Remote Access Questions

Posted on 2011-02-11
Medium Priority
Last Modified: 2012-05-11
I'm looking to make some changes on how my users gain remote access to my system. Currently we have 20 or so users who like to have the ability to work from home. So currently we have a 1-2-1 NAT setup for each of these users. The users connect to their work PC using RDP over a public IP address.

My problem: I'm out of public IPs and have more users who want remote access, along with multiple servers that need to be placed into my DMZ with public IPs. Getting more IPs from my ISP is like pulling teeth.

So, my thought is to switch from giving each PC a 1-2-1 NAT to setting up a VPN. I'm wondering what kinds of drawbacks this might have. And I have multiple options for VPN as well. I have a SonicWall that's got licensing for global VPN clients. This has the standard OS, but I am switching it out with a new NSA 4500 with the enhanced OS as well. Second, I could set up a 1-2-1 NAT to one of my Windows servers into a RAS server. I have a bunch of new 2008 servers coming in that will be replacing some 2003 servers, so one of those could potentially become a RAS server.

Any suggestions or reasons why a direct 1-2-1 would be better than using a VPN?
Question by:JamesonJendreas

Expert Comment

ID: 34873826
I can't really think of any reasons to do NAT as opposed to the VPN. The VPN would be more secure and you will not have to open up your firewall to the internet. Additionally, to get around your out-of-IPs issue, you could use one public IP and change the RDP listening port on each client, giving them a unique port. On the new SonicWall, create an address object for each custom port and run the public server wizard for each user needing RDP access.

VPN is better.

Plus, on the new SonicWall, I'd deploy the SSL-VPN interface. Using the clientless NetExtender SSL-VPN client, deployment will be easier. You could bookmark each user's computer in the SSL-VPN portal and they'd only need to click the bookmark for their computer.

I wouldn't use RAS. Terminate the VPN at your SonicWall. Using RAS, you'd still need to open up the SonicWall to allow the RAS traffic through to the RAS server. The upside to RAS: you could use the native Windows client. No concern for compatibility there.
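An added example, not from this thread or from SonicWall: a small audit script that reads a set of inbound NAT rules (in a constructed one-line-per-rule text format assumed here, not the firewall's own export format), counts the public IPs they consume, lists every host whose RDP port is reachable from the internet, flags duplicate public endpoints, and shows what the "one public IP, one port per user" plan from the comment above would look like. It makes the trade-off concrete: port multiplexing frees addresses, but every RDP host stays exposed, which is the risk a VPN terminated on the firewall removes.

```python
"""Audit inbound NAT rules for internet-exposed RDP (added example, not from the thread).
Rule lines use a constructed text format: 'PUBLIC_IP:PORT -> PRIVATE_IP:PORT'."""
from collections import Counter
import ipaddress

RDP_PORT = 3389

def parse_rules(text):
    """Parse one rule per line; '#' starts a comment. Returns (pub_ip, pub_port, priv_ip, priv_port)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst = (part.strip() for part in line.split("->"))
        pub_ip, pub_port = src.rsplit(":", 1)
        priv_ip, priv_port = dst.rsplit(":", 1)
        ipaddress.ip_address(pub_ip)   # raises ValueError on a malformed address
        ipaddress.ip_address(priv_ip)
        rules.append((pub_ip, int(pub_port), priv_ip, int(priv_port)))
    return rules

def audit(rules):
    """Summarise the attack surface the rule set creates on the internet side."""
    rdp = [r for r in rules if r[3] == RDP_PORT]
    dup = [k for k, n in Counter((r[0], r[1]) for r in rules).items() if n > 1]
    return {
        "public_ips_used": len({r[0] for r in rules}),
        "exposed_rdp_hosts": sorted({r[2] for r in rdp}),
        "duplicate_public_endpoints": dup,   # same ip:port forwarded twice -> misconfiguration
    }

def multiplex_plan(rules, public_ip, first_port=33890):
    """Collapse every forwarded RDP host onto one public IP with a unique port each.
    This frees addresses but leaves each host's RDP reachable from the internet,
    which is why terminating a VPN on the firewall is the stronger option."""
    hosts = sorted({r[2] for r in rules if r[3] == RDP_PORT})
    return [(public_ip, first_port + i, host, RDP_PORT) for i, host in enumerate(hosts)]

# Constructed sample: three inherited 1-2-1 style RDP rules plus a DMZ web server.
SAMPLE = """
203.0.113.10:3389 -> 10.0.0.21:3389   # user A
203.0.113.11:3389 -> 10.0.0.22:3389   # user B
203.0.113.12:3389 -> 10.0.0.23:3389   # user C
203.0.113.13:443  -> 10.0.1.5:443     # DMZ web server
203.0.113.13:443  -> 10.0.1.6:443     # accidental duplicate of the same public endpoint
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    print(audit(rules))
    for rule in multiplex_plan(rules, "203.0.113.10"):
        print("%s:%d -> %s:%d" % rule)
```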

Author Comment

ID: 34874085
Good call - I like the sound of using the SSL-VPN. I'm working the security angle to get this approved, as the big-wigs who use RDP don't like change unless there is a reason I can put forward. I've thought it was a really bad idea to have over 20 users' PCs having 1-2-1s set up (this is an inherited setup).

I'm finishing configuring my new SonicWall this weekend and deploying. I thought about looking into setting up a one-to-many NAT using ports, so we could use one IP and then let the firewall route the RDP session by port.

My slight concern is that in the past I have had some issues with the VPN client for SonicWall (at a previous job) and found the Windows client much easier to use. But as you said, there's still that hole in my firewall reducing security if I use RAS. I was thinking of terminating the VPN on a RAS server in the DMZ and then configuring routes to get them across my firewall to my domain, but that in itself would be a headache as my DMZ domain has no trust with my LAN domain, so authenticating would be a pain in the arse.

Now, that brings up another thing: I'm wondering what type of authentication can be set up for a VPN terminating on my firewall. I don't have a RADIUS server set up. I'll have to check if LDAP is an option or if I need to set up each user with authentication locally on the firewall.

Accepted Solution

digitap earned 2000 total points
ID: 34874159
Here's a general KB on setting up integration with different auth methods. LDAP is in there. If you decide to go the RADIUS route, remember to keep the firewall enabled when you install the components on the server. If you disable the firewall, the proper ports don't open and auth can't get through the server... this is on a 2008 server.

Setting up the NAT'ing is so much work, and for the level of inherent security risk you accept, it's better to put that effort into the VPN. I can understand your concerns about the GVC app, which is why I'd stick with the SSL-VPN. I have clients that I've not even set up the GroupVPN for yet for this reason.

You can enable the SonicWall to use L2TP so you can use the Windows native client; here's a KB on how to do that.

