Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

hardware vpn sharing

Posted on 2013-06-30
5
Medium Priority
?
333 Views
Last Modified: 2013-07-11
We are equipping a roaming group of RDP users that connect to one Windows Server 2008 Terminal Server from various sites. They move from site to site as a group and when working, they are all at the same site, generally in the same room.

When on site, they will be behind whatever NAT device is installed at that site. These are generally simple common brand firewalls that don’t block ports; they just require that the session be initiated from the LAN side of the device.

We are working to develop a configuration that will allow their terminal server sessions to share scan and print devices at their remote sites as they roam. We are investigating a native Windows solution, third party software solutions, and hardware solutions if they exist. This question is in reference to a hardware solution.

We would like to find hardware routers with VPN built in that can be configured like this:

Install one as the main gateway and NAT device at the site where the Terminal Server is located. It would be the gateway for the LAN that the Terminal Server is installed on and fixed endpoint for roaming tunnels.
Have a roaming router/VPN device with at least two Ethernet ports. One port would get a protected address from the LAN where the group is working and establish an IPSec tunnel to the gateway where the Terminal Server is located. Use the second port on the roaming router/VPN device to service a small LAN that RDP clients and network scanners and printers could be connected and be used simply as any other network device as the hardware handles all the routing and tunneling.

Two things concern us.
One – That the tunnel can be established through most common NAT devices that they will encounter and be behind as they roam.
Two – That the VPN device at the main Terminal Server location can accept tunnels established from roaming addresses. I seem to remember on older VPN devices that tunnels could be defined from roaming addresses, but on the newer equipment, it seems that both ends of the tunnel need to be defined with a fixed address.

.

Thank you.
0
Comment
Question by:mj2112
  • 3
5 Comments
 
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 1000 total points
ID: 39288855
"One – That the tunnel can be established through most common NAT devices that they will encounter and be behind as they roam."

My suggestion would be to ditch IPsec, then, and look to   OpenVPN solutions.
Or look to Logmein Hamachi.


In either case,  for your VPN hardware, you can look towards consumer routers that are capable of being flashed with DD-WRT  imagines  that have Hamachi or OpenVPN client capability;  due to the requirement to have multiple devices connect.


On the destination network side, look at using an x86 server with an interface outside your normal firewall rules (Bastion system),  or a virtual access server appliance...



The problem with using an IPsec VPN is,  that even with NAT-T    NAT traversal, it is not very robust or foolproof.

For a VPN that will reliably traverse NAT,  you should leverage a TCP or UDP based tunneling protocol  that by design works through a client-side NAT.
0
 
LVL 100

Assisted Solution

by:John Hurst
John Hurst earned 1000 total points
ID: 39288895
Take a look at Cisco RVxx VPN routers or Juniper Netscreen SSG routers. Both are reliable and both can handle NAT Traversal - I use it.

Hardware VPN routers work best with Static IP and always did. If your IP does not change a lot, you can get by with dynamic - I do that as well.

You can use NCP Secure Entry (www.ncp-e.com) for client access into these devices. NCP handles NAT Traversal very well.

... Thinkpads_User
0
 

Accepted Solution

by:
mj2112 earned 0 total points
ID: 39292088
Thank you both. I am assimilating your information. I will post back soon.
0
 

Author Comment

by:mj2112
ID: 39304399
i didn't mean to click my own comment................
0
 

Author Closing Comment

by:mj2112
ID: 39316939
Again, thank you both. I am using your advice as i decide. Best Regards...
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question