Ah, I missed the point! This looks like a very good way to go. I'm still looking forward to learning what the "Forward PPTP Clients..." feature does.

Thanks!!

John

>-----Original Message-----
>From: James W. McKeand [mailto:james at mckeand dot biz]
>Sent: Monday, November 07, 2005 19:30 PM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] Forwarding PPTP vpn clients to a W2k3 server
>
>John Benjamin wrote:
>> Thanks James
>>
>> You don't forward GRE, it is a protocol (47). Perhaps enabling
>> "support" for Protocol 47 is what the "Forward PPTP Clients..."
>> feature does?
>
>Yes, I think that is what it does. I don't believe there is a
>mechanism in the WebGUI to "forward" or allow the GRE protocol
>on an inbound NAT rule.
>
>> We'd like to stick to AD as the single authentication server on the
>> LAN. Your solution looks great for an existing Radius framework.
>> Maybe someday I'll get a chance to use it.
>
>IAS uses the AD for authentication. To quote the article:
>
>"To interface the m0n0wall VPN with Active Directory a user
>group must be created and added to the RAS policy. Each user
>in this group must also have "dial-in" access enabled. Then
>the IAS service must be installed. Finally, a RAS policy &
>client must be added."
>
>I did not disable outbound NAT in the m0n0wall configuration
>and it still works.
>
>It does not take long to set up. Last week, I set it up for a
>client in about 30 minutes over RDP (client is in Wisconsin, I
>am in Texas).
>
>_________________________________
>James W. McKeand