[VPN] Re: VPN with Exchange issue

Jon Scully jonscully at yahoo.com
Thu Dec 2 08:05:34 EST 2004


--- "Dube, Paul" <paul at dube.net> wrote:

> Greetings all,
> I have a client that is presenting me with a new issue for which I do
> not yet have all the facts. I will be on site tomorrow and hope to at
> least get those. However, from what I have gathered so far, they are
> using Outlook and Exchange with a custom developed application using
> public folders. The data in the public folders must be available when
> not connected so it must use the 'available offline' aspect of that
> combination.
> I am not completely familiar with Outlook/Exchange but I believe that
> this synchronization of content only transpires when using the native
> connect mode which is not commonly available without a VPN. My client
> is using the Shiva VPN client to connect to the LAN and access the
> Exchange server. The issue arises when they are in a hotel or other
> location with a LAN in the same subnet (192.169.1.255) and there is a
> machine on the LAN at the same IP address as the exchange server on
> the corporate LAN.
> I am wondering if simply putting the Exchange server on an IP
> unlikely to be assigned to a machine on another LAN, using a reserved
> address and 1-1 NAT, or routing the connection over an SSH redirect
> would be a workable solution. I am also wondering if the issue only
> arises due to an oversight in initial implementation and the Shiva
> VPN can be configured to route all requests on the specified ports
> over the VPN to a remote machine, ignoring any local machine with the
> same IP address.
>
> Thanks in advance,
> Paul Dube

Having the same subnet on opposite ends of a VPN is a problem, almost
without exception, and a common one.  The best solution is, as you
stated, putting the predictable side of the VPN on a not-so-common
subnet.

Better yet, use a range of public IP addresses that are also firewalled
off from the public.  (i.e. Your people are likely not to find your
public IP addresses on the inside of anyone else's firewall.)

Hotel 192.168.0.0/16 --> NAT/FW --> PIP/ISP --> Internet --> ISP/PIP
--> FW/NAT --> VPN/PIP --> Router --> 192.168.0.0/16 Office

PIP: Public IP address (e.g. not one of 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16)
ISP: Internet Service Provider
NAT: Network Address Translation
FW: Firewall

With the right system the "FW/NAT --> VPN/PIP --> Router" section can
be done in one unit.  The point is to use the ultimate, predictable
internal subnet: Public IP addresses.
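
The conflict discussed in this thread, as an added example that is not part of either poster's message: a sketch of longest-prefix route selection on a roaming client, showing why a server address that falls inside the hotel LAN is treated as on-link and never enters the tunnel, plus a check of a candidate office subnet against the private ranges listed above. All addresses, interface names and function names are constructed for illustration; real operating systems also weigh route metrics, which this sketch ignores.

```python
import ipaddress

# Private ranges a hotel or home LAN is likely to use (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pick_route(dest, routes):
    """Longest-prefix match: return the interface used to reach dest.

    routes is a list of (network, interface) pairs. The most specific
    matching prefix wins; on a tie this sketch keeps the earlier entry.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def collision_risk(office_net):
    """True if the office subnet overlaps a range other LANs may reuse."""
    office = ipaddress.ip_network(office_net)
    return any(office.overlaps(p) for p in RFC1918)

def client_routes(local_lan, office_net):
    """Constructed client routing table: default and on-link LAN routes
    via the physical NIC (eth0), office subnet via the tunnel (vpn0)."""
    return [("0.0.0.0/0", "eth0"), (local_lan, "eth0"), (office_net, "vpn0")]

if __name__ == "__main__":
    hotel = "192.168.1.0/24"  # constructed hotel LAN

    # Office on a private range: the hotel's /24 is more specific than
    # the office /16, so the server address is reached on the local LAN.
    routes = client_routes(hotel, "192.168.0.0/16")
    print("192.168.1.10 via", pick_route("192.168.1.10", routes))

    # Office on its own public block (198.51.100.0/24 is a documentation
    # range standing in for it): no overlap, traffic enters the tunnel.
    routes = client_routes(hotel, "198.51.100.0/24")
    print("198.51.100.10 via", pick_route("198.51.100.10", routes))

    for net in ("192.168.0.0/16", "198.51.100.0/24"):
        print(net, "collision risk:", collision_risk(net))
```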



		