Hi Ben, thanks for the advice.

1) Since I'm totally new to VPNs, IPsec etc., could you clarify something for me. To set up a station-to-station VPN between the router and firewall, is that done with special software (i.e. stunnel or something else)? I don't have the basics down on this yet. The 'firewall' is actually a Solaris server so I could do anything there, but on the router side it's only an SMC box. What do I need on the Win boxes behind the router to set this up?

2) The users make idiots look like Einstein, therefore I'll have to try 2a. I'm hoping that the cable connection between Shaw (Western Canada) and Swiss Telecom will be good.

3) I promise I won't tell. :)

Gary.

----- Original Message -----
From: "Ben Nagy" <[EMAIL PROTECTED]>
To: "'Gary Ferrer'" <[EMAIL PROTECTED]>; "'Firewall list'" <[EMAIL PROTECTED]>
Sent: March 7, 2002 5:02 PM
Subject: RE: advice

> Caveat: I am prepared to bet that this will suck and be slow.
>
> 1. Set up station-to-station VPN between the router and the firewall.
> IPSec or PPTP will be your best bet here. Test with ping between your
> remote clients and your SMB server.
>
> 1a. If that's all too hard or doesn't work, just set up PPTP on your SMB
> server, configure all the remote clients with a VPN dialup adapter,
> allow PPTP (TCP 1723, IP Prot 47 (GRE)) in through your firewall and do
> the authentication and stuff on the internal server. Some might point
> out that this way isn't as secure - they're absolutely right, but if you
> use strong passwords it's not _all_ that abhorrent. Well, OK, it sort of
> is. But it will work. I'd do it, if I were desperate, and I'm not a
> _complete_ idiot.
>
> 2. Map drives on the clients, and make sure that the remote clients are
> in the same workgroup/domain as the server in Canada, and add their
> usernames to the Canadian domain, with permissions to access the shares.
> Done.
>
> 2a. You could also do this the "daring" way and tell all the clients to
> look in Canada for their WINS server, and they can then access all the
> shares and Canadian machines just by browsing the network. Better for
> maintainability, but entailing much peril, slowness and flakiness.
>
> 2b. If your users aren't computer morons, you can get them to access the
> shares via //ip.address.goes.here/sharename, and then supply user
> credentials - in which case you don't need to worry about making sure
> domains etc. match. The downside to this approach is that most users are,
> in fact, computer morons.
>
> 3. Whether or not it all works, never tell anyone I gave you this
> advice.
>
> Cheers!
>
> --
> Ben Nagy
> Network Security Specialist
> Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Gary Ferrer
> Sent: Friday, March 08, 2002 3:39 AM
> To: Firewall list
> Subject: advice
>
>
> Can someone give me some advice as to where to start with this project.
> I have an SMC Barricade Broadband router in Europe (SMC7004ABR) which
> supports VPN tunneling via L2TP, PPTP and IPSec pass-through. There are
> Win XP and 98 clients behind this router only. On the other end (here
> in Canada), I have a SunScreen Lite 3.1 firewall on a Solaris 8 box.
> SunScreen has a VPN feature. I want to be able to give the Win clients
> access to SMB shares behind the Solaris firewall via a VPN. How do I
> set this up? What software do I need to do this (if any)?
>
> Thanks.
> PS: If anybody can point me to a 'HOWTO' it would be appreciated.
>
> Gary Ferrer
> [EMAIL PROTECTED]
>
>
>
> _______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
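The firewall policy that Ben's step 1a asks for (pass only the PPTP control channel on TCP 1723 and the GRE data channel, IP protocol 47, to the SMB server) is worth writing down and checking, because the classic failure is opening 1723 and forgetting GRE. The following is an added example, not code from the thread, from SunScreen or from anyone on the list: a small stateless packet-filter model in Python, with the policy expressed as an ordered rule list and two checks a practitioner would run against it. The addresses (192.0.2.10 for the Canadian SMB/PPTP server, 198.51.100.5 for the European router) are assumed documentation-range values, and the rule syntax is a generic model, not SunScreen's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# The two PPTP channels named in step 1a.
PROTO_TCP = 6
PROTO_GRE = 47     # PPTP tunnels PPP frames inside GRE (IP protocol 47)
PPTP_PORT = 1723   # PPTP control connection (TCP)

# Assumed addresses (documentation ranges, not from the thread).
SMB_SERVER = "192.0.2.10"       # Canadian SMB/PPTP server behind the firewall
REMOTE_OFFICE = "198.51.100.5"  # public address of the SMC router in Europe


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # destination port; None for GRE


@dataclass(frozen=True)
class Rule:
    """One stateless filter rule. A None field means 'any'."""
    action: str                   # "allow" or "deny"
    proto: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; no match means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Step 1a as a rule list: open exactly the two PPTP channels to the SMB
# server and nothing else, so SMB itself (TCP 139/445) is never exposed.
PPTP_POLICY = [
    Rule("allow", proto=PROTO_TCP, dst=SMB_SERVER, dport=PPTP_PORT),
    Rule("allow", proto=PROTO_GRE, dst=SMB_SERVER),
    Rule("deny"),   # explicit default deny
]

# The common mistake: control port opened, GRE forgotten.
TCP_ONLY_POLICY = [
    Rule("allow", proto=PROTO_TCP, dst=SMB_SERVER, dport=PPTP_PORT),
    Rule("deny"),
]


def pptp_reachable(rules: List[Rule], client: str, server: str) -> bool:
    """A PPTP tunnel needs both channels. With only TCP 1723 open the control
    connection succeeds, but PPP negotiation (including authentication) runs
    inside GRE, so the client stalls at the verify stage and never gets a tunnel."""
    control = Packet(client, server, PROTO_TCP, PPTP_PORT)
    data = Packet(client, server, PROTO_GRE)
    return (filter_packet(rules, control) == "allow"
            and filter_packet(rules, data) == "allow")


def smb_exposed(rules: List[Rule], client: str, server: str) -> bool:
    """True if raw SMB from the outside would reach the server. Under step 1a
    the shares must only be reachable inside the tunnel."""
    return any(filter_packet(rules, Packet(client, server, PROTO_TCP, port)) == "allow"
               for port in (139, 445))


if __name__ == "__main__":
    print("PPTP policy, tunnel possible:", pptp_reachable(PPTP_POLICY, REMOTE_OFFICE, SMB_SERVER))
    print("TCP-only policy, tunnel possible:", pptp_reachable(TCP_ONLY_POLICY, REMOTE_OFFICE, SMB_SERVER))
    print("SMB exposed to the Internet:", smb_exposed(PPTP_POLICY, REMOTE_OFFICE, SMB_SERVER))
```

The ordering matters: the default deny sits last so that the two narrow allows are the only way in, and the destination is pinned to the one server rather than the whole internal network. Ben's remark that this approach is weaker than a gateway-to-gateway IPsec tunnel still stands; the model only checks that the holes are no wider than step 1a requires.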
