Remote Access Questions

Posted on 2011-02-11
Medium Priority
Last Modified: 2012-05-11
I'm looking to make some changes on how my users gain remote access to my system.  Currently we have 20 or so users who like to have the ability to work from home.  So currently we have a 1-2-1 NAT setup for each of these users.  The users connect to their work PC using RDP over a public IP address.

My problem, I'm out of public IP's and have more users who want remote access along with multiple servers that need to be placed into my DMZ with public IPs.  Getting more IP's from my ISP is like pulling teeth.

So, my thought is to switch from giving each PC a 1-2-1 NAT to setting up a VPN.  I'm wondering what kinds of drawbacks this might have.  And I have multiple options for VPN as well.  I have a SonicWall that's got licensing for global VPN clients.  This has the standard OS, but I am switching it out with a new NSA 4500 with the enhanced OS as well.  Second, I could set up a 1-2-1 NAT to one of my Windows servers and make it a RAS server.  I have a bunch of new 2008 servers coming in that will be replacing some 2003 servers, so one of those could potentially become a RAS server.

Any suggestions or reasons why a direct 1-2-1 would be better than using a VPN?
Question by:JamesonJendreas
LVL 33

Expert Comment

ID: 34873826
i can't really think of any reasons to do NAT as opposed to the VPN.  the vpn would be more secure and you will not have to open up your firewall to the internet.  additionally, to get around your out of IPs issue, you could use one public IP and change the RDP listening port on each client giving them a unique port.  on the new sonicwall, create an address object for each custom port and run the public server wizard for each user needing RDP access.

vpn is better.

plus, on the new sonicwall, i'd deploy the ssl-vpn interface.  using the clientless netextender ssl-vpn client, deployment will be easier.  you could bookmark each user's computer in the ssl-vpn portal and they'd only need to click the bookmark for their computer.

i wouldn't use RAS.  terminate the vpn at your sonicwall.  using RAS, you'd still need to open up the sonicwall to allow the RAS traffic through to the RAS server.  the upside to RAS, you could use the native Windows client.  no concern for compatibility there.
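The comment above argues that per-PC 1-2-1 NAT (or the per-user-port variant on a single public IP) leaves every workstation's RDP service directly reachable from the internet, while a VPN terminated on the firewall leaves one entry point. The following is an added example, not code from this thread or from SonicWall: a small audit script that reads a constructed, hypothetical CSV export of inbound port-forward rules (the column layout is an assumption, not a real SonicWall format), lists which internal hosts have RDP exposed, counts how many public IPs that exposure consumes, and shows how many of those IPs would be freed if the RDP forwards were replaced by VPN access. The addresses are from the 203.0.113.0/24 and 10.0.0.0/8 documentation and private ranges.

```python
import csv
import io
from dataclasses import dataclass

RDP_PORT = 3389

# Constructed sample export. Hypothetical CSV layout (assumption):
# public_ip,public_port,internal_ip,internal_port,protocol
# 203.0.113.12 carries two RDP forwards on custom ports, the one-IP-many-ports variant.
SAMPLE_RULES = """public_ip,public_port,internal_ip,internal_port,protocol
203.0.113.10,3389,10.0.1.21,3389,tcp
203.0.113.11,3389,10.0.1.22,3389,tcp
203.0.113.12,33891,10.0.1.23,3389,tcp
203.0.113.12,33892,10.0.1.24,3389,tcp
203.0.113.20,443,10.0.2.5,443,tcp
203.0.113.21,1194,10.0.0.1,1194,udp
"""


@dataclass(frozen=True)
class Rule:
    public_ip: str
    public_port: int
    internal_ip: str
    internal_port: int
    protocol: str


def parse_rules(text: str) -> list:
    """Parse the constructed CSV export into Rule objects."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append(Rule(row["public_ip"], int(row["public_port"]),
                          row["internal_ip"], int(row["internal_port"]),
                          row["protocol"].lower()))
    return rules


def exposed_rdp(rules: list) -> list:
    """Rules that hand internet traffic straight to an internal RDP listener.

    Matching on the internal port catches forwards that use a non-standard
    public port; changing the outside port does not reduce the exposure.
    """
    return [r for r in rules if r.protocol == "tcp" and r.internal_port == RDP_PORT]


def summarize(rules: list) -> dict:
    """Headline numbers for a risk/approval discussion."""
    rdp = exposed_rdp(rules)
    return {
        "rdp_hosts": len({r.internal_ip for r in rdp}),
        "public_ips_for_rdp": len({r.public_ip for r in rdp}),
        "rdp_on_nonstandard_public_port": sum(1 for r in rdp if r.public_port != RDP_PORT),
        "public_ips_in_use": len({r.public_ip for r in rules}),
    }


def public_ips_freed_by_vpn(rules: list) -> list:
    """Public IPs used only for RDP forwards.

    These are the addresses recovered if RDP access moves behind a VPN that
    terminates on the firewall's existing WAN address.
    """
    rdp = set(exposed_rdp(rules))
    rdp_ips = {r.public_ip for r in rdp}
    other_ips = {r.public_ip for r in rules if r not in rdp}
    return sorted(rdp_ips - other_ips)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in exposed_rdp(rules):
        print(f"EXPOSED RDP: {r.public_ip}:{r.public_port} -> {r.internal_ip}:{r.internal_port}")
    for key, value in summarize(rules).items():
        print(f"{key}: {value}")
    print("public IPs freed by moving RDP behind a VPN:", public_ips_freed_by_vpn(rules))
```

On the sample data the report shows four workstations exposed over three public IPs, two of them behind custom ports, and all three of those IPs recoverable for the DMZ servers once RDP is only reachable through the VPN.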

Author Comment

ID: 34874085
Good call - I like the sound of using the ssl-vpn.  I'm working the security angle to get this approved as the big-wigs who use RDP don't like change unless there is a reason I can put forward.  I've thought it was a really bad idea to have over 20 users' PCs having 1-2-1's set up (this is an inherited setup).

I'm finishing configuring my new sonicwall this weekend and deploying.  I thought about looking into setting up a one-to-many NAT using ports, so we could use one IP then let the firewall route the RDP session by port.

My slight concern is in the past I have had some issues with the VPN client for SonicWall (at a previous job) and found the windows client much easier to use.  But as you said, there's still that hole in my firewall reducing security if I use RAS.  I was thinking of terminating the VPN on a RAS server in DMZ and then configuring routes to get them across my firewall to my domain, but that in itself would be a headache as my DMZ domain has no trust with my LAN domain, so authenticating would be a pain in the arse.  

Now, that brings up another thing, I'm wondering what type of authentication can be set up for a VPN terminating on my Firewall.  I don't have a RADIUS server set up.  I'll have to check if LDAP is an option or if I need to set up each user with authentication locally on the firewall.
LVL 33

Accepted Solution

digitap earned 2000 total points
ID: 34874159
here's a general KB on setting up integration with different auth methods.  ldap is in there.  if you decide to go the RADIUS route, remember to keep the firewall enabled when you install the components on the server.  if you disable the firewall, the proper ports don't open and auth can't get through the server...this is on a 2008 server.


setting up the NAT'ing is so much work and for the level of inherent security risk you accept, it's better to put that effort into the vpn.  i can understand your concerns about the GVC app, which is why i'd stick with the ssl-vpn.  i have clients that i've not even set up the GroupVPN for yet for this reason.

you can enable the sonicwall to use l2tp so you can use the windows native client, here's a kb on how to do that.

