Windows RRAS vs Watchguard VPN

nutekconsultants
Hi, we have a Windows 2003 Std Server which is a DC, and Exchange 2003 Server as well.
We have another Windows 2003 DC file server.
Currently our Exchange Server has Windows RRAS enabled for remote users to log in and access email and files from home/offsite.
Question is, is this good practice?
We also have a fairly powerful Watchguard Firebox x550e Firewall - which I think might be better off handling the VPN? Install VPN clients on users' home PCs?

adv of this and disadv of each?



Thanks
Top Expert 2007

Commented:
I always prefer hardware over software for VPN. Better control, and it gives you some redundancy since you can usually have more than one, as well as DR options.

start testing and work up a plan to
1) Improve security
2) Consider 2 factor VPN access ( RSA or cryptocard type keyfob with RADIUS)
3) no access without a VPN client

I hope this helps !
Top Expert 2013

Commented:
No question, if you have the Watchguard, use it. It provides better security in that it is a perimeter device and uses IPSec, it offloads the encryption/decryption from the server to a dedicated device thus providing slightly better performance, and you have far more control over client deployment.
"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Commented:
The only pro of RRAS (using PPTP or L2TP/IPSec) is that you do not need a VPN client, as it is integrated into Windows.

If security and reliability are an issue, no doubt about it, the perimeter device's VPN is best. If a device behind a perimeter device is used to terminate a VPN, there are often issues (because of NAT being applied). In particular with PPTP this can be a big issue (because of GRE, which is its own protocol, and its issues with NAT and stateful firewalls).

But IPSec needs its own client. Clients are often part of the license, so their number is restricted. If that is an issue, you can use the free ShrewSoft VPN client (www.shrew.net), which works against almost any IPSec device.
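
Added example, not part of the original thread: a short Python sketch of why the PPTP data channel is awkward behind NAT. It parses a constructed PPTP control packet (TCP 1723) and a constructed enhanced-GRE data packet (RFC 2637 layout) and shows that the GRE packet has no ports for a port-forward rule to match. The addresses, the Call ID and all function names are assumptions made up for the illustration.

```python
import struct

TCP, UDP, GRE = 6, 17, 47
PPTP_GRE_PROTO = 0x880B  # enhanced GRE carrying PPP (RFC 2637)

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample; checksum left at 0)."""
    pack_ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, pack_ip(src), pack_ip(dst)) + payload

def flow_key(pkt):
    """Return the fields a NAT or stateful firewall has available to track pkt."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                     # IP protocol number
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return ("tcp" if proto == TCP else "udp", src, dst, sport, dport)
    if proto == GRE:
        flags, ptype = struct.unpack("!HH", l4[:4])
        if (flags & 0x7) == 1 and ptype == PPTP_GRE_PROTO:
            _payload_len, call_id = struct.unpack("!HH", l4[4:8])
            return ("gre-pptp", src, dst, call_id)  # a Call ID, but no ports
        return ("gre", src, dst)
    return ("ip-proto-%d" % proto, src, dst)

def matches_port_forward(pkt, proto, port):
    """True if a 'forward proto/port to the inside server' rule covers pkt."""
    key = flow_key(pkt)
    return key[0] == proto and len(key) == 5 and key[4] == port

# Constructed samples: client 198.51.100.10 reaching a server published at 203.0.113.5.
CONTROL = ipv4(TCP, "198.51.100.10", "203.0.113.5",
               struct.pack("!HHIIBBHHH", 49152, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
DATA = ipv4(GRE, "198.51.100.10", "203.0.113.5",
            struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, 4, 7, 1) + b"\xff\x03\xc0\x21")

if __name__ == "__main__":
    for name, pkt in (("control", CONTROL), ("data", DATA)):
        print(name, flow_key(pkt), "covered by tcp/1723 forward:",
              matches_port_forward(pkt, "tcp", 1723))
```

The control connection is covered by a TCP 1723 forward, while the GRE data packet is a separate IP protocol (47) that the perimeter device has to pass and track by some other means.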
