The difference between a VPN tunnel and VPN-passthrough.

Can someone please explain the differences between a VPN-Tunnel and a VPN pass-through?

Here is what I am trying to achieve:

Remotely manage a network of 30 PCs using VNC/pcAnywhere

Server 1 - Windows 2000 server with static internet facing IP address ( and 1 static address of
Server 2 - Windows 2000 DC running DHCP for the 30 client PCs. 1 static address of
Server 3 - Windows 2000 DC (backup) with static IP

30 clients ( >

I am looking for a hardware firewall/router/VPN device so that I can connect my PC to my client's office and be assigned an internal IP allowing access inside the network ( for example). Some of the devices I'm looking at have X number of VPN tunnels and some just have VPN-passthrough, so what's the difference? Which one should I use given my situation?

Hi apcs-uk,
A VPN Tunnel is where the device itself acts as the end point to the VPN, so it handles all the encryption required and effectively joins the two local networks together.

The alternative method is to run a VPN client on a PC. For this to work, the router/firewall the traffic goes through needs to understand the VPN traffic; on home routers this option is called 'pass-thru'.

apcs-uk (Author) Commented:
grblades, thanks for the quick response. With the VPN tunnel, how does the authentication to the 2000 domain work (i.e. access to resources within the domain)?

With the PASS-THROUGH, can I route the VPN traffic to a specific server on the network, (, for example)?

If you have the Windows server as the VPN endpoint then you can either:-
1) Log into your machine and then initiate the VPN connection. When you connect you supply a username/password. When you go to access a resource you may be asked for a password for the domain once.
2) When you log on to your machine you choose to log on remotely and when you connect you log straight into the domain at the remote site. This will mean the user gets a different profile. Most of the time this is too much of a pain to use.

A router supporting PASS-THRU can only reliably be used at the client's site. If you want a router for your main site where the VPN server is, you need a better router/firewall where you can specify the type of traffic which can be sent to a particular machine.

My normal recommendation is to go for something like a Cisco PIX firewall and for the clients to use the Cisco VPN client as it is more secure. You can configure the PIX to authenticate against the Windows server if you wish. When clients connect using this method they are asked for a password and then the Cisco client connects. Once connected they will be asked for a username/password when they access the network resource.
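
Why a pass-through router has to "understand" VPN traffic, shown as an added example that is not from the thread or its participants: some VPN protocols ride directly on IP with no TCP/UDP ports, so a port-translating router cannot track them like ordinary connections. The protocol numbers and ports are the standard assignments for PPTP, IPsec and L2TP, which the thread does not name; the function names and the packets are constructed for illustration.

```python
import socket
import struct

# IANA IP protocol numbers and well-known ports (assumed here; the thread names none).
TCP, UDP, GRE, ESP = 6, 17, 47, 50
PORTLESS = {GRE: "GRE (PPTP data channel)", ESP: "IPsec ESP"}
VPN_PORTS = {(TCP, 1723): "PPTP control channel", (UDP, 500): "IPsec IKE",
             (UDP, 4500): "IPsec NAT-T (ESP inside UDP)", (UDP, 1701): "L2TP"}

def classify(packet: bytes):
    """Return (label, portless) for a raw IPv4 packet.

    portless=True means the payload has no TCP/UDP ports, so a port-translating
    router needs protocol-specific handling ("pass-through") to forward it.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]
    if proto in PORTLESS:
        return PORTLESS[proto], True
    if proto in (TCP, UDP):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        for port in (dport, sport):       # match either direction of the flow
            if (proto, port) in VPN_PORTS:
                return VPN_PORTS[(proto, port)], False
    return "not VPN traffic", False

def ipv4(proto, payload, src="192.168.1.10", dst="203.0.113.5"):
    """Build a minimal IPv4 packet for the samples (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample packets, not captured traffic.
SAMPLES = {
    "pptp-control": ipv4(TCP, struct.pack("!HH", 49152, 1723)),
    "pptp-data": ipv4(GRE, b"\x30\x01\x88\x0b"),
    "ipsec-esp": ipv4(ESP, b"\x00" * 8),
    "ipsec-natt": ipv4(UDP, struct.pack("!HH", 4500, 4500)),
    "web": ipv4(TCP, struct.pack("!HH", 49152, 80)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        label, portless = classify(pkt)
        print(f"{name:13} {label:30} {'needs pass-through' if portless else 'plain NAT'}")
```

The port-based entries are the kind of traffic a firewall rule can direct to one internal VPN server; the portless ones are what a basic NAT router cannot forward without pass-through support.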
