edgecombe74 asked:
best hardware firewall choice for a windows server 2003 VPN setup

Hello. I'm fairly new to the whole world of VPN via Windows Server 2003 and AD. I have a home network with a server running Windows Server 2003. I would like to set up a VPN and allow clients to connect to my server and utilize AD to authenticate them. I plan to eventually use L2TP/IPSEC for protocols. However, my question lies in what hardware firewall will be the best for my needs. I want a good firewall for protection of my network. I keep reading about port 1723 and 47 forwarding. What firewall would be the best for my situation?
tabush:

Windows 2000/2003 Server actually has a very good PPTP/L2TP server built into it, so you can terminate your VPN tunnels right at the server. If so, you can go with pretty much any router/firewall from the entry level; my personal favorites are the Linksys models (BEFSR41, BEFW11S4, etc.). They can all pass L2TP/IPSEC packets through; just make sure you're on the latest firmware.

Two other considerations:
The first is handling multiple WAN IP addresses - if you have an ADSL or cable modem then most likely you'll only get 1 WAN IP, so any home "router" is fine. But if you plan to run multiple servers in-house and want each to have its own external IP address, then you need a firewall which can handle this. My recommendation for this is a Sonicwall TZ 170 - which can be had for around $500.

If you'd like to terminate your VPN traffic at the Firewall (completely offloading it from the Windows server), then you'll want a Firewall that includes VPN. The Sonicwall TZ170 unlimited-user (around $900) includes this feature and a single client license (so only one person can be VPN'd in at a time) but you can add more licenses.

I'll say that both Sonicwall and Windows VPNs work great. The Windows one is nice as it doesn't require extra client software, is really easy to install, and lets you log on to a domain over a VPN. Sonicwall is more robust and manageable. Both of them do the job.
edgecombe74 (asker):
Thank you for the comment. I had an idea that I wouldn't need any fancy firewall to suit my needs. I plan on terminating the VPN connection at the server anyway. I have one static WAN IP, which is what the DSL modem uses. I also have another static IP using the same subnet mask, which my server will be using. Are there any special considerations that I need to be aware of to make the server's IP available to users on the internet?
tabush:

It seems that you stated that you have 2 usable WAN IPs (subnetted to 255.255.255.252 most likely), and in order to utilize both of them you will need a firewall/router that handles multiple WAN IPs, like the Sonicwall TZ170. You can probably get away with the 10-node model for $495 list price (cheaper at cdw.com). If you don't care about using both IPs then you can just use a Linksys for $75 or less. If going the Linksys route, then use its port forwarding feature to forward ports 1723 TCP and 47 GRE to your server's LAN IP (these are the PPTP ports; L2TP runs on a different set). Also, you'll want to make sure your ISP allows inbound PPTP/L2TP traffic. Most "commercial accounts" should be fine, but ADSL carriers might block certain ports.
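A small check a practitioner can run against the forwarding table before opening the server up, written as an added example for this thread (not code from either poster). It assumes a constructed "PROTO/PORT -> LAN_IP" export format, a server at 192.168.1.10, and that GRE (IP protocol 47) and ESP (IP protocol 50) are entries without a port, since they are IP protocols rather than TCP/UDP ports.

```python
"""Validate a home router's forwarding table for PPTP or L2TP/IPsec passthrough."""
import re

# Constructed sample of what a consumer router's forwarding table might export to.
# The last line shows a common slip: GRE is IP protocol 47, not TCP port 47.
SAMPLE_RULES = """\
TCP/80   -> 192.168.1.10
TCP/1723 -> 192.168.1.10
TCP/47   -> 192.168.1.10
"""

RULE_RE = re.compile(r"^(?P<proto>[A-Za-z]+)(?:/(?P<port>\d+))?\s*->\s*(?P<dst>[\d.]+)$")

# What each VPN flavour needs reaching the server. None means "whole IP protocol".
# L2TP itself (UDP/1701) rides inside ESP / NAT-T and needs no separate rule.
REQUIREMENTS = {
    "PPTP": {("TCP", 1723), ("GRE", None)},
    "L2TP/IPSEC": {("UDP", 500), ("UDP", 4500), ("ESP", None)},
}

def parse_rules(text):
    """Parse the constructed rule format into a set of (proto, port, dst) tuples."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        port = int(m["port"]) if m["port"] else None
        rules.add((m["proto"].upper(), port, m["dst"]))
    return rules

def check_vpn_passthrough(text, flavour, server_ip):
    """Return (missing, warnings): required entries not forwarded to server_ip,
    plus warnings for TCP/UDP rules that mistake an IP protocol number for a port."""
    rules = parse_rules(text)
    present = {(proto, port) for proto, port, dst in rules if dst == server_ip}
    missing = sorted(REQUIREMENTS[flavour] - present, key=str)
    warnings = []
    for proto, port, dst in rules:
        if proto in ("TCP", "UDP") and port in (47, 50):
            name = "GRE" if port == 47 else "ESP"
            warnings.append(f"{proto}/{port} forwards a port, but {name} is IP protocol {port}")
    return missing, warnings

if __name__ == "__main__":
    print(check_vpn_passthrough(SAMPLE_RULES, "PPTP", "192.168.1.10"))
```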
edgecombe74 (asker):

Thanks again for the reply. My ISP provided me with 7 static IPs (5 usable), all subnetted to 255.255.255.248. They assigned my DSL modem/router one of them, and I want to assign my server one of the static IP addresses. Do I really need to utilize the IP assigned to the modem to make the VPN work? I also plan on hosting a website via IIS 6.0 on the same machine. If I forward ports 80, 1723, and 47 to my NIC card in my server, will this allow traffic resolved through internet DNS to reach my server?
tabush (asker-certified solution; the solution text is not included on this page):
edgecombe74 (asker):

OK, so I will need to assign my Sonicwall one of the static IPs that my ISP provided, I assume. Sounds good to me. I would love to get this going. I'm currently taking Cisco 3 and 4, and I'm slowly getting up there in networking knowledge. Thank you for your help. It is well noted.

Addison