Link to home
Create AccountLog in
Avatar of JamesonJendreas
JamesonJendreas

asked on

Remote Access Questions

I'm looking to make some changes on how my users gain remote access to my system.  Currently we have 20 or so users who like to have the ability to work from home.  So currently we have a 1-2-1 NAT setup for each of these users.  The users connect to their work PC using RDP over a public IP address.

My problem, I'm out of public IP's and have more users who want remote access along with multiple servers that need to be placed into my DMZ with public IPs.  Getting more IP's from my ISP is like pulling teeth.

So, my thought is to switch from giving each PC a 1-2-1 NAT to setting up a VPN.  I'm wondering what kinds of drawbacks this might have.  And I have multiple options for VPN as well.  I have a SonicWall that's got licensing for global VPN clients.  This has the standard OS, but I am switching it out with a new NSA 4500 with the enhanced OS as well.   Second, I could setup a 1-2-1 NAT to one of my Windows servers into a RAS server.  I have a bunch of new 2008 servers coming in that  will be replacing some 2003 servers, so one of those could potentially become a RAS server.

Any suggestions or reasons why a direct 1-2-1 would be better than usign a VPN?
Avatar of digitap
digitap
Flag of United States of America image

i can't really think of any reasons to do NAT as opposed to the VPN.  the vpn would be more secure and you will not have to open up your firewall to the internet.  additionally, to get around your out of IPs issue, you could use one public IP and change the RDP listening port on each client giving them a unique port.  on the new sonicwall, create an address object for each custom port and run the public server wizard for each user needing RDP access.

vpn is better.

plus, on the new sonicwall, i'd deploy the ssl-vpn interface.  using the clientless netextender ssl-vpn client, deployment will be easier.  you could bookmark each user's computer in the ssl-vpn portal and they'd only need to click the bookmark for their computer.

i wouldn't use RAS.  terminate the vpn at your sonicwall.  using RAS, you'd still need to open up the sonicwall to allow the RAS traffic through to the RAS server.  the upside to RAS, you could use the native Windows client.  no concern for compatibility there.
Avatar of JamesonJendreas
JamesonJendreas

ASKER

Good call - I like the sound of using the ssl-vpn.  I'm working the security angle to get this approved as the big-wigs who use RDP don't like change unless there is a reason I can put forward.  I've thought it was a really bad idea to have over 20 users PC's having 1-2-1's setup 9this is an inherited setup).

I'm finishing configuring my new sonicwall this weekend and deploying.  I thought about looking into setting up a one-to-many NAT using ports, so we could use one IP then let the firewall route the RDP session by port.

My slight concern is in the past I have had some issues with the VPN client for SonicWall (at a previous job) and found the windows client much easier to use.  But as you said, there's still that hole in my firewall reducing security if I use RAS.  I was thinking of terminating the VPN on a RAS server in DMZ and then configuring routes to get them across my firewall to my domain, but that in itself would be a headache as my DMZ domain has no trust with my LAN domain, so authenticating would be a pain in the arse.  

Now, that brings up another thing, I'm wondering what type of authentication can be setup for a VPN terminating on my Firewall.  I don't have a RADIUS server setup.  I'll have to check if LDAP is an option or if I need to setup each user with authentication locally on the fiorewall.
ASKER CERTIFIED SOLUTION
Avatar of digitap
digitap
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account