What's encryption?

Encryption Domain Alternative?

  • We are currently switching hosting providers and setting up tunnels between our client sites and our new hosting provider. Our new hosting provider recommended using encryption domains to limit the access of the tunnel, and we decided to give it a try; however, we are running into some issues. Our client-level application needs access to three different servers at our hosting facility: 1. the load balancer, which routes the traffic to our application data server (the IP begins with 174.xx.xx.xx); 2. the database server (the IP of the db server begins with 98.xx.xx.xx); and 3. the web server (the IP begins with 98.xx.xx.xx). Thus, we were told by our new hosting provider that our customer must add three different IPs to the encryption domain: 1. the VIP for the load balancer, which begins with 174.xx.xx.xx; 2. the IP of our db server, which begins with 98.xx.xx.xx; and 3. the IP of our web server, which also begins with 98.xx.xx.xx.

    Our hosting provider is using a Cisco ASA 5510 and our client is using a Netgear ProSafe VPN Firewall Model FVS318. When we asked our client to add the three IPs to their router as the encryption domain, we were told that the Netgear ProSafe VPN Firewall Model FVS318 does NOT allow multiple IPs for the same tunnel in the encryption domain. We were told that: 1. we can enter a single IP for the encryption domain (cannot do this because we have three IPs); 2. we can enter a single IP range (cannot do this because we have two IP sets -- one beginning with 174 and one beginning with 98); 3. no encryption domain -- which is obviously not recommended.

    When we mentioned this problem to our hosting provider, we were told that our hosting provider can create a single NAT for all three IPs, but if they do this and the tunnel ever goes down, our hosting provider would have to initiate the tunnel. We do not want this. We want our customers and our application to be able to initiate the tunnel. Therefore, we are at a standstill when it comes to a solution.

    Therefore, my question is: what do you recommend using so that we can give our client access through the tunnel to only the three servers; is the encryption domain the only way? If we don't use the encryption domain, is there something else that we can use to protect our network? Is there a different piece of the encryption domain puzzle that I am missing? I know that one solution is to get all devices on the same IP range and just use that IP range, but that would require close to 50 man-hours of work because we have a few hundred VIPs set up that we will need to change.
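The three options the Netgear side offers (one IP, one range, or no encryption domain) can be compared concretely. The following is an added example, not code from the question, the answer, Cisco or Netgear: it models IPsec selector matching with Python's standard `ipaddress` module and uses constructed stand-in addresses (174.10.20.30, 98.10.20.31, 98.10.20.32, and a neighbour 98.10.20.33) for the redacted 174.xx.xx.xx / 98.xx.xx.xx hosts. It shows why "one range" is not a real middle ground here: because 98 and 174 differ in their first bit, the only single CIDR block that covers both is 0.0.0.0/0, i.e. the same as having no encryption domain at all, and even a first-to-last address range spans over a billion addresses. It also shows what the "move everything into one range" solution buys, by summarising just the two 98.x hosts.

```python
"""Encryption-domain (IPsec traffic selector) options for the tunnel in the question.

Added example. The hosts are constructed stand-ins for the redacted
174.xx.xx.xx and 98.xx.xx.xx addresses, and the matching logic is a model of
selector evaluation, not vendor code for the Cisco ASA or the Netgear FVS318.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
AddrLike = Union[str, IPv4]

# Constructed sample addresses standing in for the three protected servers.
PROTECTED_HOSTS: Dict[str, str] = {
    "load_balancer_vip": "174.10.20.30",
    "db_server": "98.10.20.31",
    "web_server": "98.10.20.32",
}
EVERYTHING = ipaddress.IPv4Network("0.0.0.0/0")


def _addrs(hosts: Iterable[AddrLike]) -> List[IPv4]:
    """Accept dotted strings or address objects; work on address objects internally."""
    return [ipaddress.IPv4Address(str(h)) for h in hosts]


def per_host_domain(hosts: Iterable[AddrLike]) -> List[Net]:
    """One /32 selector per server: the 'three IPs' the hosting provider asked for."""
    return [ipaddress.IPv4Network(f"{ip}/32") for ip in _addrs(hosts)]


def covering_prefix(hosts: Iterable[AddrLike]) -> Net:
    """Smallest single CIDR block containing every host.

    This is what a device that accepts only one network/mask per tunnel
    forces you into. Shorten the prefix until every host fits.
    """
    addrs = _addrs(hosts)
    anchor = addrs[0]
    for plen in range(32, -1, -1):
        candidate = ipaddress.IPv4Network(f"{anchor}/{plen}", strict=False)
        if all(ip in candidate for ip in addrs):
            return candidate
    raise AssertionError("unreachable: 0.0.0.0/0 contains every IPv4 address")


def covering_range(hosts: Iterable[AddrLike]) -> Tuple[str, str, int]:
    """Smallest single first-to-last address range containing every host, and its size."""
    addrs = _addrs(hosts)
    lo, hi = min(addrs), max(addrs)
    return str(lo), str(hi), int(hi) - int(lo) + 1


def permitted(domain: Iterable[Net], dst: AddrLike) -> bool:
    """Selector matching: a packet is tunnelled only if some selector covers its destination."""
    ip = ipaddress.IPv4Address(str(dst))
    return any(ip in net for net in domain)


def compare_options(hosts: Dict[str, str], probe: AddrLike) -> Dict[str, bool]:
    """For an address that is NOT one of ours, does each option let it into the tunnel?"""
    addrs = list(hosts.values())
    return {
        "per_host": permitted(per_host_domain(addrs), probe),      # option 1, three entries
        "single_cidr": permitted([covering_prefix(addrs)], probe),  # option 2, one range
        "none": permitted([EVERYTHING], probe),                     # option 3, no domain
    }


if __name__ == "__main__":
    addrs = list(PROTECTED_HOSTS.values())
    print("per-host selectors :", [str(n) for n in per_host_domain(addrs)])
    print("single CIDR        :", covering_prefix(addrs))
    lo, hi, size = covering_range(addrs)
    print(f"single range       : {lo} - {hi} ({size:,} addresses)")
    # Constructed: a neighbour of the db server that should NOT be reachable.
    print("neighbour tunnelled:", compare_options(PROTECTED_HOSTS, "98.10.20.33"))
    # The 'put everything in one range' fix, applied to just the two 98.x hosts.
    print("98.x hosts only    :", covering_prefix(["98.10.20.31", "98.10.20.32"]))
```

Run as a script, it reports that the per-host domain admits exactly the three servers while the single covering CIDR degenerates to 0.0.0.0/0 and admits the neighbour too; the two 98.x hosts alone summarise to 98.10.20.0/26, which is the kind of tight single range the "50 man-hours" option would make possible for all three.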

  • Answer:

    I am not sure what the "encryption domain" is, but I can tell you that I have a nest of different addresses that I have to let my co-workers have access to, and it all has to be encrypted. We are on Windows, and all my clients have Windows, so I don't know if this will apply to you, but here goes.

    We have an internal server farm where my VPN server is located. This handles the connection to all the clients coming in. I have a firewall that passes the client VPN via port forwarding to the VPN server. I have a second internal location that uses a different subnet than the first. It is connected to the firewall via IPSec. The company that owns ours has an IPSec connection to our network, and we have their internal IP range we have to deal with. A third IPSec connection goes to our mainframe supplier. The firewall takes care of routing to the appropriate IPSec addresses.

    The problem is the clients. The only addresses they know are the ones on the single VPN subnet when they connect. If they try to go to the other IPSec-connected addresses, they can eventually get there if they use the remote gateway. That is the default for the Windows VPN, and it is not very attractive since ALL traffic from ALL connected VPN clients goes through the company gateway. Nasty.

    My solution was to use CMAK. This is a utility from Microsoft. With it, I was able to pre-define connections for the client. In the definitions, I set up routing table modifications. One modification was to delete the default route that sent everything to the remote gateway. Next, I set up routes for the IPSec addresses to go over the VPN, and everything else went out over the local gateway. CMAK generates an install file. Send that to all clients. They install it, and that is the end of their involvement. CM stands for Connection Manager. Forget what the A is, and K is Kit, since it is the tool you use to build the install files for the client machines.

    Don't know if this is a practical solution for you, but it works great for us.

shahaly at Yahoo! Answers
