Continuing from "Make peace with your VPN," part one of this two-part series, our experts offer more veteran advice on dealing with the pitfalls of VPN management.
SearchWin2000.com member: I have been offered a VPN solution (e-mail and files access) using Win2000 Server with Terminal Services. Our dispersed users are on Windows XP. Will XP work on Terminal Services and are there significant overheads when synchronizing?
William Boswell: Terminal Services makes a great solution for remote user access. The key thing to watch for is the speed of the VPN interface. Is this a software or hardware solution? If hardware, get the fastest VPN processor your budget will allow. The user machines will also be affected if the client side of the VPN runs in software. Plan on upgrading older laptops if performance is bad.
SearchWin2000.com member: I have a network behind a Windows 2000 NAT (Network Address Translation). I would like to be able to have a machine behind the Win2k NAT connect to a VPN. I know some of the newer cable/DSL routers can pass the packets, so I figure that Windows 2000 should be able to be configured to do the same, but I have not been able to figure out how to do it.
Laura Hunter: To accomplish this, you'll need to map the private NAT IP addresses to externally routable public IPs. Reference Microsoft Knowledge Base article 329754 for detailed instructions on how to do this.
SearchWin2000.com member: Can you clarify for me whether PPTP VPN connections are encrypted and if they go through a router and a NAT? I have read somewhere that the communications are not encrypted if they go through a router. I am forced to connect to a NT4 host. Am I correct in thinking that this means I cannot use IPsec or L2TP?
Mark Edmead: NAT, as you know, is used to reassign the private IP addresses of client machines inside a network to be published. One of the advantages of NAT is that fewer published (or officially assigned) IP addresses are required, because the NAT can reuse the same IPs at different times. For security reasons, another advantage is that the internal IPs are never made known outside the enterprise.
With this in mind, a disadvantage of NAT is that some protocols, such as IPsec and L2TP, cannot pass through the "translation" process. Neither IPsec nor L2TP/IPsec is able to do the automated exchange of keys across a NAT.
A VPN is a private channel typically created across a network (like the Internet) that connects two computers. The VPN client connects to the VPN server using a tunneling protocol, such as PPTP. Both the client and the server must have IPs assigned. PPTP can be used for both client-to-gateway and gateway-to-gateway scenarios. PPTP can pass through a NAT. In fact, Microsoft recommends that PPTP be used in scenarios that require a NAT-capable VPN connection.
SearchWin2000.com member: I need to be able to perform remote access connections from my Windows CE handheld to the LAN by using VPN connectivity. We are running Nortel Contivity VPN routers. I haven't heard of any Nortel VPN client for Windows CE. Do you know if it would be possible to use some other kind of VPN client to connect to a Nortel VPN switch?
Jerry Honeycutt: Try Certicom's movianVPN.
SearchWin2000.com member: I have two mixed mode domains, each on their own subnet, connected via Cisco VPN. I've set up DNS and established trusts so I can now explicitly browse single machines' shares in either domain. How do I browse the other domain? The opposite domain doesn't show up in 'entire network' or 'directory'. How do I get it to do this?
William Boswell: When you connect via the VPN, your machine is assigned an IP address. This address is more than likely in the subnet where you can view the servers in My Network Places. This means you've connected to the subnet master browser in that subnet. You should get a browse list that contains both domains.
Try this. Add an LMHOSTS entry for the PDC Emulator in the domain you can't see in the browse list. Sample line: 192.168.1.100 BigDog #PRE #DOM:domain_name.
Run nbtstat -R to flush and reload the cache. Run nbtstat -c to check that the cache has the new entry.
Make your VPN connection and see what happens to the browse list. Run Browmon (from the Resource Kit) at the client and point it at the domain you're able to browse, then the domain you can't.
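Before running nbtstat -R, it helps to confirm that the LMHOSTS file really carries a #PRE #DOM entry for the domain that is missing from the browse list. The following is an added Python example, not code from the original page or its experts; the sample file contents, the helper names parse_lmhosts, find_domain_controller and ensure_dom_entry, and the assumption that the file uses only plain host lines (no #INCLUDE or #BEGIN_ALTERNATE blocks) are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# LMHOSTS keywords: #PRE preloads the entry into the NetBIOS name cache,
# #DOM:<domain> marks the host as a domain controller for that domain.
# Keywords are written in uppercase, as in the answer's sample line.
NETBIOS_NAME_MAX = 15

@dataclass
class LmhostsEntry:
    ip: str
    name: str
    preload: bool
    domain: Optional[str]

def parse_lmhosts(text: str) -> List[LmhostsEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed LMHOSTS line: {raw!r}")
        ip, name = parts[0], parts[1]
        ipaddress.IPv4Address(ip)              # raises on a bad address
        if len(name) > NETBIOS_NAME_MAX:
            raise ValueError(f"NetBIOS name longer than {NETBIOS_NAME_MAX}: {name}")
        preload, domain = False, None
        for tok in parts[2:]:
            if tok == "#PRE":
                preload = True
            elif tok.startswith("#DOM:"):
                domain = tok[len("#DOM:"):]
            elif tok.startswith("#"):
                break                          # ordinary comment: ignore the rest
        entries.append(LmhostsEntry(ip, name, preload, domain))
    return entries

def find_domain_controller(entries: List[LmhostsEntry], domain: str) -> Optional[LmhostsEntry]:
    """Return the preloaded #DOM entry for domain (case-insensitive), or None."""
    for e in entries:
        if e.preload and e.domain and e.domain.lower() == domain.lower():
            return e
    return None

def ensure_dom_entry(text: str, ip: str, name: str, domain: str) -> str:
    """Return LMHOSTS text with a '#PRE #DOM' line for domain, appending one if missing."""
    if find_domain_controller(parse_lmhosts(text), domain):
        return text
    return text.rstrip("\n") + f"\n{ip} {name} #PRE #DOM:{domain}\n"

# Constructed sample file (not from the original page)
SAMPLE_LMHOSTS = """\
# constructed sample LMHOSTS
192.168.1.100 BigDog   #PRE #DOM:domain_name
192.168.2.5   FileSrv  #PRE   # plain comment after the keywords
10.0.0.7      PrintSrv        # no preload, no domain tag
"""
```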