Two VPN gateways on one Windows Server 2008?
Hello, I'm thinking about implementing the following scenario: two VPN "gateways" (like "intranet.contoso.com" and "extranet.contoso.com"); users in Active Directory group A are allowed to connect only to the intranet VPN, users in group B are allowed to connect only to the extranet VPN. Clients in intranet should be given broader access (more static routes to some internal networks), whereas clients in extranet are only allowed to access one specific network. The two VPNs should have different subnets, of course. I think the isolation part could be done easily using some firewall, but how to start: how to differentiate clients and assign them different addresses and static routes? It's simple if you have two Windows Server 2008 boxes, but is it possible to use only one system? Maybe Network Access Protection would be useful? Currently I have only one VPN configured with DHCP Relay Agent on the Internal interface in RRAS. DHCP is assigning static routes. I'm really looking forward to all suggestions and hints :) Thanks in advance, Regards, Wojciech
September 6th, 2010 6:53pm

Tiger, That looks promising, I'll give it a try today and get back if I have some more questions/mark as answer if it works :) Thank you for your post! Regards, Wojciech

edit: I followed the instructions from the website you gave me and clients can connect. However, it seems that they're still in the default VLAN, because after the connection I can access all network resources. I expected the connectivity to break until I configure a new VLAN interface on my router and allow it to route between my network and the new VPN VLAN. Do I need to configure a Connection Request Policy as well? In the document only the Network Policy is mentioned. Also there is a note that the Tunnel-Tag attribute is only needed if my NAS server needs it. My NAS server is RRAS, right? Does it need this setting? Regards, Wojciech
September 7th, 2010 11:57am

Thank you for your detailed information. I'm afraid the documentation you linked is not so helpful in my scenario, because none of these documents cover using NAP & VLANs in a VPN scenario; they are about 802.1x port security. In the meantime, however, I've come up with a solution on my own that seems to do the trick: IP filtering. I created multiple network policies in NAP, one policy for the intranet and one for the extranet AD user group, and configured IP filters respectively. For extranet I explicitly allow some traffic based on destination networks and/or ports. For intranet I allow all traffic. Regards, Wojciech
September 8th, 2010 12:06pm
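The following is an added model of the per-group network policy / IP filter approach from the post above; it is not code from the thread or from RRAS/NPS. It encodes two things a practitioner should check before relying on the setup: NPS evaluates network policies in processing order and the first policy whose conditions match wins (so a user in both AD groups gets whichever policy is listed first), and an IP filter in "permit only the packets listed" mode drops everything it does not list. Group names, networks and ports are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of the two NPS network policies described in the thread.
# Group names, destination networks and ports are assumptions, not from the post.

@dataclass
class Filter:
    dst_net: str                  # destination network in CIDR form
    dst_port: Optional[int] = None  # None means any destination port
    proto: str = "tcp"

@dataclass
class Policy:
    name: str
    group: str                    # AD group the policy's condition matches on
    permit_only: Optional[List[Filter]]  # None = "allow all traffic" (intranet)

# Processing order matters: NPS applies the first policy whose conditions match.
POLICIES = [
    Policy("extranet", "VPN-Extranet",
           [Filter("10.50.0.0/24", 443), Filter("10.50.0.0/24", 3389)]),
    Policy("intranet", "VPN-Intranet", None),
]

def match_policy(user_groups: Set[str], policies=POLICIES) -> Optional[Policy]:
    """Return the first policy whose group condition matches; None means no
    policy matched, which NPS treats as access denied."""
    for p in policies:
        if p.group in user_groups:
            return p
    return None

def packet_allowed(policy: Policy, dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """'Permit only the packets listed below': a packet passes only if some
    filter matches its destination network, protocol and port."""
    if policy.permit_only is None:
        return True
    ip = ipaddress.ip_address(dst_ip)
    for f in policy.permit_only:
        if (ip in ipaddress.ip_network(f.dst_net) and f.proto == proto
                and (f.dst_port is None or f.dst_port == dst_port)):
            return True
    return False

def check_access(user_groups: Set[str], dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """End-to-end check: which policy the user lands on, then whether the packet passes."""
    policy = match_policy(user_groups)
    return policy is not None and packet_allowed(policy, dst_ip, dst_port, proto)
```

A user placed in both groups ends up on the extranet policy here only because it is listed first; reorder POLICIES and the same user gets full intranet access, which is the thing to verify in the real NPS console.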
