"Client-less" vpn? No native IPSEC in XP/Vista/Win7? (Hate'n Cisco client software)

Hello Everyone!

We have a Cisco VPN concentrator which requires installation of the Cisco VPN client software. Currently, only a handful of LAN-admin folks use it, and it works fine.

We are interested in rolling out VPN to our user community, and blocking all ports except RDP to particular servers on our network.

We don't want to have end-users install what we consider to be somewhat heavy Cisco client software.

Someone suggested we buy a cheap Linksys router which supports IPsec VPN, but our IT guy who researched it read that the only "client-less" Windows VPN protocols are PPTP and L2TP, while the standalone routers only support IPsec. Therefore, he suggested we bring up PPTP on our ISA server.

Question: is that true?

Not that I'm hating ISA, but I was kinda looking forward to a hardware router that wouldn't require Windows updates.

Also, can anyone suggest a router for under $100 that we can trial for just a handful of users to get our feet wet with this concept? Remember: we want a lightweight solution that doesn't require installing client software on the users' home PCs, and that will talk to a cheap, standalone router.

All comments would be very much appreciated,


Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
There are routers which support PPTP, AFAIK. Some WatchGuards, for example, do.

Up to Vista, all native protocols available were PPTP and L2TP/IPsec.
Starting with Windows 7, you can use IPsec with IKEv2 - if the VPN device supports that.

A non-heavy replacement of the Cisco VPN is ShrewSoft VPN (free, www.shrew.net). It will connect to more than only Cisco, and on both 64bit and 32bit.

Why not use an SSL VPN portal, like the ASA5510? It works really well and is highly configurable.

No client is then needed!
mike2401 (Author) Commented:
I don't know anything about SSL VPN, other than what I read just a few minutes ago. I had the impression that SSL VPN only works in a web browser with web apps.


Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
There are different implementations of SSL VPNs. Some want to install a piece of software as a network adapter (Juniper, for instance). Most need to download and run Java applets. That has the advantage of getting full or restricted access to the network with usual software just by using a different IP address (mostly localhost addresses, 127.0.0.x).

Without such Java applets you only have "point-and-click" access, that is, e.g., a specially prepared RDP object on a web page.

The ASA5510 has apps for RDP and SSH, amongst others.

You don't need to install anything on the client computer to use it.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Yes, that is the latter method I mentioned. Real client-free, but very restricted (no database connection, network shares, FTP, ...).
Network shares are an option, and you can use smart tunneling and port forwarding for the SSL VPN portal clients for forwarding all sorts of things.

I like the ASA setup.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
ASA seems to be more flexible than what I have been presented before ...
mike2401 (Author) Commented:
Thank you everyone.

Since we already have Microsoft ISA servers, we decided to use that for end-user VPNs.

Then, we'll restrict where and on what ports they can go using our Cisco 6509.

It's a shame we have the impression that Cisco's VPN client is heavy and too complicated for installation on home users' PCs.

I would have preferred to use the Cisco VPN concentrator that we already own and not Microsoft software (server needs reboots for Windows updates, etc.)

Anyway, I very much appreciated everyone's input.
