Setting up VPN with Firewall rules for remote network users

HellmaUS
I have an office network running off of a Small Business Server 2008 with a SonicWall TZ180 firewall that I would like to create a VPN to set up some laptops as remote network users (for employees on the road or out of the office to access full network capabilities). I have enabled the functionality on the server. I believe I set up the port forwarding rules on the firewall properly (port 1723), but perhaps there is more I need to do there. The static IP address for our network is what I put into the setup wizard in network setup, but I cannot get the access correct. All the machines in my network have static IP addresses. We are running a terminal server as well. Please help me figure out what I haven't completed to make the whole thing work. Thanks!
ctssteveowner

Commented:
With your TZ180 SonicWall, did you purchase the Enhanced OS?
Top Expert 2013

Commented:
If using the SBS VPN you simply run the VPN setup wizard under SBS console | network | connectivity, and it will configure client addressing, routing, authentication, and all else required.

On the Sonicwall you have to forward port 1723 and enable GRE pass-through.
On the client end you can connect to resources using IP's but if you want name resolution to work you need to follow the steps in the following link:
http://blog.lan-tech.ca/2011/05/14/vpn-client-name-resolution-2/

However, if you have a terminal server, why do you need a VPN?  The terminal server will provide FAR better performance and better security.  VPNs have a major security flaw in that you are letting an uncontrolled remote computer on an uncontrolled remote network have full access to your corporate network.

Commented:
Did you consider using the Sonicwall Global VPN Client on your laptops to connect to the Sonicwall and bring you onto your LAN from there? You would have to buy licenses for it though so there is some cost involved.

Author

Commented:
RobWill-

The terminal server is quite slow and only allows 2 sessions at a time. Additionally, the VPN will allow for remote users to operate under standard conditions with access to complete functionality on their home machines as opposed to the limited software and data on the TS.

All of the computers have enforced client anti-virus in order to access the network anyway.
Top Expert 2013

Commented:
>>"The terminal server is quite slow and only allows 2 sessions at a time."
Then it is not a terminal server.  If Terminal Services have not been added you can only have 2 users access the server at a time, and it is for management purposes only. In this mode the server is optimized for background services such as file and print sharing and not for running applications.

I do however understand now why you want VPN access.  Keep in mind though that hackers near the home system, over which you have no control, can far more easily access your corporate network. Also a VPN will not let users run applications involving databases, such as Access or accounting apps, on a home computer and access the data on the server. Doing so, because of the slow link, can result in data corruption.

SBS does offer Outlook Web Access, Outlook rpc/http, and Remote Web Workplace (to access their office PC) which all perform much better and more securely than a VPN.

If you are going to use a VPN, though the SBS VPN works well, using the Sonicwall VPN as suggested by ZabagaR would be a little more secure and offer slightly better performance.

Author

Commented:
Ok, I followed all the steps I could find setting up the Sonicwall VPN client. I've set the access rules and set up the authentication for IKE IPsec preshared secret.

I open the connection and it shows:
opening port
port opened
device connected
all devices connected
verifying username and password
and then I get this error window:

error message from opening VPN connection

What setting am I missing?
Top Expert 2013

Commented:
Which method are you wanting to use? Initially you were discussing using the Windows VPN, and now the Sonicwall VPN.
The error message you received appears to be from the Windows VPN client, not the Sonicwall Global VPN client.

Author

Commented:
Based on your post from 4/17 I decided it best to use the Sonicwall VPN. I believe I followed the steps mentioned in the link you included. If the error message is coming from the Windows VPN, then what should I do to cut this out of the equation?
Top Expert 2013
Commented:
Though the Sonicwall is the better and more secure solution I did not recommend using the Sonicwall VPN or provide a link.

I think there may be some misunderstanding of your options:
1) You can use the SBS server as a VPN endpoint (VPN server) and then on the Sonicwall router allow that traffic to be forwarded to the SBS
2) You can use the Sonicwall as the VPN endpoint and in conjunction with the Sonicwall VPN client connect to it directly

Option 1 uses PPTP and is easier to configure but a little less secure.  It does not involve any VPN configuration on the Sonicwall, just port forwarding and allowing GRE to pass. This uses the Windows VPN client.

Option 2 uses IPsec, requires that the Sonicwall have the appropriate licenses to do so, and requires you to download the Sonicwall Global VPN client; there are no configurations required on the server, other than possibly the firewall.

It sounds as if you are mixing the two.
I can assist with the Windows VPN configuration, but I have not worked with Sonicwalls enough to advise you on it without having access to one.
The Windows VPN simply requires you to run the VPN setup wizard under SBS console | network | connectivity, and it will configure client addressing, routing, authentication, and all else. You then have to forward port 1723 and enable GRE pass-through on the Sonicwall.  As mentioned, I don't have a Sonicwall to check where the options are located. The following may help, but keep in mind the methods vary with the firmware versions of the Sonicwalls.
https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3913
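As an added example (not part of the thread above and not SonicWall's own configuration syntax), the following script checks a rule set against the two options RobWill lays out: option 1 needs TCP/1723 forwarded to the SBS plus IP protocol 47 (GRE) passed through to it, option 2 needs IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) terminating on the firewall itself. The `Rule` structure and the SBS address are constructed placeholders.

```python
"""Check a perimeter rule set for the two VPN designs discussed in the thread.
Option 1: SBS is the PPTP endpoint -> TCP/1723 and GRE (IP proto 47) forwarded to it.
Option 2: SonicWall is the IPsec endpoint -> UDP/500, UDP/4500, ESP (IP proto 50)
terminate on the firewall. The Rule format is constructed for this example only."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Rule:
    proto: str    # "tcp", "udp", or "ip" for a raw IP protocol number
    number: int   # destination port for tcp/udp, protocol number for "ip"
    dest: str     # "firewall" when the firewall terminates it, else forward-to host

PPTP_NEEDS = (("tcp", 1723), ("ip", 47))                 # control channel, GRE data
IPSEC_NEEDS = (("udp", 500), ("udp", 4500), ("ip", 50))  # IKE, NAT-T, ESP

def _permits(rules: List[Rule], proto: str, number: int, dest: str) -> bool:
    return any(r.proto == proto and r.number == number and r.dest == dest for r in rules)

def missing_for(rules: Iterable[Rule], needs: Iterable[Tuple[str, int]], dest: str) -> List[str]:
    """Return the requirements in `needs` that no rule satisfies for `dest`."""
    rules = list(rules)
    return [f"{p}/{n} -> {dest}" for p, n in needs if not _permits(rules, p, n, dest)]

def diagnose_pptp(rules: Iterable[Rule], sbs_ip: str) -> str:
    """Map the missing PPTP pieces to the symptom the administrator would see."""
    rules = list(rules)
    missing = missing_for(rules, PPTP_NEEDS, sbs_ip)
    if not missing:
        return "ok"
    if missing == [f"ip/47 -> {sbs_ip}"]:
        # TCP/1723 connects, but the PPP frames (including the authentication
        # exchange) travel inside GRE, so the client stalls at
        # "verifying username and password" and then errors out.
        return "GRE (IP protocol 47) not passed to SBS: control channel connects, tunnel never comes up"
    return "missing: " + ", ".join(missing)

if __name__ == "__main__":
    SBS = "192.168.1.2"  # constructed placeholder for the SBS static address
    rules = [Rule("tcp", 1723, SBS)]  # 1723 forwarded, GRE forgotten
    print(diagnose_pptp(rules, SBS))
    print(missing_for(rules, IPSEC_NEEDS, "firewall"))
```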
