best hardware firewall choice for a windows server 2003 VPN setup

Posted on 2004-08-24
Last Modified: 2013-11-16
Hello. I'm fairly new to the whole world of VPN via Windows Server 2003 and AD. I have a home network with a server running Windows Server 2003. I would like to set up a VPN and allow clients to connect to my server and utilize AD to authenticate them. I plan to eventually use L2TP/IPSEC for protocols. However, my question lies on what hardware firewall will be the best for my needs. I want a good firewall for protection of my network. I keep reading about port 1723 and 47 forwarding. What firewall would be the best for my situation?
Question by:edgecombe74

Expert Comment

ID: 11889240
Windows 2000/2003 Server actually has a very good PPTP/L2TP server built-in to it, so you can terminate your VPN tunnels right at the server, if so, you can go with pretty much any router/firewall from the entry level - my personal favorite are the Linksys models - BEFSR41, BEFW11S4, etc. They can all pass through L2TP/IPSEC packets, just make sure you're on the latest firmware.

2 other considerations:
The first is handling multiple WAN IP addresses - if you have an ADSL or cable modem then most likely you'll only get 1 WAN IP, so any home "router" is fine. But if you plan to run multiple servers in-house and want each to have its own external IP address, then you need a firewall which can handle this. My recommendation for this is a Sonicwall TZ 170 - which can be had for around $500.

If you'd like to terminate your VPN traffic at the Firewall (completely offloading it from the Windows server), then you'll want a Firewall that includes VPN. The Sonicwall TZ170 unlimited-user (around $900) includes this feature and a single client license (so only one person can be VPN'd in at a time) but you can add more licenses.

I'll say that both Sonicwall and Windows VPNs work great. The Windows one is nice as it doesn't require extra client software, is real easy to install, and lets you log on to a domain over a VPN. Sonicwall is more robust and manageable. Both of them do the job.

Author Comment

ID: 11889322
Thank you for the comment. I had an idea that I wouldn't need any fancy firewall to suit my needs. I plan on terminating the VPN connection at the server anyway. I have one static WAN IP which is what the DSL modem uses. I also have another static IP using the same subnet mask for which my server will be using. Are there any special considerations that I need to be aware of to make the server's IP available to users on the internet?

Expert Comment

ID: 11899558
It seems that you stated that you have 2 useable WAN IPs (subnetted to most likely), and in order to utilize both of them you will need a firewall/router that handles multiple WAN IPs - like the Sonicwall TZ170. You can probably get away with the 10-node model for $495 list price (cheaper at If you don't care about using both IPs then you can just use a Linksys for $75 or less. If going the Linksys route then use its port forwarding feature to forward ports 1723 TCP and 47 GRE to your server's LAN IP (these are the PPTP ports, L2TP runs on a different set). Also, you'll want to make sure your ISP allows inbound PPTP/L2TP traffic. Most "commercial accounts" should be fine, but ADSL carriers might block certain ports.


Author Comment

ID: 11899640
Thanks again for the reply. My ISP provided me with 7 static IPs (5 useable) all subnetted to They assigned my DSL modem/router one of them, and I want to assign my server with one of the static IP addresses. Do I really need to utilize the IP assigned to the modem to make the VPN work? I also plan on hosting a website via IIS 6.0 on the same machine. If I forward ports 80, 1723, and 47 to my NIC card in my server, will this allow traffic resolved through internet DNS to reach my server?

Accepted Solution

tabush earned 250 total points
ID: 11918334
Yes you can do what you're looking for. Let's pretend the IP address your ISP assigned to your DSL modem is You need to get a Sonicwall TZ170 or similar product which can handle multiple WAN IP's. I prefer Sonicwall only because I've sold and installed over 50 of them, but I'm sure something from Watchguard or a similar company will also work well.
Back to the IP's: your DSL modem's Ethernet is Your server is You'll set up your firewall's WAN port to, subnet, gateway The LAN port on your firewall should be, subnet You will then create a one-to-one NAT association which connects (WAN) to (LAN). Once you've done that, you need to create access rules allowing services HTTP and PPTP from WAN (any ip) to LAN ( I'd also recommend allowing in PING so you can diagnose/troubleshoot when you're not at your server.

Then, the public IP that you will give to your DNS provider is (which is associated with your server). That's all there is to it.
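An added example, not part of the original thread or of any vendor's software: a small Python probe for the PPTP control channel (TCP 1723, RFC 2637) that you can run from outside once either the Linksys port forward suggested earlier or the one-to-one NAT plus PPTP access rule from this answer is in place. It sends a Start-Control-Connection-Request and parses the server's Start-Control-Connection-Reply, so it tells you whether the firewall is actually delivering TCP 1723 to the server rather than just that the port is open somewhere. One caveat a practitioner needs: "47" in the replies above is IP protocol 47 (GRE), not a TCP or UDP port, and it travels separately from TCP 1723. A successful reply here says nothing about GRE; a PPTP tunnel that authenticates and then drops is the usual sign that GRE is not getting through. The target host on the command line, the probe host name and the sample reply bytes are constructed for the example.

```python
"""Minimal PPTP control-connection probe (RFC 2637).

Checks that TCP 1723 is forwarded to a PPTP server by completing the
SCCRQ/SCCRP exchange. Added example; hostnames and sample bytes are made up.
"""
import socket
import struct

PPTP_PORT = 1723
PPTP_MAGIC = 0x1A2B3C4D
PPTP_VERSION = 0x0100
MSG_CONTROL = 1
CTRL_SCCRQ = 1   # Start-Control-Connection-Request
CTRL_SCCRP = 2   # Start-Control-Connection-Reply

# Common 12-byte header: length, message type, magic cookie, control type, reserved0
HEADER = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved1, framing caps, bearer caps, max channels,
# firmware revision, host name (64), vendor string (64)  -> 144 bytes
SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, framing caps, bearer caps,
# max channels, firmware revision, host name (64), vendor string (64) -> 144 bytes
SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")

RESULT_CODES = {
    1: "OK",
    2: "general error",
    3: "command channel already exists",
    4: "requester not authorized",
    5: "unsupported protocol version",
}


def build_sccrq(hostname: bytes = b"probe", vendor: bytes = b"example") -> bytes:
    """Build the 156-byte SCCRQ a client sends first (caps: async+sync, analog+digital)."""
    body = SCCRQ_BODY.pack(PPTP_VERSION, 0, 0x3, 0x3, 1, 0, hostname, vendor)
    length = HEADER.size + SCCRQ_BODY.size
    return HEADER.pack(length, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ, 0) + body


def parse_sccrp(data: bytes) -> dict:
    """Validate the header and decode the server's SCCRP into a dict."""
    if len(data) < HEADER.size + SCCRP_BODY.size:
        raise ValueError("short PPTP message: %d bytes" % len(data))
    length, msg_type, magic, ctrl_type, _reserved = HEADER.unpack_from(data)
    if magic != PPTP_MAGIC:
        raise ValueError("bad magic cookie 0x%08x (not a PPTP server?)" % magic)
    if msg_type != MSG_CONTROL or ctrl_type != CTRL_SCCRP:
        raise ValueError("expected SCCRP, got message type %d / control type %d"
                         % (msg_type, ctrl_type))
    (version, result, error, framing, bearer, max_chan,
     firmware, host, vendor) = SCCRP_BODY.unpack_from(data, HEADER.size)
    return {
        "length": length,
        "version": version,
        "result_code": result,
        "result": RESULT_CODES.get(result, "unknown (%d)" % result),
        "error_code": error,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_chan,
        "firmware": firmware,
        "hostname": host.split(b"\0", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def probe_pptp(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Connect to TCP 1723, send an SCCRQ and return the parsed SCCRP."""
    need = HEADER.size + SCCRP_BODY.size
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < need:
            chunk = s.recv(need - len(buf))
            if not chunk:
                raise ConnectionError("server closed TCP 1723 before sending an SCCRP")
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply (not captured from a real server): the shape of a
# successful SCCRP, result code 1, from a server calling itself "vpnserver".
SAMPLE_SCCRP = (HEADER.pack(156, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRP, 0)
                + SCCRP_BODY.pack(PPTP_VERSION, 1, 0, 0x3, 0x3, 1, 0x0100,
                                  b"vpnserver", b"constructed-vendor"))

if __name__ == "__main__":
    import sys
    # Usage: python pptp_probe.py <public-ip-of-server>; with no argument the
    # constructed sample reply is decoded instead of contacting anything.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe_pptp(target) if target else parse_sccrp(SAMPLE_SCCRP))
```

Run it from a host outside the firewall against the public IP that is one-to-one NATed to the server. A result of "OK" means TCP 1723 reaches the PPTP service; a connection timeout points at the forward or access rule, and a connect that succeeds but returns a non-PPTP banner or closes immediately means the port is reaching some other service. Test GRE separately by completing a real client connection.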


Author Comment

ID: 11918769
OK, so I will need to assign my Sonicwall with one of the static IPs that my ISP provided, I assume. Sounds good to me. I would love to get this going. I'm currently taking Cisco 3 and 4, and I'm slowly getting up there in networking knowledge. Thank you for your help. It is well noted.
