>> is $10 per user effective & means the total cost gets disproportionate
>> for the 3 user outfit (who may later grow to require additional units).
>> Maybe for the sub-5 user market they will come up with a package eg 3
>> tokens @ $75 each+ RWWGuard at a reduced capital cost for restricted
>> numbers of licences, then licencing at normal $50pa per user + RWW Guard
>> at a reduced rate, & suddenly the economics work for the very small
>> business!
>> Thanks for all the input - I am going to try the L2TP/IPSec approach
>> (while retaining PPTP to begin with), as vpn would provide a good secured
>> fallback should anyone be unable to use RWW from their fixed IP - the
>> only pc's involved are under the firm's control although I note your
>> point about that issue with VPN
>>
>> Regards
>>
>>
>>
>> "Charlie Russel - MVP" <charlie@mvKILLALLSPAMMERSps.org> wrote in message
>> news:B0B315F2-7444-458F-8D49-C0C59B3CDAF2@microsoft.com...
>>> Well, a disclaimer here - the author of AuthAnvil and RWWGuard is a
>>> friend and a fellow MVP. But, that being said, I wouldn't recommend if I
>>> didn't think his product was exceptional.
>>>
>>> 1.) Not really an issue. In this modern world, location is less
>>> important than the quality of the support person answering the question,
>>> IME. On that basis, I can't fault them.
>>>
>>> 2.) Do none of your users ever have to travel? Connect while at a
>>> conference? Etc. If not, then I'd say a reasonable solution. While
>>> certainly possible to spoof an IP address as the source, it would take
>>> someone specifically targeting you.
>>>
>>> 3.) The solution is actually quite a bit cheaper, even ongoing, than
>>> anything else out there doing similar things. And is very much designed
>>> around SBS. But your needs and cost structures are up to you to
>>> evaluate, I wouldn't presume to tell you.
>>>
>>> --
>>> Charlie.
>>> http://msmvps.com/xperts64
>>> http://mvp.support.microsoft.com/profile/charlie.russel
>>>
>>>
>>> "Al" <nospamplease@nospampleaseto me.co.uk> wrote in message
>>> news:foc3iu$9rc$1@energise.enta.net...
>>>> Thanks Charlie - I had actually looked into the RWWGuard & AuthAnvil
>>>> but had 3 concerns:
>>>> 1. they are not supported in the UK so would be relying on support
>>>> from Canada!
>>>> 2. I found that if we were using only fixed IP's we could restrict the
>>>> RWW to those only, which created a degree of additional authentication
>>>> and
>>>> 3. Cost - I know I will be told that the cost of a breach of security
>>>> is high, but for a very small office, although we could have justified
>>>> the initial cost, even for a 5 user set up the ongoing cost was going
>>>> to be $500 per year which we felt was disproportionate to the cost of
>>>> SBS itself! Had there not been these ongoing "licence" costs, that's
>>>> the route we would have taken.
>>>>
>>>>
>>>>
>>>>
>>>> "Jon-Alfred Smith" <jonsmi@community.nospam> wrote in message
>>>> news:io0jq35p9q4js4c106hh77mfpo58vqvvb8@4ax.com...
>>>>> On Tue, 5 Feb 2008 15:17:34 -0800, "Charlie Russel - MVP"
>>>>> <charlie@mvKILLALLSPAMMERSps.org> wrote:
>>>>>
>>>>>>>Oh, and just for a point of reference. On the only SBS network I support
>>>>>>>that allows VPN, my own personal one where I know every single machine that
>>>>>>>might ever connect via VPN, and know its health, I stopped using L2TP for
>>>>>>>VPN after about 3 months and switched back to PPTP. The L2TP was just too
>>>>>>>fragile. I still use Remote Web Workplace, securing that with RWWGuard and
>>>>>>>AuthAnvil (www.scorpionsoft.com), and I don't think I've used VPN in the
>>>>>>>last 5 months. RWW with a good two factor authentication solution is a
>>>>>>>better bet all the way round.
>>>>>
>>>>> Thanks a lot for clarifying answers. And we are also looking into
>>>>> products from Scorpion Software for customers and ourselves.
>>>>>
>>>>> jas