views: 919
answers: 4

I have two distant locations with Windows Server 2003. Can I build a secure tunnel quickly? Is there secure VPN built into the OS? I have domain names and router control on both sides.

I can build a "VPN" connection with the wizard (PPTP). I opened port 1723 TCP on the other router; do I need 47 GRE also? The router does not allow me to configure GRE protocol.

Do I need to do something else on the second machine?

Is the MS VPN secure? I used to trust only OpenSSH.

A: 

You can use ssh tunneling if you have an ssh server on the remote machine.

Angel Chiang
A: 

Take a look at rsync for Windows coupled with Delta Copy for Windows

All of the above without the need to install cygwin.

gahooa
The first link should be named "OpenSSH"?
Karl Thorwald
rsync/ssh will require a way to get through the firewall. If you're able to do that, rsync will work but there's a learning curve (esp. if you're a Windows person).
jdigital
The link is named "rsync for Windows" but it currently points to "sshwindows.sourceforge.net" - is that on purpose?
Karl Thorwald
A: 

If "quickly" means "for a single use", Remote Desktop with Drive Mapping might be the simplest solution, and requires only a single port (3389). Run MSTSC, make sure that the options include Drive Mapping, and you're good to go.

You can use (for example) \\tsclient\c to access drives shared from one end or the other.

Otherwise, Routing and Remote Access is the service you can use that's built into the OS, and has wizards for configuring a VPN from each end.

The port publishing scenario does vary based on the VPN protocol and firewall in use: http://blogs.technet.com/rrasblog/archive/2007/06/13/ports-affecting-the-vpn-connectivity.aspx

Some (especially SOHO) router/NAT/firewalls don't like PPTP at all from a publishing perspective, but most perform it outbound without issue, these days.

Tristank
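The one-off RDP copy described in the answer above, as an added example (not code from the original post): a small cmd script that writes an .rdp file with client drive redirection limited to the local C: drive, launches mstsc against the remote server, and shows the xcopy command to run inside the session. The host name srv2.example.com and the paths are assumptions.

```batch
@echo off
REM Added example: copy files over a single RDP session (TCP 3389)
REM using client drive redirection, so the remote session can read
REM this machine's C: drive as \\tsclient\C.
REM Assumed values: remote server "srv2.example.com", source folder
REM C:\data on this machine, destination D:\inbound on the server.
setlocal

set REMOTE=srv2.example.com
set RDPFILE=%TEMP%\%REMOTE%-copy.rdp

REM Write a minimal .rdp file. Redirect only the C: drive (use "*" for
REM every local drive) and leave clipboard and printers unredirected,
REM so the remote session gets no more of this machine than it needs.
>  "%RDPFILE%" echo full address:s:%REMOTE%:3389
>> "%RDPFILE%" echo drivestoredirect:s:C:
>> "%RDPFILE%" echo redirectclipboard:i:0
>> "%RDPFILE%" echo redirectprinters:i:0
>> "%RDPFILE%" echo redirectcomports:i:0
>> "%RDPFILE%" echo redirectsmartcards:i:0

echo Connecting to %REMOTE%. Inside the session, open a command prompt and run:
echo.
echo     xcopy \\tsclient\C\data D:\inbound /E /I /H /K /Y
echo.
echo (xcopy is present on Windows Server 2003; /E copies subfolders
echo  including empty ones, /H hidden files, /K keeps attributes.)

REM mstsc blocks until the session window is closed.
mstsc "%RDPFILE%"

REM Remove the connection file once the session is over.
del "%RDPFILE%"
endlocal
```

Because this exposes 3389 on the router, forward it only from the peer site's public address rather than from anywhere, and remove the rule again once the copy is done; the drive redirection setting in the .rdp file is the only thing that makes \\tsclient visible on the far end.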
+3  A: 

There are a couple of options when trying to securely copy files between two Windows 2003 servers. Each option has its pros and cons depending on your specific environment. Here is a list of options that come to mind:

  1. Routing and Remote Access (RRAS) Virtual Private Network
  2. Windows IPSec
  3. Remote Desktop Protocol (RDP)
  4. SSH Service

RRAS can be configured as a demand dial VPN connection between two servers. There is a wizard that can walk you through creating the settings but it's usually used for scenarios where you want to join multiple sites (tunnel mode) and not for point to point connections (transport mode). Very secure and reliable but a little more complex than what you are asking for.

If you don't have to deal with any Network Address Translation (NAT) port forwarding you could simply create an IPSec policy and use a shared secret for the authentication. Configuring IPSec can be accomplished in the Local Security Policy (Secpol.msc) Management Console and there are wizards to walk you through the configuration. You can't get much more secure than this.

RDP is a simple solution that allows you to interact with each server using Windows Explorer. Chances are you have already configured your servers to allow Remote Access and thus have this option available to you once you allow the traffic through the router/firewall. This traffic is safe and secure but requires interactive configuration (for example, you can't have a script launch RDP and copy the files).

The last option that comes to mind is SSH. I have been using FreeSSHD on my Windows servers for several years as a way to support scripted connections between my servers. You could also use OpenSSH but the configuration is a little more difficult than FreeSSHD. Reliable and secure, this would be the easiest solution to configure even if having to deal with a router/firewall since you only need to open port 22. One warning: many people are actively scanning the network for SSH servers and attempting brute force logins. I only allow certificate-based authentication to my servers, thus avoiding any chance of someone guessing my password.

My first choice is to use IPSec (assuming you don't have any problems with NAT and/or firewalls) and my second choice would be SSH. I hope this helps.

Dscoduc
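The answer above recommends an IPsec policy with a shared secret as its first choice but only points at the secpol.msc wizards. As an added example (not the answerer's own configuration), here is the same policy built from the command line with the `netsh ipsec static` context that Windows Server 2003 ships with, which is easier to review and to reproduce on the second server. The peer address 203.0.113.10, the policy and rule names, and the placeholder pre-shared key are assumptions; run the script on both servers with PEER pointing at the other one.

```batch
@echo off
REM Added example: host-to-host IPsec (transport mode) between this server
REM and one peer, ESP required in both directions, pre-shared key auth.
REM Tested syntax is that of "netsh ipsec static" on Windows Server 2003.
REM Assumed values: PEER and PSK below. Use the same PSK on both servers.
setlocal

set PEER=203.0.113.10
set POLICY=SiteToSite-ESP
REM Replace with a long random secret. The PSK is held in the local
REM policy store readable by administrators, so treat it like a password.
set PSK=replace-with-a-long-random-secret

REM 1. Create the policy container, unassigned until the rule is complete.
netsh ipsec static add policy name="%POLICY%" description="Require ESP to %PEER%" assign=no

REM 2. Filter list: every IP protocol between this host ("me") and the
REM    peer. mirrored=yes adds the reverse direction automatically.
netsh ipsec static add filterlist name="To-%PEER%"
netsh ipsec static add filter filterlist="To-%PEER%" srcaddr=me dstaddr=%PEER% protocol=ANY mirrored=yes

REM 3. Filter action: negotiate ESP with 3DES/SHA1 (the strongest suite
REM    Windows Server 2003 IPsec offers; AES arrived later). soft=no
REM    forbids falling back to clear text if negotiation fails, inpass=no
REM    refuses unsecured inbound packets, qmpfs=yes gives each quick-mode
REM    SA fresh key material.
netsh ipsec static add filteraction name="RequireESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no qmpfs=yes

REM 4. Rule binding filter list, action and PSK authentication together.
REM    kerberos=no because the two servers are not in one forest.
netsh ipsec static add rule name="ESP-%PEER%" policy="%POLICY%" filterlist="To-%PEER%" filteraction="RequireESP" kerberos=no psk="%PSK%"

REM 5. Assign the policy. Only one IPsec policy is assigned at a time,
REM    so this replaces any policy previously assigned on this host.
netsh ipsec static set policy name="%POLICY%" assign=y

REM 6. Verify: the first packets trigger IKE, so the first ping may time
REM    out; a quick-mode SA for the peer should then be listed.
ping -n 4 %PEER% >nul
netsh ipsec dynamic show qmsas

endlocal
```

A few points a practitioner will want to check: IKE needs UDP 500 (and UDP 4500 plus ESP, IP protocol 50, if either side is behind NAT) open on the routers, which is exactly the NAT limitation the answer mentions; because soft=no, a typo in the PSK on one side does not silently downgrade to clear text but simply blocks all traffic to the peer, so keep an out-of-band way to reach the server while testing; and `netsh ipsec static show policy name="SiteToSite-ESP" level=verbose` prints the assembled policy for review before you assign it.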