Set up a VPN tunnel between an AWS Windows server instance and a remote WiFi access point?

I need to set up a remote access point, inside my customer's LAN and firewall, with transparent (no NAT, etc.) WiFi access to a Windows Server instance on Amazon Web Services.  The only outbound connection allowable from the access point is to the Amazon instance.  No inbound connections from the internet to the access point will be possible, as the access point will be on a NATed address inside the customer LAN.

Traffic from the WiFi clients must all be confined to the IPSEC tunnel between the access point and the Amazon instance.

I prefer that the remote WiFi clients have access to only specific ports on the Windows server (but that is not an absolute requirement).  The WiFi access point will be unreachable from the internet, and must therefore initiate the connection to the AWS server.  The server will have an IPv4 address on the internet.
RHenningsgard (Director of Telematics Products) asked:
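The question's "only specific ports" requirement can be enforced on the Windows Server itself, independent of whichever tunnel device delivers the WiFi-client traffic. The following is an added example, not part of the original thread; the tunnel subnet, the allowed ports and the rule group name are assumed placeholders.

```powershell
# Added example (not from the original thread): restrict the remote WiFi clients
# to specific TCP ports on the Windows Server with Windows Firewall, once the
# tunnel delivers their traffic to the server. Subnet and ports are placeholders.
$TunnelSubnet    = '10.10.20.0/24'       # assumed: address range the WiFi clients arrive from
$AllowedTcpPorts = @(443, 8443)          # assumed: the only application ports they may reach
$RuleGroup       = 'Remote WiFi tunnel'  # assumed: group name so the rules can be managed together

# Keep the default posture: inbound traffic not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Remove rules from an earlier run so the script is idempotent.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# One allow rule per port, scoped to the tunnel subnet only.
foreach ($port in $AllowedTcpPorts) {
    New-NetFirewallRule -DisplayName "Tunnel clients -> TCP $port" `
        -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $TunnelSubnet -Action Allow -Profile Any | Out-Null
}

# Review what is now reachable from the tunnel subnet.
Get-NetFirewallRule -Group $RuleGroup |
    ForEach-Object {
        $portFilter    = $_ | Get-NetFirewallPortFilter
        $addressFilter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule = $_.DisplayName
            Port = $portFilter.LocalPort
            From = $addressFilter.RemoteAddress
        }
    } | Format-Table -AutoSize
```

Pre-existing rules that allow a port from any remote address (for example RDP) still match traffic from the tunnel subnet, so audit those separately; the script only adds scoped allows on top of the default inbound block.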

RHenningsgard (Director of Telematics Products, author) commented:
Recommendations for hardware are very welcome!  Hoping to keep the price per access point (or access point+gateway) in the $400 range.  Should be no more than five or six WiFi clients at any one time.  WiFi clients are fixed-IP embedded 8/16 bit processors with no operating system - so no chance of running any commercial client-side VPN application software.
RHenningsgard (Director of Telematics Products, author) commented:
I see by the lack of quick answers that I may be asking for something unusual (or impossible).  It's very important to me to figure this out, including figuring out that it cannot be done if that's the case.

Therefore, I will give credit for any advice that helps me figure out what to do.  I will also ask additional max-point questions about multiple components of a solution as needed.  

I just paid for a one-year unlimited membership just to ask this one question.

Thanks in advance for any help or advice!
Lionel MM (Small Business IT Consultant) commented:
I'm sorry that I can't help, but if you need immediate help you can click on the "Request Attention" button; that way they can notify experts in this area to come take a look.

RHenningsgard (Director of Telematics Products, author) commented:
Scouring the internet, I've learned that the configuration I seek is the second definition of a VLAN (virtual LAN).  The primary definition refers to a method (other than running different subnets) for isolating groups of machines on a single LAN, under the 802.1Q specification, with slightly different packet structure.  That is not the type of VLAN I need.  I need a virtual LAN where the geographically remote LAN acts as if it were local to the "home office" LAN.
Dirk Kotte (SE) commented:
I build this with Sophos UTM (firewall) at AWS and a RED device + access point at the office...
Some new RED devices should contain WLAN.

This builds a tunnel between the UTM firewall and the RED, and the WLAN traffic is tunneled to the UTM at AWS.

RHenningsgard (Director of Telematics Products, author) commented:
OK, that's a great start, and it sounds like you know the solution.  Could you fill me in a bit on the UTM at Amazon?  My knowledge of that is almost precisely zero, other than knowing that for which the initials stand, "Unified Threat Management."  I've had no need to bother with learning anything about UTM because I'm running a single application, a completely custom web server which I personally authored, and it's threat-immune.  (It's been running on the internet since the late 1990s, with no firewall, no nothing, and all it does with exploit attempts is log them for entertainment reading.)
Dirk Kotte (SE) commented:
Sophos UTM is available as a pre-built virtual appliance at AWS;
if you don't need firewall features, you are free to not use these features.

Do you build your own operating system and your own web service? Great.
Every OS or app I know has some bugs in its lifetime, and sometimes the fixes came too late.
Different security features hide these bugs.
RHenningsgard (Director of Telematics Products, author) commented:
Obviously an obscure question, well-answered!