Recommendation for Small Business VPN

Here is an overview of our company structure:

25 employees (with more to come)
10-15 off-site could be offsite at anytime (with more to come)

We currently run 1 server with Windows Server 2003 SBS. Our current VPN solution is a Watchguard Firebox x700. However, we're having a lot of issues with it.

1) I haven't been able to get windows authentication to work with it. So we're currently using the built-in proprietary authentication. It'd be a lot easier to manage the users if I could simply have a security group that contains which users can connect remotely.

2) Users aren't able to easily use mapped drives/network shares. Once they connect to the VPN (Mobile User VPN is the client software), they have to use shortcut folders that reference the server by IP rather than server name. For some reason, it'll connect with the IP, but not the name.

3) Our users seem to get disconnected at the same time everyday. Right around 4:30pm, they get disconnected and have issues trying to reconnect.

I've spoken with support for all 3 of these issues and haven't made much headway at all. Needless to say, we're incredibly frustrated with this product.

What I need are some suggestions to replace this device. It is currently operating as a router, VPN, and firewall. Software and hardware solutions are both welcome. I've been looking into Citrix Access Essentials, but thats obviously quite expensive compared to a hardware solution.

So the short story: I need a VPN solution that is reliable and can easily handle Windows Authentication and will allow users to access network shares without having to jump through hoops.

Any help is appreciated, thanks!
LVL 15
Who is Participating?
Rob WilliamsConnect With a Mentor Commented:
>>"I need a VPN solution that is reliable and can easily handle Windows Authentication and will allow users to access network shares without having to jump through hoops."

Though my preference would be the Watchguard MUVPN,to answer your question, use the SBS built-in VPN service. It's easy to configure, deploy, and administer, uses windows authentication, and will easily allow you to map drives/shares. If the computers are members of the domain, the logon box (ctrl+alt+del) will have an option to connect using dial-up connection. Check that and the VPN will be an alternative. This way the VPN connects before logon and group policy can be applied and logon scripts run to automatically map drives.
derekkrommAuthor Commented:
Do you know of any huge benefits to using the Watchguard as opposed to the SBS VPN service? Basically, why is it your preference?
Rob WilliamsCommented:
A hardware VPN solution, in general or in theory, will provide a little better security as it is a perimeter device and uses IPSec rather than PPTP, and should give slight performance improvements where it is a device dedicated to encryption and decryption. The other point it is more difficult for an unauthorized user to set up a client. Windows client is built in and just requires connection and user information. Sometimes users share their passwords. Watchguard requires access to the config file which can be secured.

However, with less than 25 users I would think the benefits would out weigh the above considerations. at least you can test it without any hardware expanses.
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

derekkrommAuthor Commented:
Ya, I plan on testing it out over the next month to see how it goes. The cost (or lack thereof) is defintely a huge benefit.

Have you ever ran into any of the problems I currently have w/ the Watchguard? Do you have any suggestions on how I could potentially fix them? I, too, would prefer a hardware solution if we are able to correct these issues.
Rob WilliamsCommented:
I haven't used windows authentication with Watchguards. It wasn't an option as I recall on the less expensive SOHO's I used. However, most will let you use a Windows RADIUS server for authentication. In the RADIUS server policies you can allow members of a named group access. This way you simply have to add your new users to that group to give them access. User profile under Dial-In has to be checked appropriately (Control Access through Remote Access Policy). You may be doing this now.

As for name resolution that is a problem. Simplest and most dependable method is to put a little batch file on the user's desktop. After connecting the VPN click on the batch file to map drives by IP.
If you can, another alternative is to add the primary sites DNS server to the MUVPN client. Then you should also change the binding order of the VPN adapters to make the VPN first. This is done in control panel | network connections | on the menu bar chose Advanced | advanced settings | Adapters and binding order.  If the VPN adapter is not present you need to open the VPN security policy editor and on the "My Identity" tab of the policy select virtual adapter required. Then re-boot the PC.

As for the 4:30 problem that is bizarre. That sounds like an ISP problem or a power glitch. Is the router on a UPS? How long does it last, i.e can they reconnect right away?
Rob WilliamsCommented:
One other possibility for name resolution is to use NetBIOS names. NetBIOS broadcasts don't work over a VPN, but you can add the remote servers/PCs and IPs to the client LMHosts file. If you are not familiar with Hosts/LMHosts files let me know.
derekkrommAuthor Commented:
Thanks a ton!!! Very helpful :)
Rob WilliamsCommented:
Very welcome Derek, Thank you.
Cheers !
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.