

The FuzzyBlog!


Updated: 11/1/2002; 5:17:05 AM.

 Friday, October 18, 2002

Windows 2000 Server Routing and Remote Access OR I'd Rather Suck a Dead Toad and HELP !!!

Yesterday I wasted an entire day to get close to 0 results.  Sigh.  Here's the deal.  One of our clients, a non-profit who specializes in placing people with disabilities in jobs, asked us recently for some basic networking help.  They needed a VPN set up and their internal network needed to have a "bastion" network server added.  A bastion network server is a single computer with two network cards through which all Internet traffic passes.  It (generally) provides, via DHCP, the addresses for a local subnet like 192.168.x.y and is the sole machine that is exposed on the Internet.  [ Good Article on Bastion Networks ]

Right now their ISP has provided them with external IP addresses for each of their office computers (and server) and they run ZoneAlarm on each machine to "protect" them.  This is one of the more brain dead ways to run an office LAN with Internet access and just plain scares the crap out of me.  DO NOT DO THIS FOR YOUR OFFICE !!!  Their IT guy is one of their staff, NOT a Linux person, who does the IT along with being a full-time case worker.  I convinced him that this was unsafe and that we should fix it by implementing a basic VPN.  He had a licensed copy of Windows 2000 Server and thus began my descent into the land of "I'd rather suck a dead toad".  I do know that some folks have had really good luck with using Windows 2000 Server for this type of purpose.  I had no luck.  None of the options for Windows 2000 Routing and Remote Access worked -- if I got DHCP working then the LAN worked only locally and client machines couldn't see the Internet.  If I set up the VPN options (as per Microsoft's exact directions) then the server couldn't see the Internet (and stopped responding to external pings).  Oh, and just as a warning to others -- INSTALL SERVICE PACK 3 FIRST.  I lost a lot of time since I didn't realize the machine was missing Service Pack 3 and apparently none of this stuff works without SP3.  No, I can't confirm this with Microsoft's fix list, but after doing an SP3 upgrade then and only then did the NAT options begin working.

So here's what I'm looking for:

  1. Can a single computer running Windows 2000 Server do this?  Serve both as a bastion host and as an incoming VPN server?  Theoretically it is possible but practically I'm starting to wonder if their setup tools allow it.
  2. Exact, step-by-step directions to do this (if they exist).  I've done I can't tell you how many Google queries and there are directions out there --- but they are all hinted at in the tables of contents of different books -- not anything like a good Linux How To document.
  3. Alternatives.  If Windows 2000 Server isn't a good way to do this then I can drop a dedicated Linux box on site but I'll end up picking up the maintenance burden so low maintenance would be good.

One approach I'm considering is a small Linksys hardware firewall between their outside Internet connection and their internal LAN to provide the DHCP.  These boxes, which are generally used for home networking, are actually quite reliable and since the office only has a fractional, shared T1, would be fast enough.  Since these are only in the $70 range now, I can just chuck one in for free as a donation (we're only talking about 5 or 6 machines in the office plus one server).  At a minimum this is safer than ZoneAlarm.
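As an added example (not from the original post) of the dedicated Linux box mentioned in item 3: a dual-homed gateway set up as the bastion host described above, NATing the private subnet out through the one public address and exposing nothing on the public side except the VPN listener. The interface names eth0/eth1, the 192.168.1.0/24 subnet and PPTP as the VPN protocol are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a dual-homed Linux gateway
# acting as the "bastion" host. Commands are printed for review unless
# APPLY=1 is set (then they run for real, which needs root and iptables).
WAN_IF="${WAN_IF:-eth0}"             # NIC holding the single public IP (assumed name)
LAN_IF="${LAN_IF:-eth1}"             # NIC on the office hub (assumed name)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # private subnet handed out by DHCP (assumed)

run() {
  if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

bastion_rules() {
  # The kernel must forward between the two NICs for NAT to work at all.
  run sysctl -w net.ipv4.ip_forward=1
  # Clean slate, then default-deny for traffic entering or crossing the box.
  run iptables -F
  run iptables -t nat -F
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT ACCEPT
  run iptables -A INPUT -i lo -j ACCEPT
  # Replies to connections the LAN or the box itself started may come back.
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Office machines reach the Internet through NAT; nothing outside can
  # open a connection to them, since only the bastion has a public address.
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
  # LAN hosts may use the bastion's own services (DHCP, DNS); ping still works.
  run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # The only listener exposed on the public side is the VPN; PPTP
  # (tcp/1723 plus GRE) is assumed here because the clients run Windows.
  run iptables -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p gre -j ACCEPT
}

# Sanity check on the generated set: how many rules open the public side?
wan_input_count() {
  ( unset APPLY; bastion_rules ) | grep -c -- "-A INPUT -i $WAN_IF"
}

bastion_rules
```

Review the printed rules first; only the two VPN rules should mention the WAN interface in INPUT, which is what wan_input_count checks.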

Tip #1: The pain started first thing when I got there and neither of the network cards in the bastion host (well, the theoretical bastion host) could ping.  Standard IBM EtherJet cards that worked perfectly before going in this box.  Know what fixed them?  Just moving the graphics card over one slot and then moving the two network cards over to where the graphics card was.  Go figure.  Plug and Play?  Try Plug and Pray or, as I prefer, "Plug and sacrifice a goat".

Tip #2: I did expect some problems so I brought along an extra hub with me, which I set up immediately.  This let the "bastion" host and the IT guy's laptop be isolated from the main network, preserving Internet access for everyone else in the office.  This way, for the 8+ hours that I had to tinker with the beast known as Windows 2000 Server Routing and Remote Access, at least Internet access was preserved.

Note: They're budget strapped and since we've done one big project for them this fell into the category of free help for good client relations.


6:44:36 AM