PIX 506e and Windows 2000 Server Domain Controller - best way to set up VPN

Hi, I am trying to set up a remote access VPN......Just for 1 user to remotely access our network.

We have a PIX 506e that sits in front of our LAN......we have a Windows 2000 Server Domain Controller.....

I have some basic questions that I am sure will not be hard for you guys to answer. BTW I posted a similar question on a Microsoft security NG but didn't receive a lot of help.

First of all, I will probably end up using the Cisco VPN client.....but so far I have just tried to set up a PPTP connection......

The remote PC is able to connect to the network.....the DC authenticates the user, and the logs show this.....

First question: Does the PC that is connecting via the VPN have to be part of the domain? If I use a laptop that has been added to the domain in the past, I am able to access everything on the network that I should be able to....just like if I was sitting in my office......

However, if I try to connect with a laptop that is not currently part of the domain, I can still connect....and Windows still authenticates me.....but I have no access to anything on the network.

Second question: If the PC connecting over the VPN has to be part of the domain....is it possible to add a new PC to the domain over the VPN? I tried this and it didn't work.

Third question: Does anyone know if there is a way to configure Windows 2000 Server to allow a PC (that has not been added to the domain) to access the domain? Is this what the Guest account does?

Thanks in advance for your help.



No, the remote PC does not have to be a member of the domain. It does, however, need to be able to resolve hostnames via both DNS and WINS, and will likely therefore have to use the DNS and WINS servers in the domain. Domain membership is not required in order to use those resources, typically, as authentication to access DNS and WINS is not necessary.

This is probably due to name resolution issues. Make sure your remote client is being passed the correct *internal* DNS and WINS servers as part of the PIX 506e VPN configuration.

Generally not. This is because a reboot is required during the domain joining process, and when you reboot you lose VPN connectivity. Note, however, that recent versions of the Cisco VPN client have a method whereby you can create a VPN connection *before* logon; I have used this functionality in the past to facilitate joining remote systems to a domain over a VPN.

Generally, the only thing that is required is a matching username and password on the local system and the domain.

BTW, if you want to follow up on this thread in the microsoft.public.windows.server.networking group, I'm generally monitoring messages there and we can pick up the discussion. Aside from the PIX configuration issues, this thread is pretty much OT for this NG.


Scott Lowe
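
The reply above points at the DNS and WINS servers handed to the remote client by the PIX. As an added illustration that is not part of either poster's messages, this is where those values are set in PIX OS 6.x, for the PPTP setup in the question and for a Cisco VPN client group; the group names, the domain name and the 10.0.0.10 address are placeholders for the internal DNS/WINS server.

```cisco
! Constructed fragment for PIX OS 6.x, to be merged into an existing
! remote access configuration. Group names, domain name and addresses
! are placeholders; 10.0.0.10 stands in for the internal server that
! runs DNS and WINS for the domain.

! PPTP remote access (the setup tested in the question):
! name servers handed to the client during PPP negotiation
vpdn group 1 client configuration dns 10.0.0.10
vpdn group 1 client configuration wins 10.0.0.10

! Cisco VPN client group, if that client is adopted later:
! name servers and DNS suffix pushed to the client
vpngroup REMOTE-USERS dns-server 10.0.0.10
vpngroup REMOTE-USERS wins-server 10.0.0.10
vpngroup REMOTE-USERS default-domain example.local
```

After reconnecting, `ipconfig /all` on the remote PC should list the internal DNS and WINS servers on the VPN adapter.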

Scott -

Thank you for your help. You were exactly right about what the problem was - WINS server. Now everything is working like it should be. I appreciate it.

