Enterprise Class VPN Fast and Easy with the Celestix RAS3000
By Thomas W Shinder M.D.
We’ve been running into an increasing number of organizations who already have one or more ISA Server 2000 firewalls in place but haven’t yet configured these firewalls as co-located ISA Server 2000 firewall/VPN servers. While the co-located ISA Server 2000 firewall/VPN server is the ideal "one-box" solution for a combined VPN server and firewall, sometimes the ISA firewalls are already working at peak capacity and the organization wants to set up a dedicated VPN server. The VPN server can sit in front of, in parallel with, or behind the ISA Server 2000 firewall.
VPN server and VPN gateway setup and configuration can become an error-prone and complex affair very quickly. While configuring ISA Server 2000 firewall/VPN servers is probably easier than configuring any other firewall/VPN device, it still isn’t a "walk in the park". It was for this reason that we put together the ISA Server 2000 VPN Deployment Kit. If you’re interested in putting together a cost-effective, stable and high-performance co-located firewall/VPN solution, check out the ISA Server 2000 VPN Deployment Kit and see how it’ll work for you.
We recently needed to install a dedicated VPN server for a customer who already had a fully loaded ISA Server 2000 back-to-back configuration. This customer wanted to put the VPN server in parallel with the edge ISA Server 2000 firewall so that VPN users would have access to servers in the DMZ and could also use the internal ISA Server 2000 firewall to reach the internal network. Most of the network traffic hitting the ISA Server 2000 firewalls was on the external ISA Server 2000 firewall box. Because of this, we decided that users who required internal network access would first establish a VPN connection with the VPN device on the front end and then use VPN passthrough through the back-end ISA Server 2000 firewall/VPN server to access the corporate network.
The next step was to decide on a dedicated VPN server for this network. We always prefer using Microsoft VPN clients and VPN servers because you avoid the inevitable finger pointing and compatibility issues you see when using non-Microsoft VPN clients and VPN servers. We also needed a VPN server that was a rack-ready appliance and could be set up quickly to support about 300 users. Finally, we wanted an appliance that would allow us to "qualify" VPN clients, making sure they had the latest service packs and security hotfixes installed before connecting to the DMZ or corporate network.
Our solution was the Celestix RAS3000. The RAS3000 is a dedicated 1U rack-mountable VPN appliance that uses Windows Server 2003’s powerful Routing and Remote Access VPN server features as a base, then builds on them to create a high-performance, secure and easy-to-manage Windows-based dedicated VPN appliance. We were able to put together the configuration seen below using the Celestix RAS3000.
We needed the VPN appliance setup to be quick and easy because time was at a premium. We weren’t disappointed! The appliance has nicely labeled interfaces, and network cables are included in the box (which really helps when you’re at a site that doesn’t have extra cables and you borrowed somebody’s car to get there). You can use the RAS3000 setup guide, or, if you’re like me, you’ll try to make it work without reading the guide until you run into trouble.
The first step was to plug in the power, DMZ and external interface cables. Next, turn the thing on. You can manage the RAS3000 setup using a crossover cable and a laptop, or from a management station on the network. Not having a notebook around, I needed to use a management station on the same network as the internal interface of the RAS3000. From the management station you can connect to the Web interface of the RAS3000 using the internal IP address. But how do you know what the IP address is? Just look at the front panel of the RAS3000; it tells you.
Log on to the RAS3000’s Web interface to begin setting up the VPN appliance. The quick setup option got us up and running in less than 20 minutes.
The RAS3000 can be completely managed via its intuitive and attractive Web interface, or you can use RDP to connect to a Windows Server 2003 desktop. I found that just about everything could be done via the Web interface, but if you are already a Windows RRAS VPN networking pro, you might find it faster to open the RRAS console to do troubleshooting.
The RAS3000 has all the features included with the Windows Server 2003 RRAS VPN server. These include:
- Support for PPTP and L2TP/IPSec protocols
- Can act as VPN Server and VPN gateway for site to site links
- Full support for IETF non-proprietary NAT traversal for IPSec VPN connections
- Secure triple DES encryption
- User level auditing
- Integration with Active Directory
- RADIUS support for user authentication
- Network Load Balancing for connection balancing and real time failover
In addition, the RAS3000 adds these goodies:
- Comprehensive, easy to use Web based interface
- SQL based logging and reporting
- Email alerts for all types of system status conditions
- Enhanced support for VPN Quarantine
- Real time monitoring and alerting
- Optimized hardware/software configuration maximizes performance
- Automated VPN client configuration: just run the Wizard and distribute the VPN client file to your users. They’ll connect to the RAS3000 in less than 3 minutes!
- Option to upgrade to two-factor authentication for VPN access
- And lots more…
One of my favorite features was the slimmed-down version of the Connection Manager Administration Kit (CMAK) included with the RAS3000. You run the Web-based CMAK Wizard and it creates an executable file that VPN users install on their computers. Once the install completes, the user can connect to the RAS3000 VPN server. Our users connected in less than 3 minutes after receiving the file.
If your ISA Server 2000 firewalls are already loaded up and can’t support a co-located ISA/VPN configuration, or if you want a dedicated Windows-based VPN server and gateway appliance that is easy to set up, use and manage, then I highly recommend that you consider the Celestix RAS3000. The RAS3000 will get you out of the battle with incompatible third-party VPN client/server solutions and get your users connected without the finger-pointing hassles.
For more information on the Celestix RAS3000, please visit the Celestix Web site at http://www.celestix.com/products/ras/ras3000/intro.htm
Many thanks to Tony Bailey, Ph.D from Microsoft for his invaluable assistance in reviewing and testing the RAS3000 VPN appliance.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=12;t=000296 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom