best hardware firewall choice for a windows server 2003 VPN setup

Posted on 2004-08-24
Medium Priority
Last Modified: 2013-11-16
Hello. I'm fairly new to the whole world of VPN via Windows Server 2003 and AD. I have a home network with a server running Windows Server 2003. I would like to set up a VPN and allow clients to connect to my server and utilize AD to authenticate them. I plan to eventually use L2TP/IPSEC for protocols. However, my question lies in what hardware firewall will be the best for my needs. I want a good firewall for protection of my network. I keep reading about port 1723 and 47 forwarding. What firewall would be the best for my situation?
Question by: edgecombe74
Expert Comment

ID: 11889240
Windows 2000/2003 Server actually has a very good PPTP/L2TP server built into it, so you can terminate your VPN tunnels right at the server. If so, you can go with pretty much any router/firewall from the entry level - my personal favorites are the Linksys models - BEFSR41, BEFW11S4, etc. They can all pass through L2TP/IPSEC packets, just make sure you're on the latest firmware.

2 other considerations:
The first is handling multiple WAN IP addresses - if you have an ADSL or cable modem then most likely you'll only get 1 WAN IP, so any home "router" is fine. But if you plan to run multiple servers in-house and want each to have its own external IP address, then you need a firewall which can handle this. My recommendation for this is a Sonicwall TZ 170 - which can be had for around $500.

If you'd like to terminate your VPN traffic at the Firewall (completely offloading it from the Windows server), then you'll want a Firewall that includes VPN. The Sonicwall TZ170 unlimited-user (around $900) includes this feature and a single client license (so only one person can be VPN'd in at a time) but you can add more licenses.

I'll say that both Sonicwall and Windows VPNs work great. The Windows one is nice as it doesn't require extra client software, is really easy to install, and lets you log on to a domain over a VPN. Sonicwall is more robust and manageable. Both of them do the job.

Author Comment

ID: 11889322
Thank you for the comment. I had an idea that I wouldn't need any fancy firewall to suit my needs. I plan on terminating the VPN connection at the server anyway. I have one static WAN IP which is what the DSL modem uses. I also have another static IP using the same subnet mask which my server will be using. Are there any special considerations that I need to be aware of to make the server's IP available to users on the internet?

Expert Comment

ID: 11899558
It seems that you stated that you have 2 usable WAN IPs (subnetted to most likely), and in order to utilize both of them you will need a firewall/router that handles multiple WAN IPs - like the Sonicwall TZ170. You can probably get away with the 10-node model for $495 list price (cheaper at If you don't care about using both IPs then you can just use a Linksys for $75 or less. If going the Linksys route then use its port forwarding feature to forward ports 1723 TCP and 47 GRE to your server's LAN IP (these are the PPTP ports, L2TP runs on a different set). Also, you'll want to make sure your ISP allows inbound PPTP/L2TP traffic. Most "commercial accounts" should be fine, but ADSL carriers might block certain ports.

Author Comment

ID: 11899640
Thanks again for the reply. My ISP provided me with 7 static IPs (5 usable) all subnetted to They assigned my DSL modem/router one of them, and I want to assign my server one of the static IP addresses. Do I really need to utilize the IP assigned to the modem to make the VPN work? I also plan on hosting a website via IIS 6.0 on the same machine. If I forward ports 80, 1723, and 47 to the NIC in my server, will this allow traffic resolved through internet DNS to reach my server?

Accepted Solution

tabush earned 750 total points
ID: 11918334
Yes, you can do what you're looking for. Let's pretend the IP address your ISP assigned to your DSL modem is You need to get a Sonicwall TZ170 or similar product which can handle multiple WAN IPs. I prefer Sonicwall only because I've sold and installed over 50 of them, but I'm sure something from Watchguard or a similar company will also work well.
Back to the IPs: your DSL modem's Ethernet is Your server is You'll set up your firewall's WAN port to, subnet, gateway The LAN port on your firewall should be, subnet You will then create a one-to-one NAT association which connects (WAN) to (LAN). Once you've done that, you need to create access rules allowing services HTTP and PPTP from WAN (any IP) to LAN ( I'd also recommend allowing in PING so you can diagnose/troubleshoot when you're not at your server.

Then, the public IP that you will give to your DNS provider is (which is associated with your server). That's all there is to it.
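The policy described in the expert comments above (forward TCP 1723 plus GRE to the server, or one-to-one NAT with access rules for HTTP, PPTP and ping) modelled as a small default-deny evaluator. This is an added example, not code from the thread or from any firewall vendor; all addresses are constructed placeholders, since the thread's real addresses are not shown, and it also notes the L2TP/IPsec services that would replace the PPTP rules.

```python
# Added example (not from the original thread): a minimal model of a firewall
# policy with a one-to-one NAT entry and access rules, evaluated default-deny.
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers. GRE is IP protocol 47, not a TCP/UDP port; a consumer
# router's "port 47" setting really means passing protocol 47 through.
ICMP, TCP, UDP, GRE, ESP = 1, 6, 17, 47, 50

@dataclass(frozen=True)
class Rule:
    proto: int
    dst_port: Optional[int]   # None for protocols without ports (GRE, ESP, ICMP)

# Services from the thread: HTTP for IIS, PPTP (TCP 1723 + GRE), ping for
# troubleshooting. Nothing else is reachable from the WAN.
PPTP_POLICY = {Rule(TCP, 80), Rule(TCP, 1723), Rule(GRE, None), Rule(ICMP, None)}

# The "different set" L2TP/IPsec needs instead of the PPTP pair: IKE on UDP 500,
# NAT-T on UDP 4500, L2TP on UDP 1701 and ESP (protocol 50).
L2TP_IPSEC_POLICY = {Rule(TCP, 80), Rule(UDP, 500), Rule(UDP, 4500),
                     Rule(UDP, 1701), Rule(ESP, None), Rule(ICMP, None)}

# Constructed placeholder addresses: public IP from the ISP block -> server LAN IP.
NAT_ONE_TO_ONE = {"203.0.113.10": "192.168.1.10"}

def evaluate(dst_ip: str, proto: int, dst_port: Optional[int],
             policy=PPTP_POLICY) -> Optional[str]:
    """Return the LAN address an inbound packet is delivered to, or None if dropped."""
    lan_ip = NAT_ONE_TO_ONE.get(dst_ip)
    if lan_ip is None:
        return None           # no NAT entry: nothing published on this public IP
    port = dst_port if proto in (TCP, UDP) else None   # ports only exist for TCP/UDP
    return lan_ip if Rule(proto, port) in policy else None   # default deny

if __name__ == "__main__":
    print(evaluate("203.0.113.10", TCP, 1723))   # PPTP control channel -> server
    print(evaluate("203.0.113.10", GRE, None))   # PPTP data (GRE) -> server
    print(evaluate("203.0.113.10", TCP, 3389))   # RDP is not published -> None
```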


Author Comment

ID: 11918769
OK, so I will need to assign my Sonicwall one of the static IPs that my ISP provided, I assume. Sounds good to me. I would love to get this going. I'm currently taking Cisco 3 and 4, and I'm slowly getting up there in networking knowledge. Thank you for your help. It is well noted.
