Best router to allow inbound Windows Remote Access
2011-09-21
01:42 AM
Hello,
got a question from a customer who is on an Active Directory with a Windows Server 2008 box running Remote Access Server. What firewall could you recommend that allows inbound client connections to be tunneled from the Internet to the Windows box?
Cheers,
/Mattias
Message 1 of 4
Accepted Solutions
2011-09-21
08:14 AM
The FVS336G plays no part in a connection between an "internal" client and a RAS server on the same LAN, and is not really involved in outgoing connections - it does need to have PPTP passthrough, but that is it.
You could have the port forwarding completely disabled on your 336 and you still get the results you report.
First question - does the RAS have internet access?
Second question - what do you mean by "inbound NAT"?
I quit using PPTP a while back (switched to IPsec) but from memory all that is required on the router is to forward port 1723 to the RAS, and if you're using a dynamic WAN IP, you'll also need to set up some form of dynamic DNS - DynDNS has worked well for me.
For the FVS338 (and presumably the 336) - just add an incoming service and select PPTP from the pull-down menu, select allow always and enter the address of the RAS.
Message 4 of 4
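A check for the port forward described in the accepted answer, as an added example that is not part of the original thread: it builds the PPTP Start-Control-Connection-Request a client sends first on TCP 1723 and validates the server's reply (message layout per RFC 2637). It exercises only the TCP control channel; PPTP carries tunnel data in GRE (IP protocol 47), which this does not test. The function names, hostname, vendor string and sample reply are constructed for illustration.

```python
import socket
import struct

MAGIC = 0x1A2B3C4D          # PPTP magic cookie (RFC 2637)
SCCRQ, SCCRP = 1, 2         # Start-Control-Connection-Request / -Reply
REQ = struct.Struct("!HHIHHHHIIHH64s64s")   # 156-byte request layout
REP = struct.Struct("!HHIHHHBBIIHH64s64s")  # 156-byte reply layout


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Build the first message a PPTP client sends on TCP 1723."""
    # length, message type 1 (control), cookie, SCCRQ, reserved,
    # protocol version 1.0, reserved, framing caps, bearer caps,
    # max channels, firmware revision, host name, vendor string
    return REQ.pack(REQ.size, 1, MAGIC, SCCRQ, 0, 0x0100, 0,
                    3, 3, 0, 0, hostname, vendor)


def parse_sccrp(data):
    """Validate a Start-Control-Connection-Reply and return its key fields."""
    if len(data) < REP.size:
        raise ValueError("short reply: %d bytes" % len(data))
    (_length, msg_type, magic, ctrl, _r0, version, result, error, _framing,
     _bearer, _chan, firmware, host, vendor) = REP.unpack(data[:REP.size])
    if magic != MAGIC or msg_type != 1 or ctrl != SCCRP:
        raise ValueError("not a PPTP Start-Control-Connection-Reply")
    return {
        "ok": result == 1,  # result code 1 = control channel established
        "result": result, "error": error, "version": version,
        "firmware": firmware,
        "hostname": host.rstrip(b"\0").decode("ascii", "replace"),
        "vendor": vendor.rstrip(b"\0").decode("ascii", "replace"),
    }


def check_forward(wan_host, port=1723, timeout=5.0):
    """Run from outside the LAN against your own WAN address or DNS name."""
    with socket.create_connection((wan_host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < REP.size:
            chunk = s.recv(REP.size - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


# Constructed sample reply (not captured from a real server).
SAMPLE_REPLY = REP.pack(REP.size, 1, MAGIC, SCCRP, 0, 0x0100, 1, 0,
                        3, 3, 0, 0, b"rras.example.local", b"Microsoft")
```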
All Replies
2011-09-21
05:44 AM
Re: Best router to allow inbound Windows Remote Access
Pick a router - any router - and if you're using NAT, forward the appropriate ports to your Windows server.
I've done it with everything from "el cheapo" consumer routers to enterprise gear - in short - just about any router in current production is capable of doing the job.
Just in case you ask - appropriate ports will be determined by how your customer chooses to configure his RAS - he can go pptp or l2tp/ipsec.
Between you & I though - I think he'd be better off using a VPN router, something like the FVS338 and terminating his VPNs on the router rather than on the server - he could probably use Windows IAS to handle the authentication, so that he can manage it from AD - I haven't personally tried this with 2008, but it works with 2003.
Message 2 of 4
2011-09-21
06:42 AM
Re: Best router to allow inbound Windows Remote Access
Thanks,
customer wants to use CMAK to roll out connection profiles to the domain users (so they show the nice logo...), and also to be based on PPTP for iOS devices that need to connect.
I have tried inbound NAT on my FVS336G, opening PPTP to the internal server but then the client fails to connect:
(INTERNET) -- | FVS336Gv1 | -- (192.168.1.0/24) -- | RRAS |
Connecting clients in the internal network and the VPN jumps to life directly. Reversing the flow, a client connects from 192.168.1.0/24 to a RRAS on the "Internet" and all is fine...? To me it sounds like the FVS336Gv1 only can handle PPTP from internal network and out, and not the other way around. Do you have any experiences with this?
Cheers,
/Mattias
Message 3 of 4