Hi all, I’m a relative newbie to VPN, and I’ve been
asked to investigate setting up a VPN for a small office of about 50 people. The
network architecture is an external firewall (which may be replaced with a
firewall / VPN appliance, probably Astaro at this point), a DMZ containing
Linux-webservers (192.168.2.x), and an internal Linux firewall protecting the
LAN (192.168.1.x), composed of Windows XP machines, and also the file/mail
servers (which will be switched to WIndows Server as per management’s
request). Now my question – where is the best place for the VPN
to terminate, assuming that VPN users need access to the file servers inside
the LAN? With an external firewall / VPN appliance, as far as I understand it,
the VPN sessions would terminate inside the DMZ, with an IP of
192.168.2.something. Providing those VPN users with access to the fileservers
inside the LAN would require punching a bunch of holes in the internal
firewall, right? This isn’t something that sounds too appealing to me.
But what other solutions are there? Is it preferable to forward the VPN
connection to be terminated on the inside firewall instead, so sessions would
terminate inside the LAN with a 192.168.1.something IP? Could anybody with VPN experience suggest the best way to
solve this? And forgive me if I’m screwy with some of the details of how
VPN works, I’m still learning up on PPTP / L2TP / IPsec etc etc.... Regards, Nick Phillips |