Solved

Recommendation for Small Business VPN

Posted on 2007-11-30
Last Modified: 2013-11-16
Here is an overview of our company structure:

25 employees (with more to come)
10-15 could be off-site at any time (with more to come)

We currently run 1 server with Windows Server 2003 SBS. Our current VPN solution is a Watchguard Firebox x700. However, we're having a lot of issues with it.

1) I haven't been able to get windows authentication to work with it. So we're currently using the built-in proprietary authentication. It'd be a lot easier to manage the users if I could simply have a security group that contains which users can connect remotely.

2) Users aren't able to easily use mapped drives/network shares. Once they connect to the VPN (Mobile User VPN is the client software), they have to use shortcut folders that reference the server by IP rather than server name. For some reason, it'll connect with the IP, but not the name.

3) Our users seem to get disconnected at the same time every day. Right around 4:30pm, they get disconnected and have issues trying to reconnect.

I've spoken with support for all 3 of these issues and haven't made much headway at all. Needless to say, we're incredibly frustrated with this product.

What I need are some suggestions to replace this device. It is currently operating as a router, VPN, and firewall. Software and hardware solutions are both welcome. I've been looking into Citrix Access Essentials, but that's obviously quite expensive compared to a hardware solution.

So the short story: I need a VPN solution that is reliable and can easily handle Windows Authentication and will allow users to access network shares without having to jump through hoops.

Any help is appreciated, thanks!
Derek
Question by:derekkromm
 
LVL 77

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 20383205
>>"I need a VPN solution that is reliable and can easily handle Windows Authentication and will allow users to access network shares without having to jump through hoops."

Though my preference would be the Watchguard MUVPN, to answer your question, use the SBS built-in VPN service. It's easy to configure, deploy, and administer, uses windows authentication, and will easily allow you to map drives/shares. If the computers are members of the domain, the logon box (ctrl+alt+del) will have an option to connect using dial-up connection. Check that and the VPN will be an alternative. This way the VPN connects before logon and group policy can be applied and logon scripts run to automatically map drives.
http://www.lan-2-wan.com/SBS-VPN-instr.htm
0
 
LVL 15

Author Comment

by:derekkromm
ID: 20383266
Do you know of any huge benefits to using the Watchguard as opposed to the SBS VPN service? Basically, why is it your preference?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20383356
A hardware VPN solution, in general or in theory, will provide a little better security as it is a perimeter device and uses IPSec rather than PPTP, and should give slight performance improvements where it is a device dedicated to encryption and decryption. The other point is that it is more difficult for an unauthorized user to set up a client. Windows client is built in and just requires connection and user information. Sometimes users share their passwords. Watchguard requires access to the config file which can be secured.

However, with less than 25 users I would think the benefits would outweigh the above considerations. At least you can test it without any hardware expenses.
0
 
LVL 15

Author Comment

by:derekkromm
ID: 20383552
Ya, I plan on testing it out over the next month to see how it goes. The cost (or lack thereof) is definitely a huge benefit.

Have you ever run into any of the problems I currently have w/ the Watchguard? Do you have any suggestions on how I could potentially fix them? I, too, would prefer a hardware solution if we are able to correct these issues.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20383690
I haven't used windows authentication with Watchguards. It wasn't an option as I recall on the less expensive SOHO's I used. However, most will let you use a Windows RADIUS server for authentication. In the RADIUS server policies you can allow members of a named group access. This way you simply have to add your new users to that group to give them access. User profile under Dial-In has to be checked appropriately (Control Access through Remote Access Policy). You may be doing this now.

As for name resolution that is a problem. Simplest and most dependable method is to put a little batch file on the user's desktop. After connecting the VPN click on the batch file to map drives by IP.
If you can, another alternative is to add the primary site's DNS server to the MUVPN client. Then you should also change the binding order of the VPN adapters to make the VPN first. This is done in control panel | network connections | on the menu bar choose Advanced | advanced settings | Adapters and binding order. If the VPN adapter is not present you need to open the VPN security policy editor and on the "My Identity" tab of the policy select virtual adapter required. Then reboot the PC.

As for the 4:30 problem that is bizarre. That sounds like an ISP problem or a power glitch. Is the router on a UPS? How long does it last, i.e., can they reconnect right away?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20383718
One other possibility for name resolution is to use NetBIOS names. NetBIOS broadcasts don't work over a VPN, but you can add the remote servers/PCs and IPs to the client LMHosts file. If you are not familiar with Hosts/LMHosts files let me know.
0
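The LMHosts approach from the comment above, as an added example that is not part of the original thread: a small Python generator that validates each server name and IP before writing the entries, so a typo or a conflicting duplicate does not silently point VPN clients at the wrong host. The server names, addresses and domain are constructed placeholders, and the allowed-character set is a deliberately conservative assumption.

```python
"""Render validated LMHOSTS entries for VPN clients (added example)."""
import ipaddress
import re

# NetBIOS names hold at most 15 characters (the 16th byte is the service
# suffix). Assumption: restrict to a conservative subset of legal characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def lmhosts_line(name, ip, domain=None):
    """Return one LMHOSTS line; raise ValueError on a bad name or address."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid NetBIOS name: {name!r}")
    addr = ipaddress.IPv4Address(ip)  # raises a ValueError subclass if malformed
    tags = ["#PRE"]  # preload into the name cache; broadcasts do not cross the VPN
    if domain:
        if not _NAME_RE.match(domain):
            raise ValueError(f"invalid domain name: {domain!r}")
        tags.append(f"#DOM:{domain.upper()}")  # marks the host as a domain controller
    return f"{addr}\t{name.upper()}\t" + "\t".join(tags)


def render_lmhosts(entries):
    """entries: iterable of (name, ip, domain_or_None); returns file text."""
    seen = {}
    lines = []
    for name, ip, domain in entries:
        key = name.upper()
        if key in seen:
            if seen[key] != ip:
                raise ValueError(f"{key} mapped to both {seen[key]} and {ip}")
            continue  # exact duplicate, keep the first
        seen[key] = ip
        lines.append(lmhosts_line(name, ip, domain))
    return "\r\n".join(lines) + "\r\n"


# Constructed sample data: replace with the real server names and LAN addresses.
SAMPLE = [
    ("sbs01", "192.168.1.10", "EXAMPLE"),  # hypothetical SBS domain controller
    ("files01", "192.168.1.11", None),     # hypothetical member file server
]

if __name__ == "__main__":
    print(render_lmhosts(SAMPLE), end="")
```

The output goes in `%SystemRoot%\System32\drivers\etc\lmhosts` (no file extension) on each client; `nbtstat -R` then purges and reloads the name cache so the `#PRE` entries take effect.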
 
LVL 15

Author Closing Comment

by:derekkromm
ID: 31411942
Thanks a ton!!! Very helpful :)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 20384624
Very welcome Derek, Thank you.
Cheers !
--Rob
0

Question has a verified solution.