best hardware firewall choice for a windows server 2003 VPN setup

Posted on 2004-08-24
Last Modified: 2013-11-16
Hello. I'm fairly new to the whole world of VPN via Windows Server 2003 and AD. I have a home network with a server running Windows Server 2003. I would like to set up a VPN and allow clients to connect to my server and utilize AD to authenticate them. I plan to eventually use L2TP/IPSEC for protocols. However, my question lies on what hardware firewall will be the best for my needs. I want a good firewall for protection of my network. I keep reading about port 1723 and 47 forwarding. What firewall would be the best for my situation?
Question by:edgecombe74

Expert Comment

ID: 11889240
Windows 2000/2003 Server actually has a very good PPTP/L2TP server built into it, so you can terminate your VPN tunnels right at the server. If so, you can go with pretty much any router/firewall from the entry level - my personal favorites are the Linksys models - BEFSR41, BEFW11S4, etc. They can all pass through L2TP/IPSEC packets, just make sure you're on the latest firmware.

2 other considerations:
The first is handling multiple WAN IP addresses - if you have an ADSL or cable modem then most likely you'll only get 1 WAN IP, so any home "router" is fine. But if you plan to run multiple servers in-house and want each to have its own external IP address, then you need a firewall which can handle this. My recommendation for this is a Sonicwall TZ 170 - which can be had for around $500.

If you'd like to terminate your VPN traffic at the Firewall (completely offloading it from the Windows server), then you'll want a Firewall that includes VPN. The Sonicwall TZ170 unlimited-user (around $900) includes this feature and a single client license (so only one person can be VPN'd in at a time) but you can add more licenses.

I'll say that both Sonicwall and Windows VPNs work great. The Windows one is nice as it doesn't require extra client software, is real easy to install, and lets you log on to a domain over a VPN. Sonicwall is more robust and manageable. Both of them do the job.

Author Comment

ID: 11889322
Thank you for the comment. I had an idea that I wouldn't need any fancy firewall to suit my needs. I plan on terminating the VPN connection at the server anyway. I have one static WAN IP which is what the DSL modem uses. I also have another static IP using the same subnet mask for which my server will be using. Are there any special considerations that I need to be aware of to make the server's IP available to users on the internet?

Expert Comment

ID: 11899558
It seems that you stated that you have 2 useable WAN IPs (subnetted to most likely), and in order to utilize both of them you will need a firewall/router that handles multiple WAN IPs - like the Sonicwall TZ170. You can probably get away with the 10-node model for $495 list price (cheaper at If you don't care about using both IPs then you can just use a Linksys for $75 or less. If going the Linksys route then use its port forwarding feature to forward ports 1723 TCP and 47 GRE to your server's LAN IP (these are the PPTP ports, L2TP runs on a different set). Also, you'll want to make sure your ISP allows inbound PPTP/L2TP traffic. Most "commercial accounts" should be fine, but ADSL carriers might block certain ports.


Author Comment

ID: 11899640
Thanks again for the reply. My ISP provided me with 7 static IPs (5 useable) all subnetted to They assigned my DSL modem/router one of them, and I want to assign my server with one of the static IP addresses. Do I really need to utilize the IP assigned to the modem to make the VPN work? I also plan on hosting a website via IIS 6.0 on the same machine. If I forward ports 80, 1723, and 47 to my NIC card in my server, will this allow traffic resolved through internet DNS to reach my server?

Accepted Solution

tabush earned 250 total points
ID: 11918334
Yes you can do what you're looking for. Let's pretend the IP address your ISP assigned to your DSL modem is You need to get a Sonicwall TZ170 or similar product which can handle multiple WAN IPs. I prefer Sonicwall only because I've sold and installed over 50 of them, but I'm sure something from Watchguard or a similar company will also work well.
Back to the IPs: your DSL modem's Ethernet is Your server is You'll set up your firewall's WAN port to, subnet, gateway The LAN port on your firewall should be, subnet You will then create a one-to-one NAT association which connects (WAN) to (LAN). Once you've done that, you need to create access rules allowing services HTTP and PPTP from WAN (any IP) to LAN ( I'd also recommend allowing in PING so you can diagnose/troubleshoot when you're not at your server.

Then, the public IP that you will give to your DNS provider is (which is associated with your server). That's all there is to it.
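As an added example that is not from the thread, the ruleset described in the accepted solution (and the Linksys port-forwarding advice in the earlier expert comment) modelled as a small packet-filter check in Python: one-to-one NAT from the server's public IP to its LAN IP, followed by a default-deny allow list for HTTP, PPTP and PING. The addresses are constructed placeholders, since the thread's real IPs were elided; note that PPTP's "47" is IP protocol 47 (GRE), not a TCP or UDP port, so a TCP port-47 forward alone will not carry the tunnel.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed placeholder addresses (documentation range for the public side).
WAN_SERVER_IP = ip_address("203.0.113.11")   # public IP handed to the DNS provider
LAN_SERVER_IP = ip_address("192.168.1.10")   # Windows 2003 server on the LAN

# One-to-one NAT: public IP -> private server IP, applied before the access rules.
ONE_TO_ONE_NAT = {WAN_SERVER_IP: LAN_SERVER_IP}

# Access rules from WAN (any source) to the server. PPTP needs TCP 1723 for the
# control channel plus IP protocol 47 (GRE) for the tunnel; PING is ICMP.
# Anything not listed is dropped (default deny).
ALLOW_RULES = [
    ("HTTP", "tcp", 80),
    ("PPTP-control", "tcp", 1723),
    ("PPTP-GRE", "gre", None),     # protocol match only, no port
    ("PING", "icmp", None),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp" or "gre"
    dport: Optional[int] = None   # only meaningful for tcp/udp


def evaluate(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, translated LAN destination or None) for an inbound WAN packet."""
    lan_dst = ONE_TO_ONE_NAT.get(ip_address(pkt.dst))
    if lan_dst is None:
        # No NAT association exists for this public IP: nothing inside to reach.
        return ("deny: no NAT mapping", None)
    for name, proto, port in ALLOW_RULES:
        if pkt.proto == proto and (port is None or pkt.dport == port):
            return (f"allow: {name}", str(lan_dst))
    return ("deny: no matching rule", None)


if __name__ == "__main__":
    for p in (Packet("198.51.100.5", "203.0.113.11", "tcp", 80),
              Packet("198.51.100.5", "203.0.113.11", "gre"),
              Packet("198.51.100.5", "203.0.113.11", "tcp", 47)):
        print(p.proto, p.dport, "->", evaluate(p))
```

Running it shows the TCP/80, TCP/1723 and GRE packets being translated to the LAN IP while a TCP port-47 packet (the common misreading of "port 47") is denied.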


Author Comment

ID: 11918769
OK, so I will need to assign my Sonicwall with one of the static IPs that my ISP provided, I assume. Sounds good to me. I would love to get this going. I'm currently taking Cisco 3 and 4, and I'm slowly getting up there in networking knowledge. Thank you for your help. It is well noted...
