Remote Access Questions

Posted on 2011-02-11
Last Modified: 2012-05-11
I'm looking to make some changes on how my users gain remote access to my system.  Currently we have 20 or so users who like to have the ability to work from home.  So currently we have a 1-2-1 NAT setup for each of these users.  The users connect to their work PC using RDP over a public IP address.

My problem: I'm out of public IPs and have more users who want remote access, along with multiple servers that need to be placed into my DMZ with public IPs.  Getting more IPs from my ISP is like pulling teeth.

So, my thought is to switch from giving each PC a 1-2-1 NAT to setting up a VPN.  I'm wondering what kinds of drawbacks this might have.  And I have multiple options for VPN as well.  I have a SonicWall that's got licensing for global VPN clients.  This has the standard OS, but I am switching it out with a new NSA 4500 with the enhanced OS as well.  Second, I could set up a 1-2-1 NAT to one of my Windows servers as a RAS server.  I have a bunch of new 2008 servers coming in that will be replacing some 2003 servers, so one of those could potentially become a RAS server.

Any suggestions or reasons why a direct 1-2-1 would be better than using a VPN?
Question by: JamesonJendreas

Expert Comment

ID: 34873826
I can't really think of any reasons to do NAT as opposed to the VPN.  The VPN would be more secure and you will not have to open up your firewall to the internet.  Additionally, to get around your out-of-IPs issue, you could use one public IP and change the RDP listening port on each client, giving them a unique port.  On the new SonicWall, create an address object for each custom port and run the public server wizard for each user needing RDP access.

VPN is better.

Plus, on the new SonicWall, I'd deploy the SSL-VPN interface.  Using the clientless NetExtender SSL-VPN client, deployment will be easier.  You could bookmark each user's computer in the SSL-VPN portal and they'd only need to click the bookmark for their computer.

I wouldn't use RAS.  Terminate the VPN at your SonicWall.  Using RAS, you'd still need to open up the SonicWall to allow the RAS traffic through to the RAS server.  The upside to RAS: you could use the native Windows client.  No concern for compatibility there.

Author Comment

ID: 34874085
Good call - I like the sound of using the SSL-VPN.  I'm working the security angle to get this approved, as the big-wigs who use RDP don't like change unless there is a reason I can put forward.  I've thought it was a really bad idea to have over 20 users' PCs having 1-2-1s set up (this is an inherited setup).

I'm finishing configuring my new SonicWall this weekend and deploying.  I thought about looking into setting up a one-to-many NAT using ports, so we could use one IP then let the firewall route the RDP session by port.

My slight concern is in the past I have had some issues with the VPN client for SonicWall (at a previous job) and found the Windows client much easier to use.  But as you said, there's still that hole in my firewall reducing security if I use RAS.  I was thinking of terminating the VPN on a RAS server in the DMZ and then configuring routes to get them across my firewall to my domain, but that in itself would be a headache as my DMZ domain has no trust with my LAN domain, so authenticating would be a pain in the arse.

Now, that brings up another thing: I'm wondering what type of authentication can be set up for a VPN terminating on my firewall.  I don't have a RADIUS server set up.  I'll have to check if LDAP is an option or if I need to set up each user with authentication locally on the firewall.

Accepted Solution

digitap earned 500 total points
ID: 34874159
Here's a general KB on setting up integration with different auth methods.  LDAP is in there.  If you decide to go the RADIUS route, remember to keep the firewall enabled when you install the components on the server.  If you disable the firewall, the proper ports don't open and auth can't get through to the server... this is on a 2008 server.

Setting up the NAT'ing is so much work, and for the level of inherent security risk you accept, it's better to put that effort into the VPN.  I can understand your concerns about the GVC app, which is why I'd stick with the SSL-VPN.  I have clients that I've not even set up the GroupVPN for yet for this reason.

You can enable the SonicWall to use L2TP so you can use the Windows native client; here's a KB on how to do that.
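The per-user-port alternative raised in the first expert comment and the author's reply (one public IP, a different RDP port per user) saves addresses but does not remove the exposure the accepted answer warns about. The following Python is an added example, not from this thread or from SonicWall: it audits a constructed rule list in an assumed plain-text format and counts both the public IPs consumed and the RDP listeners that remain reachable from the WAN.

```python
"""Audit inbound NAT rules for internet-exposed RDP. Rule format is
constructed for this example (not a SonicWall export):
    <public_ip>:<public_port> -> <private_ip>:<private_port>  # comment"""
from dataclasses import dataclass

RDP_PORT = 3389

@dataclass(frozen=True)
class NatRule:
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int

def parse_rules(text):
    """Parse one rule per line; blank lines and '#' comments are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pub, priv = (s.strip() for s in line.split("->"))
        pub_ip, pub_port = pub.rsplit(":", 1)
        priv_ip, priv_port = priv.rsplit(":", 1)
        rules.append(NatRule(pub_ip, int(pub_port), priv_ip, int(priv_port)))
    return rules

def audit(rules):
    """Return (distinct public IPs consumed, rules that expose an RDP listener).
    A rule is flagged when the inside port is 3389 whatever the public port:
    per-user port remapping saves addresses but leaves RDP reachable from
    the internet, so it is no safer than a 1-to-1 NAT."""
    exposed = [r for r in rules if r.private_port == RDP_PORT]
    return len({r.public_ip for r in rules}), exposed

def report(text):
    rules = parse_rules(text)
    n_ips, exposed = audit(rules)
    return {"rules": len(rules), "public_ips": n_ips,
            "rdp_exposed": len(exposed),
            "rdp_remapped": sum(r.public_port != RDP_PORT for r in exposed)}

# Constructed sample: two 1-to-1 NATs, a DMZ server, and a shared IP with
# per-user RDP ports (RFC 5737 documentation addresses).
SAMPLE_RULES = """
203.0.113.11:3389  -> 10.0.0.11:3389   # user PC, 1-to-1 NAT
203.0.113.12:3389  -> 10.0.0.12:3389   # user PC, 1-to-1 NAT
203.0.113.13:443   -> 10.0.0.50:443    # DMZ web server
203.0.113.20:33891 -> 10.0.0.21:3389   # shared IP, per-user port
203.0.113.20:33892 -> 10.0.0.22:3389   # shared IP, per-user port
"""
```

Running `report(SAMPLE_RULES)` shows the shared-IP scheme cutting the address count while all four RDP listeners stay exposed; only rules that terminate inside a VPN disappear from the `rdp_exposed` count.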
