If you download the latest version(as of this writing 5.0.07.0440) of the latest ipsec vpn client for the Cisco ASA you may notice an error when trying to connect through Windows 8. In order to get around this error and make it work you must modify your registry. It is a very simple tweak. Open regedit and browse to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesCVirtA. Once here look on the right hand side for DisplayName. You will see its current setting is something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows”. Simply change this to “Cisco Systems VPN Adapter for 64-bit Windows”. Once this is finished close regedit reboot your PC and voila your vpn will now work!
Normal Nat statment
access-list nonat extended permit ip
nat (inside) 0 access-list nonat-inside
New nat statment
object network vpnpool
nat (inside,outside) source static any any destination static vpnpool vpnpool
This NAT rule says to keep the source address for anything coming from the internal interface going to the range designated by the vpnpool object while also keeping the destination address the same.
Seems like a strange way of going about this but this is all i have come across so far. Anyone else has a better way please leave a comment.
Foresight Technologies located in Phoenix and Tempe Arizona currently utilizes N2 Network Solutions for 24/7 maintenance and monitoring. N2 has also done site to site VPN solutions for Foresight using Cisco ASA 5505 firewalls. Their server infrastructure, implemented by N2, is composed of Vmware ESX servers with multiple virtual machines.
Microsoft SBS Server 2008 is an excellent solution for small businesses. However, migrating to SBS 2008 is not that simple. First things first it is essential that you migrate to a new physical server. Doing an in place upgrade is a nightmare and I would not attempt to do it. If you don’t have another server and your current server is of x64 platform then you should create a virtual machine and use a physical to virtual utility to convert your existing machine to a virtual machine. Once that is done install SBS 2008 from scratch then power up the virtual machine. You can then migrate over to SBS 2008.
It should also be noted that x64 is becoming the new standard. It gives you a bus twice as big as its predecessor x86 processing. That being said Windows Server 2008 requires x64 hardware. It will not install on x86.
You basically have two choices when it comes to SBS2008 standard or premium. The main difference is with premium edition you can have 2 servers in the domain. As where standard was intended to be a single server solution.
Microsoft decided that ISA server would not be included in SBS 2008. This in my opinion was a good idea. There are things certain companies are good at and they should stick to their core competencies of things that they can perfect. Cisco owns Microsoft when it comes to networking/firewall’s and Microsoft has better server solutions. Do yourself a favor and do not try to use a “software” firewall solution. Use a Cisco ASA 5505 or model that fits your needs.
SBS 2008 also has a built in web interface for connecting to your PC at work. I believe RDP is the way to go for employees accessing your network remotely. The reason being is their PC acts as a dumb terminal and they can see and feel their desktop as if they were sitting at it. VPN solutions also known as virutal private networks are over rated. When a client VPN’s from home they basically connect their PC to your internal networking. Meaning that if their PC is compromised their attacker basically has a door to your network. Since it is almost impossible to control employees’ PC’s at home it is inevitable at some point they will get a virus or spyware. If you remember this is how Microsoft’s network was compromised a few years back.
Also with the premium edition you have the ability to install SQL 2008 standard. This is not an option with standard.
The steps for migrating from SBS 2003 are as follows:
Always run backups on your existing server first before doing anything. This is vital.
Next go to Windows Updates and make sure you upgraded and installed all service packs and updates.
You must now raise the function level of your SBS 2003 domain that can be done by first demoting any NT4 or Windows 2000 domain controllers(if you have any). Once that is complete Go to active directory domains and trust. Right click on your domain and select raise domain functional level to 2003. You must also upgrade the forest functional level to 2003. This can be done by staying in the console and right clicking on active directory domains and trusts select raise forest functional level.
I would recommend next that you have all of your users go into Outlook. Tell them to go to tools and empty recycle bin. This will free up tons of space worth of trash. It will help make your migration faster.
Make sure your source server has the correct time as this is essential: w32tm /config /syncfromflags:domhier /reliable:no /update
net stop w32time
net start w32time
Make sure your domain is in native mode and not mixed
Next prepare your server by inserting the 2008 SBS DVD. Go to tools click sourcetool and run it. You are going to need an answer file for this which can be created by running SBSAfg.exe on the SBS 2008 DVD.
Keep in mind you must remove the source server. You have 21 days.
When you install the new server make sure your answer file is on a USB drive. It will be auto detected as long as it is in the source of any drive. If it successfully detected after you answer all the Windows server 2008 questions you will get a start the migration page.
To migrate Exchange 2003 to Exchange 2008 I would recommend you have all your users create a backup PST from Outlook. This way you have local copies of your data. Once that is complete then on the migration wizard home page click migrate exchange mailboxes and settings. Follow the steps outlined.
Make sure to run this command to enable the pptp fixup protocol.
fixup protocol pptp 1723
If you are configure a Cisco Pix or ASA device and you have a server on the inside interface and clients on the outside who are using PPTP to VPN into the network you must make sure you do the following things.
Allow GRE traffic in the security policy
Allow PPTP traffic in the security policy
static entry for pptp on 1723 to your server
run this command in configure mode “fixup protocol pptp 1723”
Do you have a small, medium, or even large business? Are you looking for ways that employees can connect from home? There are many VPN technologies available to choose from today. The most popular choices include VPN, remote desktop, Citrix, goToMyPC(Worthless), and LogMeIn(Worthless).
I will explain each one of these choices and which ones i recommend:
I would personally not use the VPN option. Although this is probably one of the most popular deployed options I would not use it because what you are creating is a link from your employees remote machine to your network. It is the equivalent to plugging their pc directly into your network. Why is this not smart? Let me explain this means that if their machine has been hacked or they are on a hotel network, very common, then you have just opened a bridge into your entire network! Of course there are rules you can implement on your terminating server side but they can become very difficult to maintain and you will most certainly run into issues with things not working. This option is a huge security risk if you do not know what you’re doing!
The next options that I would stay away from are these little pay me $10 month and I’ll get you remote access to your machine. Services like this include goToMyPc and logMeIn. Sure they work but who wants to pay for something you should be getting for free?
The option that I personally feel is the safest, easiest, and most secure is configure remote desktop protocol or RDP. You need to be able to configure port address translation in your firewall, you may need to find help if you do not know how to do this. RDP runs on port 3389 so you need to go into your firewall and open this port to the IP address of the client machine you’re trying to access. However, if you have 20 employees that need to connect remotely then this is where you need the port address translation. You need to put holes in your firewall to all of your client machines. This means you pick a starting port let’s say 5000. So your employees will all get a port number like below.
Employee 1 = port 5000
Employee 2 = port 5001
Employee 3 = port 5002
Then you will give your employees the following information to connect remotely your external IP and port i.e. 220.127.116.11:5000. If they type this into Remote desktop and you have port 5000 to redirect to their workstation on port 3389 then they get connected right into their pc as if they were at work the entire time.