Most operations that users and administrators need to do from
remote locations can, and should, be performed using Remote Web
Access. RWA gives your users a secure portal to connect to the
resources of the SBS network, and it’s the preferred way to access the
network from a remote location.
Even though we generally try to avoid VPNs whenever possible
and use RWA for all our remote access needs, there is one
operation we regularly perform that works better over a
VPN: applying the monthly round of updates to the
server. Applying patches remotely always has the potential to cause
disruption, but it’s also a part of just about every SBS
administrator’s life. In our experience, a VPN connection is less
likely than an RWA session to be disrupted during patching and not
reinstated.
The problem, of course, is that to enable VPNs for patching,
you have to enable a whole additional role on the server and start
up more services. And we’re firm believers in keeping the running
services to as small a number as possible.
So what are the alternatives if RWA is out for patching? One
is to use a firewall or router that is a VPN endpoint, offloading VPN
termination from the SBS server entirely. This didn’t work well in a
two-NIC SBS 2003 environment, but it works quite well in a single-NIC
SBS 2011 environment. The second alternative is to enable RDP directly
to the SBS server. This works, but it has significant security
implications. If you do this, we strongly suggest that you configure
your firewall or router to accept RDP connections only from a specific
IP address or set of addresses, and that you also implement AuthAnvil
or another form of two-factor authentication (TFA) on the SBS server,
which isn’t a bad idea in any case.
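The source-address restriction described above belongs on the perimeter router or firewall, but the same restriction can also be applied on the SBS server’s own Windows Firewall as defense in depth. The following is an added example, not part of the original text or of any SBS wizard. It uses netsh advfirewall, which exists on Windows Server 2008 R2 (the base of SBS 2011); the New-NetFirewallRule cmdlets arrived with Server 2012 and are not available here. The addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders from the RFC 5737 documentation ranges, and the rule name is our own.

```powershell
# Added example: limit RDP (TCP 3389) on the SBS server itself to trusted source
# addresses. Defense in depth alongside the router/firewall restriction in the text,
# not a replacement for it. Run from an elevated PowerShell prompt on the SBS server.

# Constructed placeholder values (RFC 5737 documentation ranges). Replace with the
# public address(es) you actually administer from.
$TrustedSources = '203.0.113.10,198.51.100.0/24'
$RuleName       = 'Remote Desktop (restricted sources)'   # hypothetical rule name

# 1. Disable the built-in Remote Desktop rule, which allows RDP from any address.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no

# 2. Remove any previous copy of our rule so the script is safe to re-run.
#    (netsh reports "No rules match" on first run; that is harmless.)
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null

# 3. Allow TCP 3389 inbound only from the trusted sources, on every profile.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$TrustedSources profile=any

# 4. Verify: the rule should show RemoteIP equal to $TrustedSources and Enabled: Yes.
netsh advfirewall firewall show rule name="$RuleName" verbose

# 5. Confirm the RDP listener is up (Server 2008 R2 has no Test-NetConnection).
netstat -ano | findstr ":3389"
```

After applying this, test RDP from one of the trusted addresses and from an untrusted one before you log out of your current session; a typo in the address list locks you out of RDP until you fix it from the console or over RWA. The host rule does nothing for TFA; that still has to come from AuthAnvil or a similar product on the server.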
If you do have a compelling need to implement VPN onto your SBS
network, we strongly suggest that you carefully limit the users that
have VPN privileges and that you ensure their machines are fully
patched and protected at all times. VPNs significantly increase the
risk that an unpatched or compromised computer will cause problems
on your SBS network. Because a VPN connects the remote computer
directly to your network, any malware on the remote computer has
full access to your SBS network.
1. Enabling VPNs
Enabling VPNs to your SBS network is a simple process. You run
the Set Up Virtual Private Networking Wizard from the Windows SBS
Console, and you configure your router or firewall for VPN passthrough. If you have Universal Plug and Play
(UPnP) enabled, SBS will make the change on the router for you. But
we don’t enable UPnP on our network, and we don’t recommend that you
do so, either. Just manually configure the router—it takes only a
few minutes, and we think it’s safer than leaving UPnP
enabled.
To enable VPN access to your SBS network, use the following
steps:
1. Open the Windows SBS Console if it isn’t already open.
2. Click Network in the navigation bar, and then click the
Connectivity tab.
3. Select VPN Connection in the main pane, and then click
Configure A Virtual Private Network in the Tasks pane to open
the Set Up Virtual Private Networking Wizard shown in Figure 1.
4. Click Allow Users To Connect To The Server By Using A
VPN. When the wizard completes, you’ll see a status page that
tells you the wizard completed successfully, along with any
warnings, as shown in Figure 2.
5. If you get a warning, click View Warning Details to see
what the warning is about. If you have UPnP turned off on your
router, you’ll see the warning details shown in Figure 3.
6. Click Close to close the Set Up Virtual Private Networking
Warning Details page, and then click Finish to close the wizard.
7. If you don’t have UPnP enabled on your router, open
Internet Explorer and log on to the router.
8. The details for each router are different, but you need to
configure the router to forward TCP port 1723 to the IP address of
the SBS server. PPTP also carries the tunneled traffic over GRE
(IP protocol 47), which is not a TCP or UDP port and cannot be
forwarded the same way; the router setting that passes GRE through
NAT is usually called PPTP Passthrough, so you might need to enable
that as well. Most routers have an automatic method (often called
“Virtual Servers”) for configuring port forwarding. Consult your
router documentation.
9. After the router is configured, you’ll probably need to
restart the router. When you do, VPNs will be enabled on your
SBS network.
Keep in mind that the PPTP connection the wizard sets up authenticates
with MS-CHAPv2, which is no longer considered a strong protocol. That
is one more reason to restrict VPN access to the few users who
genuinely need it and to keep their machines patched.
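Once the wizard has run and the router is configured, it is worth verifying the server side and auditing who actually holds VPN access, since the text above asks you to keep that list short. The script below is an added example, not part of the original text or of the SBS wizard. It is written for PowerShell 2.0 on SBS 2011 (Windows Server 2008 R2), so it uses WMI, netstat and the .NET TcpClient class rather than Test-NetConnection, which does not exist there. The group name Windows SBS Virtual Private Network Users is an assumption about what the wizard creates; confirm it in Active Directory Users and Computers. The host name vpn.example.com is a placeholder, and Test-PptpPort is our own helper.

```powershell
# Added example: verify and audit the SBS VPN after running the wizard.
# Parts 1-3 run from an elevated PowerShell prompt on the SBS server.
# Part 4 runs from a machine on the Internet, because many routers do not
# hairpin a forwarded port back to LAN clients.

# Assumption: the group the SBS VPN wizard grants dial-in rights to.
$VpnGroup = 'Windows SBS Virtual Private Network Users'

# 1. Who can connect over the VPN? Every name here is a machine whose malware
#    would reach the LAN directly, so the list should be as short as possible.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity $VpnGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate |
    Format-Table -AutoSize

# 2. Is Routing and Remote Access running and set to start automatically?
Get-WmiObject Win32_Service -Filter "Name='RemoteAccess'" |
    Select-Object Name, State, StartMode

# 3. Is the PPTP control port listening on the server?
netstat -ano | findstr ":1723"

# 4. From outside: does the router forward TCP 1723 to the server?
function Test-PptpPort {
    param(
        [string]$HostName,          # public name or address of the router (placeholder below)
        [int]$Port      = 1723,     # PPTP control channel
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        # Wait for the connect; a closed or filtered port never completes.
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Test-PptpPort -HostName 'vpn.example.com'   # placeholder host name

# A successful TCP 1723 connect proves only the port forward. GRE (IP protocol 47)
# carries the actual tunnel and cannot be checked with a TCP connect; if TCP 1723
# succeeds but the VPN client fails right after the initial connection, a router
# that is not passing GRE (PPTP Passthrough off) is the usual cause.
```

Run part 1 on a schedule and compare the output with the previous run; an account that appears in the group without a change request, or a disabled account still holding membership, is exactly the kind of drift the text warns about.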