VPN and Windows Domain Questions

[palindrome]

I'm helping out a family member with their small business. I'm trying to help them set up a VPN to some shared directories on their server. They want to be able to access their stuff as if they were in the office when they are at home or on the road.

Ideally, they would want a mapped network drive that becomes available when a VPN connection is established to the server. I'm hoping that if I follow the instructions on MS's blog to set up an SSL VPN, it would that do what I want. ( https://blogs.technet.microsoft.com...uration-in-windows-server-2012-r2-essentials/ )

Also, they want to get everyone on a Windows Domain so that they can begin hosting profiles on the server (or at least backups of their profiles) so that the limited space on their laptops isn't being wasted.

Would the laptops being on a Domain affect how it would set up the VPN?
Can I map a local network drive on their server from a client laptop and make it work over a VPN?

They have a router capable of VPN and their server has Windows 2012 R2 Essentials.

 

[Mushkins]

Their router is ultimately what determines the VPN configuration, if anything being on a domain makes it all easier. You'll need to configure your router to allow SSLVPN connections and configure account credentials or XAUTH against Active Directory to log in (and depending on the router you might need to use a specific VPN client to connect). You'll also need to configure it to use DHCP over VPN to assign the laptop's VPN connection an IP address on the business network.

And yes, you can map a network drive on the server and it will work over the VPN. The *best* way to do it is to assign the user a logon script in Active Directory that removes and remaps the drive letter and then use the VPN Clients "run AD login script upon connecting" option if it has it. In a pinch you can connect to the VPN, map the drive, and then leave it be, but it doesn't always work well when you disconnect and later reconnect to the VPN.

For such a small network I would not delve into Anywhere Access or running the VPN through the Windows server, just use what the router has built-in. It'll work, but it's more of an enterprise level solution and way more complex to get working.

 

[PliotronX]

You should check out the SoftEther VPN Server (trust me, just install it even on a workstation and play with it, it is very intuitive!). It is so easy to setup with the SoftEther client and can emulate OpenVPN which is SSL as well. No need to deal with CA business. You can have that VPN going in a few minutes by forwarding one port and it authenticates with NTLM or RADIUS. I don't like routers doing VPN because they tend to be limited in throughput while Xeons in servers, particularly AES-NI Xeons, will destroy routers in throughput. Mapping the drives via GPO is also very easily done and works over the VPN. I've even set up a site-to-site VPN with SoftEther with one side on a dynamic IP because the tunnel doesn't reference the satellite office at all, that 'spoke' sort of dials into the host server. You'll nary find a router that will carry a site-to-site tunnel over a dynamic IP.

 

[palindrome]

Thanks for the input! They just bought an ASUS RT​-AC88U. I assume that should work fine?

 

[John Connor]

Why not Team Viewer? I installed the service in my netbook that runs a FTP and Teamspeak server. I can use Team Viewer on my phone and computers to access it. Really cool because this netbook also runs Phonetray and I can check my home phone call log by logging into Team Viewer on my phone anywhere in the world and look at the netbook.

Team Viewer uses AES 256 and is HIPAA compliant. https://www.teamviewer.com/en/security/

 

[Mushkins]

Thanks for the input! They just bought an ASUS RT​-AC88U. I assume that should work fine?

https://www.asus.com/us/support/FAQ/113805 for instructions on configuring the VPN. I believe ASUS also supplies its own VPN client software that you can download from their website.

Just make sure your firmware is up to date when you install it, there have been a good number of SSL vulnerabilities that have been patched in the past year and who knows how long that particular router was sitting in a warehouse on a shelf.

 

[palindrome]

https://www.asus.com/us/support/FAQ/113805 for instructions on configuring the VPN. I believe ASUS also supplies its own VPN client software that you can download from their website.

Just make sure your firmware is up to date when you install it, there have been a good number of SSL vulnerabilities that have been patched in the past year and who knows how long that particular router was sitting in a warehouse on a shelf.

I always bring my firmwares up to date on any new appliance.

Thanks for the linky. Once I dive in, I may have more questions, but you have definitely given me some direction.

I do have one more question, while I am thinking about it. Is there anything special that I need to do to the Time Warner modem router. The routing functionalities would obviously be redundant, should I have them pick up a new modem that is just a cable modem? I've never had to bridge a cable modem/router before, but I can do a DSL/Uverse modem/router in less than 5 minutes (even the new fancy ones that you aren't supposed to be able to bridge)

 

[Yayo3p]

You are probably looking on setting up a Radius Dial-in VPN. With this setup they will be able to use Domain accounts to authenticate them onto their network from their office from a VPN connection. As long as the VPN connection is active (connected) from their Laptop/PC, they will be able to access Shared folders from their home network.

https://technet.microsoft.com/en-us/library/cc726017(v=ws.10).aspx