Best router to allow inbound Windows Remote Access

m_sandstrom
Aspirant

Best router to allow inbound Windows Remote Access

Hello,
got a question from a customer who is on an Active Directory with a Windows Server 2008 box running Remote Access Server. What firewall could you recommend that allows inbound client connections to be tunneled from the Internet to the Windows box?

Cheers,
/Mattias

Message 1 of 4

Accepted Solutions
fordem
Mentor

Re: Best router to allow inbound Windows Remote Access

The FVS336G plays no part in a connection between an "internal" client and a RAS server on the same LAN, and is not really involved in outgoing connections - it does need to have PPTP passthrough, but that is it.

You could have the port forwarding completely disabled on your 336 and you still get the results you report.

First question - does the RAS have internet access?
Second question - what do you mean by "inbound NAT"?

I quit using PPTP a while back (switched to IPsec) but from memory all that is required on the router is to forward port 1723 to the RAS, and if you're using a dynamic WAN IP, you'll also need to set up some form of dynamic DNS - DynDNS has worked well for me.

For the FVS338 (and presumably the 336) - just add an incoming service and select pptp from the pull down menu, select allow always and enter the address of the RAS.

Message 4 of 4
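
A way to verify the TCP 1723 forward described above from outside the LAN, as an added example that is not part of the original thread: it sends the PPTP Start-Control-Connection-Request defined in RFC 2637 and parses the reply. The function names, the `probe` host name and the sample reply are assumptions made for illustration; a successful reply confirms only the control channel, since PPTP tunnel data travels separately over GRE (IP protocol 47).

```python
import socket
import struct

MAGIC = 0x1A2B3C4D                   # PPTP magic cookie (RFC 2637)
SCCRQ_FMT = ">HHIHHHHIIHH64s64s"     # Start-Control-Connection-Request, 156 bytes
SCCRP_FMT = ">HHIHHHBBIIHH64s64s"    # Start-Control-Connection-Reply, 156 bytes

def build_sccrq(host_name=b"probe"):
    """First control message a PPTP client sends on TCP 1723."""
    # length, PPTP msg type 1 (control), cookie, control type 1 (SCCRQ), reserved,
    # protocol version 1.0, reserved, framing caps, bearer caps, max channels,
    # firmware revision, host name, vendor string
    return struct.pack(SCCRQ_FMT, 156, 1, MAGIC, 1, 0, 0x0100, 0,
                       3, 3, 0, 0, host_name, b"")

def parse_sccrp(data):
    """Validate a reply; return (result_code, host_name, vendor_string)."""
    if len(data) < 156:
        raise ValueError("short reply: %d bytes" % len(data))
    (_len, msg_type, cookie, ctrl_type, _r0, _ver, result, _err,
     _fr, _br, _ch, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:156])
    if cookie != MAGIC or msg_type != 1 or ctrl_type != 2:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return result, text(host), text(vendor)

def check_forward(wan_host, port=1723, timeout=5.0):
    """Run from outside the LAN against the router's WAN address or DynDNS name."""
    with socket.create_connection((wan_host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)   # result_code 1 means the RAS accepted the control connection

# Constructed sample reply (not captured from a real server), used to exercise the parser.
SAMPLE_REPLY = struct.pack(SCCRP_FMT, 156, 1, MAGIC, 2, 0, 0x0100, 1, 0,
                           3, 3, 0, 0, b"ras01", b"ExampleVendor")

if __name__ == "__main__":
    print(parse_sccrp(SAMPLE_REPLY))
```

A timeout or refused connection from `check_forward` points at the forwarding rule or the RAS listener, while a `ValueError` means something other than a PPTP server answered on the forwarded port.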

All Replies
fordem
Mentor

Re: Best router to allow inbound Windows Remote Access

Pick a router - any router - and if you're using NAT forward the appropriate ports to your Windows server.

I've done it with everything from "el cheapo" consumer routers to enterprise gear - in short - just about any router in current production is capable of doing the job.

Just in case you ask - appropriate ports will be determined by how your customer chooses to configure his RAS - he can go PPTP or L2TP/IPsec.

Between you & I though - I think he'd be better off using a VPN router, something like the FVS338 and terminating his VPNs on the router rather than on the server - he could probably use Windows IAS to handle the authentication, so that he can manage it from AD - I haven't personally tried this with 2008, but it works with 2003.
Message 2 of 4
m_sandstrom
Aspirant

Re: Best router to allow inbound Windows Remote Access

Thanks,
customer wants to use CMAK to roll out connection profiles to the domain users (so they show the nice logo...), and also to be based on PPTP for iOS devices that need to connect.

I have tried inbound NAT on my FVS336G, opening PPTP to the internal server but then the client fails to connect:

(INTERNET) -- | FVS336Gv1 | -- (192.168.1.0/24) -- | RRAS |

Connecting clients in the internal network and the VPN jumps to life directly. Reversing the flow, a client connects from 192.168.1.0/24 to a RRAS on the "Internet" and all is fine...? To me it sounds like the FVS336Gv1 only can handle PPTP from internal network and out, and not the other way around. Do you have any experiences with this?

Cheers,
/Mattias
Message 3 of 4