
VPN and Active Directory Servers have to be separate?

Hi everyone,

 

My cousin says you can't run VPN and Active Directory on the same dedicated server because it's a Microsoft security feature. Is that true? You need a separate dedicated server for VPN, and another separate server for AD?

 

Thanks


You wouldn't do it even if it was possible, it's extremely unsafe to do so. You're allowing connections and connection attempts from the internet through to your most trusted source of authentication and authorization. It's one thing to use AD authenticated VPN (which is fine) and another to actually route all VPN traffic through a DC and open ports up to the internet.

 

As for it being possible I don't know, I have never tried to install those server roles on the same server before, for the above reason.


1 minute ago, leadeater said:

You wouldn't do it even if it was possible, it's extremely unsafe to do so. You're allowing connections and connection attempts from the internet through to your most trusted source of authentication and authorization. It's one thing to use AD authenticated VPN (which is fine) and another to actually route all VPN traffic through a DC and open ports up to the internet.

 

As for it being possible I don't know, I have never tried to install those server roles on the same server before, for the above reason.

Gotcha, thank you. Yeah, there's a hacky way to do it apparently but like you said, unsafe 


16 minutes ago, leadeater said:

You wouldn't do it even if it was possible, it's extremely unsafe to do so. You're allowing connections and connection attempts from the internet through to your most trusted source of authentication and authorization. It's one thing to use AD authenticated VPN (which is fine) and another to actually route all VPN traffic through a DC and open ports up to the internet.

 

As for it being possible I don't know, I have never tried to install those server roles on the same server before, for the above reason.

The client says his previous place of employment allowed for one dedicated server utilizing VPN. Do you think this server must just not have had Active Directory DS on it or something? I'm wondering how they got away with it. It would be nice to provide him with an answer to that, as I pitched him he needs two dedicated servers


The only way is to have a dedicated VPN with a pass-through, so when they connect to the VPN they get access to the internal network; that is common with mid to large enterprises.


1 minute ago, ssfdre38 said:

The only way is to have a dedicated VPN with a pass-through, so when they connect to the VPN they get access to the internal network; that is common with mid to large enterprises.

It may have been a mid to large business.

 

Do you mean a dedicated VPN server with a password that connects to the Active Directory server?


You would have it set up to connect to your DHCP server so it can pull an IP address for your connection to the VPN, to give you access to the network and then to the AD DS. For a true setup it's hard, but it can be done; it just takes time.


21 minutes ago, berderder said:

The client says his previous place of employment allowed for one dedicated server utilizing VPN. Do you think this server must just not have had Active Directory DS on it or something? I'm wondering how they got away with it. It would be nice to provide him with an answer to that, as I pitched him he needs two dedicated servers

It may have been a single server but was it a single OS? Surely it was multiple VMs?

 

Frankly just because one place was doing something stupid doesn't mean it's a valid reason to do it again :P.

 

Also, nowadays it's much better to terminate VPN connections onto your firewall rather than using the Windows Server role. You can still do AD auth using 802.1X and the Windows NPS/RADIUS role.
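An audit script for the situation this thread describes, a domain controller that also carries the Routing and Remote Access (VPN) role. This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module on the machine running it, WinRM access to each DC, and the standard ServerManager feature names for RRAS.

```powershell
# Added example (not from the thread): find domain controllers that also run the
# Routing and Remote Access (VPN) role or have VPN listeners open, so the role can be
# moved off the DC to the firewall or a separate VM (AD auth via NPS/RADIUS instead).
# Assumes: RSAT ActiveDirectory module locally, WinRM to every DC, Windows Server 2012+.
Import-Module ActiveDirectory

# ServerManager feature names for RRAS/VPN on Windows Server 2012+.
$vpnFeatures = 'RemoteAccess', 'DirectAccess-VPN', 'Routing'
# TCP ports a Windows VPN server typically listens on: 1723 (PPTP) and 443 (SSTP).
# 443 is shared with other services, so a hit there is a prompt to look, not proof.
$vpnPorts = 1723, 443

$findings = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $remote = Invoke-Command -ComputerName $dc -ScriptBlock {
        $installed = Get-WindowsFeature -Name $using:vpnFeatures |
                     Where-Object Installed |
                     Select-Object -ExpandProperty Name
        $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                     Where-Object { $using:vpnPorts -contains $_.LocalPort } |
                     Select-Object -ExpandProperty LocalPort -Unique
        [pscustomobject]@{
            InstalledVpnRoles = @($installed)
            VpnListenPorts    = @($listening)
        }
    }
    [pscustomobject]@{
        DomainController  = $dc
        InstalledVpnRoles = ($remote.InstalledVpnRoles -join ', ')
        VpnListenPorts    = ($remote.VpnListenPorts -join ', ')
        # A DC with the role installed is the configuration the thread warns against.
        AtRisk            = (@($remote.InstalledVpnRoles).Count -gt 0)
    }
}

$findings | Format-Table -AutoSize
```

Any DC reported with AtRisk = True is a candidate for removing the RRAS role and terminating the VPN elsewhere, with AD authentication kept via NPS/RADIUS as described above.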


34 minutes ago, leadeater said:

It may have been a single server but was it a single OS? Surely it was multiple VMs?

 

Frankly just because one place was doing something stupid doesn't mean it's a valid reason to do it again :P.

 

Also, nowadays it's much better to terminate VPN connections onto your firewall rather than using the Windows Server role. You can still do AD auth using 802.1X and the Windows NPS/RADIUS role.

Yeah, I really don't know what their situation was. Multiple VMs perhaps. Maybe they sort of hacked it like I was mentioning 


2 hours ago, berderder said:

Hi everyone,

 

My cousin says you can't run VPN and Active Directory on the same dedicated server because it's a Microsoft security feature. Is that true? You need a separate dedicated server for VPN, and another separate server for AD?

 

Thanks

1 hour ago, leadeater said:

It may have been a single server but was it a single OS? Surely it was multiple VMs?

 

Frankly just because one place was doing something stupid doesn't mean it's a valid reason to do it again :P.

 

Also, nowadays it's much better to terminate VPN connections onto your firewall rather than using the Windows Server role. You can still do AD auth using 802.1X and the Windows NPS/RADIUS role.

Yeah... this is a lot more common than you think. It has to do with MSPs doing things on the cheap and internal IT not knowing anything about security. When I started where I am we had the same, but it was fine because "the FSMO roles are on the other DC". Needless to say this wasn't fine at the next PCI audit.

 

But yeah, just because something can be installed on a DC doesn't mean it should be. If it is two separate virtual hosts you're fine.


16 minutes ago, Blake said:

Yeah... this is a lot more common than you think. It has to do with MSPs doing things on the cheap and internal IT not knowing anything about security. When I started where I am we had the same, but it was fine because "the FSMO roles are on the other DC". Needless to say this wasn't fine at the next PCI audit.

 

But yeah, just because something can be installed on a DC doesn't mean it should be. If it is two separate virtual hosts you're fine.

 

So I can put Active Directory on the server, and run the VPN server from a virtual machine on the same system? That would get around the security problem?


18 minutes ago, berderder said:

So I can put Active Directory on the server, and run the VPN server from a virtual machine on the same system? That would get around the security problem?

You would virtualize both in that situation. Very rarely would I actually run a server directly on hardware now, even if it is a single VM. With a VM you gain the ability to create snapshots before doing changes and if something goes wrong you can roll back, also when it comes time to replace the hardware it is super simple as all you need to do is copy the VM to the new hardware then start it.

 

There are caveats to VM snapshots though: never do them on a DC or database server of any kind. Rolling back a DC will mess with authentication tokens and synchronization between other DCs, and if you roll back a database VM you could corrupt the database and break applications that think they wrote data into the database that is no longer there.


3 hours ago, leadeater said:

As for it being possible I don't know, I have never tried to install those server roles on the same server before, for the above reason.

It works with the built-in VPN creator in Windows networking in Control Panel, but I think they don't talk to each other due to how they have been coded.

It's also not a great idea to make a VPN unless you know what you are doing and have seen how someone else does it in person, or have done it yourself for a workplace.


1 minute ago, samiscool51 said:

It works with the built-in VPN creator in Windows networking in Control Panel, but I think they don't talk to each other due to how they have been coded.

It's also not a great idea to make a VPN unless you know what you are doing and have seen how someone else does it in person, or have done it yourself for a workplace.

Yeah I have a team working on it. I've hired a contractor to handle the VPN connection and will shadow his work 


1 minute ago, berderder said:

Yeah I have a team working on it. I've hired a contractor to handle the VPN connection and will shadow his work 

Try not to get others to do it for you, as if something goes wrong and you have to fix it when they aren't available, you will have no idea how it works.


1 minute ago, samiscool51 said:

Try not to get others to do it for you, as if something goes wrong and you have to fix it when they aren't available, you will have no idea how it works.

He will be ongoing remote support staff. It'll be ok 


53 minutes ago, samiscool51 said:

It works with the built-in VPN creator in Windows networking in Control Panel, but I think they don't talk to each other due to how they have been coded.

It's also not a great idea to make a VPN unless you know what you are doing and have seen how someone else does it in person, or have done it yourself for a workplace.

That is for creating a client VPN connection. What we are talking about is the Routing and Remote Access server role within Windows Server. There are some roles that Windows Server will not allow to be installed at the same time and others where if they are on the same server functionality is locked out/restricted.

 

56 minutes ago, samiscool51 said:

Try not to get others to do it for you, as if something goes wrong and you have to fix it when they aren't available, you will have no idea how it works.

But it is better to get it done correctly than for you to do it incorrectly. Plus, when you pay for an IT contractor to do work they supply all the required documentation on how it was set up.


1 hour ago, leadeater said:

That is for creating a client VPN connection. What we are talking about is the Routing and Remote Access server role within Windows Server. There are some roles that Windows Server will not allow to be installed at the same time and others where if they are on the same server functionality is locked out/restricted.

Oh, I get it now!

Sorry, had my wedding anniversary over the holidays and still messed up from it...

Been like this for a month....

Well, I got to celebrate being married for 3 years with my wife! Yay!
