#1
Hi all,

I have a colleague who is on the road/works from home very
frequently, who also has a need to access internal systems
at times. He uses Windoze--and needs to access a Windoze
hosted application called Expandable--so the current solution
is for him to use Remote Desktop through the company's firewall.

Apart from the security concerns, this method clearly doesn't
scale. Judging from the limited research I've been able to
perform, it looks like a VPN would be the ideal solution.
Assuming the use of NAT at both ends, is this correct? The
set up I'm imagining is something like this:

Solaris VPN host---+
                   |
Windoze app host---+---Switch---NAT router---Internet---NAT router---client laptop
                   |
Other corp hosts---+

In the above ASCII art, assume that there could be multiple
"NAT routers and client laptops".

Is the above doable? That is, is it possible for a laptop running
Windoze (XP for example) to access corporate resources as though
it was inside the corporate NAT/firewall, assuming the use of a
Solaris VPN server?

If the above is doable, pointers for how to do this would be appreciated.
I'm currently wading through the IPsec part of the Solaris admin
manual if that helps. The target for the Solaris host is some recent
version of Nevada, probably build 95.

Many TIA,

--
Rich Teer, SCSA, SCNA, SCSECA

CEO,
My Online Home Inventory

URLs: http://www.rite-group.com/rich
      http://www.linkedin.com/in/richteer
      http://www.myonlinehomeinventory.com

#2
Hi Rich,

I had a similar problem which was resolved in a very simple way. Using
VirtualBox on Solaris 10 with Host Network Interfacing, I created a
Win2K workstation and installed the Checkpoint SecureClient VPN client
software for connecting to the Windows network.

A 64-bit build of tuntap for Solaris 10 x86, which can be used with
OpenVPN/FreeSWAN or provide VirtualBox with Host Interfacing, can be
found here:

ftp://ftp@ftp.flomerics.co.uk/pub/tu...-amd64.tar.bz2

The missing Solaris 10 library can be found in the following file:

ftp://ftp@ftp.flomerics.co.uk/pub/su...laris-i386.deb

Hope that helps.

Rich Teer wrote:
> Hi all,
>
> I have a colleague who is on the road/works from home very
> frequently, who also has a need to access internal systems
> at times. He uses Windoze--and needs to access a Windoze
> hosted application called Expandable--so the current solution
> is for him to use Remote Desktop through the company's firewall.
>
> Apart from the security concerns, this method clearly doesn't
> scale. Judging from the limited research I've been able to
> perform, it looks like a VPN would be the ideal solution.
> Assuming the use of NAT at both ends, is this correct? The
> set up I'm imagining is something like this:
>
> Solaris VPN host---+
>                    |
> Windoze app host---+---Switch---NAT router---Internet---NAT router---client laptop
>                    |
> Other corp hosts---+
>
> In the above ASCII art, assume that there could be multiple
> "NAT routers and client laptops".
>
> Is the above doable? That is, is it possible for a laptop running
> Windoze (XP for example) to access corporate resources as though
> it was inside the corporate NAT/firewall, assuming the use of a
> Solaris VPN server?
>
> If the above is doable, pointers for how to do this would be appreciated.
> I'm currently wading through the IPsec part of the Solaris admin
> manual if that helps. The target for the Solaris host is some recent
> version of Nevada, probably build 95.
>
> Many TIA,
>

#3
Rich Teer wrote:
> I have a colleague who is on the road/works from home very
> frequently, who also has a need to access internal systems
> at times. He uses Windoze--and needs to access a Windoze
> hosted application called Expandable--so the current solution
> is for him to use Remote Desktop through the company's firewall.

OpenVPN server works nicely on Solaris.

#4
I too recommend OpenVPN (stable).

It's easy to set up and works perfectly in heterogeneous environments.

#5
On Mon, 25 Aug 2008, Daniel Brnak wrote:

> I too recommend OpenVPN (stable).
>
> It's easy to set up and works perfectly in heterogeneous environments.

Thanks; I'll look into OpenVPN!

--
Rich Teer, SCSA, SCNA, SCSECA

CEO,
My Online Home Inventory

URLs: http://www.rite-group.com/rich
      http://www.linkedin.com/in/richteer
      http://www.myonlinehomeinventory.com

#6
Rich Teer wrote:
> Thanks; I'll look into OpenVPN!

Keep in mind that one of the interfaces of the OpenVPN server
would have to be reachable from the outside. The other interface
would be on the intranet.

It doesn't really match the picture you painted. You might have to
convince the network admins to open up access to the VPN server.

#7
On Tue, 26 Aug 2008, Oscar del Rio wrote:

> Keep in mind that one of the interfaces of the OpenVPN server
> would have to be reachable from the outside. The other interface
> would be on the intranet.

Got it. Do they have to be two physical interfaces, or can one
use virtual interfaces?

> It doesn't really match the picture you painted. You might have to
> convince the network admins to open up access to the VPN server.

That's OK; I am he. :-)

--
Rich Teer, SCSA, SCNA, SCSECA

CEO,
My Online Home Inventory

URLs: http://www.rite-group.com/rich
      http://www.linkedin.com/in/richteer
      http://www.myonlinehomeinventory.com

#8
Rich Teer wrote:
> On Tue, 26 Aug 2008, Oscar del Rio wrote:
>
>> Keep in mind that one of the interfaces of the OpenVPN server
>> would have to be reachable from the outside. The other interface
>> would be on the intranet.
>
> Got it. Do they have to be two physical interfaces, or can one
> use virtual interfaces?

I believe it has to be 2 interfaces. I tried it with virtual interfaces
after one NIC failed and while it looked like it was working, traffic was
not flowing. But I might have missed something in the rush (I just
scavenged another NIC and got it working again).