Solved

Remote Access Questions

Posted on 2011-02-11
529 Views
Last Modified: 2012-05-11
I'm looking to make some changes to how my users gain remote access to my system. Currently we have 20 or so users who like to have the ability to work from home. So currently we have a 1-2-1 NAT set up for each of these users. The users connect to their work PC using RDP over a public IP address.

My problem: I'm out of public IPs and have more users who want remote access, along with multiple servers that need to be placed into my DMZ with public IPs. Getting more IPs from my ISP is like pulling teeth.

So, my thought is to switch from giving each PC a 1-2-1 NAT to setting up a VPN. I'm wondering what kinds of drawbacks this might have. And I have multiple options for VPN as well. I have a SonicWall that's got licensing for Global VPN Clients. This has the standard OS, but I am switching it out with a new NSA 4500 with the enhanced OS as well. Second, I could set up a 1-2-1 NAT to one of my Windows servers as a RAS server. I have a bunch of new 2008 servers coming in that will be replacing some 2003 servers, so one of those could potentially become a RAS server.

Any suggestions or reasons why a direct 1-2-1 would be better than using a VPN?
Question by:JamesonJendreas
3 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34873826
I can't really think of any reasons to do NAT as opposed to the VPN. The VPN would be more secure and you will not have to open up your firewall to the internet. Additionally, to get around your out-of-IPs issue, you could use one public IP and change the RDP listening port on each client, giving them a unique port. On the new SonicWall, create an address object for each custom port and run the public server wizard for each user needing RDP access.

VPN is better.

Plus, on the new SonicWall, I'd deploy the SSL-VPN interface. Using the clientless NetExtender SSL-VPN client, deployment will be easier. You could bookmark each user's computer in the SSL-VPN portal and they'd only need to click the bookmark for their computer.

I wouldn't use RAS. Terminate the VPN at your SonicWall. Using RAS, you'd still need to open up the SonicWall to allow the RAS traffic through to the RAS server. The upside to RAS: you could use the native Windows client. No concern for compatibility there.
LVL 1

Author Comment

by:JamesonJendreas
ID: 34874085
Good call - I like the sound of using the SSL-VPN. I'm working the security angle to get this approved, as the big-wigs who use RDP don't like change unless there is a reason I can put forward. I've thought it was a really bad idea to have over 20 users' PCs with 1-2-1s set up (this is an inherited setup).

I'm finishing configuring my new SonicWall this weekend and deploying. I thought about looking into setting up a one-to-many NAT using ports, so we could use one IP and then let the firewall route the RDP session by port.

My slight concern is that in the past I have had some issues with the VPN client for SonicWall (at a previous job) and found the Windows client much easier to use. But as you said, there's still that hole in my firewall reducing security if I use RAS. I was thinking of terminating the VPN on a RAS server in the DMZ and then configuring routes to get them across my firewall to my domain, but that in itself would be a headache as my DMZ domain has no trust with my LAN domain, so authenticating would be a pain in the arse.

Now, that brings up another thing: I'm wondering what type of authentication can be set up for a VPN terminating on my firewall. I don't have a RADIUS server set up. I'll have to check if LDAP is an option or if I need to set up each user with authentication locally on the firewall.
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 34874159
Here's a general KB on setting up integration with different auth methods. LDAP is in there. If you decide to go the RADIUS route, remember to keep the firewall enabled when you install the components on the server. If you disable the firewall, the proper ports don't open and auth can't get through to the server... this is on a 2008 server.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8201

Setting up the NATing is so much work, and for the level of inherent security risk you accept, it's better to put that effort into the VPN. I can understand your concerns about the GVC app, which is why I'd stick with the SSL-VPN. I have clients for which I've not even set up the GroupVPN yet for this reason.

You can enable the SonicWall to use L2TP so you can use the Windows native client; here's a KB on how to do that.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3544
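To make the trade-off discussed in this thread concrete, here is an added example (not from the thread, and not SonicWall's own tooling) that audits a constructed list of NAT/port-forward rules: it counts the public IPs in use and flags every rule that lets any internet source reach RDP on a LAN host, including the port-remapped ones suggested above. The field names, the 10.99.0.0/24 VPN address pool and all addresses are assumptions.

```python
# Added example: audit NAT / port-forward rules for internet-exposed RDP.
# Field names are assumptions loosely modelled on a firewall public-server
# rule; every rule below is constructed sample data.
from dataclasses import dataclass

RDP_PORT = 3389


@dataclass(frozen=True)
class NatRule:
    name: str
    wan_ip: str          # public address the rule listens on
    wan_port: int        # port exposed on the internet
    lan_host: str        # internal host the traffic is translated to
    lan_port: int        # service port on the internal host
    source: str = "any"  # allowed source network; "any" = whole internet


def exposed_rdp_rules(rules):
    """Rules that let any internet source reach RDP on a LAN host.
    A remapped public port (e.g. 3390 -> 3389) still counts: scanners
    identify the service by its response, not by the port number."""
    return [r for r in rules if r.lan_port == RDP_PORT and r.source == "any"]


def public_ips_in_use(rules):
    return sorted({r.wan_ip for r in rules})


def summarize(rules):
    exposed = exposed_rdp_rules(rules)
    return {
        "public_ips": len(public_ips_in_use(rules)),
        "rdp_exposed_hosts": len({r.lan_host for r in exposed}),
        "exposed_rule_names": sorted(r.name for r in exposed),
    }


# Constructed sample: three 1-2-1 NATs (one public IP each), one port-remapped
# RDP forward sharing a single IP, one RDP rule reachable only from the
# assumed VPN pool 10.99.0.0/24, and one unrelated DMZ web server.
SAMPLE_RULES = [
    NatRule("rdp-alice", "203.0.113.11", 3389, "192.168.1.11", 3389),
    NatRule("rdp-bob", "203.0.113.12", 3389, "192.168.1.12", 3389),
    NatRule("rdp-carol", "203.0.113.13", 3389, "192.168.1.13", 3389),
    NatRule("rdp-dave-remapped", "203.0.113.10", 3390, "192.168.1.14", 3389),
    NatRule("rdp-erin-vpn-only", "203.0.113.10", 3389, "192.168.1.15", 3389,
            source="10.99.0.0/24"),
    NatRule("web-dmz", "203.0.113.20", 443, "172.16.0.5", 443),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

Only the rule restricted to the VPN pool escapes the exposed list, which is the point of terminating remote access on the firewall's VPN rather than forwarding RDP.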