Hardware VPN sharing
Posted on 2013-06-30
We are equipping a roaming group of RDP users that connect to one Windows Server 2008 Terminal Server from various sites. They move from site to site as a group and when working, they are all at the same site, generally in the same room.
When on site, they will be behind whatever NAT device is installed at that site. These are generally simple common brand firewalls that don’t block ports; they just require that the session be initiated from the LAN side of the device.
We are working to develop a configuration that will allow their terminal server sessions to share scan and print devices at their remote sites as they roam. We are investigating a native Windows solution, third party software solutions, and hardware solutions if they exist. This question is in reference to a hardware solution.
We would like to find hardware routers with VPN built in that can be configured like this:
Install one as the main gateway and NAT device at the site where the Terminal Server is located. It would be the gateway for the LAN that the Terminal Server is installed on and the fixed endpoint for roaming tunnels.
Have a roaming router/VPN device with at least two Ethernet ports. One port would get a protected address from the LAN where the group is working and establish an IPsec tunnel to the gateway where the Terminal Server is located. Use the second port on the roaming router/VPN device to serve a small LAN to which RDP clients, network scanners and printers could be connected and used simply as any other network device, as the hardware handles all the routing and tunneling.
Two things concern us.
One – That the tunnel can be established through most common NAT devices that they will encounter and be behind as they roam.
Two – That the VPN device at the main Terminal Server location can accept tunnels established from roaming addresses. I seem to remember on older VPN devices that tunnels could be defined from roaming addresses, but on the newer equipment, it seems that both ends of the tunnel need to be defined with a fixed address.
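The two concerns above map to two settings in a site-to-site IKEv2 configuration: the fixed end accepts the peer from any address and authenticates it by identity, and the roaming end always initiates so the site NAT only ever sees an outbound flow. This is an added illustration in strongSwan swanctl.conf syntax, not anything from the original post or from a particular router vendor; the public address 203.0.113.10, the subnets, the identities and the use of a PSK (rather than certificates) are assumptions for the example.

```conf
# swanctl.conf on the fixed gateway (hypothetical public 203.0.113.10, LAN 192.168.10.0/24)
connections {
    ts-gateway {
        version      = 2
        local_addrs  = 203.0.113.10
        remote_addrs = %any    # accept the roaming router from any address
        local {
            auth = psk
            id   = gw.example.com
        }
        remote {
            auth = psk
            id   = roaming.example.com   # matched by identity, never by address
        }
        children {
            roaming-lan {
                local_ts     = 192.168.10.0/24   # Terminal Server LAN
                remote_ts    = 192.168.50.0/24   # LAN on the roaming router's 2nd port
                start_action = none              # responder only
            }
        }
    }
}

# swanctl.conf on the roaming router: it always dials out, so the site NAT only sees
# an outbound UDP 500/4500 flow; IKEv2 detects the NAT and encapsulates ESP in UDP 4500
connections {
    to-ts-gateway {
        version      = 2
        remote_addrs = 203.0.113.10
        keyingtries  = 0       # retry indefinitely after a site move or NAT timeout
        dpd_delay    = 30s     # notice a dead NAT mapping quickly
        local {
            auth = psk
            id   = roaming.example.com
        }
        remote {
            auth = psk
            id   = gw.example.com
        }
        children {
            roaming-lan {
                local_ts     = 192.168.50.0/24
                remote_ts    = 192.168.10.0/24
                start_action = start     # bring the tunnel up at boot
                dpd_action   = restart   # re-establish it after DPD failure
            }
        }
    }
}
```

Both devices also need a matching `secrets` section with the PSK for the two identities (certificate authentication is the stronger choice on real hardware), and the fixed gateway must permit inbound UDP 500 and 4500. Pick the roaming LAN subnet so it cannot collide with whatever the host site's NAT device hands out, since a duplicate subnet would make the tunnel's routing ambiguous.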