VPN with Windows 2003 Small business server and Sonicwall router

Posted on 2006-11-02
Last Modified: 2010-05-19
Can someone set me on the right track? I want to have employees be able to VPN into the office server to retrieve files.

I have a windows 2003 small business server with a sonicwall router.

Should I set up the vpn through the router and what are the steps to doing that? What software will the client computers use to vpn into the system? Is it built into Windows?

Do I have to buy licenses from Sonicwall to do this stuff?

The on the controll panel the sonicwall model says SOHO3, if that is relevant.

If you could just set me on the right track so I don't bark up the wrong tree as it were.
Question by:mrmyth
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
LVL 22

Assisted Solution

WMIF earned 50 total points
ID: 17862876
this article gives you a run through on the setup of rras on sbs.

you would have to configure your sonicwall to allow gre (port 47) through to the address of your sbs server.  then any windows machine can create a connection using the wizard for vpn.
LVL 77

Accepted Solution

Rob Williams earned 450 total points
ID: 17863969
You have 3 options as I see it:

a) set up the Sonicwall as your VPN endpoint, which is the better alternative, as it is a little more secure and will provide slightly better performance. However, you do have to buy client licenses from Sonicwall. I am not sure how there licensing works, some just require you have a support contract to be able to add VPN users, other require purchasing licenses, usually in groups of 5 or 10. Should you go this route following site has most of the documentation for setting up the Sonicwalls with their Global VPN client:

b) as WMIF suggested, you can use the Windows built-in VPN server. When working with SBS it is very important to use the wizards. You can actually 'break' networking not doing so. The end RRAS configuration is the same, but the way all the interrelated components works is somewhat different. The wizards will also make any changes to the firewall.
To create the server end of the VPN open the server management console, click on Internet and E-Mail, followed by Configure remote access,, then just follow the very short wizard. If you want to verify the configuration there is a great article at:
However, only use it for reference, use the wizard for the basic configuration.

As for the client end SBS again has a wizard. This will actually create a disk to configure the remote computer to connect. This is on the same page of the Server management console and is called Create a remote connection disk. The client can be configured manually, but it is recommended to use the disk. Should you need to do so manually see:

You also need to forward port 1723, and GRE. Depending on the router, GRE may be a specific command, or is often labeled "PPTP pass-through". Details for configuring port forwarding can be found at:

c) SBS has an other feature you may want to look at as well, Remote Web Workplace, which allows remote users to connect to a local workstation to work remotely. This is controlled with very secure access using SSL instead of a VPN, and works well:
This requires ports 443 and 4125 be forwarded on the router.


Author Comment

ID: 17864512
Thanks for the very thorough answer. I'm thinking I'm going to go the Sonicwall route, on your recommendation, depending on the how much it costs for the client licenses.

However if I did decide to go the Windows built-in VPN server, would the server need to be delivering the IP addresses on the network? Right now my sonicwall is the thing that delivers all the IPs and my server's DHCP is turned off.
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 22

Expert Comment

ID: 17864533
if you go the windows route, it doesnt have to be the dhcp server for the network.  it does however want a range of ip addresses that it can hand out to its clients.  you can drop it onto a seperate subnet or you can block out a range from your dhcp server.

Author Comment

ID: 17864731
The windows route is looking pretty good to me, but I am a bit stuck on the DHCP range. In the wizard it asks for a DHCP range.

If the sonicwall is handing out a dynamic range of, could I just make the vpn range

I don't need that many clients connecting at one time and I don't have static IPs in that range.

Author Comment

ID: 17864735
Above I meant to say it asks for a range of static IP addresses where I said "it asks for a DHCP range."
LVL 77

Expert Comment

by:Rob Williams
ID: 17865554
Sue , the DHCP scope/range for the VPN clients can be anything you like, so long as it is part of the larger network subnet/range. Just make sure there is no overlap. Whether you use the server, the Sonicwall for your primary DHCP server, a typical example might be to  static IP's for for servers to static for printers to DHCP for client machines (not necessary, but using the server is recommended for this) to for VPN clients  (could be assigned by Sonicwall) to  for routers and network components

The Sonicwall may also have the option to use a DHCP Relay Agent for the VPN clients. This just tells the router to request the DHCP addresses from the server.

Just a note: The subnet used by the main office and the VPN client usually has to be different. If the office is using 192.168.1.x clients trying to connect from remote networks that also use 192.168.1.x probably will not be able to use the VPN. They can connect, but cannot access anything due to a routing conflict. Though it is not likely easy to change this, it is recommended the main network avoid common subnets like 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.100.x, and 10.0.0.x  If you should decide to do this plan carefully, as all routers, printers and servers need to be changed, and all DHCP clients refreshed. Very important as well that if you decide to do this with the SBS you use the built in wizard to do so. I would even recommend posting a question in the SBS forum regarding changing the server's IP, to see if there any specifics r=that need to be addressed.

LVL 77

Expert Comment

by:Rob Williams
ID: 17871831
Thanks mrmyth,

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question