Recommendation for Small Business VPN

Posted on 2007-11-30
Last Modified: 2013-11-16
Here is an overview of our company structure:

25 employees (with more to come)
10-15 off-site could be offsite at anytime (with more to come)

We currently run 1 server with Windows Server 2003 SBS. Our current VPN solution is a Watchguard Firebox x700. However, we're having a lot of issues with it.

1) I haven't been able to get windows authentication to work with it. So we're currently using the built-in proprietary authentication. It'd be a lot easier to manage the users if I could simply have a security group that contains which users can connect remotely.

2) Users aren't able to easily use mapped drives/network shares. Once they connect to the VPN (Mobile User VPN is the client software), they have to use shortcut folders that reference the server by IP rather than server name. For some reason, it'll connect with the IP, but not the name.

3) Our users seem to get disconnected at the same time everyday. Right around 4:30pm, they get disconnected and have issues trying to reconnect.

I've spoken with support for all 3 of these issues and haven't made much headway at all. Needless to say, we're incredibly frustrated with this product.

What I need are some suggestions to replace this device. It is currently operating as a router, VPN, and firewall. Software and hardware solutions are both welcome. I've been looking into Citrix Access Essentials, but thats obviously quite expensive compared to a hardware solution.

So the short story: I need a VPN solution that is reliable and can easily handle Windows Authentication and will allow users to access network shares without having to jump through hoops.

Any help is appreciated, thanks!
Question by:derekkromm
  • 5
  • 3
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 20383205
>>"I need a VPN solution that is reliable and can easily handle Windows Authentication and will allow users to access network shares without having to jump through hoops."

Though my preference would be the Watchguard MUVPN,to answer your question, use the SBS built-in VPN service. It's easy to configure, deploy, and administer, uses windows authentication, and will easily allow you to map drives/shares. If the computers are members of the domain, the logon box (ctrl+alt+del) will have an option to connect using dial-up connection. Check that and the VPN will be an alternative. This way the VPN connects before logon and group policy can be applied and logon scripts run to automatically map drives.
LVL 15

Author Comment

ID: 20383266
Do you know of any huge benefits to using the Watchguard as opposed to the SBS VPN service? Basically, why is it your preference?
LVL 77

Expert Comment

by:Rob Williams
ID: 20383356
A hardware VPN solution, in general or in theory, will provide a little better security as it is a perimeter device and uses IPSec rather than PPTP, and should give slight performance improvements where it is a device dedicated to encryption and decryption. The other point it is more difficult for an unauthorized user to set up a client. Windows client is built in and just requires connection and user information. Sometimes users share their passwords. Watchguard requires access to the config file which can be secured.

However, with less than 25 users I would think the benefits would out weigh the above considerations. at least you can test it without any hardware expanses.
LVL 15

Author Comment

ID: 20383552
Ya, I plan on testing it out over the next month to see how it goes. The cost (or lack thereof) is defintely a huge benefit.

Have you ever ran into any of the problems I currently have w/ the Watchguard? Do you have any suggestions on how I could potentially fix them? I, too, would prefer a hardware solution if we are able to correct these issues.
New! My Passport Wireless Pro Wi-Fi Mobile Storage

Portable wireless storage to offload, edit, and stream anywhere.

High-capacity, wireless mobile storage designed to accompany professional photographers and videographers in the field to easily offload, edit and stream captured photos and high-definition videos.

LVL 77

Expert Comment

by:Rob Williams
ID: 20383690
I haven't used windows authentication with Watchguards. It wasn't an option as I recall on the less expensive SOHO's I used. However, most will let you use a Windows RADIUS server for authentication. In the RADIUS server policies you can allow members of a named group access. This way you simply have to add your new users to that group to give them access. User profile under Dial-In has to be checked appropriately (Control Access through Remote Access Policy). You may be doing this now.

As for name resolution that is a problem. Simplest and most dependable method is to put a little batch file on the user's desktop. After connecting the VPN click on the batch file to map drives by IP.
If you can, another alternative is to add the primary sites DNS server to the MUVPN client. Then you should also change the binding order of the VPN adapters to make the VPN first. This is done in control panel | network connections | on the menu bar chose Advanced | advanced settings | Adapters and binding order.  If the VPN adapter is not present you need to open the VPN security policy editor and on the "My Identity" tab of the policy select virtual adapter required. Then re-boot the PC.

As for the 4:30 problem that is bizarre. That sounds like an ISP problem or a power glitch. Is the router on a UPS? How long does it last, i.e can they reconnect right away?
LVL 77

Expert Comment

by:Rob Williams
ID: 20383718
One other possibility for name resolution is to use NetBIOS names. NetBIOS broadcasts don't work over a VPN, but you can add the remote servers/PCs and IPs to the client LMHosts file. If you are not familiar with Hosts/LMHosts files let me know.
LVL 15

Author Closing Comment

ID: 31411942
Thanks a ton!!! Very helpful :)
LVL 77

Expert Comment

by:Rob Williams
ID: 20384624
Very welcome Derek, Thank you.
Cheers !

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now